Grsecurity adds a kernel patch for stealth matching in iptables. However, it's useless unless a grsecurity patch is also applied to iptables itself. The necessary patch is at <http://www.grsecurity.net/download.php>.
will this patch cause problems if a user does not have grsecurity in the kernel, or has it but not enabled?
I haven't tested it without grsecurity in the kernel, but I don't think it would cause a problem. The patch merely adds an extra extension module (libipt_stealth.so) to be built with iptables; iptables itself is not changed. The only problem might be if someone tries to use stealth matching without actually having compiled kernel support for it--I do not know what would happen then.
sys-apps/iptables-1.2.7a-r1 masked with ~x86 for testing enjoy.