In init() in ip_tables.c, if nf_register_sockopt() fails, then the
function returns failure without unregistering the targets and matches
that it provides.  To correct this, init() should be changed to
something like this:

static int __init ip_tables_init(void)
{
	int ret;

	xt_proto_init(AF_INET);

	/* Noone else will be downing sem now, so we won't sleep */
	xt_register_target(&ipt_standard_target);
	xt_register_target(&ipt_error_target);
	xt_register_match(&icmp_matchstruct);

	/* Register setsockopt */
	ret = nf_register_sockopt(&ipt_sockopts);
	if (ret < 0) {
		duprintf("Unable to register sockopts.\n");
                goto failure_sockopt;
	}

	printk("ip_tables: (C) 2000-2006 Netfilter Core Team\n");
	return 0;

failure_sockopt:
	xt_unregister_match(AF_INET, &icmp_matchstruct);
	xt_unregister_target(AF_INET, &ipt_error_target);
	xt_unregister_target(AF_INET, &ipt_standard_target);
	xt_proto_fini(AF_INET);

        return ret;
}


Rennie deGraaf