diff --git a/iptables-1.4.7-xt_CHECKSUM.patch b/iptables-1.4.7-xt_CHECKSUM.patch
new file mode 100644
index 0000000..282f934
--- /dev/null
+++ b/iptables-1.4.7-xt_CHECKSUM.patch
@@ -0,0 +1,119 @@
+diff --git a/extensions/libxt_CHECKSUM.c b/extensions/libxt_CHECKSUM.c
+new file mode 100644
+index 0000000..00fbd8f
+--- /dev/null
++++ b/extensions/libxt_CHECKSUM.c
+@@ -0,0 +1,99 @@
++/* Shared library add-on to xtables for CHECKSUM
++ *
++ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
++ * (C) 2010 by Red Hat, Inc
++ * Author: Michael S. Tsirkin <mst@redhat.com>
++ *
++ * This program is distributed under the terms of GNU GPL v2, 1991
++ *
++ * libxt_CHECKSUM.c borrowed some bits from libipt_ECN.c
++ *
++ * $Id$
++ */
++#include <stdio.h>
++#include <string.h>
++#include <stdlib.h>
++#include <getopt.h>
++
++#include <xtables.h>
++#include <linux/netfilter/xt_CHECKSUM.h>
++
++static void CHECKSUM_help(void)
++{
++	printf(
++"CHECKSUM target options\n"
++"  --checksum-fill			Fill in packet checksum.\n");
++}
++
++static const struct option CHECKSUM_opts[] = {
++	{ "checksum-fill", 0, NULL, 'F' },
++	{ .name = NULL }
++};
++
++static int CHECKSUM_parse(int c, char **argv, int invert, unsigned int *flags,
++                     const void *entry, struct xt_entry_target **target)
++{
++	struct xt_CHECKSUM_info *einfo
++		= (struct xt_CHECKSUM_info *)(*target)->data;
++
++	switch (c) {
++	case 'F':
++		if (*flags)
++			xtables_error(PARAMETER_PROBLEM,
++			        "CHECKSUM target: Only use --checksum-fill ONCE!");
++		einfo->operation = XT_CHECKSUM_OP_FILL;
++		*flags |= XT_CHECKSUM_OP_FILL;
++		break;
++	default:
++		return 0;
++	}
++
++	return 1;
++}
++
++static void CHECKSUM_check(unsigned int flags)
++{
++	if (!flags)
++		xtables_error(PARAMETER_PROBLEM,
++		           "CHECKSUM target: Parameter --checksum-fill is required");
++}
++
++static void CHECKSUM_print(const void *ip, const struct xt_entry_target *target,
++                      int numeric)
++{
++	const struct xt_CHECKSUM_info *einfo =
++		(const struct xt_CHECKSUM_info *)target->data;
++
++	printf("CHECKSUM ");
++
++	if (einfo->operation & XT_CHECKSUM_OP_FILL)
++		printf("fill ");
++}
++
++static void CHECKSUM_save(const void *ip, const struct xt_entry_target *target)
++{
++	const struct xt_CHECKSUM_info *einfo =
++		(const struct xt_CHECKSUM_info *)target->data;
++
++	if (einfo->operation & XT_CHECKSUM_OP_FILL)
++		printf("--checksum-fill ");
++}
++
++static struct xtables_target checksum_tg_reg = {
++	.name		= "CHECKSUM",
++	.version	= XTABLES_VERSION,
++	.family		= NFPROTO_UNSPEC,
++	.size		= XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
++	.userspacesize	= XT_ALIGN(sizeof(struct xt_CHECKSUM_info)),
++	.help		= CHECKSUM_help,
++	.parse		= CHECKSUM_parse,
++	.final_check	= CHECKSUM_check,
++	.print		= CHECKSUM_print,
++	.save		= CHECKSUM_save,
++	.extra_opts	= CHECKSUM_opts,
++};
++
++void _init(void)
++{
++	xtables_register_target(&checksum_tg_reg);
++}
+diff --git a/extensions/libxt_CHECKSUM.man b/extensions/libxt_CHECKSUM.man
+new file mode 100644
+index 0000000..92ae700
+--- /dev/null
++++ b/extensions/libxt_CHECKSUM.man
+@@ -0,0 +1,8 @@
++This target allows to selectively work around broken/old applications.
++It can only be used in the mangle table.
++.TP
++\fB\-\-checksum\-fill\fP
++Compute and fill in the checksum in a packet that lacks a checksum.
++This is particularly useful, if you need to work around old applications
++such as dhcp clients, that do not work well with checksum offloads,
++but don't want to disable checksum offload in your device.
diff --git a/iptables.spec b/iptables.spec
index 5745b4d..df35e90 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -1,11 +1,12 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities
 Version: 1.4.9
-Release: 1%{?dist}
+Release: 2%{?dist}
 Source: http://www.netfilter.org/projects/iptables/files/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
 Patch5: iptables-1.4.9-cloexec.patch
+Patch6: iptables-1.4.7-xt_CHECKSUM.patch
 Group: System Environment/Base
 URL: http://www.netfilter.org/
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -52,6 +53,7 @@ stable and may change with every new version. It is therefore unsupported.
 %prep
 %setup -q
 %patch5 -p1 -b .cloexec
+%patch6 -p1 -b .xt_CHECKSUM
 
 %build
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" \
@@ -163,6 +165,9 @@ fi
 %{_libdir}/pkgconfig/xtables.pc
 
 %changelog
+* Tue Oct 12 2010 Thomas Woerner <twoerner@redhat.com> 1.4.9-2
+- added xt_CHECKSUM patch from Michael S. Tsirkin (rhbz#612587)
+
 * Wed Aug  4 2010 Thomas Woerner <twoerner@redhat.com> 1.4.9-1
 - new version 1.4.9 with all new features of 2.6.35
   - doc: xt_hashlimit: fix a typo