netfilter.org has, for some years, been developing a patch called TARPIT, which takes a TCP connection and sets its window size to 0, forcing a timeout. This can be used by iptables to slow down unwanted connection attempts. This patch applies perfectly to vanilla sources, as it does to gentoo-sources, but it won't compile with gentoo-sources.
Steps to Reproduce:
1. get iptables
2. get patch-o-matic
3. ./runme TARPIT
4. enable the module
Compile errors: "net/ipv4/netfilter/ipt_TARPIT.c:188: error: 'struct sk_buff' has no member named 'nh'" a thousand times (with different line numbers).
I'm sorry, but unsupported third-party patches are not a Gentoo bug. You can either fix the patch yourself or report the bug upstream to the TARPIT patch authors.