diff -ruN iptables-1.3.8-vanilla/extensions/libipt_physdev.c iptables-1.3.8/extensions/libipt_physdev.c
--- iptables-1.3.8-vanilla/extensions/libipt_physdev.c	2007-01-23 13:50:00.000000000 +0100
+++ iptables-1.3.8/extensions/libipt_physdev.c	2007-11-01 16:57:58.000000000 +0100
@@ -19,6 +19,8 @@
 "physdev v%s options:\n"
 " --physdev-in [!] input name[+] bridge port name ([+] for wildcard)\n"
 " --physdev-out [!] output name[+] bridge port name ([+] for wildcard)\n"
+" --physgroup-in [!] input group bridge port group value\n"
+" --physgroup-out [!] output group bridge port group value\n"
 " [!] --physdev-is-in arrived on a bridge device\n"
 " [!] --physdev-is-out will leave on a bridge device\n"
 " [!] --physdev-is-bridged it's a bridged packet\n"
@@ -31,6 +33,8 @@
 	{ "physdev-is-in", 0, 0, '3' },
 	{ "physdev-is-out", 0, 0, '4' },
 	{ "physdev-is-bridged", 0, 0, '5' },
+	{ "physgroup-in", 1, 0, '6' },
+	{ "physgroup-out", 1, 0, '7' },
 	{0}
 };
@@ -47,6 +51,7 @@
 {
 	struct ipt_physdev_info *info =
 		(struct ipt_physdev_info*)(*match)->data;
+	char *end;
 	switch (c) {
 	case '1':
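Review bot: The usage text for the two new options does not mention the `/mask` suffix that the parser accepts, so a user reading `--help` has no way to discover that `--physgroup-in 0x10/0xf0` is valid. The two added help lines should read something like `" --physgroup-in [!] group[/mask]\tbridge port group value, optionally masked\n"` and the same for `--physgroup-out`; the default mask (all ones) is worth stating there too. The help() printf this hunk sits in starts and ends outside the hunk.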
@@ -103,6 +108,44 @@
 		info->bitmask |= IPT_PHYSDEV_OP_BRIDGED;
 		break;
+	case '6':
+		if (*flags & IPT_PHYSDEV_OP_GROUPIN)
+			goto multiple_use;
+		check_inverse(argv[optind-1], &invert, &optind, 0);
+		end = optarg = argv[optind-1];
+		info->ingroup = strtoul(optarg, &end, 0);
+		info->ingroupmask = 0xffffffffUL;
+		if (*end == '/')
+			info->ingroupmask = strtoul(end+1, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+				   "physdev match: Bad ifgroup value `%s'",
+				   optarg);
+		if (invert)
+			info->invert |= IPT_PHYSDEV_OP_GROUPIN;
+		*flags |= IPT_PHYSDEV_OP_GROUPIN;
+		info->bitmask |= IPT_PHYSDEV_OP_GROUPIN;
+		break;
+
+	case '7':
+		if (*flags & IPT_PHYSDEV_OP_GROUPOUT)
+			goto multiple_use;
+		check_inverse(argv[optind-1], &invert, &optind, 0);
+		end = optarg = argv[optind-1];
+		info->outgroup = strtoul(optarg, &end, 0);
+		info->outgroupmask = 0xffffffffUL;
+		if (*end == '/')
+			info->outgroupmask = strtoul(end+1, &end, 0);
+		if (*end != '\0' || end == optarg)
+			exit_error(PARAMETER_PROBLEM,
+				   "physdev match: Bad ifgroup value `%s'",
+				   optarg);
+		if (invert)
+			info->invert |= IPT_PHYSDEV_OP_GROUPOUT;
+		*flags |= IPT_PHYSDEV_OP_GROUPOUT;
+		info->bitmask |= IPT_PHYSDEV_OP_GROUPOUT;
+		break;
+
 	default:
 		return 0;
 	}
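Review bot: `--physgroup-in 5/` is accepted with a mask of 0, because after the second strtoul only `*end != '\0'` is checked and `end == optarg` covers just the value; a zero mask makes the rule match every bridge port group, so the mask must be required to consume at least one character. Values that do not fit in 32 bits are also stored silently truncated into the u_int32_t fields (strtoul returns unsigned long and neither errno nor an upper bound is checked), so `0x100000005` becomes group 5. The two cases are copies of each other, so the parse and the checks belong in one static helper, as below; it needs <errno.h> if the file does not already include it, and the `char *end` added to parse() becomes unnecessary. The enclosing parse() switch starts and ends outside this hunk.
```c
/* Parse "value[/mask]" for --physgroup-{in,out}; mask defaults to all ones.
 * Exits via exit_error() on malformed, empty or out-of-range input. */
static void
parse_physgroup(const char *arg, u_int32_t *group, u_int32_t *mask)
{
	char *end;
	unsigned long val, msk = 0xffffffffUL;

	errno = 0;
	val = strtoul(arg, &end, 0);
	if (end == arg || errno == ERANGE || val > 0xffffffffUL)
		goto bad;
	if (*end == '/') {
		const char *mstr = end + 1;

		msk = strtoul(mstr, &end, 0);
		/* "5/" must not silently become mask 0 (matches everything) */
		if (end == mstr || errno == ERANGE || msk > 0xffffffffUL)
			goto bad;
	}
	if (*end != '\0')
		goto bad;
	*group = val;
	*mask = msk;
	return;
bad:
	exit_error(PARAMETER_PROBLEM,
		   "physdev match: Bad ifgroup value `%s'", arg);
}

/* … unchanged: parse() up to case '5' … */
	case '6':
		if (*flags & IPT_PHYSDEV_OP_GROUPIN)
			goto multiple_use;
		check_inverse(argv[optind-1], &invert, &optind, 0);
		parse_physgroup(argv[optind-1], &info->ingroup, &info->ingroupmask);
		if (invert)
			info->invert |= IPT_PHYSDEV_OP_GROUPIN;
		*flags |= IPT_PHYSDEV_OP_GROUPIN;
		info->bitmask |= IPT_PHYSDEV_OP_GROUPIN;
		break;
	/* … case '7' mirrors case '6' with IPT_PHYSDEV_OP_GROUPOUT and the out* fields … */
```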
@@ -145,6 +186,13 @@
 	if (info->bitmask & IPT_PHYSDEV_OP_BRIDGED)
 		printf("%s --physdev-is-bridged", info->invert & IPT_PHYSDEV_OP_BRIDGED ? " !":"");
+
+	if (info->bitmask & IPT_PHYSDEV_OP_GROUPIN)
+		printf("%s --physgroup-in 0x%x/0x%x",
+		       (info->invert & IPT_PHYSDEV_OP_GROUPIN) ? " !":"", info->ingroup, info->ingroupmask);
+	if (info->bitmask & IPT_PHYSDEV_OP_GROUPOUT)
+		printf("%s --physgroup-out 0x%x/0x%x",
+		       (info->invert & IPT_PHYSDEV_OP_GROUPOUT) ? " !":"", info->outgroup, info->outgroupmask);
 	printf(" ");
 }
diff -ruN iptables-1.3.8-vanilla/include/linux/netfilter_ipv4/ipt_physdev.h iptables-1.3.8/include/linux/netfilter_ipv4/ipt_physdev.h
--- iptables-1.3.8-vanilla/include/linux/netfilter_ipv4/ipt_physdev.h	2007-01-23 13:49:51.000000000 +0100
+++ iptables-1.3.8/include/linux/netfilter_ipv4/ipt_physdev.h	2007-11-01 16:15:38.000000000 +0100
@@ -10,13 +10,19 @@
 #define IPT_PHYSDEV_OP_BRIDGED 0x04
 #define IPT_PHYSDEV_OP_ISIN 0x08
 #define IPT_PHYSDEV_OP_ISOUT 0x10
-#define IPT_PHYSDEV_OP_MASK (0x20 - 1)
+#define IPT_PHYSDEV_OP_GROUPIN 0x20
+#define IPT_PHYSDEV_OP_GROUPOUT 0x40
+#define IPT_PHYSDEV_OP_MASK (0x80 - 1)
 struct ipt_physdev_info {
 	char physindev[IFNAMSIZ];
 	char in_mask[IFNAMSIZ];
 	char physoutdev[IFNAMSIZ];
 	char out_mask[IFNAMSIZ];
+	u_int32_t ingroup;
+	u_int32_t ingroupmask;
+	u_int32_t outgroup;
+	u_int32_t outgroupmask;
 	u_int8_t invert;
 	u_int8_t bitmask;
 };
diff -ruN iptables-1.3.8-vanilla/include/linux/netfilter_ipv6/ip6t_physdev.h iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_physdev.h
--- iptables-1.3.8-vanilla/include/linux/netfilter_ipv6/ip6t_physdev.h	2007-01-23 13:49:51.000000000 +0100
+++ iptables-1.3.8/include/linux/netfilter_ipv6/ip6t_physdev.h	2007-11-01 16:15:21.000000000 +0100
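Review bot: Only one of the two output functions of libipt_physdev.c is extended in this diff, and from the hunk alone I cannot tell whether it is print() or save(), since both end in the same `--physdev-is-bridged` / `printf(" ")` pattern. Whichever one is not updated will silently drop the group constraint, so either `iptables -L` lists a rule without it or `iptables-save` emits one that restores without it; the second is the dangerous case, because a restored ruleset would then match more traffic than the running one did. The same two `if (info->bitmask & IPT_PHYSDEV_OP_GROUPIN)` / `GROUPOUT` blocks should be added to the other function. The enclosing function starts outside this hunk.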
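Review bot: The struct layout shared with the kernel changes here (four u_int32_t fields are inserted before `invert`/`bitmask` and IPT_PHYSDEV_OP_MASK grows to 0x7f), but the kernel side of the physdev match is not part of this diff. A kernel whose match-info struct does not carry exactly this layout will presumably reject the rule at insertion if it checks the match size, and a user running the patched iptables against an unpatched kernel gets no group filtering at all rather than an explicit error in the worst case. A comment above the struct such as `/* Layout must match the kernel's physdev match info exactly; keep ip6t_physdev.h in sync. */`, plus a pointer to the corresponding kernel patch, would make this dependency visible to whoever rebuilds one side without the other.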
@@ -10,13 +10,19 @@
 #define IP6T_PHYSDEV_OP_BRIDGED 0x04
 #define IP6T_PHYSDEV_OP_ISIN 0x08
 #define IP6T_PHYSDEV_OP_ISOUT 0x10
-#define IP6T_PHYSDEV_OP_MASK (0x20 - 1)
+#define IP6T_PHYSDEV_OP_GROUPIN 0x20
+#define IP6T_PHYSDEV_OP_GROUPOUT 0x40
+#define IP6T_PHYSDEV_OP_MASK (0x80 - 1)
 struct ip6t_physdev_info {
 	char physindev[IFNAMSIZ];
 	char in_mask[IFNAMSIZ];
 	char physoutdev[IFNAMSIZ];
 	char out_mask[IFNAMSIZ];
+	u_int32_t ingroup;
+	u_int32_t ingroupmask;
+	u_int32_t outgroup;
+	u_int32_t outgroupmask;
 	u_int8_t invert;
 	u_int8_t bitmask;
 };
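Review bot: The IPv6 header gains the same fields and flag bits, but nothing in this diff touches extensions/libip6t_physdev.c, so ip6tables has no `--physgroup-in`/`--physgroup-out` options and can neither set nor display these fields, unless that change lives in a part of the patch I cannot see. If the IPv6 extension is meant to follow, it needs the same option table, parser and print/save additions as the IPv4 one; if it is not, the widened struct has no user on this side. Either way the two headers presumably describe one kernel match and must stay byte-identical, which is worth a one-line comment above the struct.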