[patch] netfilter: implement TCPMSS target for IPv6

[patch] netfilter: implement TCPMSS target for IPv6

[David Madore]

Implement TCPMSS target for IPv6 by shamelessly copying from
Marc Boucher's IPv4 implementation.

Signed-off-by: David A. Madore <david.madore@ens.fr>

---

 Note: The patch for ip6tables to make use of this module can be
 obtained from <URL:
 ftp://quatramaran.ens.fr/pub/madore/misc/ip6t-TCPMSS/
 > (also contains a version of this same patch for 2.6.19.2).

 include/linux/netfilter_ipv6/ip6t_TCPMSS.h |   10 ++
 net/ipv6/netfilter/Kconfig                 |   26 ++++
 net/ipv6/netfilter/Makefile                |    1 +
 net/ipv6/netfilter/ip6t_TCPMSS.c           |  225 ++++++++++++++++++++++++++++
 4 files changed, 262 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter_ipv6/ip6t_TCPMSS.h b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
new file mode 100644
index 0000000..412d1cb
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
@@ -0,0 +1,10 @@
+#ifndef _IP6T_TCPMSS_H
+#define _IP6T_TCPMSS_H
+
+struct ip6t_tcpmss_info {
+	u_int16_t mss;
+};
+
+#define IP6T_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /*_IP6T_TCPMSS_H*/
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index adcd613..3890a59 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -154,6 +154,32 @@ config IP6_NF_TARGET_REJECT
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_TARGET_TCPMSS
+	tristate "TCPMSS target support"
+	depends on IP6_NF_IPTABLES
+	---help---
+	  This option adds a `TCPMSS' target, which allows you to alter the
+	  MSS value of TCP SYN packets, to control the maximum size for that
+	  connection (usually limiting it to your outgoing interface's MTU
+	  minus 60).
+
+	  This is used to overcome criminally braindead ISPs or servers which
+	  block ICMPv6 Packet Too Big packets.  The symptoms of this
+	  problem are that everything works fine from your Linux
+	  firewall/router, but machines behind it can never exchange large
+	  packets:
+	  	1) Web browsers connect, then hang with no data received.
+	  	2) Small mail works fine, but large emails hang.
+	  	3) ssh works fine, but scp hangs after initial handshaking.
+
+	  Workaround: activate this option and add a rule to your firewall
+	  configuration like:
+
+	  ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+	  		 -j TCPMSS --clamp-mss-to-pmtu
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config IP6_NF_MANGLE
 	tristate "Packet mangling"
 	depends on IP6_NF_IPTABLES
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index ac1dfeb..616a006 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -19,6 +19,7 @@ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
 obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
+obj-$(CONFIG_IP6_NF_TARGET_TCPMSS) += ip6t_TCPMSS.o
 
 # objects for l3 independent conntrack
 nf_conntrack_ipv6-objs  :=  nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o
diff --git a/net/ipv6/netfilter/ip6t_TCPMSS.c b/net/ipv6/netfilter/ip6t_TCPMSS.c
new file mode 100644
index 0000000..ab492c3
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_TCPMSS.c
@@ -0,0 +1,225 @@
+/*
+ * This is a module which is used for setting the MSS option in TCP packets.
+ *
+ * Copyright (C) 2007 David Madore <david.madore@ens.fr>
+ *
+ * Shamelessly based on net/ipv4/netfilter/ipt_TCPMSS.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <net/ipv6.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("David Madore <david.madore@ens.fr>");
+MODULE_DESCRIPTION("ip6tables TCP MSS modification module");
+
+static inline unsigned int
+optlen(const u_int8_t *opt, unsigned int offset)
+{
+	/* Beware zero-length options: make finite progress */
+	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
+		return 1;
+	else
+		return opt[offset+1];
+}
+
+static unsigned int
+ip6t_tcpmss_target(struct sk_buff **pskb,
+		   const struct net_device *in,
+		   const struct net_device *out,
+		   unsigned int hooknum,
+		   const struct xt_target *target,
+		   const void *targinfo)
+{
+	const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+	struct tcphdr *tcph;
+	struct ipv6hdr *ipv6h;
+	u_int8_t nexthdr;
+	int tcphoff;
+	u_int16_t tcplen, newmss;
+	__be16 newiplen, oldval;
+	unsigned int i;
+	u_int8_t *opt;
+
+	if (!skb_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
+
+	ipv6h = (*pskb)->nh.ipv6h;
+	nexthdr = ipv6h->nexthdr;
+	tcphoff = ipv6_skip_exthdr(*pskb, sizeof(struct ipv6hdr), &nexthdr);
+	if ((tcphoff < 0) || (tcphoff > (*pskb)->len)) {
+		if (net_ratelimit())
+			printk(KERN_ERR
+			       "ip6t_tcpmss_target: can't find TCP header\n");
+		return NF_DROP;
+	}
+	tcplen = (*pskb)->len - tcphoff;
+	if ((nexthdr != IPPROTO_TCP) || (tcplen < sizeof(struct tcphdr))) {
+		/* Can't happen (see other comment below)? */
+		if (net_ratelimit())
+			printk(KERN_ERR
+			       "ip6t_tcpmss_target: bad TCP header\n");
+		return NF_DROP;
+	}
+	tcph = (void *)ipv6h + tcphoff;
+
+	/* Since it passed flags test in tcp match, we know it is is
+	   not a fragment, and has data >= tcp header length.  SYN
+	   packets should not contain data: if they did, then we risk
+	   running over MTU, sending Frag Needed and breaking things
+	   badly. --RR */
+	if (tcplen != tcph->doff*4) {
+		if (net_ratelimit())
+			printk(KERN_ERR
+			       "ip6t_tcpmss_target: bad length (%d bytes)\n",
+			       (*pskb)->len);
+		return NF_DROP;
+	}
+
+	if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU) {
+		if (dst_mtu((*pskb)->dst) <= sizeof(struct ipv6hdr) +
+					     sizeof(struct tcphdr)) {
+			if (net_ratelimit())
+				printk(KERN_ERR "ip6t_tcpmss_target: "
+				       "unknown or invalid path-MTU (%d)\n",
+				       dst_mtu((*pskb)->dst));
+			return NF_DROP; /* or IP6T_CONTINUE ?? */
+		}
+
+		newmss = dst_mtu((*pskb)->dst) - sizeof(struct ipv6hdr) -
+						 sizeof(struct tcphdr);
+	} else
+		newmss = tcpmssinfo->mss;
+
+ 	opt = (u_int8_t *)tcph;
+	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
+		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
+		    opt[i+1] == TCPOLEN_MSS) {
+			u_int16_t oldmss;
+
+			oldmss = (opt[i+2] << 8) | opt[i+3];
+
+			if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+			    oldmss <= newmss)
+				return IP6T_CONTINUE;
+
+			opt[i+2] = (newmss & 0xff00) >> 8;
+			opt[i+3] = (newmss & 0x00ff);
+
+			nf_proto_csum_replace2(&tcph->check, *pskb,
+					       htons(oldmss), htons(newmss), 0);
+			return IP6T_CONTINUE;
+		}
+	}
+
+	/*
+	 * MSS Option not found ?! add it..
+	 */
+	if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
+		struct sk_buff *newskb;
+
+		newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
+					 TCPOLEN_MSS, GFP_ATOMIC);
+		if (!newskb)
+			return NF_DROP;
+		kfree_skb(*pskb);
+		*pskb = newskb;
+		ipv6h = (*pskb)->nh.ipv6h;
+		tcph = (void *)ipv6h + tcphoff;
+	}
+
+	skb_put((*pskb), TCPOLEN_MSS);
+
+ 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
+	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+
+ 	nf_proto_csum_replace2(&tcph->check, *pskb,
+ 				htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
+	opt[0] = TCPOPT_MSS;
+	opt[1] = TCPOLEN_MSS;
+	opt[2] = (newmss & 0xff00) >> 8;
+	opt[3] = (newmss & 0x00ff);
+
+ 	nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0);
+
+	oldval = ((__be16 *)tcph)[6];
+	tcph->doff += TCPOLEN_MSS/4;
+ 	nf_proto_csum_replace2(&tcph->check, *pskb,
+ 				oldval, ((__be16 *)tcph)[6], 0);
+
+	newiplen = htons(ntohs(ipv6h->payload_len) + TCPOLEN_MSS);
+	ipv6h->payload_len = newiplen;
+	return IP6T_CONTINUE;
+}
+
+#define TH_SYN 0x02
+
+static inline int find_syn_match(const struct ip6t_entry_match *m)
+{
+	const struct ip6t_tcp *tcpinfo = (const struct ip6t_tcp *)m->data;
+
+	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
+	    tcpinfo->flg_cmp & TH_SYN &&
+	    !(tcpinfo->invflags & IP6T_TCP_INV_FLAGS))
+		return 1;
+
+	return 0;
+}
+
+/* Must specify -p tcp --syn/--tcp-flags SYN */
+static int
+ip6t_tcpmss_checkentry(const char *tablename,
+		       const void *e_void,
+		       const struct xt_target *target,
+		       void *targinfo,
+		       unsigned int hook_mask)
+{
+	const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+	const struct ip6t_entry *e = e_void;
+
+	if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+	    (hook_mask & ~((1 << NF_IP6_FORWARD) |
+			   (1 << NF_IP6_LOCAL_OUT) |
+			   (1 << NF_IP6_POST_ROUTING))) != 0) {
+		printk("TCPMSS: path-MTU clamping only supported in "
+		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
+		return 0;
+	}
+
+	if (IP6T_MATCH_ITERATE(e, find_syn_match))
+		return 1;
+	printk("TCPMSS: Only works on TCP SYN packets\n");
+	return 0;
+}
+
+static struct ip6t_target ip6t_tcpmss_reg = {
+	.name		= "TCPMSS",
+	.target		= ip6t_tcpmss_target,
+	.targetsize	= sizeof(struct ip6t_tcpmss_info),
+	.proto		= IPPROTO_TCP,
+	.checkentry	= ip6t_tcpmss_checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init ip6t_tcpmss_init(void)
+{
+	return ip6t_register_target(&ip6t_tcpmss_reg);
+}
+
+static void __exit ip6t_tcpmss_fini(void)
+{
+	ip6t_unregister_target(&ip6t_tcpmss_reg);
+}
+
+module_init(ip6t_tcpmss_init);
+module_exit(ip6t_tcpmss_fini);

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Jan Engelhardt]

On Jan 14 2007 20:20, David Madore wrote:
>
>Implement TCPMSS target for IPv6 by shamelessly copying from
>Marc Boucher's IPv4 implementation.
>
>Signed-off-by: David A. Madore <david.madore@ens.fr>

Would not it be worthwhile to merge ipt_TCPMSS and
ip6t_TCPMSS to xt_TCPMSS instead?


	-`J'
-- 

Re: [patch] netfilter: implement TCPMSS target for IPv6

[David Madore]

On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
> >Implement TCPMSS target for IPv6 by shamelessly copying from
> >Marc Boucher's IPv4 implementation.
> 
> Would not it be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

It may be, but I'm afraid that's outside my competence.  I happened to
need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
Of course, I'd appreciate it if someone were to do it in a better way.

Happy hacking,

-- 
     David A. Madore
    (david.madore@ens.fr,
     http://www.madore.org/~david/ )

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

David Madore wrote:
> On Sun, Jan 14, 2007 at 09:10:45PM +0100, Jan Engelhardt wrote:
> 
>>On Jan 14 2007 20:20, David Madore wrote:
>>
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>
>>Would not it be worthwhile to merge ipt_TCPMSS and
>>ip6t_TCPMSS to xt_TCPMSS instead?
> 
> 
> It may be, but I'm afraid that's outside my competence.  I happened to
> need ip6t_TCPMSS badly and soon, so I went for the quickest solution.
> Of course, I'd appreciate it if someone were to do it in a better way.

I'll give it a shot.

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
> 
>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>Marc Boucher's IPv4 implementation.
>>
>>Signed-off-by: David A. Madore <david.madore@ens.fr>
> 
> 
> Would not it be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

I'm not sure how well that will work (the IPv4/IPv6-specific stuff
is spread over the entire target function), but its worth a try.

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Jan Engelhardt]

On Jan 15 2007 09:39, Patrick McHardy wrote:
>> On Jan 14 2007 20:20, David Madore wrote:
>> 
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>>
>>>Signed-off-by: David A. Madore <david.madore@ens.fr>
>> 
>> 
>> Would not it be worthwhile to merge ipt_TCPMSS and
>> ip6t_TCPMSS to xt_TCPMSS instead?
>
>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>is spread over the entire target function), but its worth a try.

"Nothing is impossible." Since you happened to take that one for
yourself... well here's a q: would a patch be accepted that changes
all ipt and ip6t modules to the new xt? Even if a module is only for
ipv4 or ipv6, I think it makes sense to reduce the number of
different *t structures floating around.


	-`J'
-- 

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jan 15 2007 09:39, Patrick McHardy wrote:
> 
>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>is spread over the entire target function), but its worth a try.
> 
> 
> "Nothing is impossible." Since you happened to take that one for
> yourself... well here's a q: would a patch be accepted that changes
> all ipt and ip6t modules to the new xt? Even if a module is only for
> ipv4 or ipv6, I think it makes sense to reduce the number of
> different *t structures floating around.


If you're talking about using the xt-structures in net/ipv[46]/netfilter
and removing the ipt/ip6t-wrappers, that would make sense IMO.

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Jan Engelhardt]

On Jan 15 2007 11:18, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> On Jan 15 2007 09:39, Patrick McHardy wrote:
>> 
>>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>>is spread over the entire target function), but its worth a try.
>> 
>> 
>> well here's a q: would a patch be accepted that changes
>> all ipt and ip6t modules to the new xt? Even if a module is only for
>> ipv4 or ipv6, I think it makes sense to reduce the number of
>> different *t structures floating around.
>
>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>and removing the ipt/ip6t-wrappers, that would make sense IMO.

Yup. Should the files then be renamed/moved to net/netfilter/xt_[foobaz].c
in a second step?

Should I leave ipt_TCPMSS/ip6t_TCPMSS untouched while you are working on 
that one?


	-`J'
-- 

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

[CC-list trimmed]

Jan Engelhardt wrote:
> On Jan 15 2007 11:18, Patrick McHardy wrote:
> 
>>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>>and removing the ipt/ip6t-wrappers, that would make sense IMO.
> 
> 
> Yup. Should the files then be renamed/moved to net/netfilter/xt_[foobaz].c
> in a second step?

No, the address family dependant stuff should stay where it is.

> Should I leave ipt_TCPMSS/ip6t_TCPMSS untouched while you are working on 
> that one?

Yes, I'm done porting it to x_tables, but it still needs testing.

[PATCH] Re: ipt->xt (was: implement TCPMSS target for IPv6)

[Jan Engelhardt]

On Jan 15 2007 11:18, Patrick McHardy wrote:
>> 
>>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>>is spread over the entire target function), but its worth a try.
>> 
>> 
>> "Nothing is impossible." Since you happened to take that one for
>> yourself... well here's a q: would a patch be accepted that changes
>> all ipt and ip6t modules to the new xt? Even if a module is only for
>> ipv4 or ipv6, I think it makes sense to reduce the number of
>> different *t structures floating around.
>
>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>and removing the ipt/ip6t-wrappers, that would make sense IMO.
>

How about this for a start?

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -42,7 +43,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables target for CLUSTERIP");
+MODULE_DESCRIPTION("xtables target for CLUSTERIP");
 
 struct clusterip_config {
 	struct list_head list;			/* list of all configs */
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,18 +9,20 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN modification module");
+MODULE_DESCRIPTION("xtables ECN modification module");
 
 /* set ECT codepoint from IP header.
  * 	return 0 if there was an error. */
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,12 +20,12 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables syslog logging module");
+MODULE_DESCRIPTION("xtables syslog logging module");
 
 #if 0
 #define DEBUGP printk
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
+	if (xt_register_target(&ipt_log_reg))
 		return -EINVAL;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
@@ -486,7 +487,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,11 +25,11 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables MASQUERADE target module");
+MODULE_DESCRIPTION("xtables MASQUERADE target module");
 
 #if 0
 #define DEBUGP printk
@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
 
 static struct ipt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -24,7 +25,7 @@
 #define MODULENAME "NETMAP"
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
-MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
+MODULE_DESCRIPTION("xtables 1:1 NAT mapping of IP networks target");
 
 #if 0
 #define DEBUGP printk
@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
 
 static struct ipt_target target_module = { 
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -26,7 +27,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REDIRECT target module");
+MODULE_DESCRIPTION("xtables REDIRECT target module");
 
 #if 0
 #define DEBUGP printk
@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
 
 static struct ipt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -30,7 +31,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REJECT target module");
+MODULE_DESCRIPTION("xtables REJECT target module");
 
 #if 0
 #define DEBUGP printk
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -43,7 +44,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Martin Josefsson <gandalf@wlug.westbo.se>");
-MODULE_DESCRIPTION("iptables special SNAT module for consistent sourceip");
+MODULE_DESCRIPTION("xtables special SNAT module for consistent sourceip");
 
 #if 0
 #define DEBUGP printk
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,12 +13,12 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables TOS mangling module");
+MODULE_DESCRIPTION("xtables TOS mangling module");
 
 static unsigned int
 target(struct sk_buff **pskb,
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,11 +12,11 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_DESCRIPTION("xtables TTL modification module");
 MODULE_LICENSE("GPL");
 
 static unsigned int 
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,14 +57,14 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("iptables userspace logging module");
+MODULE_DESCRIPTION("xtables userspace logging module");
 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
 
 #define ULOG_NL_EVENT		111		/* Harald's favorite number */
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if (xt_register_target(&ipt_ulog_reg) != 0) {
 		sock_release(nflognl->sk_socket);
 		return -EINVAL;
 	}
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,11 +16,11 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("iptables addrtype match");
+MODULE_DESCRIPTION("xtables addrtype match");
 
 static inline int match_type(__be32 addr, u_int16_t mask)
 {
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,16 +6,17 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("iptables AH SPI match module");
+MODULE_DESCRIPTION("xtables AH SPI match module");
 
 #ifdef DEBUG_CONNTRACK
 #define duprintf(format, args...) printk(format , ## args)
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,15 +9,18 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN matching module");
+MODULE_DESCRIPTION("xtables ECN matching module");
 MODULE_LICENSE("GPL");
 
 static inline int match_ip(const struct sk_buff *skb,
@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
+	.proto		= IPPROTO_TCP,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,12 +10,12 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables arbitrary IP range match module");
+MODULE_DESCRIPTION("xtables arbitrary IP range match module");
 
 #if 0
 #define DEBUGP printk
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,11 +15,11 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables owner match");
+MODULE_DESCRIPTION("xtables owner match");
 
 static int
 match(const struct sk_buff *skb,
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,11 +25,11 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IP tables recently seen matching module");
+MODULE_DESCRIPTION("xtables recently seen matching module");
 MODULE_LICENSE("GPL");
 
 static unsigned int ip_list_tot = 100;
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,14 +8,15 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables TOS match module");
+MODULE_DESCRIPTION("xtables TOS match module");
 
 static int
 match(const struct sk_buff *skb,
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,14 +9,15 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL matching module");
+MODULE_DESCRIPTION("xtables TTL matching module");
 MODULE_LICENSE("GPL");
 
 static int match(const struct sk_buff *skb,
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
#<EOF>

	-`J'
-- 

Re: [PATCH] Re: ipt->xt

[Patrick McHardy]

[CC-list trimmed]

Jan Engelhardt wrote:
> How about this for a start?

A few comments below.

> Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
> 
> Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
> ===================================================================
> --- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
> +++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
> @@ -42,7 +43,7 @@
>  
>  MODULE_LICENSE("GPL");
>  MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
> -MODULE_DESCRIPTION("iptables target for CLUSTERIP");
> +MODULE_DESCRIPTION("xtables target for CLUSTERIP");

The MODULE_DESCRIPTION should stay the same, its still an iptables-only
target.

> Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
> ===================================================================
> --- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
> +++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
> @@ -20,12 +20,12 @@
>  #include <net/route.h>
>  
>  #include <linux/netfilter.h>
> -#include <linux/netfilter_ipv4/ip_tables.h>
> +#include <linux/netfilter/x_tables.h>
>  #include <linux/netfilter_ipv4/ipt_LOG.h>

Please keep the _ipv4 entries next to each other.

> @@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
>  
>  static int __init ipt_log_init(void)
>  {
> -	if (ipt_register_target(&ipt_log_reg))
> +	if (xt_register_target(&ipt_log_reg))

While you're at it, this should return the real error.

>  		return -EINVAL;
>  	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
>  		printk(KERN_WARNING "ipt_LOG: not logging via system console "

> @@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
>  	if (!nflognl)
>  		return -ENOMEM;
>  
> -	if (ipt_register_target(&ipt_ulog_reg) != 0) {
> +	if (xt_register_target(&ipt_ulog_reg) != 0) {
>  		sock_release(nflognl->sk_socket);
>  		return -EINVAL;

Same here. Maybe do a seperate patch for these changes.

Re: ipt->xt

[Jan Engelhardt]

>> Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>> ===================================================================
>> --- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
>> +++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>> @@ -20,12 +20,12 @@
>>  #include <net/route.h>
>>  
>>  #include <linux/netfilter.h>
>> -#include <linux/netfilter_ipv4/ip_tables.h>
>> +#include <linux/netfilter/x_tables.h>
>>  #include <linux/netfilter_ipv4/ipt_LOG.h>
>
>Please keep the _ipv4 entries next to each other.

How do you mean? It looks like this atm:

#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_LOG.h>

so, from my point, I'd judge "all the _ipv4 entries" are next to each other
(there is only one after all) -- please elaborate what you intended.
(linux/in.h linux/ip.h?)

>> @@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
>>  
>>  static int __init ipt_log_init(void)
>>  {
>> -	if (ipt_register_target(&ipt_log_reg))
>> +	if (xt_register_target(&ipt_log_reg))
>
>While you're at it, this should return the real error.

Good idea. Separate patch. (There was one more elsewhere.)


	-`J'
-- 

Re: ipt->xt

[Patrick McHardy]

Jan Engelhardt wrote:
> 
>>>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>>>===================================================================
>>>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
>>>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>>>@@ -20,12 +20,12 @@
>>> #include <net/route.h>
>>> 
>>> #include <linux/netfilter.h>
>>>-#include <linux/netfilter_ipv4/ip_tables.h>
>>>+#include <linux/netfilter/x_tables.h>
>>> #include <linux/netfilter_ipv4/ipt_LOG.h>
>>
>>Please keep the _ipv4 entries next to each other.
> 
> 
> How do you mean? It looks like this atm:
> 
> #include <linux/netfilter.h>
> #include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_LOG.h>


Right, I misread the patch.

Re: ipt->xt [p2]

[Jan Engelhardt]

Ok, here you go, two diffs, one for the xt (did I catch all the compat 
stuff?) and the error value propagation.

Diff 1

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,12 +9,14 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,7 +20,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
+	if (xt_register_target(&ipt_log_reg))
 		return -EINVAL;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
@@ -486,7 +487,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
 
 static struct ipt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
 
 static struct ipt_target target_module = { 
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
 
 static struct ipt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,7 +13,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,7 +12,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,7 +57,7 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if (xt_register_target(&ipt_ulog_reg) != 0) {
 		sock_release(nflognl->sk_socket);
 		return -EINVAL;
 	}
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,7 +16,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,12 +6,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,10 +9,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
+	.proto		= IPPROTO_TCP,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,7 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,7 +15,7 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,7 +25,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("iptables TOS match module");
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,11 +9,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("IP tables TTL matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
#<EOF>


Diff 2

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -472,8 +472,9 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (xt_register_target(&ipt_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET\n");
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
 
 static int __init ipt_ulog_init(void)
 {
-	int i;
+	int ret, i;
 
 	DEBUGP("ipt_ULOG: init module\n");
 
@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (xt_register_target(&ipt_ulog_reg) != 0) {
+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
-		return -EINVAL;
+		return ret;
 	}
 	if (nflog)
 		nf_log_register(PF_INET, &ipt_ulog_logger);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
@@ -482,8 +482,9 @@ static struct nf_logger ip6t_logger = {
 
 static int __init ip6t_log_init(void)
 {
-	if (ip6t_register_target(&ip6t_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ip6t_register_target(&ip6t_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET6\n");
#<EOF>

	-`J'
-- 

Re: ipt->xt [p2]

[Patrick McHardy]

Jan Engelhardt wrote:
> Ok, here you go, two diffs, one for the xt (did I catch all the compat 
> stuff?) and the error value propagation.

You seem to be missing ip6_tables. Also please remove the registration
wrappers.

Re: ipt->xt [p2]

[Jan Engelhardt]

On Jan 17 2007 12:31, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> Ok, here you go, two diffs, one for the xt (did I catch all the compat 
>> stuff?) and the error value propagation.
>
>You seem to be missing ip6_tables.

I have not yet gone through net/ipv6/netfilter/, right.

>Also please remove the registration wrappers.

How do you mean?


	-`J'
-- 

Re: ipt->xt [p2]

[Patrick McHardy]

Jan Engelhardt wrote:
>>Also please remove the registration wrappers.
> 
> 
> How do you mean?

There are not needed anymore after your change:

include/linux/netfilter_ipv4/ip_tables.h:

#define ipt_register_target(tgt)        \

({      (tgt)->family = AF_INET;        \
        xt_register_target(tgt); })
#define ipt_unregister_target(tgt) xt_unregister_target(tgt)

#define ipt_register_match(mtch)        \
({      (mtch)->family = AF_INET;       \
        xt_register_match(mtch); })
#define ipt_unregister_match(mtch) xt_unregister_match(mtch)

Same in ip6_tables.h.

Re: ipt->xt [p3]

[Jan Engelhardt]

On Jan 17 2007 13:40, Patrick McHardy wrote:
>
>There are not needed anymore after your change:

Removing them makes your xt_TCPMSS (which I don't have yet in my working copy)
a dependency. Anyway, here goes...

The ipt-log-fix-return.diff has been folded into use-xt-struct.diff.

Index: linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv4/ip_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
@@ -272,16 +272,6 @@ ipt_get_target(struct ipt_entry *e)
 #include <linux/init.h>
 extern void ipt_init(void) __init;
 
-#define ipt_register_target(tgt) 	\
-({	(tgt)->family = AF_INET;	\
- 	xt_register_target(tgt); })
-#define ipt_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ipt_register_match(mtch) 	\
-({	(mtch)->family = AF_INET;	\
-	xt_register_match(mtch); })
-#define ipt_unregister_match(mtch) xt_unregister_match(mtch)
-
 //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
 //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
 
Index: linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv6/ip6_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
@@ -286,16 +286,6 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
-#define ip6t_register_target(tgt) 		\
-({	(tgt)->family = AF_INET6;		\
- 	xt_register_target(tgt); })
-#define ip6t_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ip6t_register_match(match)		\
-({	(match)->family = AF_INET6;		\
-	xt_register_match(match); })
-#define ip6t_unregister_match(match) xt_unregister_match(match)
-
 extern int ip6t_register_table(struct ip6t_table *table,
 			       const struct ip6t_replace *repl);
 extern void ip6t_unregister_table(struct ip6t_table *table);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,12 +9,14 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,7 +20,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -471,8 +472,9 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET\n");
@@ -486,7 +488,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
 
 static struct ipt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
 
 static struct ipt_target target_module = { 
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
 
 static struct ipt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,7 +13,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,7 +12,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,7 +57,7 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
 
 static int __init ipt_ulog_init(void)
 {
-	int i;
+	int ret, i;
 
 	DEBUGP("ipt_ULOG: init module\n");
 
@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
-		return -EINVAL;
+		return ret;
 	}
 	if (nflog)
 		nf_log_register(PF_INET, &ipt_ulog_logger);
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,7 +16,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,12 +6,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,10 +9,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
+	.proto		= IPPROTO_TCP,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,7 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,7 +15,7 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,7 +25,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("iptables TOS match module");
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,11 +9,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("IP tables TTL matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_HL.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
@@ -9,12 +9,13 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6t_HL.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP tables Hop Limit modification module");
+MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
 MODULE_LICENSE("GPL");
 
 static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
@@ -55,7 +56,7 @@ static unsigned int ip6t_hl_target(struc
 	if (new_hl != ip6h->hop_limit)
 		ip6h->hop_limit = new_hl;
 
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ip6t_hl_checkentry(const char *tablename,
@@ -79,8 +80,9 @@ static int ip6t_hl_checkentry(const char
 	return 1;
 }
 
-static struct ip6t_target ip6t_HL = { 
+static struct xt_target ip6t_HL = {
 	.name 		= "HL", 
+	.family		= AF_INET6,
 	.target		= ip6t_hl_target, 
 	.targetsize	= sizeof(struct ip6t_HL_info),
 	.table		= "mangle",
@@ -90,12 +92,12 @@ static struct ip6t_target ip6t_HL = { 
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_target(&ip6t_HL);
+	return xt_register_target(&ip6t_HL);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_target(&ip6t_HL);
+	xt_unregister_target(&ip6t_HL);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
@@ -21,6 +21,7 @@
 #include <net/tcp.h>
 #include <net/ipv6.h>
 #include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
@@ -442,7 +443,7 @@ ip6t_log_target(struct sk_buff **pskb,
 
 	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
 	                loginfo->prefix);
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 
@@ -466,8 +467,9 @@ static int ip6t_log_checkentry(const cha
 	return 1;
 }
 
-static struct ip6t_target ip6t_log_reg = {
+static struct xt_target ip6t_log_reg = {
 	.name 		= "LOG",
+	.family		= AF_INET6,
 	.target 	= ip6t_log_target, 
 	.targetsize	= sizeof(struct ip6t_log_info),
 	.checkentry	= ip6t_log_checkentry, 
@@ -482,8 +484,9 @@ static struct nf_logger ip6t_logger = {
 
 static int __init ip6t_log_init(void)
 {
-	if (ip6t_register_target(&ip6t_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = xt_register_target(&ip6t_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET6\n");
@@ -497,7 +500,7 @@ static int __init ip6t_log_init(void)
 static void __exit ip6t_log_fini(void)
 {
 	nf_log_unregister_logger(&ip6t_logger);
-	ip6t_unregister_target(&ip6t_log_reg);
+	xt_unregister_target(&ip6t_log_reg);
 }
 
 module_init(ip6t_log_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_REJECT.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
@@ -26,6 +26,7 @@
 #include <net/ip6_fib.h>
 #include <net/ip6_route.h>
 #include <net/flow.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_REJECT.h>
 
@@ -234,7 +235,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IP6T_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ipv6.proto != IPPROTO_TCP
-		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
+		    || (e->ipv6.invflags & XT_INV_PROTO)) {
 			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
 			return 0;
 		}
@@ -242,8 +243,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_target ip6t_reject_reg = {
+static struct xt_target ip6t_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET6,
 	.target		= reject6_target,
 	.targetsize	= sizeof(struct ip6t_reject_info),
 	.table		= "filter",
@@ -255,12 +257,12 @@ static struct ip6t_target ip6t_reject_re
 
 static int __init ip6t_reject_init(void)
 {
-	return ip6t_register_target(&ip6t_reject_reg);
+	return xt_register_target(&ip6t_reject_reg);
 }
 
 static void __exit ip6t_reject_fini(void)
 {
-	ip6t_unregister_target(&ip6t_reject_reg);
+	xt_unregister_target(&ip6t_reject_reg);
 }
 
 module_init(ip6t_reject_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ah.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
@@ -15,6 +15,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ah.h>
 
@@ -118,8 +119,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_ah),
 	.checkentry	= checkentry,
@@ -128,12 +130,12 @@ static struct ip6t_match ah_match = {
 
 static int __init ip6t_ah_init(void)
 {
-	return ip6t_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ip6t_ah_fini(void)
 {
-	ip6t_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ip6t_ah_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_eui64.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
@@ -12,6 +12,7 @@
 #include <linux/ipv6.h>
 #include <linux/if_ether.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
@@ -61,8 +62,9 @@ match(const struct sk_buff *skb,
 	return 0;
 }
 
-static struct ip6t_match eui64_match = {
+static struct xt_match eui64_match = {
 	.name		= "eui64",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(int),
 	.hooks		= (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
@@ -72,12 +74,12 @@ static struct ip6t_match eui64_match = {
 
 static int __init ip6t_eui64_init(void)
 {
-	return ip6t_register_match(&eui64_match);
+	return xt_register_match(&eui64_match);
 }
 
 static void __exit ip6t_eui64_fini(void)
 {
-	ip6t_unregister_match(&eui64_match);
+	xt_unregister_match(&eui64_match);
 }
 
 module_init(ip6t_eui64_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_frag.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
@@ -14,6 +14,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_frag.h>
 
@@ -135,8 +136,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match frag_match = {
+static struct xt_match frag_match = {
 	.name		= "frag",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_frag),
 	.checkentry	= checkentry,
@@ -145,12 +147,12 @@ static struct ip6t_match frag_match = {
 
 static int __init ip6t_frag_init(void)
 {
-	return ip6t_register_match(&frag_match);
+	return xt_register_match(&frag_match);
 }
 
 static void __exit ip6t_frag_fini(void)
 {
-	ip6t_unregister_match(&frag_match);
+	xt_unregister_match(&frag_match);
 }
 
 module_init(ip6t_frag_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hbh.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_opts.h>
 
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hl.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ipv6.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv6/ip6t_hl.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
 MODULE_DESCRIPTION("IP tables Hop Limit matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ip6t_match hl_match = {
+static struct xt_match hl_match = {
 	.name		= "hl",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_hl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ip6t_match hl_match = {
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_match(&hl_match);
+	return xt_register_match(&hl_match);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_match(&hl_match);
-
+	xt_unregister_match(&hl_match);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ipv6header.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -18,6 +18,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
 
@@ -140,8 +141,9 @@ ipv6header_checkentry(const char *tablen
 	return 1;
 }
 
-static struct ip6t_match ip6t_ipv6header_match = {
+static struct xt_match ip6t_ipv6header_match = {
 	.name		= "ipv6header",
+	.family		= AF_INET6,
 	.match		= &ipv6header_match,
 	.matchsize	= sizeof(struct ip6t_ipv6header_info),
 	.checkentry	= &ipv6header_checkentry,
@@ -151,12 +153,12 @@ static struct ip6t_match ip6t_ipv6header
 
 static int __init ipv6header_init(void)
 {
-	return ip6t_register_match(&ip6t_ipv6header_match);
+	return xt_register_match(&ip6t_ipv6header_match);
 }
 
 static void __exit ipv6header_exit(void)
 {
-	ip6t_unregister_match(&ip6t_ipv6header_match);
+	xt_unregister_match(&ip6t_ipv6header_match);
 }
 
 module_init(ipv6header_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_owner.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
@@ -14,8 +14,9 @@
 #include <linux/rcupdate.h>
 #include <net/sock.h>
 
-#include <linux/netfilter_ipv6/ip6t_owner.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_owner.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
 MODULE_DESCRIPTION("IP6 tables owner matching module");
@@ -69,8 +70,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_owner_info),
 	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
@@ -80,12 +82,12 @@ static struct ip6t_match owner_match = {
 
 static int __init ip6t_owner_init(void)
 {
-	return ip6t_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ip6t_owner_fini(void)
 {
-	ip6t_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ip6t_owner_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_rt.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_rt.h>
 
@@ -221,8 +222,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match rt_match = {
+static struct xt_match rt_match = {
 	.name		= "rt",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_rt),
 	.checkentry	= checkentry,
@@ -231,12 +233,12 @@ static struct ip6t_match rt_match = {
 
 static int __init ip6t_rt_init(void)
 {
-	return ip6t_register_match(&rt_match);
+	return xt_register_match(&rt_match);
 }
 
 static void __exit ip6t_rt_fini(void)
 {
-	ip6t_unregister_match(&rt_match);
+	xt_unregister_match(&rt_match);
 }
 
 module_init(ip6t_rt_init);

Re: ipt->xt [p3]

[Jan Engelhardt]

>On Jan 17 2007 13:40, Patrick McHardy wrote:
>>
>>There are not needed anymore after your change:
>
>Removing them makes your xt_TCPMSS (which I don't have yet in my working copy)
>a dependency. Anyway, here goes...
>5B
>The ipt-log-fix-return.diff has been folded into use-xt-struct.diff.


bugger this one ... i'll resend



>
>Index: linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
>===================================================================
>--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv4/ip_tables.h
>+++ linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
>@@ -272,16 +272,6 @@ ipt_get_target(struct ipt_entry *e)
> #include <linux/init.h>
> extern void ipt_init(void) __init;
> 
>-#define ipt_register_target(tgt) 	\
>-({	(tgt)->family = AF_INET;	\
>- 	xt_register_target(tgt); })
>-#define ipt_unregister_target(tgt) xt_unregister_target(tgt)
>-
>-#define ipt_register_match(mtch) 	\
>-({	(mtch)->family = AF_INET;	\
>-	xt_register_match(mtch); })
>-#define ipt_unregister_match(mtch) xt_unregister_match(mtch)
>-
> //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
> //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
> 
>Index: linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
>===================================================================
>--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv6/ip6_tables.h
>+++ linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
>@@ -286,16 +286,6 @@ ip6t_get_target(struct ip6t_entry *e)
> #include <linux/init.h>
> extern void ip6t_init(void) __init;
> 
>-#define ip6t_register_target(tgt) 		\
>-({	(tgt)->family = AF_INET6;		\
>- 	xt_register_target(tgt); })
>-#define ip6t_unregister_target(tgt) xt_unregister_target(tgt)
>-
>-#define ip6t_register_match(match)		\
>-({	(match)->family = AF_INET6;		\
>-	xt_register_match(match); })
>-#define ip6t_unregister_match(match) xt_unregister_match(match)
>-
> extern int ip6t_register_table(struct ip6t_table *table,
> 			       const struct ip6t_replace *repl);
> extern void ip6t_unregister_table(struct ip6t_table *table);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
>@@ -26,6 +26,7 @@
> 
> #include <linux/netfilter_arp.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
> #include <net/netfilter/nf_conntrack_compat.h>
>@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
> 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
> 	    && (ctinfo == IP_CT_RELATED 
> 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
>-		return IPT_CONTINUE;
>+		return XT_CONTINUE;
> 
> 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
> 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
>@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
> 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
> 	(*pskb)->pkt_type = PACKET_HOST;
> 
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int
>@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
> 	nf_ct_l3proto_module_put(target->family);
> }
> 
>-static struct ipt_target clusterip_tgt = {
>+static struct xt_target clusterip_tgt = {
> 	.name		= "CLUSTERIP",
>+	.family		= AF_INET,
> 	.target		= target,
> 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
> 	.checkentry	= checkentry,
>@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
> {
> 	int ret;
> 
>-	ret = ipt_register_target(&clusterip_tgt);
>+	ret = xt_register_target(&clusterip_tgt);
> 	if (ret < 0)
> 		return ret;
> 
>@@ -753,7 +755,7 @@ cleanup_hook:
> 	nf_unregister_hook(&cip_arp_ops);
> #endif /* CONFIG_PROC_FS */
> cleanup_target:
>-	ipt_unregister_target(&clusterip_tgt);
>+	xt_unregister_target(&clusterip_tgt);
> 	return ret;
> }
> 
>@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
> 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
> #endif
> 	nf_unregister_hook(&cip_arp_ops);
>-	ipt_unregister_target(&clusterip_tgt);
>+	xt_unregister_target(&clusterip_tgt);
> }
> 
> module_init(ipt_clusterip_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
>@@ -9,12 +9,14 @@
>  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
> */
> 
>+#include <linux/in.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
> #include <linux/tcp.h>
> #include <net/checksum.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_ECN.h>
> 
>@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
> 		if (!set_ect_tcp(pskb, einfo))
> 			return NF_DROP;
> 
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int
>@@ -119,7 +121,7 @@ checkentry(const char *tablename,
> 		return 0;
> 	}
> 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
>-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
>+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
> 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
> 		       "non-tcp rule\n");
> 		return 0;
>@@ -127,8 +129,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_target ipt_ecn_reg = {
>+static struct xt_target ipt_ecn_reg = {
> 	.name		= "ECN",
>+	.family		= AF_INET,
> 	.target		= target,
> 	.targetsize	= sizeof(struct ipt_ECN_info),
> 	.table		= "mangle",
>@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
> 
> static int __init ipt_ecn_init(void)
> {
>-	return ipt_register_target(&ipt_ecn_reg);
>+	return xt_register_target(&ipt_ecn_reg);
> }
> 
> static void __exit ipt_ecn_fini(void)
> {
>-	ipt_unregister_target(&ipt_ecn_reg);
>+	xt_unregister_target(&ipt_ecn_reg);
> }
> 
> module_init(ipt_ecn_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>@@ -20,7 +20,7 @@
> #include <net/route.h>
> 
> #include <linux/netfilter.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_LOG.h>
> 
> MODULE_LICENSE("GPL");
>@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
> 
> 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
> 	               loginfo->prefix);
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int ipt_log_checkentry(const char *tablename,
>@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
> 	return 1;
> }
> 
>-static struct ipt_target ipt_log_reg = {
>+static struct xt_target ipt_log_reg = {
> 	.name		= "LOG",
>+	.family		= AF_INET,
> 	.target		= ipt_log_target,
> 	.targetsize	= sizeof(struct ipt_log_info),
> 	.checkentry	= ipt_log_checkentry,
>@@ -471,8 +472,9 @@ static struct nf_logger ipt_log_logger =
> 
> static int __init ipt_log_init(void)
> {
>-	if (ipt_register_target(&ipt_log_reg))
>-		return -EINVAL;
>+	int ret;
>+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
>+		return ret;
> 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
> 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
> 		       "since somebody else already registered for PF_INET\n");
>@@ -486,7 +488,7 @@ static int __init ipt_log_init(void)
> static void __exit ipt_log_fini(void)
> {
> 	nf_log_unregister_logger(&ipt_log_logger);
>-	ipt_unregister_target(&ipt_log_reg);
>+	xt_unregister_target(&ipt_log_reg);
> }
> 
> module_init(ipt_log_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
>@@ -25,7 +25,7 @@
> #else
> #include <linux/netfilter_ipv4/ip_nat_rule.h>
> #endif
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
>@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
> 
> static struct ipt_target masquerade = {
> 	.name		= "MASQUERADE",
>+	.family		= AF_INET,
> 	.target		= masquerade_target,
> 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
> 	.table		= "nat",
>@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
> {
> 	int ret;
> 
>-	ret = ipt_register_target(&masquerade);
>+	ret = xt_register_target(&masquerade);
> 
> 	if (ret == 0) {
> 		/* Register for device down reports */
>@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
> 
> static void __exit ipt_masquerade_fini(void)
> {
>-	ipt_unregister_target(&masquerade);
>+	xt_unregister_target(&masquerade);
> 	unregister_netdevice_notifier(&masq_dev_notifier);
> 	unregister_inetaddr_notifier(&masq_inet_notifier);	
> }
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
>@@ -15,6 +15,7 @@
> #include <linux/netdevice.h>
> #include <linux/netfilter.h>
> #include <linux/netfilter_ipv4.h>
>+#include <linux/netfilter/x_tables.h>
> #ifdef CONFIG_NF_NAT_NEEDED
> #include <net/netfilter/nf_nat_rule.h>
> #else
>@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
> 
> static struct ipt_target target_module = { 
> 	.name 		= MODULENAME,
>+	.family		= AF_INET,
> 	.target 	= target, 
> 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
> 	.table		= "nat",
>@@ -101,12 +103,12 @@ static struct ipt_target target_module =
> 
> static int __init ipt_netmap_init(void)
> {
>-	return ipt_register_target(&target_module);
>+	return xt_register_target(&target_module);
> }
> 
> static void __exit ipt_netmap_fini(void)
> {
>-	ipt_unregister_target(&target_module);
>+	xt_unregister_target(&target_module);
> }
> 
> module_init(ipt_netmap_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
>@@ -18,6 +18,7 @@
> #include <net/protocol.h>
> #include <net/checksum.h>
> #include <linux/netfilter_ipv4.h>
>+#include <linux/netfilter/x_tables.h>
> #ifdef CONFIG_NF_NAT_NEEDED
> #include <net/netfilter/nf_nat_rule.h>
> #else
>@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
> 
> static struct ipt_target redirect_reg = {
> 	.name		= "REDIRECT",
>+	.family		= AF_INET,
> 	.target		= redirect_target,
> 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
> 	.table		= "nat",
>@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
> 
> static int __init ipt_redirect_init(void)
> {
>-	return ipt_register_target(&redirect_reg);
>+	return xt_register_target(&redirect_reg);
> }
> 
> static void __exit ipt_redirect_fini(void)
> {
>-	ipt_unregister_target(&redirect_reg);
>+	xt_unregister_target(&redirect_reg);
> }
> 
> module_init(ipt_redirect_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
>@@ -22,6 +22,7 @@
> #include <net/tcp.h>
> #include <net/route.h>
> #include <net/dst.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_REJECT.h>
> #ifdef CONFIG_BRIDGE_NETFILTER
>@@ -230,7 +231,7 @@ static int check(const char *tablename,
> 	} else if (rejinfo->with == IPT_TCP_RESET) {
> 		/* Must specify that it's a TCP packet */
> 		if (e->ip.proto != IPPROTO_TCP
>-		    || (e->ip.invflags & IPT_INV_PROTO)) {
>+		    || (e->ip.invflags & XT_INV_PROTO)) {
> 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
> 			return 0;
> 		}
>@@ -238,8 +239,9 @@ static int check(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_target ipt_reject_reg = {
>+static struct xt_target ipt_reject_reg = {
> 	.name		= "REJECT",
>+	.family		= AF_INET,
> 	.target		= reject,
> 	.targetsize	= sizeof(struct ipt_reject_info),
> 	.table		= "filter",
>@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
> 
> static int __init ipt_reject_init(void)
> {
>-	return ipt_register_target(&ipt_reject_reg);
>+	return xt_register_target(&ipt_reject_reg);
> }
> 
> static void __exit ipt_reject_fini(void)
> {
>-	ipt_unregister_target(&ipt_reject_reg);
>+	xt_unregister_target(&ipt_reject_reg);
> }
> 
> module_init(ipt_reject_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
>@@ -34,6 +34,7 @@
> #include <net/protocol.h>
> #include <net/checksum.h>
> #include <linux/netfilter_ipv4.h>
>+#include <linux/netfilter/x_tables.h>
> #ifdef CONFIG_NF_NAT_NEEDED
> #include <net/netfilter/nf_nat_rule.h>
> #else
>@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
> 	return ip_nat_setup_info(ct, &newrange, hooknum);
> }
> 
>-static struct ipt_target same_reg = { 
>+static struct xt_target same_reg = {
> 	.name		= "SAME",
>+	.family		= AF_INET,
> 	.target		= same_target,
> 	.targetsize	= sizeof(struct ipt_same_info),
> 	.table		= "nat",
>@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
> 
> static int __init ipt_same_init(void)
> {
>-	return ipt_register_target(&same_reg);
>+	return xt_register_target(&same_reg);
> }
> 
> static void __exit ipt_same_fini(void)
> {
>-	ipt_unregister_target(&same_reg);
>+	xt_unregister_target(&same_reg);
> }
> 
> module_init(ipt_same_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
>@@ -13,7 +13,7 @@
> #include <linux/ip.h>
> #include <net/checksum.h>
> 
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_TOS.h>
> 
> MODULE_LICENSE("GPL");
>@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
> 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
> 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
> 	}
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int
>@@ -63,8 +63,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_target ipt_tos_reg = {
>+static struct xt_target ipt_tos_reg = {
> 	.name		= "TOS",
>+	.family		= AF_INET,
> 	.target		= target,
> 	.targetsize	= sizeof(struct ipt_tos_target_info),
> 	.table		= "mangle",
>@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
> 
> static int __init ipt_tos_init(void)
> {
>-	return ipt_register_target(&ipt_tos_reg);
>+	return xt_register_target(&ipt_tos_reg);
> }
> 
> static void __exit ipt_tos_fini(void)
> {
>-	ipt_unregister_target(&ipt_tos_reg);
>+	xt_unregister_target(&ipt_tos_reg);
> }
> 
> module_init(ipt_tos_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
>@@ -12,7 +12,7 @@
> #include <linux/ip.h>
> #include <net/checksum.h>
> 
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_TTL.h>
> 
> MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
>@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
> 		iph->ttl = new_ttl;
> 	}
> 
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int ipt_ttl_checkentry(const char *tablename,
>@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
> 	return 1;
> }
> 
>-static struct ipt_target ipt_TTL = { 
>+static struct xt_target ipt_TTL = {
> 	.name 		= "TTL",
>+	.family		= AF_INET,
> 	.target 	= ipt_ttl_target, 
> 	.targetsize	= sizeof(struct ipt_TTL_info),
> 	.table		= "mangle",
>@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
> 
> static int __init ipt_ttl_init(void)
> {
>-	return ipt_register_target(&ipt_TTL);
>+	return xt_register_target(&ipt_TTL);
> }
> 
> static void __exit ipt_ttl_fini(void)
> {
>-	ipt_unregister_target(&ipt_TTL);
>+	xt_unregister_target(&ipt_TTL);
> }
> 
> module_init(ipt_ttl_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
>@@ -57,7 +57,7 @@
> #include <linux/mm.h>
> #include <linux/moduleparam.h>
> #include <linux/netfilter.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_ULOG.h>
> #include <net/sock.h>
> #include <linux/bitops.h>
>@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
> 	ub->qlen = 0;
> 	ub->skb = NULL;
> 	ub->lastnlh = NULL;
>-
> }
> 
> 
>@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
> 
> 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
>  
>- 	return IPT_CONTINUE;
>+ 	return XT_CONTINUE;
> }
>  
> static void ipt_logfn(unsigned int pf,
>@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
> 	return 1;
> }
> 
>-static struct ipt_target ipt_ulog_reg = {
>+static struct xt_target ipt_ulog_reg = {
> 	.name		= "ULOG",
>+	.family		= AF_INET,
> 	.target		= ipt_ulog_target,
> 	.targetsize	= sizeof(struct ipt_ulog_info),
> 	.checkentry	= ipt_ulog_checkentry,
>@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
> 
> static int __init ipt_ulog_init(void)
> {
>-	int i;
>+	int ret, i;
> 
> 	DEBUGP("ipt_ULOG: init module\n");
> 
>@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
> 	if (!nflognl)
> 		return -ENOMEM;
> 
>-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
>+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
> 		sock_release(nflognl->sk_socket);
>-		return -EINVAL;
>+		return ret;
> 	}
> 	if (nflog)
> 		nf_log_register(PF_INET, &ipt_ulog_logger);
>@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
> 
> 	if (nflog)
> 		nf_log_unregister_logger(&ipt_ulog_logger);
>-	ipt_unregister_target(&ipt_ulog_reg);
>+	xt_unregister_target(&ipt_ulog_reg);
> 	sock_release(nflognl->sk_socket);
> 
> 	/* remove pending timers and free allocated skb's */
>@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
> 			ub->skb = NULL;
> 		}
> 	}
>-
> }
> 
> module_init(ipt_ulog_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
>@@ -16,7 +16,7 @@
> #include <net/route.h>
> 
> #include <linux/netfilter_ipv4/ipt_addrtype.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
>@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
> 	return ret;
> }
> 
>-static struct ipt_match addrtype_match = {
>+static struct xt_match addrtype_match = {
> 	.name		= "addrtype",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_addrtype_info),
> 	.me		= THIS_MODULE
>@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
> 
> static int __init ipt_addrtype_init(void)
> {
>-	return ipt_register_match(&addrtype_match);
>+	return xt_register_match(&addrtype_match);
> }
> 
> static void __exit ipt_addrtype_fini(void)
> {
>-	ipt_unregister_match(&addrtype_match);
>+	xt_unregister_match(&addrtype_match);
> }
> 
> module_init(ipt_addrtype_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
>@@ -6,12 +6,13 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/in.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
> 
> #include <linux/netfilter_ipv4/ipt_ah.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
>@@ -86,8 +87,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_match ah_match = {
>+static struct xt_match ah_match = {
> 	.name		= "ah",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_ah),
> 	.proto		= IPPROTO_AH,
>@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
> 
> static int __init ipt_ah_init(void)
> {
>-	return ipt_register_match(&ah_match);
>+	return xt_register_match(&ah_match);
> }
> 
> static void __exit ipt_ah_fini(void)
> {
>-	ipt_unregister_match(&ah_match);
>+	xt_unregister_match(&ah_match);
> }
> 
> module_init(ipt_ah_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
>@@ -9,10 +9,13 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/in.h>
>+#include <linux/ip.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/tcp.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_ecn.h>
> 
>@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
> 	return 1;
> }
> 
>-static struct ipt_match ecn_match = {
>+static struct xt_match ecn_match = {
> 	.name		= "ecn",
>+	.family		= AF_INET,
>+	.proto		= IPPROTO_TCP,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_ecn_info),
> 	.checkentry	= checkentry,
>@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
> 
> static int __init ipt_ecn_init(void)
> {
>-	return ipt_register_match(&ecn_match);
>+	return xt_register_match(&ecn_match);
> }
> 
> static void __exit ipt_ecn_fini(void)
> {
>-	ipt_unregister_match(&ecn_match);
>+	xt_unregister_match(&ecn_match);
> }
> 
> module_init(ipt_ecn_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
>@@ -10,7 +10,7 @@
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_iprange.h>
> 
> MODULE_LICENSE("GPL");
>@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
> 	return 1;
> }
> 
>-static struct ipt_match iprange_match = {
>+static struct xt_match iprange_match = {
> 	.name		= "iprange",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_iprange_info),
>-	.destroy	= NULL,
> 	.me		= THIS_MODULE
> };
> 
> static int __init ipt_iprange_init(void)
> {
>-	return ipt_register_match(&iprange_match);
>+	return xt_register_match(&iprange_match);
> }
> 
> static void __exit ipt_iprange_fini(void)
> {
>-	ipt_unregister_match(&iprange_match);
>+	xt_unregister_match(&iprange_match);
> }
> 
> module_init(ipt_iprange_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
>@@ -15,7 +15,7 @@
> #include <net/sock.h>
> 
> #include <linux/netfilter_ipv4/ipt_owner.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
>@@ -68,8 +68,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_match owner_match = {
>+static struct xt_match owner_match = {
> 	.name		= "owner",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_owner_info),
> 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
>@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
> 
> static int __init ipt_owner_init(void)
> {
>-	return ipt_register_match(&owner_match);
>+	return xt_register_match(&owner_match);
> }
> 
> static void __exit ipt_owner_fini(void)
> {
>-	ipt_unregister_match(&owner_match);
>+	xt_unregister_match(&owner_match);
> }
> 
> module_init(ipt_owner_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
>@@ -12,6 +12,7 @@
>  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
>  */
> #include <linux/init.h>
>+#include <linux/ip.h>
> #include <linux/moduleparam.h>
> #include <linux/proc_fs.h>
> #include <linux/seq_file.h>
>@@ -24,7 +25,7 @@
> #include <linux/skbuff.h>
> #include <linux/inet.h>
> 
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_recent.h>
> 
> MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
>@@ -462,8 +463,9 @@ static struct file_operations recent_fop
> };
> #endif /* CONFIG_PROC_FS */
> 
>-static struct ipt_match recent_match = {
>+static struct xt_match recent_match = {
> 	.name		= "recent",
>+	.family		= AF_INET,
> 	.match		= ipt_recent_match,
> 	.matchsize	= sizeof(struct ipt_recent_info),
> 	.checkentry	= ipt_recent_checkentry,
>@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
> 		return -EINVAL;
> 	ip_list_hash_size = 1 << fls(ip_list_tot);
> 
>-	err = ipt_register_match(&recent_match);
>+	err = xt_register_match(&recent_match);
> #ifdef CONFIG_PROC_FS
> 	if (err)
> 		return err;
> 	proc_dir = proc_mkdir("ipt_recent", proc_net);
> 	if (proc_dir == NULL) {
>-		ipt_unregister_match(&recent_match);
>+		xt_unregister_match(&recent_match);
> 		err = -ENOMEM;
> 	}
> #endif
>@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
> static void __exit ipt_recent_exit(void)
> {
> 	BUG_ON(!list_empty(&tables));
>-	ipt_unregister_match(&recent_match);
>+	xt_unregister_match(&recent_match);
> #ifdef CONFIG_PROC_FS
> 	remove_proc_entry("ipt_recent", proc_net);
> #endif
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
>@@ -8,11 +8,12 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/ip.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> 
> #include <linux/netfilter_ipv4/ipt_tos.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_DESCRIPTION("iptables TOS match module");
>@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
> 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
> }
> 
>-static struct ipt_match tos_match = {
>+static struct xt_match tos_match = {
> 	.name		= "tos",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_tos_info),
> 	.me		= THIS_MODULE,
>@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
> 
> static int __init ipt_multiport_init(void)
> {
>-	return ipt_register_match(&tos_match);
>+	return xt_register_match(&tos_match);
> }
> 
> static void __exit ipt_multiport_fini(void)
> {
>-	ipt_unregister_match(&tos_match);
>+	xt_unregister_match(&tos_match);
> }
> 
> module_init(ipt_multiport_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
>@@ -9,11 +9,12 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/ip.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> 
> #include <linux/netfilter_ipv4/ipt_ttl.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
> MODULE_DESCRIPTION("IP tables TTL matching module");
>@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
> 	return 0;
> }
> 
>-static struct ipt_match ttl_match = {
>+static struct xt_match ttl_match = {
> 	.name		= "ttl",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_ttl_info),
> 	.me		= THIS_MODULE,
>@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
> 
> static int __init ipt_ttl_init(void)
> {
>-	return ipt_register_match(&ttl_match);
>+	return xt_register_match(&ttl_match);
> }
> 
> static void __exit ipt_ttl_fini(void)
> {
>-	ipt_unregister_match(&ttl_match);
>-
>+	xt_unregister_match(&ttl_match);
> }
> 
> module_init(ipt_ttl_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_HL.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
>@@ -9,12 +9,13 @@
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
>+#include <linux/ipv6.h>
> 
>-#include <linux/netfilter_ipv6/ip6_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6t_HL.h>
> 
> MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
>-MODULE_DESCRIPTION("IP tables Hop Limit modification module");
>+MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
> MODULE_LICENSE("GPL");
> 
> static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
>@@ -55,7 +56,7 @@ static unsigned int ip6t_hl_target(struc
> 	if (new_hl != ip6h->hop_limit)
> 		ip6h->hop_limit = new_hl;
> 
>-	return IP6T_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int ip6t_hl_checkentry(const char *tablename,
>@@ -79,8 +80,9 @@ static int ip6t_hl_checkentry(const char
> 	return 1;
> }
> 
>-static struct ip6t_target ip6t_HL = { 
>+static struct xt_target ip6t_HL = {
> 	.name 		= "HL", 
>+	.family		= AF_INET6,
> 	.target		= ip6t_hl_target, 
> 	.targetsize	= sizeof(struct ip6t_HL_info),
> 	.table		= "mangle",
>@@ -90,12 +92,12 @@ static struct ip6t_target ip6t_HL = { 
> 
> static int __init ip6t_hl_init(void)
> {
>-	return ip6t_register_target(&ip6t_HL);
>+	return xt_register_target(&ip6t_HL);
> }
> 
> static void __exit ip6t_hl_fini(void)
> {
>-	ip6t_unregister_target(&ip6t_HL);
>+	xt_unregister_target(&ip6t_HL);
> }
> 
> module_init(ip6t_hl_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
>@@ -21,6 +21,7 @@
> #include <net/tcp.h>
> #include <net/ipv6.h>
> #include <linux/netfilter.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> 
> MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
>@@ -442,7 +443,7 @@ ip6t_log_target(struct sk_buff **pskb,
> 
> 	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
> 	                loginfo->prefix);
>-	return IP6T_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> 
>@@ -466,8 +467,9 @@ static int ip6t_log_checkentry(const cha
> 	return 1;
> }
> 
>-static struct ip6t_target ip6t_log_reg = {
>+static struct xt_target ip6t_log_reg = {
> 	.name 		= "LOG",
>+	.family		= AF_INET6,
> 	.target 	= ip6t_log_target, 
> 	.targetsize	= sizeof(struct ip6t_log_info),
> 	.checkentry	= ip6t_log_checkentry, 
>@@ -482,8 +484,9 @@ static struct nf_logger ip6t_logger = {
> 
> static int __init ip6t_log_init(void)
> {
>-	if (ip6t_register_target(&ip6t_log_reg))
>-		return -EINVAL;
>+	int ret;
>+	if ((ret = xt_register_target(&ip6t_log_reg)) < 0)
>+		return ret;
> 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
> 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
> 		       "since somebody else already registered for PF_INET6\n");
>@@ -497,7 +500,7 @@ static int __init ip6t_log_init(void)
> static void __exit ip6t_log_fini(void)
> {
> 	nf_log_unregister_logger(&ip6t_logger);
>-	ip6t_unregister_target(&ip6t_log_reg);
>+	xt_unregister_target(&ip6t_log_reg);
> }
> 
> module_init(ip6t_log_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_REJECT.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
>@@ -26,6 +26,7 @@
> #include <net/ip6_fib.h>
> #include <net/ip6_route.h>
> #include <net/flow.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_REJECT.h>
> 
>@@ -234,7 +235,7 @@ static int check(const char *tablename,
> 	} else if (rejinfo->with == IP6T_TCP_RESET) {
> 		/* Must specify that it's a TCP packet */
> 		if (e->ipv6.proto != IPPROTO_TCP
>-		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
>+		    || (e->ipv6.invflags & XT_INV_PROTO)) {
> 			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
> 			return 0;
> 		}
>@@ -242,8 +243,9 @@ static int check(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_target ip6t_reject_reg = {
>+static struct xt_target ip6t_reject_reg = {
> 	.name		= "REJECT",
>+	.family		= AF_INET6,
> 	.target		= reject6_target,
> 	.targetsize	= sizeof(struct ip6t_reject_info),
> 	.table		= "filter",
>@@ -255,12 +257,12 @@ static struct ip6t_target ip6t_reject_re
> 
> static int __init ip6t_reject_init(void)
> {
>-	return ip6t_register_target(&ip6t_reject_reg);
>+	return xt_register_target(&ip6t_reject_reg);
> }
> 
> static void __exit ip6t_reject_fini(void)
> {
>-	ip6t_unregister_target(&ip6t_reject_reg);
>+	xt_unregister_target(&ip6t_reject_reg);
> }
> 
> module_init(ip6t_reject_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ah.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
>@@ -15,6 +15,7 @@
> #include <net/checksum.h>
> #include <net/ipv6.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_ah.h>
> 
>@@ -118,8 +119,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match ah_match = {
>+static struct xt_match ah_match = {
> 	.name		= "ah",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_ah),
> 	.checkentry	= checkentry,
>@@ -128,12 +130,12 @@ static struct ip6t_match ah_match = {
> 
> static int __init ip6t_ah_init(void)
> {
>-	return ip6t_register_match(&ah_match);
>+	return xt_register_match(&ah_match);
> }
> 
> static void __exit ip6t_ah_fini(void)
> {
>-	ip6t_unregister_match(&ah_match);
>+	xt_unregister_match(&ah_match);
> }
> 
> module_init(ip6t_ah_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_eui64.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
>@@ -12,6 +12,7 @@
> #include <linux/ipv6.h>
> #include <linux/if_ether.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> 
> MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
>@@ -61,8 +62,9 @@ match(const struct sk_buff *skb,
> 	return 0;
> }
> 
>-static struct ip6t_match eui64_match = {
>+static struct xt_match eui64_match = {
> 	.name		= "eui64",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(int),
> 	.hooks		= (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
>@@ -72,12 +74,12 @@ static struct ip6t_match eui64_match = {
> 
> static int __init ip6t_eui64_init(void)
> {
>-	return ip6t_register_match(&eui64_match);
>+	return xt_register_match(&eui64_match);
> }
> 
> static void __exit ip6t_eui64_fini(void)
> {
>-	ip6t_unregister_match(&eui64_match);
>+	xt_unregister_match(&eui64_match);
> }
> 
> module_init(ip6t_eui64_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_frag.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
>@@ -14,6 +14,7 @@
> #include <net/checksum.h>
> #include <net/ipv6.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_frag.h>
> 
>@@ -135,8 +136,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match frag_match = {
>+static struct xt_match frag_match = {
> 	.name		= "frag",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_frag),
> 	.checkentry	= checkentry,
>@@ -145,12 +147,12 @@ static struct ip6t_match frag_match = {
> 
> static int __init ip6t_frag_init(void)
> {
>-	return ip6t_register_match(&frag_match);
>+	return xt_register_match(&frag_match);
> }
> 
> static void __exit ip6t_frag_fini(void)
> {
>-	ip6t_unregister_match(&frag_match);
>+	xt_unregister_match(&frag_match);
> }
> 
> module_init(ip6t_frag_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hbh.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
>@@ -16,6 +16,7 @@
> 
> #include <asm/byteorder.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_opts.h>
> 
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hl.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
>@@ -8,11 +8,12 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/ipv6.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> 
> #include <linux/netfilter_ipv6/ip6t_hl.h>
>-#include <linux/netfilter_ipv6/ip6_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
> MODULE_DESCRIPTION("IP tables Hop Limit matching module");
>@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
> 	return 0;
> }
> 
>-static struct ip6t_match hl_match = {
>+static struct xt_match hl_match = {
> 	.name		= "hl",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_hl_info),
> 	.me		= THIS_MODULE,
>@@ -57,13 +59,12 @@ static struct ip6t_match hl_match = {
> 
> static int __init ip6t_hl_init(void)
> {
>-	return ip6t_register_match(&hl_match);
>+	return xt_register_match(&hl_match);
> }
> 
> static void __exit ip6t_hl_fini(void)
> {
>-	ip6t_unregister_match(&hl_match);
>-
>+	xt_unregister_match(&hl_match);
> }
> 
> module_init(ip6t_hl_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ipv6header.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
>@@ -18,6 +18,7 @@
> #include <net/checksum.h>
> #include <net/ipv6.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
> 
>@@ -140,8 +141,9 @@ ipv6header_checkentry(const char *tablen
> 	return 1;
> }
> 
>-static struct ip6t_match ip6t_ipv6header_match = {
>+static struct xt_match ip6t_ipv6header_match = {
> 	.name		= "ipv6header",
>+	.family		= AF_INET6,
> 	.match		= &ipv6header_match,
> 	.matchsize	= sizeof(struct ip6t_ipv6header_info),
> 	.checkentry	= &ipv6header_checkentry,
>@@ -151,12 +153,12 @@ static struct ip6t_match ip6t_ipv6header
> 
> static int __init ipv6header_init(void)
> {
>-	return ip6t_register_match(&ip6t_ipv6header_match);
>+	return xt_register_match(&ip6t_ipv6header_match);
> }
> 
> static void __exit ipv6header_exit(void)
> {
>-	ip6t_unregister_match(&ip6t_ipv6header_match);
>+	xt_unregister_match(&ip6t_ipv6header_match);
> }
> 
> module_init(ipv6header_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_owner.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
>@@ -14,8 +14,9 @@
> #include <linux/rcupdate.h>
> #include <net/sock.h>
> 
>-#include <linux/netfilter_ipv6/ip6t_owner.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
>+#include <linux/netfilter_ipv6/ip6t_owner.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
> MODULE_DESCRIPTION("IP6 tables owner matching module");
>@@ -69,8 +70,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match owner_match = {
>+static struct xt_match owner_match = {
> 	.name		= "owner",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_owner_info),
> 	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
>@@ -80,12 +82,12 @@ static struct ip6t_match owner_match = {
> 
> static int __init ip6t_owner_init(void)
> {
>-	return ip6t_register_match(&owner_match);
>+	return xt_register_match(&owner_match);
> }
> 
> static void __exit ip6t_owner_fini(void)
> {
>-	ip6t_unregister_match(&owner_match);
>+	xt_unregister_match(&owner_match);
> }
> 
> module_init(ip6t_owner_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_rt.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
>@@ -16,6 +16,7 @@
> 
> #include <asm/byteorder.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_rt.h>
> 
>@@ -221,8 +222,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match rt_match = {
>+static struct xt_match rt_match = {
> 	.name		= "rt",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_rt),
> 	.checkentry	= checkentry,
>@@ -231,12 +233,12 @@ static struct ip6t_match rt_match = {
> 
> static int __init ip6t_rt_init(void)
> {
>-	return ip6t_register_match(&rt_match);
>+	return xt_register_match(&rt_match);
> }
> 
> static void __exit ip6t_rt_fini(void)
> {
>-	ip6t_unregister_match(&rt_match);
>+	xt_unregister_match(&rt_match);
> }
> 
> module_init(ip6t_rt_init);
>
>
>
>

	-`J'
-- 

[PATCH 1/3] Fix return values for LOG and ULOG

[Jan Engelhardt]

[PATCH 1/3] Fix return values for LOG and ULOG

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -471,8 +471,9 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ipt_register_target(&ipt_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET\n");
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
 
 static int __init ipt_ulog_init(void)
 {
-	int i;
+	int ret, i;
 
 	DEBUGP("ipt_ULOG: init module\n");
 
@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if ((ret = ipt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
-		return -EINVAL;
+		return ret;
 	}
 	if (nflog)
 		nf_log_register(PF_INET, &ipt_ulog_logger);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
@@ -482,8 +482,9 @@ static struct nf_logger ip6t_logger = {
 
 static int __init ip6t_log_init(void)
 {
-	if (ip6t_register_target(&ip6t_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ip6t_register_target(&ip6t_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET6\n");

[PATCH 2/3] XT: xt_match and xt_target

[Jan Engelhardt]

[PATCH 2/3] XT: xt_match and xt_target

BTW, ip_nat_rule.c <-> nf_nat_rule.c seems to be an almost identical
copy. Schedule one for removal?

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17

Index: linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv4/ip_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
@@ -29,8 +29,6 @@
 
 #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define ipt_match xt_match
-#define ipt_target xt_target
 #define ipt_table xt_table
 #define ipt_get_revision xt_get_revision
 
@@ -272,16 +270,6 @@ ipt_get_target(struct ipt_entry *e)
 #include <linux/init.h>
 extern void ipt_init(void) __init;
 
-#define ipt_register_target(tgt) 	\
-({	(tgt)->family = AF_INET;	\
- 	xt_register_target(tgt); })
-#define ipt_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ipt_register_match(mtch) 	\
-({	(mtch)->family = AF_INET;	\
-	xt_register_match(mtch); })
-#define ipt_unregister_match(mtch) xt_unregister_match(mtch)
-
 //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
 //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
 
@@ -290,7 +278,7 @@ extern int ipt_register_table(struct ipt
 extern void ipt_unregister_table(struct ipt_table *table);
 
 /* net/sched/ipt.c: Gimme access to your targets!  Gets target->me. */
-extern struct ipt_target *ipt_find_target(const char *name, u8 revision);
+extern struct xt_target *ipt_find_target(const char *name, u8 revision);
 
 /* Standard entry. */
 struct ipt_standard
Index: linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv6/ip6_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
@@ -29,9 +29,6 @@
 
 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-
-#define ip6t_match xt_match
-#define ip6t_target xt_target
 #define ip6t_table xt_table
 #define ip6t_get_revision xt_get_revision
 
@@ -286,16 +283,6 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
-#define ip6t_register_target(tgt) 		\
-({	(tgt)->family = AF_INET6;		\
- 	xt_register_target(tgt); })
-#define ip6t_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ip6t_register_match(match)		\
-({	(match)->family = AF_INET6;		\
-	xt_register_match(match); })
-#define ip6t_unregister_match(match) xt_unregister_match(match)
-
 extern int ip6t_register_table(struct ip6t_table *table,
 			       const struct ip6t_replace *repl);
 extern void ip6t_unregister_table(struct ip6t_table *table);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ip_nat_rule.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ip_nat_rule.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ip_nat_rule.c
@@ -99,7 +99,7 @@ static unsigned int ipt_snat_target(stru
 				    const struct net_device *in,
 				    const struct net_device *out,
 				    unsigned int hooknum,
-				    const struct ipt_target *target,
+				    const struct xt_target *target,
 				    const void *targinfo)
 {
 	struct ip_conntrack *ct;
@@ -141,7 +141,7 @@ static unsigned int ipt_dnat_target(stru
 				    const struct net_device *in,
 				    const struct net_device *out,
 				    unsigned int hooknum,
-				    const struct ipt_target *target,
+				    const struct xt_target *target,
 				    const void *targinfo)
 {
 	struct ip_conntrack *ct;
@@ -166,7 +166,7 @@ static unsigned int ipt_dnat_target(stru
 
 static int ipt_snat_checkentry(const char *tablename,
 			       const void *entry,
-			       const struct ipt_target *target,
+			       const struct xt_target *target,
 			       void *targinfo,
 			       unsigned int hook_mask)
 {
@@ -182,7 +182,7 @@ static int ipt_snat_checkentry(const cha
 
 static int ipt_dnat_checkentry(const char *tablename,
 			       const void *entry,
-			       const struct ipt_target *target,
+			       const struct xt_target *target,
 			       void *targinfo,
 			       unsigned int hook_mask)
 {
@@ -257,8 +257,9 @@ int ip_nat_rule_find(struct sk_buff **ps
 	return ret;
 }
 
-static struct ipt_target ipt_snat_reg = {
+static struct xt_target ipt_snat_reg = {
 	.name		= "SNAT",
+	.family		= AF_INET,
 	.target		= ipt_snat_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -266,8 +267,9 @@ static struct ipt_target ipt_snat_reg = 
 	.checkentry	= ipt_snat_checkentry,
 };
 
-static struct ipt_target ipt_dnat_reg = {
+static struct xt_target ipt_dnat_reg = {
 	.name		= "DNAT",
+	.family		= AF_INET,
 	.target		= ipt_dnat_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -282,27 +284,27 @@ int __init ip_nat_rule_init(void)
 	ret = ipt_register_table(&nat_table, &nat_initial_table.repl);
 	if (ret != 0)
 		return ret;
-	ret = ipt_register_target(&ipt_snat_reg);
+	ret = xt_register_target(&ipt_snat_reg);
 	if (ret != 0)
 		goto unregister_table;
 
-	ret = ipt_register_target(&ipt_dnat_reg);
+	ret = xt_register_target(&ipt_dnat_reg);
 	if (ret != 0)
 		goto unregister_snat;
 
 	return ret;
 
  unregister_snat:
-	ipt_unregister_target(&ipt_snat_reg);
+	xt_unregister_target(&ipt_snat_reg);
  unregister_table:
-	ipt_unregister_table(&nat_table);
+	xt_unregister_table(&nat_table);
 
 	return ret;
 }
 
 void ip_nat_rule_cleanup(void)
 {
-	ipt_unregister_target(&ipt_dnat_reg);
-	ipt_unregister_target(&ipt_snat_reg);
+	xt_unregister_target(&ipt_dnat_reg);
+	xt_unregister_target(&ipt_snat_reg);
 	ipt_unregister_table(&nat_table);
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ip_tables.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ip_tables.c
@@ -507,7 +507,7 @@ check_entry(struct ipt_entry *e, const c
 static inline int check_match(struct ipt_entry_match *m, const char *name,
 				const struct ipt_ip *ip, unsigned int hookmask)
 {
-	struct ipt_match *match;
+	struct xt_match *match;
 	int ret;
 
 	match = m->u.kernel.match;
@@ -531,7 +531,7 @@ find_check_match(struct ipt_entry_match 
 	    unsigned int hookmask,
 	    unsigned int *i)
 {
-	struct ipt_match *match;
+	struct xt_match *match;
 	int ret;
 
 	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
@@ -557,7 +557,7 @@ err:
 static inline int check_target(struct ipt_entry *e, const char *name)
 {
  	struct ipt_entry_target *t;
- 	struct ipt_target *target;
+ 	struct xt_target *target;
  	int ret;
 
 	t = ipt_get_target(e);
@@ -580,7 +580,7 @@ find_check_entry(struct ipt_entry *e, co
 	    unsigned int *i)
 {
 	struct ipt_entry_target *t;
-	struct ipt_target *target;
+	struct xt_target *target;
 	int ret;
 	unsigned int j;
 
@@ -1437,7 +1437,7 @@ compat_check_calc_match(struct ipt_entry
 	    unsigned int hookmask,
 	    int *size, int *i)
 {
-	struct ipt_match *match;
+	struct xt_match *match;
 
 	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
 						   m->u.user.revision),
@@ -1466,7 +1466,7 @@ check_compat_entry_size_and_hooks(struct
 			   const char *name)
 {
 	struct ipt_entry_target *t;
-	struct ipt_target *target;
+	struct xt_target *target;
 	unsigned int entry_offset;
 	int ret, off, h, j;
 
@@ -1550,7 +1550,7 @@ static int compat_copy_entry_from_user(s
 	struct xt_table_info *newinfo, unsigned char *base)
 {
 	struct ipt_entry_target *t;
-	struct ipt_target *target;
+	struct xt_target *target;
 	struct ipt_entry *de;
 	unsigned int origsize;
 	int ret, h;
@@ -2124,7 +2124,7 @@ icmp_checkentry(const char *tablename,
 }
 
 /* The built-in targets: standard (NULL) and error. */
-static struct ipt_target ipt_standard_target = {
+static struct xt_target ipt_standard_target = {
 	.name		= IPT_STANDARD_TARGET,
 	.targetsize	= sizeof(int),
 	.family		= AF_INET,
@@ -2135,7 +2135,7 @@ static struct ipt_target ipt_standard_ta
 #endif
 };
 
-static struct ipt_target ipt_error_target = {
+static struct xt_target ipt_error_target = {
 	.name		= IPT_ERROR_TARGET,
 	.target		= ipt_error,
 	.targetsize	= IPT_FUNCTION_MAXNAMELEN,
@@ -2158,7 +2158,7 @@ static struct nf_sockopt_ops ipt_sockopt
 #endif
 };
 
-static struct ipt_match icmp_matchstruct = {
+static struct xt_match icmp_matchstruct = {
 	.name		= "icmp",
 	.match		= icmp_match,
 	.matchsize	= sizeof(struct ipt_icmp),
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,12 +9,14 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,7 +20,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -472,7 +473,7 @@ static struct nf_logger ipt_log_logger =
 static int __init ipt_log_init(void)
 {
 	int ret;
-	if ((ret = ipt_register_target(&ipt_log_reg)) < 0)
+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
 		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
@@ -487,7 +488,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -190,8 +190,9 @@ static struct notifier_block masq_inet_n
 	.notifier_call	= masq_inet_event,
 };
 
-static struct ipt_target masquerade = {
+static struct xt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -88,8 +89,9 @@ target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target target_module = { 
+static struct xt_target target_module = {
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -104,8 +105,9 @@ redirect_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target redirect_reg = {
+static struct xt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TCPMSS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TCPMSS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TCPMSS.c
@@ -14,6 +14,7 @@
 #include <linux/ip.h>
 #include <net/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_TCPMSS.h>
 
@@ -74,7 +75,7 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 				printk(KERN_ERR "ipt_tcpmss_target: "
 				       "unknown or invalid path-MTU (%d)\n",
 				       dst_mtu((*pskb)->dst));
-			return NF_DROP; /* or IPT_CONTINUE ?? */
+			return NF_DROP; /* or XT_CONTINUE ?? */
 		}
 
 		newmss = dst_mtu((*pskb)->dst) - sizeof(struct iphdr) -
@@ -92,14 +93,14 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 
 			if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU &&
 			    oldmss <= newmss)
-				return IPT_CONTINUE;
+				return XT_CONTINUE;
 
 			opt[i+2] = (newmss & 0xff00) >> 8;
 			opt[i+3] = (newmss & 0x00ff);
 
 			nf_proto_csum_replace2(&tcph->check, *pskb,
 						htons(oldmss), htons(newmss), 0);
-			return IPT_CONTINUE;
+			return XT_CONTINUE;
 		}
 	}
 
@@ -141,7 +142,7 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 	newtotlen = htons(ntohs(iph->tot_len) + TCPOLEN_MSS);
 	nf_csum_replace2(&iph->check, iph->tot_len, newtotlen);
 	iph->tot_len = newtotlen;
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 #define TH_SYN 0x02
@@ -184,8 +185,9 @@ ipt_tcpmss_checkentry(const char *tablen
 	return 0;
 }
 
-static struct ipt_target ipt_tcpmss_reg = {
+static struct xt_target ipt_tcpmss_reg = {
 	.name		= "TCPMSS",
+	.family		= AF_INET,
 	.target		= ipt_tcpmss_target,
 	.targetsize	= sizeof(struct ipt_tcpmss_info),
 	.proto		= IPPROTO_TCP,
@@ -195,12 +197,12 @@ static struct ipt_target ipt_tcpmss_reg 
 
 static int __init ipt_tcpmss_init(void)
 {
-	return ipt_register_target(&ipt_tcpmss_reg);
+	return xt_register_target(&ipt_tcpmss_reg);
 }
 
 static void __exit ipt_tcpmss_fini(void)
 {
-	ipt_unregister_target(&ipt_tcpmss_reg);
+	xt_unregister_target(&ipt_tcpmss_reg);
 }
 
 module_init(ipt_tcpmss_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,7 +13,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,7 +12,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,7 +57,7 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if ((ret = ipt_register_target(&ipt_ulog_reg)) != 0) {
+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
 		return ret;
 	}
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,7 +16,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,12 +6,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,10 +9,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
@@ -109,8 +112,9 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +123,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,7 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,7 +15,7 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,7 +25,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("iptables TOS match module");
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,11 +9,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("IP tables TTL matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/nf_nat_rule.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/nf_nat_rule.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/nf_nat_rule.c
@@ -290,7 +290,7 @@ int nf_nat_rule_find(struct sk_buff **ps
 	return ret;
 }
 
-static struct ipt_target ipt_snat_reg = {
+static struct xt_target ipt_snat_reg = {
 	.name		= "SNAT",
 	.target		= ipt_snat_target,
 	.targetsize	= sizeof(struct nf_nat_multi_range_compat),
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6_tables.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6_tables.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6_tables.c
@@ -530,7 +530,7 @@ check_match(struct ip6t_entry_match *m,
 	    unsigned int hookmask,
 	    unsigned int *i)
 {
-	struct ip6t_match *match;
+	struct xt_match *match;
 	int ret;
 
 	match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
@@ -564,14 +564,14 @@ err:
 	return ret;
 }
 
-static struct ip6t_target ip6t_standard_target;
+static struct xt_target ip6t_standard_target;
 
 static inline int
 check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
 	    unsigned int *i)
 {
 	struct ip6t_entry_target *t;
-	struct ip6t_target *target;
+	struct xt_target *target;
 	int ret;
 	unsigned int j;
 
@@ -1348,13 +1348,13 @@ icmp6_checkentry(const char *tablename,
 }
 
 /* The built-in targets: standard (NULL) and error. */
-static struct ip6t_target ip6t_standard_target = {
+static struct xt_target ip6t_standard_target = {
 	.name		= IP6T_STANDARD_TARGET,
 	.targetsize	= sizeof(int),
 	.family		= AF_INET6,
 };
 
-static struct ip6t_target ip6t_error_target = {
+static struct xt_target ip6t_error_target = {
 	.name		= IP6T_ERROR_TARGET,
 	.target		= ip6t_error,
 	.targetsize	= IP6T_FUNCTION_MAXNAMELEN,
@@ -1371,7 +1371,7 @@ static struct nf_sockopt_ops ip6t_sockop
 	.get		= do_ip6t_get_ctl,
 };
 
-static struct ip6t_match icmp6_matchstruct = {
+static struct xt_match icmp6_matchstruct = {
 	.name		= "icmp6",
 	.match		= &icmp6_match,
 	.matchsize	= sizeof(struct ip6t_icmp),
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_HL.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
@@ -9,12 +9,13 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6t_HL.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP tables Hop Limit modification module");
+MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
 MODULE_LICENSE("GPL");
 
 static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
@@ -55,7 +56,7 @@ static unsigned int ip6t_hl_target(struc
 	if (new_hl != ip6h->hop_limit)
 		ip6h->hop_limit = new_hl;
 
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ip6t_hl_checkentry(const char *tablename,
@@ -79,8 +80,9 @@ static int ip6t_hl_checkentry(const char
 	return 1;
 }
 
-static struct ip6t_target ip6t_HL = { 
+static struct xt_target ip6t_HL = {
 	.name 		= "HL", 
+	.family		= AF_INET6,
 	.target		= ip6t_hl_target, 
 	.targetsize	= sizeof(struct ip6t_HL_info),
 	.table		= "mangle",
@@ -90,12 +92,12 @@ static struct ip6t_target ip6t_HL = { 
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_target(&ip6t_HL);
+	return xt_register_target(&ip6t_HL);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_target(&ip6t_HL);
+	xt_unregister_target(&ip6t_HL);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
@@ -21,6 +21,7 @@
 #include <net/tcp.h>
 #include <net/ipv6.h>
 #include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
@@ -442,7 +443,7 @@ ip6t_log_target(struct sk_buff **pskb,
 
 	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
 	                loginfo->prefix);
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 
@@ -466,8 +467,9 @@ static int ip6t_log_checkentry(const cha
 	return 1;
 }
 
-static struct ip6t_target ip6t_log_reg = {
+static struct xt_target ip6t_log_reg = {
 	.name 		= "LOG",
+	.family		= AF_INET6,
 	.target 	= ip6t_log_target, 
 	.targetsize	= sizeof(struct ip6t_log_info),
 	.checkentry	= ip6t_log_checkentry, 
@@ -483,7 +485,7 @@ static struct nf_logger ip6t_logger = {
 static int __init ip6t_log_init(void)
 {
 	int ret;
-	if ((ret = ip6t_register_target(&ip6t_log_reg)) < 0)
+	if ((ret = xt_register_target(&ip6t_log_reg)) < 0)
 		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
@@ -498,7 +500,7 @@ static int __init ip6t_log_init(void)
 static void __exit ip6t_log_fini(void)
 {
 	nf_log_unregister_logger(&ip6t_logger);
-	ip6t_unregister_target(&ip6t_log_reg);
+	xt_unregister_target(&ip6t_log_reg);
 }
 
 module_init(ip6t_log_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_REJECT.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
@@ -26,6 +26,7 @@
 #include <net/ip6_fib.h>
 #include <net/ip6_route.h>
 #include <net/flow.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_REJECT.h>
 
@@ -234,7 +235,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IP6T_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ipv6.proto != IPPROTO_TCP
-		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
+		    || (e->ipv6.invflags & XT_INV_PROTO)) {
 			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
 			return 0;
 		}
@@ -242,8 +243,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_target ip6t_reject_reg = {
+static struct xt_target ip6t_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET6,
 	.target		= reject6_target,
 	.targetsize	= sizeof(struct ip6t_reject_info),
 	.table		= "filter",
@@ -255,12 +257,12 @@ static struct ip6t_target ip6t_reject_re
 
 static int __init ip6t_reject_init(void)
 {
-	return ip6t_register_target(&ip6t_reject_reg);
+	return xt_register_target(&ip6t_reject_reg);
 }
 
 static void __exit ip6t_reject_fini(void)
 {
-	ip6t_unregister_target(&ip6t_reject_reg);
+	xt_unregister_target(&ip6t_reject_reg);
 }
 
 module_init(ip6t_reject_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ah.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
@@ -15,6 +15,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ah.h>
 
@@ -118,8 +119,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_ah),
 	.checkentry	= checkentry,
@@ -128,12 +130,12 @@ static struct ip6t_match ah_match = {
 
 static int __init ip6t_ah_init(void)
 {
-	return ip6t_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ip6t_ah_fini(void)
 {
-	ip6t_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ip6t_ah_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_eui64.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
@@ -12,6 +12,7 @@
 #include <linux/ipv6.h>
 #include <linux/if_ether.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
@@ -61,8 +62,9 @@ match(const struct sk_buff *skb,
 	return 0;
 }
 
-static struct ip6t_match eui64_match = {
+static struct xt_match eui64_match = {
 	.name		= "eui64",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(int),
 	.hooks		= (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
@@ -72,12 +74,12 @@ static struct ip6t_match eui64_match = {
 
 static int __init ip6t_eui64_init(void)
 {
-	return ip6t_register_match(&eui64_match);
+	return xt_register_match(&eui64_match);
 }
 
 static void __exit ip6t_eui64_fini(void)
 {
-	ip6t_unregister_match(&eui64_match);
+	xt_unregister_match(&eui64_match);
 }
 
 module_init(ip6t_eui64_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_frag.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
@@ -14,6 +14,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_frag.h>
 
@@ -135,8 +136,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match frag_match = {
+static struct xt_match frag_match = {
 	.name		= "frag",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_frag),
 	.checkentry	= checkentry,
@@ -145,12 +147,12 @@ static struct ip6t_match frag_match = {
 
 static int __init ip6t_frag_init(void)
 {
-	return ip6t_register_match(&frag_match);
+	return xt_register_match(&frag_match);
 }
 
 static void __exit ip6t_frag_fini(void)
 {
-	ip6t_unregister_match(&frag_match);
+	xt_unregister_match(&frag_match);
 }
 
 module_init(ip6t_frag_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hbh.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_opts.h>
 
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hl.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ipv6.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv6/ip6t_hl.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
 MODULE_DESCRIPTION("IP tables Hop Limit matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ip6t_match hl_match = {
+static struct xt_match hl_match = {
 	.name		= "hl",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_hl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ip6t_match hl_match = {
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_match(&hl_match);
+	return xt_register_match(&hl_match);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_match(&hl_match);
-
+	xt_unregister_match(&hl_match);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ipv6header.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -18,6 +18,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
 
@@ -140,8 +141,9 @@ ipv6header_checkentry(const char *tablen
 	return 1;
 }
 
-static struct ip6t_match ip6t_ipv6header_match = {
+static struct xt_match ip6t_ipv6header_match = {
 	.name		= "ipv6header",
+	.family		= AF_INET6,
 	.match		= &ipv6header_match,
 	.matchsize	= sizeof(struct ip6t_ipv6header_info),
 	.checkentry	= &ipv6header_checkentry,
@@ -151,12 +153,12 @@ static struct ip6t_match ip6t_ipv6header
 
 static int __init ipv6header_init(void)
 {
-	return ip6t_register_match(&ip6t_ipv6header_match);
+	return xt_register_match(&ip6t_ipv6header_match);
 }
 
 static void __exit ipv6header_exit(void)
 {
-	ip6t_unregister_match(&ip6t_ipv6header_match);
+	xt_unregister_match(&ip6t_ipv6header_match);
 }
 
 module_init(ipv6header_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_owner.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
@@ -16,6 +16,7 @@
 
 #include <linux/netfilter_ipv6/ip6t_owner.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
 MODULE_DESCRIPTION("IP6 tables owner matching module");
@@ -69,8 +70,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_owner_info),
 	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
@@ -80,12 +82,12 @@ static struct ip6t_match owner_match = {
 
 static int __init ip6t_owner_init(void)
 {
-	return ip6t_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ip6t_owner_fini(void)
 {
-	ip6t_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ip6t_owner_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_rt.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_rt.h>
 
@@ -221,8 +222,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match rt_match = {
+static struct xt_match rt_match = {
 	.name		= "rt",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_rt),
 	.checkentry	= checkentry,
@@ -231,12 +233,12 @@ static struct ip6t_match rt_match = {
 
 static int __init ip6t_rt_init(void)
 {
-	return ip6t_register_match(&rt_match);
+	return xt_register_match(&rt_match);
 }
 
 static void __exit ip6t_rt_fini(void)
 {
-	ip6t_unregister_match(&rt_match);
+	xt_unregister_match(&rt_match);
 }
 
 module_init(ip6t_rt_init);

[PATCH 3/3] XT: xt_table

[Jan Engelhardt]

[PATCH 3/3] XT: xt_table

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17

Index: linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv4/ip_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
@@ -29,7 +29,6 @@
 
 #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define ipt_table xt_table
 #define ipt_get_revision xt_get_revision
 
 /* Yes, Virginia, you have to zero the padding. */
@@ -273,9 +272,9 @@ extern void ipt_init(void) __init;
 //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
 //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
 
-extern int ipt_register_table(struct ipt_table *table,
+extern int ipt_register_table(struct xt_table *table,
 			      const struct ipt_replace *repl);
-extern void ipt_unregister_table(struct ipt_table *table);
+extern void ipt_unregister_table(struct xt_table *table);
 
 /* net/sched/ipt.c: Gimme access to your targets!  Gets target->me. */
 extern struct xt_target *ipt_find_target(const char *name, u8 revision);
@@ -303,7 +302,7 @@ extern unsigned int ipt_do_table(struct 
 				 unsigned int hook,
 				 const struct net_device *in,
 				 const struct net_device *out,
-				 struct ipt_table *table);
+				 struct xt_table *table);
 
 #define IPT_ALIGN(s) XT_ALIGN(s)
 
Index: linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv6/ip6_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
@@ -29,7 +29,6 @@
 
 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ip6t_table xt_table
 #define ip6t_get_revision xt_get_revision
 
 /* Yes, Virginia, you have to zero the padding. */
@@ -283,14 +282,14 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
-extern int ip6t_register_table(struct ip6t_table *table,
+extern int ip6t_register_table(struct xt_table *table,
 			       const struct ip6t_replace *repl);
-extern void ip6t_unregister_table(struct ip6t_table *table);
+extern void ip6t_unregister_table(struct xt_table *table);
 extern unsigned int ip6t_do_table(struct sk_buff **pskb,
 				  unsigned int hook,
 				  const struct net_device *in,
 				  const struct net_device *out,
-				  struct ip6t_table *table);
+				  struct xt_table *table);
 
 /* Check for an extension */
 extern int ip6t_ext_hdr(u8 nexthdr);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ip_nat_rule.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ip_nat_rule.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ip_nat_rule.c
@@ -86,7 +86,7 @@ static struct
     }
 };
 
-static struct ipt_table nat_table = {
+static struct xt_table nat_table = {
 	.name		= "nat",
 	.valid_hooks	= NAT_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ip_tables.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ip_tables.c
@@ -216,7 +216,7 @@ ipt_do_table(struct sk_buff **pskb,
 	     unsigned int hook,
 	     const struct net_device *in,
 	     const struct net_device *out,
-	     struct ipt_table *table)
+	     struct xt_table *table)
 {
 	static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 	u_int16_t offset;
@@ -818,7 +818,7 @@ get_counters(const struct xt_table_info 
 	}
 }
 
-static inline struct xt_counters * alloc_counters(struct ipt_table *table)
+static inline struct xt_counters * alloc_counters(struct xt_table *table)
 {
 	unsigned int countersize;
 	struct xt_counters *counters;
@@ -843,7 +843,7 @@ static inline struct xt_counters * alloc
 
 static int
 copy_entries_to_user(unsigned int total_size,
-		     struct ipt_table *table,
+		     struct xt_table *table,
 		     void __user *userptr)
 {
 	unsigned int off, num;
@@ -1046,7 +1046,7 @@ static int compat_table_info(struct xt_t
 static int get_info(void __user *user, int *len, int compat)
 {
 	char name[IPT_TABLE_MAXNAMELEN];
-	struct ipt_table *t;
+	struct xt_table *t;
 	int ret;
 
 	if (*len != sizeof(struct ipt_getinfo)) {
@@ -1107,7 +1107,7 @@ get_entries(struct ipt_get_entries __use
 {
 	int ret;
 	struct ipt_get_entries get;
-	struct ipt_table *t;
+	struct xt_table *t;
 
 	if (*len < sizeof(get)) {
 		duprintf("get_entries: %u < %d\n", *len,
@@ -1151,7 +1151,7 @@ __do_replace(const char *name, unsigned 
 		void __user *counters_ptr)
 {
 	int ret;
-	struct ipt_table *t;
+	struct xt_table *t;
 	struct xt_table_info *oldinfo;
 	struct xt_counters *counters;
 	void *loc_cpu_old_entry;
@@ -1302,7 +1302,7 @@ do_add_counters(void __user *user, unsig
 	char *name;
 	int size;
 	void *ptmp;
-	struct ipt_table *t;
+	struct xt_table *t;
 	struct xt_table_info *private;
 	int ret = 0;
 	void *loc_cpu_entry;
@@ -1795,7 +1795,7 @@ struct compat_ipt_get_entries
 };
 
 static int compat_copy_entries_to_user(unsigned int total_size,
-		     struct ipt_table *table, void __user *userptr)
+		     struct xt_table *table, void __user *userptr)
 {
 	unsigned int off, num;
 	struct compat_ipt_entry e;
@@ -1869,7 +1869,7 @@ compat_get_entries(struct compat_ipt_get
 {
 	int ret;
 	struct compat_ipt_get_entries get;
-	struct ipt_table *t;
+	struct xt_table *t;
 
 
 	if (*len < sizeof(get)) {
@@ -2052,7 +2052,7 @@ int ipt_register_table(struct xt_table *
 	return 0;
 }
 
-void ipt_unregister_table(struct ipt_table *table)
+void ipt_unregister_table(struct xt_table *table)
 {
 	struct xt_table_info *private;
 	void *loc_cpu_entry;
Index: linux-2.6.20-rc5/net/ipv4/netfilter/iptable_filter.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/iptable_filter.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/iptable_filter.c
@@ -74,7 +74,7 @@ static struct
     }
 };
 
-static struct ipt_table packet_filter = {
+static struct xt_table packet_filter = {
 	.name		= "filter",
 	.valid_hooks	= FILTER_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc5/net/ipv4/netfilter/iptable_mangle.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/iptable_mangle.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/iptable_mangle.c
@@ -103,7 +103,7 @@ static struct
     }
 };
 
-static struct ipt_table packet_mangler = {
+static struct xt_table packet_mangler = {
 	.name		= "mangle",
 	.valid_hooks	= MANGLE_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc5/net/ipv4/netfilter/iptable_raw.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/iptable_raw.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/iptable_raw.c
@@ -79,7 +79,7 @@ static struct
 	}
 };
 
-static struct ipt_table packet_raw = { 
+static struct xt_table packet_raw = {
 	.name = "raw", 
 	.valid_hooks =  RAW_VALID_HOOKS, 
 	.lock = RW_LOCK_UNLOCKED, 
Index: linux-2.6.20-rc5/net/ipv4/netfilter/nf_nat_rule.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/nf_nat_rule.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/nf_nat_rule.c
@@ -119,7 +119,7 @@ static struct
 	}
 };
 
-static struct ipt_table nat_table = {
+static struct xt_table nat_table = {
 	.name		= "nat",
 	.valid_hooks	= NAT_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6table_filter.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6table_filter.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6table_filter.c
@@ -92,7 +92,7 @@ static struct
     }
 };
 
-static struct ip6t_table packet_filter = {
+static struct xt_table packet_filter = {
 	.name		= "filter",
 	.valid_hooks	= FILTER_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6table_mangle.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6table_mangle.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6table_mangle.c
@@ -122,7 +122,7 @@ static struct
     }
 };
 
-static struct ip6t_table packet_mangler = {
+static struct xt_table packet_mangler = {
 	.name		= "mangle",
 	.valid_hooks	= MANGLE_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc5/net/sched/act_ipt.c
===================================================================
--- linux-2.6.20-rc5.orig/net/sched/act_ipt.c
+++ linux-2.6.20-rc5/net/sched/act_ipt.c
@@ -52,7 +52,7 @@ static struct tcf_hashinfo ipt_hash_info
 
 static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
 {
-	struct ipt_target *target;
+	struct xt_target *target;
 	int ret = 0;
 
 	target = xt_find_target(AF_INET, t->u.user.name, t->u.user.revision);

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 388 bytes --]

David Madore wrote:
> Implement TCPMSS target for IPv6 by shamelessly copying from
> Marc Boucher's IPv4 implementation.


This is an x_tables port of the TCPMSS target. Care to give it a try?
I believe Yasuyuki is currently working on proper x_tables support
for userspace, but that might still take a while, so If you send me
your userspace port I'll add it to SVN for the time being.


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 19817 bytes --]

[NETFILTER]: add IPv6-capable TCPMSS target

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 6acae256d49e86abf7c84c8a8129343edbca17e0
tree 8f0299bef85de4048509e04eab148b27fb224a4f
parent fd492ee593effa6505b8c8c593002d100440f95d
author Patrick McHardy <kaber@trash.net> Mon, 15 Jan 2007 15:54:23 +0100
committer Patrick McHardy <kaber@trash.net> Mon, 15 Jan 2007 15:54:23 +0100

 include/linux/netfilter/xt_TCPMSS.h       |   10 +
 include/linux/netfilter_ipv4/ipt_TCPMSS.h |    7 -
 net/ipv4/netfilter/Kconfig                |   26 ---
 net/ipv4/netfilter/Makefile               |    1 
 net/ipv4/netfilter/ipt_TCPMSS.c           |  207 ---------------------
 net/netfilter/Kconfig                     |   26 +++
 net/netfilter/Makefile                    |    1 
 net/netfilter/xt_TCPMSS.c                 |  292 +++++++++++++++++++++++++++++
 8 files changed, 332 insertions(+), 238 deletions(-)

diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/linux/netfilter/xt_TCPMSS.h
new file mode 100644
index 0000000..5016902
--- /dev/null
+++ b/include/linux/netfilter/xt_TCPMSS.h
@@ -0,0 +1,10 @@
+#ifndef _XT_TCPMSS_H
+#define _XT_TCPMSS_H
+
+struct xt_tcpmss_info {
+	u_int16_t mss;
+};
+
+#define XT_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /* _XT_TCPMSS_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_TCPMSS.h b/include/linux/netfilter_ipv4/ipt_TCPMSS.h
index aadb395..7a850f9 100644
--- a/include/linux/netfilter_ipv4/ipt_TCPMSS.h
+++ b/include/linux/netfilter_ipv4/ipt_TCPMSS.h
@@ -1,10 +1,9 @@
 #ifndef _IPT_TCPMSS_H
 #define _IPT_TCPMSS_H
 
-struct ipt_tcpmss_info {
-	u_int16_t mss;
-};
+#include <linux/netfilter/xt_TCPMSS.h>
 
-#define IPT_TCPMSS_CLAMP_PMTU 0xffff
+#define ipt_tcpmss_info		xt_tcpmss_info
+#define IPT_TCPMSS_CLAMP_PMTU	XT_TCPMSS_CLAMP_PMTU
 
 #endif /*_IPT_TCPMSS_H*/
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 47bd3ad..9b08e7a 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -361,32 +361,6 @@ config IP_NF_TARGET_ULOG
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_TARGET_TCPMSS
-	tristate "TCPMSS target support"
-	depends on IP_NF_IPTABLES
-	---help---
-	  This option adds a `TCPMSS' target, which allows you to alter the
-	  MSS value of TCP SYN packets, to control the maximum size for that
-	  connection (usually limiting it to your outgoing interface's MTU
-	  minus 40).
-
-	  This is used to overcome criminally braindead ISPs or servers which
-	  block ICMP Fragmentation Needed packets.  The symptoms of this
-	  problem are that everything works fine from your Linux
-	  firewall/router, but machines behind it can never exchange large
-	  packets:
-	  	1) Web browsers connect, then hang with no data received.
-	  	2) Small mail works fine, but large emails hang.
-	  	3) ssh works fine, but scp hangs after initial handshaking.
-
-	  Workaround: activate this option and add a rule to your firewall
-	  configuration like:
-
-	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-	  		 -j TCPMSS --clamp-mss-to-pmtu
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 # NAT + specific targets: ip_conntrack
 config IP_NF_NAT
 	tristate "Full NAT"
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 15e741a..83cd6d2 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -93,7 +93,6 @@ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_S
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
-obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
 
diff --git a/net/ipv4/netfilter/ipt_TCPMSS.c b/net/ipv4/netfilter/ipt_TCPMSS.c
deleted file mode 100644
index 93eb5c3..0000000
--- a/net/ipv4/netfilter/ipt_TCPMSS.c
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * This is a module which is used for setting the MSS option in TCP packets.
- *
- * Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-
-#include <linux/ip.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TCPMSS.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables TCP MSS modification module");
-
-static inline unsigned int
-optlen(const u_int8_t *opt, unsigned int offset)
-{
-	/* Beware zero-length options: make finite progress */
-	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
-		return 1;
-	else
-		return opt[offset+1];
-}
-
-static unsigned int
-ipt_tcpmss_target(struct sk_buff **pskb,
-		  const struct net_device *in,
-		  const struct net_device *out,
-		  unsigned int hooknum,
-		  const struct xt_target *target,
-		  const void *targinfo)
-{
-	const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
-	struct tcphdr *tcph;
-	struct iphdr *iph;
-	u_int16_t tcplen, newmss;
-	__be16 newtotlen, oldval;
-	unsigned int i;
-	u_int8_t *opt;
-
-	if (!skb_make_writable(pskb, (*pskb)->len))
-		return NF_DROP;
-
-	iph = (*pskb)->nh.iph;
-	tcplen = (*pskb)->len - iph->ihl*4;
-	tcph = (void *)iph + iph->ihl*4;
-
-	/* Since it passed flags test in tcp match, we know it is is
-	   not a fragment, and has data >= tcp header length.  SYN
-	   packets should not contain data: if they did, then we risk
-	   running over MTU, sending Frag Needed and breaking things
-	   badly. --RR */
-	if (tcplen != tcph->doff*4) {
-		if (net_ratelimit())
-			printk(KERN_ERR
-			       "ipt_tcpmss_target: bad length (%d bytes)\n",
-			       (*pskb)->len);
-		return NF_DROP;
-	}
-
-	if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) {
-		if (dst_mtu((*pskb)->dst) <= sizeof(struct iphdr) +
-					     sizeof(struct tcphdr)) {
-			if (net_ratelimit())
-				printk(KERN_ERR "ipt_tcpmss_target: "
-				       "unknown or invalid path-MTU (%d)\n",
-				       dst_mtu((*pskb)->dst));
-			return NF_DROP; /* or IPT_CONTINUE ?? */
-		}
-
-		newmss = dst_mtu((*pskb)->dst) - sizeof(struct iphdr) -
-						 sizeof(struct tcphdr);
-	} else
-		newmss = tcpmssinfo->mss;
-
- 	opt = (u_int8_t *)tcph;
-	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
-		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
-		    opt[i+1] == TCPOLEN_MSS) {
-			u_int16_t oldmss;
-
-			oldmss = (opt[i+2] << 8) | opt[i+3];
-
-			if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU &&
-			    oldmss <= newmss)
-				return IPT_CONTINUE;
-
-			opt[i+2] = (newmss & 0xff00) >> 8;
-			opt[i+3] = (newmss & 0x00ff);
-
-			nf_proto_csum_replace2(&tcph->check, *pskb,
-						htons(oldmss), htons(newmss), 0);
-			return IPT_CONTINUE;
-		}
-	}
-
-	/*
-	 * MSS Option not found ?! add it..
-	 */
-	if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
-		struct sk_buff *newskb;
-
-		newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
-					 TCPOLEN_MSS, GFP_ATOMIC);
-		if (!newskb)
-			return NF_DROP;
-		kfree_skb(*pskb);
-		*pskb = newskb;
-		iph = (*pskb)->nh.iph;
-		tcph = (void *)iph + iph->ihl*4;
-	}
-
-	skb_put((*pskb), TCPOLEN_MSS);
-
- 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
-	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
-
-	nf_proto_csum_replace2(&tcph->check, *pskb,
-				htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
-	opt[0] = TCPOPT_MSS;
-	opt[1] = TCPOLEN_MSS;
-	opt[2] = (newmss & 0xff00) >> 8;
-	opt[3] = (newmss & 0x00ff);
-
-	nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0);
-
-	oldval = ((__be16 *)tcph)[6];
-	tcph->doff += TCPOLEN_MSS/4;
-	nf_proto_csum_replace2(&tcph->check, *pskb,
-				oldval, ((__be16 *)tcph)[6], 0);
-
-	newtotlen = htons(ntohs(iph->tot_len) + TCPOLEN_MSS);
-	nf_csum_replace2(&iph->check, iph->tot_len, newtotlen);
-	iph->tot_len = newtotlen;
-	return IPT_CONTINUE;
-}
-
-#define TH_SYN 0x02
-
-static inline int find_syn_match(const struct ipt_entry_match *m)
-{
-	const struct ipt_tcp *tcpinfo = (const struct ipt_tcp *)m->data;
-
-	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
-	    tcpinfo->flg_cmp & TH_SYN &&
-	    !(tcpinfo->invflags & IPT_TCP_INV_FLAGS))
-		return 1;
-
-	return 0;
-}
-
-/* Must specify -p tcp --syn/--tcp-flags SYN */
-static int
-ipt_tcpmss_checkentry(const char *tablename,
-		      const void *e_void,
-		      const struct xt_target *target,
-		      void *targinfo,
-		      unsigned int hook_mask)
-{
-	const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
-	const struct ipt_entry *e = e_void;
-
-	if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU &&
-	    (hook_mask & ~((1 << NF_IP_FORWARD) |
-			   (1 << NF_IP_LOCAL_OUT) |
-			   (1 << NF_IP_POST_ROUTING))) != 0) {
-		printk("TCPMSS: path-MTU clamping only supported in "
-		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
-		return 0;
-	}
-
-	if (IPT_MATCH_ITERATE(e, find_syn_match))
-		return 1;
-	printk("TCPMSS: Only works on TCP SYN packets\n");
-	return 0;
-}
-
-static struct ipt_target ipt_tcpmss_reg = {
-	.name		= "TCPMSS",
-	.target		= ipt_tcpmss_target,
-	.targetsize	= sizeof(struct ipt_tcpmss_info),
-	.proto		= IPPROTO_TCP,
-	.checkentry	= ipt_tcpmss_checkentry,
-	.me		= THIS_MODULE,
-};
-
-static int __init ipt_tcpmss_init(void)
-{
-	return ipt_register_target(&ipt_tcpmss_reg);
-}
-
-static void __exit ipt_tcpmss_fini(void)
-{
-	ipt_unregister_target(&ipt_tcpmss_reg);
-}
-
-module_init(ipt_tcpmss_init);
-module_exit(ipt_tcpmss_fini);
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 0c5e290..df4101c 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -395,6 +395,32 @@ config NETFILTER_XT_TARGET_CONNSECMARK
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_TARGET_TCPMSS
+	tristate '"TCPMSS" target support'
+	depends on NETFILTER_XTABLES
+	---help---
+	  This option adds a `TCPMSS' target, which allows you to alter the
+	  MSS value of TCP SYN packets, to control the maximum size for that
+	  connection (usually limiting it to your outgoing interface's MTU
+	  minus 40).
+
+	  This is used to overcome criminally braindead ISPs or servers which
+	  block ICMP Fragmentation Needed packets.  The symptoms of this
+	  problem are that everything works fine from your Linux
+	  firewall/router, but machines behind it can never exchange large
+	  packets:
+	        1) Web browsers connect, then hang with no data received.
+	        2) Small mail works fine, but large emails hang.
+	        3) ssh works fine, but scp hangs after initial handshaking.
+
+	  Workaround: activate this option and add a rule to your firewall
+	  configuration like:
+
+	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+	                 -j TCPMSS --clamp-mss-to-pmtu
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_COMMENT
 	tristate  '"comment" match support'
 	depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 5054b0f..b2b5c75 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -45,6 +45,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 
 # matches
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
new file mode 100644
index 0000000..5f6a23b
--- /dev/null
+++ b/net/netfilter/xt_TCPMSS.c
@@ -0,0 +1,292 @@
+/*
+ * This is a module which is used for setting the MSS option in TCP packets.
+ *
+ * Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/tcp.h>
+#include <net/ipv6.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_tcpudp.h>
+#include <linux/netfilter/xt_TCPMSS.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
+MODULE_DESCRIPTION("x_tables TCP MSS modification module");
+MODULE_ALIAS("ipt_TCPMSS");
+MODULE_ALIAS("ip6t_TCPMSS");
+
+static inline unsigned int
+optlen(const u_int8_t *opt, unsigned int offset)
+{
+	/* Beware zero-length options: make finite progress */
+	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
+		return 1;
+	else
+		return opt[offset+1];
+}
+
+static int
+tcpmss_mangle_packet(struct sk_buff **pskb,
+		     const struct xt_tcpmss_info *info,
+		     unsigned int tcphoff,
+		     unsigned int minlen)
+{
+	struct tcphdr *tcph;
+	unsigned int tcplen, i;
+	__be16 oldval;
+	u16 newmss;
+	u8 *opt;
+
+	if (!skb_make_writable(pskb, (*pskb)->len))
+		return -1;
+
+	tcplen = (*pskb)->len - tcphoff;
+	tcph = (struct tcphdr *)((*pskb)->nh.raw + tcphoff);
+
+	/* Since it passed flags test in tcp match, we know it is is
+	   not a fragment, and has data >= tcp header length.  SYN
+	   packets should not contain data: if they did, then we risk
+	   running over MTU, sending Frag Needed and breaking things
+	   badly. --RR */
+	if (tcplen != tcph->doff*4) {
+		if (net_ratelimit())
+			printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
+			       (*pskb)->len);
+		return -1;
+	}
+
+	if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
+		if (dst_mtu((*pskb)->dst) <= minlen) {
+			if (net_ratelimit())
+				printk(KERN_ERR "xt_TCPMSS: "
+				       "unknown or invalid path-MTU (%u)\n",
+				       dst_mtu((*pskb)->dst));
+			return -1;
+		}
+		newmss = dst_mtu((*pskb)->dst) - minlen;
+	} else
+		newmss = info->mss;
+
+	opt = (u_int8_t *)tcph;
+	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
+		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
+		    opt[i+1] == TCPOLEN_MSS) {
+			u_int16_t oldmss;
+
+			oldmss = (opt[i+2] << 8) | opt[i+3];
+
+			if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
+			    oldmss <= newmss)
+			    	return 0;
+
+			opt[i+2] = (newmss & 0xff00) >> 8;
+			opt[i+3] = (newmss & 0x00ff);
+
+			nf_proto_csum_replace2(&tcph->check, *pskb,
+					       htons(oldmss), htons(newmss), 0);
+			return 0;
+		}
+	}
+
+	/*
+	 * MSS Option not found ?! add it..
+	 */
+	if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
+		struct sk_buff *newskb;
+
+		newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
+					 TCPOLEN_MSS, GFP_ATOMIC);
+		if (!newskb)
+			return -1;
+		kfree_skb(*pskb);
+		*pskb = newskb;
+		tcph = (struct tcphdr *)((*pskb)->nh.raw + tcphoff);
+	}
+
+	skb_put((*pskb), TCPOLEN_MSS);
+
+	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
+	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+
+	nf_proto_csum_replace2(&tcph->check, *pskb,
+			       htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
+	opt[0] = TCPOPT_MSS;
+	opt[1] = TCPOLEN_MSS;
+	opt[2] = (newmss & 0xff00) >> 8;
+	opt[3] = (newmss & 0x00ff);
+
+	nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0);
+
+	oldval = ((__be16 *)tcph)[6];
+	tcph->doff += TCPOLEN_MSS/4;
+	nf_proto_csum_replace2(&tcph->check, *pskb,
+				oldval, ((__be16 *)tcph)[6], 0);
+	return TCPOLEN_MSS;
+}
+
+static unsigned int
+xt_tcpmss_target4(struct sk_buff **pskb,
+		  const struct net_device *in,
+		  const struct net_device *out,
+		  unsigned int hooknum,
+		  const struct xt_target *target,
+		  const void *targinfo)
+{
+	struct iphdr *iph = (*pskb)->nh.iph;
+	__be16 newlen;
+	int ret;
+
+	ret = tcpmss_mangle_packet(pskb, targinfo, iph->ihl * 4,
+				   sizeof(*iph) + sizeof(struct tcphdr));
+	if (ret < 0)
+		return NF_DROP;
+	if (ret > 0) {
+		iph = (*pskb)->nh.iph;
+		newlen = htons(ntohs(iph->tot_len) + ret);
+		nf_csum_replace2(&iph->check, iph->tot_len, newlen);
+		iph->tot_len = newlen;
+	}
+	return XT_CONTINUE;
+}
+
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+static unsigned int
+xt_tcpmss_target6(struct sk_buff **pskb,
+		  const struct net_device *in,
+		  const struct net_device *out,
+		  unsigned int hooknum,
+		  const struct xt_target *target,
+		  const void *targinfo)
+{
+	struct ipv6hdr *ipv6h = (*pskb)->nh.ipv6h;
+	u8 nexthdr;
+	int tcphoff;
+	int ret;
+
+	nexthdr = ipv6h->nexthdr;
+	tcphoff = ipv6_skip_exthdr(*pskb, sizeof(*ipv6h), &nexthdr);
+	ret = tcpmss_mangle_packet(pskb, targinfo, tcphoff,
+				   sizeof(*ipv6h) + sizeof(struct tcphdr));
+	if (ret < 0)
+		return NF_DROP;
+	if (ret > 0) {
+		ipv6h = (*pskb)->nh.ipv6h;
+		ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) + ret);
+	}
+	return XT_CONTINUE;
+}
+#endif
+
+#define TH_SYN 0x02
+
+/* Must specify -p tcp --syn/--tcp-flags SYN */
+static inline int find_syn_match(const struct xt_entry_match *m)
+{
+	const struct xt_tcp *tcpinfo = (const struct xt_tcp *)m->data;
+
+	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
+	    tcpinfo->flg_cmp & TH_SYN &&
+	    !(tcpinfo->invflags & XT_TCP_INV_FLAGS))
+		return 1;
+
+	return 0;
+}
+
+static int
+xt_tcpmss_checkentry4(const char *tablename,
+		      const void *entry,
+		      const struct xt_target *target,
+		      void *targinfo,
+		      unsigned int hook_mask)
+{
+	const struct xt_tcpmss_info *info = targinfo;
+	const struct ipt_entry *e = entry;
+
+	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
+	    (hook_mask & ~((1 << NF_IP_FORWARD) |
+			   (1 << NF_IP_LOCAL_OUT) |
+			   (1 << NF_IP_POST_ROUTING))) != 0) {
+		printk("xt_TCPMSS: path-MTU clamping only supported in "
+		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
+		return 0;
+	}
+	if (IPT_MATCH_ITERATE(e, find_syn_match))
+		return 1;
+	printk("xt_TCPMSS: Only works on TCP SYN packets\n");
+	return 0;
+}
+
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+static int
+xt_tcpmss_checkentry6(const char *tablename,
+		      const void *entry,
+		      const struct xt_target *target,
+		      void *targinfo,
+		      unsigned int hook_mask)
+{
+	const struct xt_tcpmss_info *info = targinfo;
+	const struct ip6t_entry *e = entry;
+
+	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
+	    (hook_mask & ~((1 << NF_IP6_FORWARD) |
+			   (1 << NF_IP6_LOCAL_OUT) |
+			   (1 << NF_IP6_POST_ROUTING))) != 0) {
+		printk("xt_TCPMSS: path-MTU clamping only supported in "
+		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
+		return 0;
+	}
+	if (IP6T_MATCH_ITERATE(e, find_syn_match))
+		return 1;
+	printk("xt_TCPMSS: Only works on TCP SYN packets\n");
+	return 0;
+}
+#endif
+
+static struct xt_target xt_tcpmss_reg[] = {
+	{
+		.family		= AF_INET,
+		.name		= "TCPMSS",
+		.checkentry	= xt_tcpmss_checkentry4,
+		.target		= xt_tcpmss_target4,
+		.targetsize	= sizeof(struct xt_tcpmss_info),
+		.proto		= IPPROTO_TCP,
+		.me		= THIS_MODULE,
+	},
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+	{
+		.family		= AF_INET6,
+		.name		= "TCPMSS",
+		.checkentry	= xt_tcpmss_checkentry6,
+		.target		= xt_tcpmss_target6,
+		.targetsize	= sizeof(struct xt_tcpmss_info),
+		.proto		= IPPROTO_TCP,
+		.me		= THIS_MODULE,
+	},
+#endif
+};
+
+static int __init xt_tcpmss_init(void)
+{
+	return xt_register_targets(xt_tcpmss_reg, ARRAY_SIZE(xt_tcpmss_reg));
+}
+
+static void __exit xt_tcpmss_fini(void)
+{
+	xt_unregister_targets(xt_tcpmss_reg, ARRAY_SIZE(xt_tcpmss_reg));
+}
+
+module_init(xt_tcpmss_init);
+module_exit(xt_tcpmss_fini);

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Jan Engelhardt]

On Jan 15 2007 19:42, Patrick McHardy wrote:
>> Implement TCPMSS target for IPv6 by shamelessly copying from
>> Marc Boucher's IPv4 implementation.
>
>This is an x_tables port of the TCPMSS target. Care to give it a try?
>I believe Yasuyuki is currently working on proper x_tables support
>for userspace, but that might still take a while, so If you send me
>your userspace port I'll add it to SVN for the time being.


>+#endif /* _XT_TCPMSS_H*/
                        ^
nitpick: space

>+	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>+	                 -j TCPMSS --clamp-mss-to-pmtu

This should probably be --tcp-flags SYN,RST,FIN SYN or just --syn.

>+MODULE_LICENSE("GPL");
>+MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
>+MODULE_DESCRIPTION("x_tables TCP MSS modification module");
>+MODULE_ALIAS("ipt_TCPMSS");
>+MODULE_ALIAS("ip6t_TCPMSS");

One thing that comes to mind: what is the exact name of it? xtables?
x_tables? In ipt_*, one could also see "IP tables" and so on. The
actual userspace program is called 'iptables', so I'd go for
'xtables'. Though, it's just a userspace tool. Someone could come
along and make a SuperTables that still works with the existing
netfilter code in the kernel, making it 'netfilter TCP MSS
modification module' rather than 'x_tables...'. Well, before my
thoughts crumble, let me know something :)


>+static int
>+xt_tcpmss_checkentry4(const char *tablename,
>+		      const void *entry,
>+		      const struct xt_target *target,
>+		      void *targinfo,
>+		      unsigned int hook_mask)
>+{
>+	const struct xt_tcpmss_info *info = targinfo;
>+	const struct ipt_entry *e = entry;
>+
>+	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
>+	    (hook_mask & ~((1 << NF_IP_FORWARD) |
>+			   (1 << NF_IP_LOCAL_OUT) |
>+			   (1 << NF_IP_POST_ROUTING))) != 0) {
>+		printk("xt_TCPMSS: path-MTU clamping only supported in "
>+		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
>+		return 0;
>+	}
>+	if (IPT_MATCH_ITERATE(e, find_syn_match))
>+		return 1;
>+	printk("xt_TCPMSS: Only works on TCP SYN packets\n");
>+	return 0;
>+}

The hook_mask check could be done with struct xt_target->hooks, could
not it? (see this:)

>+static struct xt_target xt_tcpmss_reg[] = {
>+	{
>+		.family		= AF_INET,
>+		.name		= "TCPMSS",
>+		.checkentry	= xt_tcpmss_checkentry4,
>+		.target		= xt_tcpmss_target4,
>+		.targetsize	= sizeof(struct xt_tcpmss_info),
>+		.proto		= IPPROTO_TCP,
>+		.me		= THIS_MODULE,
		.hooks		= (1 << ...),
};


	-`J'
-- 

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jan 15 2007 19:42, Patrick McHardy wrote:
> 
>>+#endif /* _XT_TCPMSS_H*/
> 
>                         ^
> nitpick: space
> 
> 
>>+	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>>+	                 -j TCPMSS --clamp-mss-to-pmtu
> 
> 
> This should probably be --tcp-flags SYN,RST,FIN SYN or just --syn.

Both fixed, thanks.

> 
> 
>>+MODULE_LICENSE("GPL");
>>+MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
>>+MODULE_DESCRIPTION("x_tables TCP MSS modification module");
>>+MODULE_ALIAS("ipt_TCPMSS");
>>+MODULE_ALIAS("ip6t_TCPMSS");
> 
> 
> One thing that comes to mind: what is the exact name of it? xtables?
> x_tables? In ipt_*, one could also see "IP tables" and so on. The
> actual userspace program is called 'iptables', so I'd go for
> 'xtables'. Though, it's just a userspace tool. Someone could come
> along and make a SuperTables that still works with the existing
> netfilter code in the kernel, making it 'netfilter TCP MSS
> modification module' rather than 'x_tables...'. Well, before my
> thoughts crumble, let me know something :)

Most modules use x_tables in their description. I don't care
at all.

>>+static int
>>+xt_tcpmss_checkentry4(const char *tablename,
>>+		      const void *entry,
>>+		      const struct xt_target *target,
>>+		      void *targinfo,
>>+		      unsigned int hook_mask)
>>+{
>>+	const struct xt_tcpmss_info *info = targinfo;
>>+	const struct ipt_entry *e = entry;
>>+
>>+	if (info->mss == XT_TCPMSS_CLAMP_PMTU &&
>>+	    (hook_mask & ~((1 << NF_IP_FORWARD) |
>>+			   (1 << NF_IP_LOCAL_OUT) |
>>+			   (1 << NF_IP_POST_ROUTING))) != 0) {
>>+		printk("xt_TCPMSS: path-MTU clamping only supported in "
>>+		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
>>+		return 0;
>>+	}
>>+	if (IPT_MATCH_ITERATE(e, find_syn_match))
>>+		return 1;
>>+	printk("xt_TCPMSS: Only works on TCP SYN packets\n");
>>+	return 0;
>>+}
> 
> 
> The hook_mask check could be done with struct xt_target->hooks, could
> not it? (see this:)

No, the hooks only matter for pmtu clamping.

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Arnaud Ebalard]

Patrick McHardy <kaber <at> trash.net> writes:
 > David Madore wrote:
 > > Implement TCPMSS target for IPv6 by shamelessly copying from
 > > Marc Boucher's IPv4 implementation.
 >
 > This is an x_tables port of the TCPMSS target. Care to give it a try?
 > I believe Yasuyuki is currently working on proper x_tables support
 > for userspace, but that might still take a while, so If you send me
 > your userspace port I'll add it to SVN for the time being.

Sorry for the late post. Just to say that i also _had_ to implement  
that (2.6.19.1 and iptables 1.3.7). I was testing it before pushing
it ;-) too late. Anyway, patch is below for reference.

Question : I made a specific case for AH (even if deprecated) protected
traffic to avoid clamping of that packets.  ipv6_skip_exthdr() simply
does not verify that and it seems there is no check against that. Can
you take a look at find_tcp_hdr in the patch below and tell me if i'm
wrong ? (function is based on ipv6_find_hdr(), ipv6_prepare(),
nf_ct_ipv6_skip_exthdr() and ipv6_skip_exthdr() code).

By the way, I'll take time to test your patch if it fits my 2.6.19.1  
kernel and switch to it. thx.

Regards,

a+

Patch for Kernel :

diff -Nru linux-2.6.19.1/include/linux/netfilter_ipv6/ip6t_tcpmss.h linux-2.6.19.1-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_tcpmss.h
--- linux-2.6.19.1/include/linux/netfilter_ipv6/ip6t_tcpmss.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19.1-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_tcpmss.h	2006-12-20 22:35:16.684395279 +0100
@@ -0,0 +1,7 @@
+#ifndef _IP6T_TCPMSS_MATCH_H
+#define _IP6T_TCPMSS_MATCH_H
+
+#include <linux/netfilter/xt_tcpmss.h>
+#define ip6t_tcpmss_match_info xt_tcpmss_match_info
+
+#endif /*_IP6T_TCPMSS_MATCH_H*/
diff -Nru linux-2.6.19.1/include/linux/netfilter_ipv6/ip6t_TCPMSS.h linux-2.6.19.1-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
--- linux-2.6.19.1/include/linux/netfilter_ipv6/ip6t_TCPMSS.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19.1-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_TCPMSS.h	2006-12-20 22:59:49.040411779 +0100
@@ -0,0 +1,10 @@
+#ifndef _IP6T_TCPMSS_H
+#define _IP6T_TCPMSS_H
+
+struct ip6t_tcpmss_info {
+	u_int16_t mss;
+};
+
+#define IP6T_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /*_IP6T_TCPMSS_H*/
diff -Nru linux-2.6.19.1/include/linux/netfilter_ipv6/Kbuild linux-2.6.19.1-IPv6-TCPMSS/include/linux/netfilter_ipv6/Kbuild
--- linux-2.6.19.1/include/linux/netfilter_ipv6/Kbuild	2006-12-11 20:32:53.000000000 +0100
+++ linux-2.6.19.1-IPv6-TCPMSS/include/linux/netfilter_ipv6/Kbuild	2006-12-21 20:00:00.068570949 +0100
@@ -15,6 +15,8 @@
 header-y += ip6t_opts.h
 header-y += ip6t_owner.h
 header-y += ip6t_policy.h
+header-y += ip6t_tcpmss.h
+header-y += ip6t_TCPMSS.h
 header-y += ip6t_physdev.h
 header-y += ip6t_rt.h
 
diff -Nru linux-2.6.19.1/net/ipv6/netfilter/ip6t_TCPMSS.c linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/ip6t_TCPMSS.c
--- linux-2.6.19.1/net/ipv6/netfilter/ip6t_TCPMSS.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/ip6t_TCPMSS.c	2006-12-23 22:00:31.257249420 +0100
@@ -0,0 +1,274 @@
+/*
+ * Module is used for setting the MSS option in TCP SYN packets.
+ *
+ * Ported to IPv6 by Arnaud Ebalard  <arnaud.ebalard@eads.net>
+ * Based on IPv4 TCPMSS module by Marc Boucher <marc@mbsi.ca>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Arnaud Ebalard <arnaud.ebalard@eads.net>");
+MODULE_DESCRIPTION("ip6tables TCP MSS clamping module");
+
+static inline unsigned int
+optlen(const u_int8_t *opt, unsigned int offset)
+{
+	/* Beware zero-length options: make finite progress */
+	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
+		return 1;
+	else
+		return opt[offset+1];
+}
+
+/* 
+ * Find offset of TCP header in skbuff. If return value is 0, 'offset' parameter 
+ * contains that offset. Otherwise, TCP header was not found (various possible 
+ * reasons).
+ * 
+ * It is only intended for TCP MSS clamping use: 
+ *  - Packets containing Fragment header are not considered 
+ *  - Packets containing  Auth Header are not considered. MSS Clamping 
+ *    would make them incorrect.
+ * 
+*/
+static int
+find_tcphdr(struct sk_buff *skb, unsigned int *offset)
+{
+        unsigned int start = (u8*)(skb->nh.ipv6h + 1) - skb->data;
+        u8 nexthdr = skb->nh.ipv6h->nexthdr;
+	unsigned int len = skb->len - start;
+	struct ipv6_opt_hdr hdr, *hp;
+	unsigned int hdrlen;
+
+	/* Skip all extension headers. If NEXTHDR_NONE, NEXTHDR_AUTH
+	 * or NEXTHDR_FRAGMENT is encountered, give up. We won't be able to 
+	 * clamp -- AE 
+	 */
+	while (nexthdr != IPPROTO_TCP) {
+
+	  if (len < (int)sizeof(struct ipv6_opt_hdr) ||
+	      !ipv6_ext_hdr(nexthdr) ||
+	      nexthdr == NEXTHDR_FRAGMENT || 
+	      nexthdr == NEXTHDR_NONE || 
+	      nexthdr == NEXTHDR_AUTH) 
+	    return -1;
+
+	  hp = skb_header_pointer(skb, start, sizeof(hdr), &hdr);
+	  if (hp == NULL)
+	    return -1;
+
+	  hdrlen = ipv6_optlen(hp);
+	  nexthdr = hp->nexthdr;
+	  len -= hdrlen;
+	  start += hdrlen;
+	}
+
+	*offset = start;
+	return 0;
+}
+  
+static unsigned int
+ip6t_tcpmss_target(struct sk_buff **pskb,
+		  const struct net_device *in,
+		  const struct net_device *out,
+		  unsigned int hooknum,
+		  const struct xt_target *target,
+		  const void *targinfo)
+{
+	const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+	struct tcphdr *tcph;
+	struct ipv6hdr *ip6h;
+	u_int16_t tcplen, newmss;
+	__be16 oldval;
+	unsigned int offset, i;
+	u_int8_t *opt;
+
+	if (!skb_make_writable(pskb, (*pskb)->len))
+	  return NF_DROP;
+
+	ip6h = (*pskb)->nh.ipv6h;
+
+	if (find_tcphdr(*pskb, &offset))
+	  return NF_DROP;
+
+	tcph = (void *)(*pskb)->data + offset ;
+	tcplen = (u_int16_t)((*pskb)->len - offset);
+
+	/* It passed flags test in tcp match. It's not a fragment, 
+	   and data >= tcp header length.  
+	   SYN packets should not contain data: if they did, then we risk
+	   running over MTU. Furthermore, MTU being at least 1280 bytes 
+	   on IPv6 links, only _very_ unusual packets will match */
+	if (tcplen != tcph->doff*4) {
+		if (net_ratelimit())
+			printk(KERN_ERR
+			       "ip6t_tcpmss_target: bad length (%d bytes)\n",
+			       (*pskb)->len);
+		return NF_DROP;
+	}
+
+	if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU) {
+	  /* TODO : check if that test make sense. Basically, IPv6 link have a 
+	   *        minimum MTU of 1280 bytes. For that reason, if enforced by 
+	   *        the kernel, we do not need that. Leave it anyway at the 
+	   *        moment -- AE */
+	  
+	  if (dst_mtu((*pskb)->dst) <= sizeof(struct ipv6hdr) + 
+	                               sizeof(struct tcphdr)) {
+	    if (net_ratelimit())
+	      printk(KERN_ERR "ip6t_tcpmss_target: "
+		     "unknown or invalid path-MTU (%d)\n",
+		     dst_mtu((*pskb)->dst));
+	    return NF_DROP; 
+	  }
+	  
+	  newmss = dst_mtu((*pskb)->dst) - sizeof(struct ipv6hdr) - 
+	                                   sizeof(struct tcphdr);
+	} else
+	  newmss = tcpmssinfo->mss;
+
+ 	opt = (u_int8_t *)tcph;
+	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
+		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
+		    opt[i+1] == TCPOLEN_MSS) {
+			u_int16_t oldmss;
+
+			oldmss = (opt[i+2] << 8) | opt[i+3];
+
+			if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+			    oldmss <= newmss)
+				return IP6T_CONTINUE;
+
+			opt[i+2] = (newmss & 0xff00) >> 8;
+			opt[i+3] = (newmss & 0x00ff);
+
+			tcph->check = nf_proto_csum_update(*pskb,
+							   htons(oldmss)^htons(0xFFFF),
+							   htons(newmss),
+							   tcph->check, 0);
+			return IP6T_CONTINUE;
+		}
+	}
+
+	/*
+	 * MSS Option not found ?! add it..
+	 */
+	if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
+		struct sk_buff *newskb;
+
+		newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
+					 TCPOLEN_MSS, GFP_ATOMIC);
+		if (!newskb)
+			return NF_DROP;
+		kfree_skb(*pskb);
+		*pskb = newskb;
+		ip6h = (*pskb)->nh.ipv6h;
+		find_tcphdr(*pskb, &offset);
+		tcph = (void *)(*pskb)->data + offset ;
+	}
+
+	skb_put((*pskb), TCPOLEN_MSS);
+
+ 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
+	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+
+	tcph->check = nf_proto_csum_update(*pskb,
+					   htons(tcplen) ^ htons(0xFFFF),
+				           htons(tcplen + TCPOLEN_MSS),
+					   tcph->check, 1);
+	opt[0] = TCPOPT_MSS;
+	opt[1] = TCPOLEN_MSS;
+	opt[2] = (newmss & 0xff00) >> 8;
+	opt[3] = (newmss & 0x00ff);
+
+	tcph->check = nf_proto_csum_update(*pskb, htonl(~0), *((__be32 *)opt),
+					   tcph->check, 0);
+
+	oldval = ((__be16 *)tcph)[6];
+	tcph->doff += TCPOLEN_MSS/4;
+	tcph->check = nf_proto_csum_update(*pskb,
+					   oldval ^ htons(0xFFFF),
+					   ((__be16 *)tcph)[6],
+					   tcph->check, 0);
+
+	ip6h->payload_len = htons(ntohs(ip6h->payload_len) + TCPOLEN_MSS);
+	return IP6T_CONTINUE;
+}
+
+#define TH_SYN 0x02
+
+static inline int find_syn_match(const struct ip6t_entry_match *m)
+{
+	const struct ip6t_tcp *tcpinfo = (const struct ip6t_tcp *)m->data;
+
+	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
+	    tcpinfo->flg_cmp & TH_SYN &&
+	    !(tcpinfo->invflags & IP6T_TCP_INV_FLAGS))
+		return 1;
+
+	return 0;
+}
+
+/* Must specify -p tcp --syn/--tcp-flags SYN */
+static int
+ip6t_tcpmss_checkentry(const char *tablename,
+		      const void *e_void,
+		      const struct xt_target *target,
+		      void *targinfo,
+		      unsigned int hook_mask)
+{
+	const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+	const struct ip6t_entry *e = e_void;
+
+	if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+	    (hook_mask & ~((1 << NF_IP6_FORWARD) |
+			   (1 << NF_IP6_LOCAL_OUT) |
+			   (1 << NF_IP6_POST_ROUTING))) != 0) {
+		printk("TCPMSS: path-MTU clamping only supported in "
+		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
+		return 0;
+	}
+
+	if (IP6T_MATCH_ITERATE(e, find_syn_match))
+		return 1;
+	printk("TCPMSS: Only works on TCP SYN packets\n");
+	return 0;
+}
+
+static struct ip6t_target ip6t_tcpmss_reg = {
+	.name		= "TCPMSS",
+	.target		= ip6t_tcpmss_target,
+	.targetsize	= sizeof(struct ip6t_tcpmss_info),
+	.proto		= IPPROTO_TCP,
+	.checkentry	= ip6t_tcpmss_checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init ip6t_tcpmss_init(void)
+{
+	return ip6t_register_target(&ip6t_tcpmss_reg);
+}
+
+static void __exit ip6t_tcpmss_fini(void)
+{
+	ip6t_unregister_target(&ip6t_tcpmss_reg);
+}
+
+module_init(ip6t_tcpmss_init);
+module_exit(ip6t_tcpmss_fini);
diff -Nru linux-2.6.19.1/net/ipv6/netfilter/Kconfig linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/Kconfig
--- linux-2.6.19.1/net/ipv6/netfilter/Kconfig	2006-12-11 20:32:53.000000000 +0100
+++ linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/Kconfig	2006-12-21 18:44:47.374545199 +0100
@@ -153,6 +153,33 @@
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_TARGET_TCPMSS
+	tristate "TCPMSS target support"
+	depends on IP6_NF_IPTABLES
+	---help---
+	  This option adds a `TCPMSS' target, which allows you to alter the
+	  MSS value of TCP SYN packets, to control the maximum size for that
+	  connection (usually limiting it to your outgoing interface's MTU
+	  minus 60).
+
+	  This is used to overcome criminally braindead ISPs or servers which
+	  block ICMPv6 Packet Too Big packets or are unable to send them. The 
+	  symptoms of this problem are that everything works fine from your 
+	  Linux firewall/router, but machines behind it can never exchange 
+ 	  large packets:
+
+	  	1) Web browsers connect, then hang with no data received.
+	  	2) Small mail works fine, but large emails hang.
+	  	3) ssh works fine, but scp hangs after initial handshaking.
+
+	  Workaround: activate this option and add a rule to your firewall
+	  configuration like:
+
+	  ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+	            -j TCPMSS --clamp-mss-to-pmtu
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config IP6_NF_MANGLE
 	tristate "Packet mangling"
 	depends on IP6_NF_IPTABLES
diff -Nru linux-2.6.19.1/net/ipv6/netfilter/Makefile linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/Makefile
--- linux-2.6.19.1/net/ipv6/netfilter/Makefile	2006-12-11 20:32:53.000000000 +0100
+++ linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/Makefile	2006-12-18 00:10:26.434896581 +0100
@@ -16,6 +16,7 @@
 obj-$(CONFIG_IP6_NF_TARGET_HL) += ip6t_HL.o
 obj-$(CONFIG_IP6_NF_QUEUE) += ip6_queue.o
 obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
+obj-$(CONFIG_IP6_NF_TARGET_TCPMSS) += ip6t_TCPMSS.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
 obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
diff -Nru linux-2.6.19.1/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
--- linux-2.6.19.1/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c	2006-12-11 20:32:53.000000000 +0100
+++ linux-2.6.19.1-IPv6-TCPMSS/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c	2006-12-21 09:30:04.087382280 +0100
@@ -85,7 +85,7 @@
 }
 
 /*
- * Based on ipv6_skip_exthdr() in net/ipv6/exthdr.c
+ * Based on ipv6_skip_exthdr() in net/ipv6/exthdrs_core.c
  *
  * This function parses (probably truncated) exthdr set "hdr"
  * of length "len". "nexthdrp" initially points to some place,
Binary files linux-2.6.19.1/scripts/kconfig/mconf and linux-2.6.19.1-IPv6-TCPMSS/scripts/kconfig/mconf differ








Patch for iptables :







diff -Nru iptables-1.3.7/extensions/libip6t_tcpmss.c iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_tcpmss.c
--- iptables-1.3.7/extensions/libip6t_tcpmss.c	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_tcpmss.c	2006-12-21 20:26:30.619974199 +0100
@@ -0,0 +1,152 @@
+/* Shared library add-on to iptables to add tcp MSS matching support. */
+#include <stdio.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6t_tcpmss.h>
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+"tcpmss match v%s options:\n"
+"[!] --mss value[:value]	Match TCP MSS range.\n"
+"				(only valid for TCP SYN or SYN/ACK packets)\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "mss", 1, 0, '1' },
+	{0}
+};
+
+static u_int16_t
+parse_tcp_mssvalue(const char *mssvalue)
+{
+	unsigned int mssvaluenum;
+
+	if (string_to_number(mssvalue, 0, 65535, &mssvaluenum) != -1)
+		return (u_int16_t)mssvaluenum;
+
+	exit_error(PARAMETER_PROBLEM,
+		   "Invalid mss `%s' specified", mssvalue);
+}
+
+static void
+parse_tcp_mssvalues(const char *mssvaluestring,
+		    u_int16_t *mss_min, u_int16_t *mss_max)
+{
+	char *buffer;
+	char *cp;
+
+	buffer = strdup(mssvaluestring);
+	if ((cp = strchr(buffer, ':')) == NULL)
+		*mss_min = *mss_max = parse_tcp_mssvalue(buffer);
+	else {
+		*cp = '\0';
+		cp++;
+
+		*mss_min = buffer[0] ? parse_tcp_mssvalue(buffer) : 0;
+		*mss_max = cp[0] ? parse_tcp_mssvalue(cp) : 0xFFFF;
+	}
+	free(buffer);
+}
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ip6t_entry *entry,
+      unsigned int *nfcache,
+      struct ip6t_entry_match **match)
+{
+	struct ip6t_tcpmss_match_info *mssinfo =
+		(struct ip6t_tcpmss_match_info *)(*match)->data;
+
+	switch (c) {
+	case '1':
+		if (*flags)
+			exit_error(PARAMETER_PROBLEM,
+				   "Only one `--mss' allowed");
+		check_inverse(optarg, &invert, &optind, 0);
+		parse_tcp_mssvalues(argv[optind-1],
+				    &mssinfo->mss_min, &mssinfo->mss_max);
+		if (invert)
+			mssinfo->invert = 1;
+		*flags = 1;
+		break;
+	default:
+		return 0;
+	}
+	return 1;
+}
+
+static void
+print_tcpmss(u_int16_t mss_min, u_int16_t mss_max, int invert, int numeric)
+{
+	if (invert)
+		printf("! ");
+
+	if (mss_min == mss_max)
+		printf("%u ", mss_min);
+	else
+		printf("%u:%u ", mss_min, mss_max);
+}
+
+/* Final check; must have specified --mss. */
+static void
+final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+			   "tcpmss match: You must specify `--mss'");
+}
+
+/* Prints out the matchinfo. */
+static void
+print(const struct ip6t_ip6 *ip6,
+      const struct ip6t_entry_match *match,
+      int numeric)
+{
+	const struct ip6t_tcpmss_match_info *mssinfo =
+		(const struct ip6t_tcpmss_match_info *)match->data;
+
+	printf("tcpmss match ");
+	print_tcpmss(mssinfo->mss_min, mssinfo->mss_max,
+		     mssinfo->invert, numeric);
+}
+
+/* Saves the union ip6t_matchinfo in parsable form to stdout. */
+static void
+save(const struct ip6t_ip6 *ip6, const struct ip6t_entry_match *match)
+{
+	const struct ip6t_tcpmss_match_info *mssinfo =
+		(const struct ip6t_tcpmss_match_info *)match->data;
+
+	printf("--mss ");
+	print_tcpmss(mssinfo->mss_min, mssinfo->mss_max,
+		     mssinfo->invert, 0);
+}
+
+static struct ip6tables_match tcpmss = {
+	.next		= NULL,
+	.name		= "tcpmss",
+	.version	= IPTABLES_VERSION,
+	.size		= IP6T_ALIGN(sizeof(struct ip6t_tcpmss_match_info)),
+	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_tcpmss_match_info)),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_match6(&tcpmss);
+}
diff -Nru iptables-1.3.7/extensions/libip6t_TCPMSS.c iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_TCPMSS.c
--- iptables-1.3.7/extensions/libip6t_TCPMSS.c	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_TCPMSS.c	2006-12-21 20:26:30.619974199 +0100
@@ -0,0 +1,134 @@
+/* Shared library add-on to iptables to add TCPMSS target support.
+ *
+ * Copyright (c) 2000 Marc Boucher
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
+
+struct mssinfo {
+	struct ip6t_entry_target t;
+	struct ip6t_tcpmss_info mss;
+};
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+	printf(
+"TCPMSS target v%s mutually-exclusive options:\n"
+"  --set-mss value               explicitly set MSS option to specified value\n"
+"  --clamp-mss-to-pmtu           automatically clamp MSS value to (path_MTU - 60)\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+	{ "set-mss", 1, 0, '1' },
+	{ "clamp-mss-to-pmtu", 0, 0, '2' },
+	{ 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ip6t_entry_target *t, unsigned int *nfcache)
+{
+}
+
+/* Function which parses command options; returns true if it
+   ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+      const struct ip6t_entry *entry,
+      struct ip6t_entry_target **target)
+{
+	struct ip6t_tcpmss_info *mssinfo
+		= (struct ip6t_tcpmss_info *)(*target)->data;
+
+	switch (c) {
+		unsigned int mssval;
+
+	case '1':
+		if (*flags)
+			exit_error(PARAMETER_PROBLEM,
+			           "TCPMSS target: Only one option may be specified");
+		if (string_to_number(optarg, 0, 65535 - 60, &mssval) == -1)
+			exit_error(PARAMETER_PROBLEM, "Bad TCPMSS value `%s'", optarg);
+		
+		mssinfo->mss = mssval;
+		*flags = 1;
+		break;
+
+	case '2':
+		if (*flags)
+			exit_error(PARAMETER_PROBLEM,
+			           "TCPMSS target: Only one option may be specified");
+		mssinfo->mss = IP6T_TCPMSS_CLAMP_PMTU;
+		*flags = 1;
+		break;
+
+	default:
+		return 0;
+	}
+
+	return 1;
+}
+
+static void
+final_check(unsigned int flags)
+{
+	if (!flags)
+		exit_error(PARAMETER_PROBLEM,
+		           "TCPMSS target: At least one parameter is required");
+}
+
+/* Prints out the targinfo. */
+static void
+print(const struct ip6t_ip6 *ip6,
+      const struct ip6t_entry_target *target,
+      int numeric)
+{
+	const struct ip6t_tcpmss_info *mssinfo =
+		(const struct ip6t_tcpmss_info *)target->data;
+	if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
+		printf("TCPMSS clamp to PMTU ");
+	else
+		printf("TCPMSS set %u ", mssinfo->mss);
+}
+
+/* Saves the union ip6t_targinfo in parsable form to stdout. */
+static void
+save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
+{
+	const struct ip6t_tcpmss_info *mssinfo =
+		(const struct ip6t_tcpmss_info *)target->data;
+
+	if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
+		printf("--clamp-mss-to-pmtu ");
+	else
+		printf("--set-mss %u ", mssinfo->mss);
+}
+
+static struct ip6tables_target mss = {
+	.next		= NULL,
+	.name		= "TCPMSS",
+	.version	= IPTABLES_VERSION,
+	.size		= IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
+	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
+	.help		= &help,
+	.init		= &init,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
+};
+
+void _init(void)
+{
+	register_target6(&mss);
+}
diff -Nru iptables-1.3.7/extensions/libip6t_tcpmss.man iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_tcpmss.man
--- iptables-1.3.7/extensions/libip6t_tcpmss.man	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_tcpmss.man	2006-12-21 20:26:30.607973449 +0100
@@ -0,0 +1,4 @@
+This matches the TCP MSS (maximum segment size) field of the TCP header.  You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
+.TP
+.BI "[!] "--mss " "value[:value]"
+Match a given TCP MSS value or range.
diff -Nru iptables-1.3.7/extensions/libip6t_TCPMSS.man iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_TCPMSS.man
--- iptables-1.3.7/extensions/libip6t_TCPMSS.man	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.7-IPv6-TCPMSS/extensions/libip6t_TCPMSS.man	2006-12-21 20:26:30.607973449 +0100
@@ -0,0 +1,42 @@
+This target allows to alter the MSS value of TCP SYN packets, to control
+the maximum size for that connection (usually limiting it to your
+outgoing interface's MTU minus 60).  Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
+It is only valid in the
+.BR mangle
+table.
+.br
+This target is used to overcome criminally braindead ISPs or servers
+which block ICMPv6 Packet Too Big packets or are unable to send them.
+The symptoms of this problem are that everything works fine from your 
+Linux firewall/router, but machines behind it can never exchange large
+packets:
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+Web browsers connect, then hang with no data received.
+.TP
+2)
+Small mail works fine, but large emails hang.
+.TP
+3)
+ssh works fine, but scp hangs after initial handshaking.
+.RE
+.PD
+Workaround: activate this option and add a rule to your firewall
+configuration like:
+.nf
+ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+             -j TCPMSS --clamp-mss-to-pmtu
+.fi
+.TP
+.BI "--set-mss " "value"
+Explicitly set MSS option to specified value.
+.TP
+.B "--clamp-mss-to-pmtu"
+Automatically clamp MSS value to (path_MTU - 60).
+.TP
+These options are mutually exclusive.
+
diff -Nru iptables-1.3.7/extensions/Makefile iptables-1.3.7-IPv6-TCPMSS/extensions/Makefile
--- iptables-1.3.7/extensions/Makefile	2006-12-04 12:15:19.000000000 +0100
+++ iptables-1.3.7-IPv6-TCPMSS/extensions/Makefile	2006-12-21 20:26:30.071939949 +0100
@@ -6,7 +6,7 @@
 # package (HW)
 #
 PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
-PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
+PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp tcpmss CONNMARK HL LOG NFQUEUE MARK TCPMSS TRACE
 
 ifeq ($(DO_SELINUX), 1)
 PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
diff -Nru iptables-1.3.7/include/linux/netfilter_ipv6/ip6t_tcpmss.h iptables-1.3.7-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_tcpmss.h
--- iptables-1.3.7/include/linux/netfilter_ipv6/ip6t_tcpmss.h	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.7-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_tcpmss.h	2006-12-21 20:26:29.955932699 +0100
@@ -0,0 +1,9 @@
+#ifndef _IP6T_TCPMSS_MATCH_H
+#define _IP6T_TCPMSS_MATCH_H
+
+struct ip6t_tcpmss_match_info {
+    u_int16_t mss_min, mss_max;
+    u_int8_t invert;
+};
+
+#endif /*_IP6T_TCPMSS_MATCH_H*/
diff -Nru iptables-1.3.7/include/linux/netfilter_ipv6/ip6t_TCPMSS.h iptables-1.3.7-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
--- iptables-1.3.7/include/linux/netfilter_ipv6/ip6t_TCPMSS.h	1970-01-01 01:00:00.000000000 +0100
+++ iptables-1.3.7-IPv6-TCPMSS/include/linux/netfilter_ipv6/ip6t_TCPMSS.h	2006-12-21 20:26:29.955932699 +0100
@@ -0,0 +1,10 @@
+#ifndef _IP6T_TCPMSS_H
+#define _IP6T_TCPMSS_H
+
+struct ip6t_tcpmss_info {
+	u_int16_t mss;
+};
+
+#define IP6T_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /*_IP6T_TCPMSS_H*/

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Arnaud Ebalard wrote:
> Sorry for the late post. Just to say that i also _had_ to implement  
> that (2.6.19.1 and iptables 1.3.7). I was testing it before pushing
> it ;-) too late. Anyway, patch is below for reference.

Thanks, I've applied the ip6tables TCPMSS extension to SVN.

> Question : I made a specific case for AH (even if deprecated) protected
> traffic to avoid clamping of that packets.  ipv6_skip_exthdr() simply
> does not verify that and it seems there is no check against that. Can
> you take a look at find_tcp_hdr in the patch below and tell me if i'm
> wrong ? (function is based on ipv6_find_hdr(), ipv6_prepare(),
> nf_ct_ipv6_skip_exthdr() and ipv6_skip_exthdr() code).

Mhh .. that makes sense, but I tend to prefer to let users take care
of that using their ruleset.

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Arnaud Ebalard]

On 16 Jan 2007, Patrick McHardy wrote:
> > Question : I made a specific case for AH (even if deprecated) protected
> > traffic to avoid clamping of that packets.  ipv6_skip_exthdr() simply
> > does not verify that and it seems there is no check against that. Can
> > you take a look at find_tcp_hdr in the patch below and tell me if i'm
> > wrong ? (function is based on ipv6_find_hdr(), ipv6_prepare(),
> > nf_ct_ipv6_skip_exthdr() and ipv6_skip_exthdr() code).
> 
> Mhh .. that makes sense, but I tend to prefer to let users take care
> of that using their ruleset.

ok but:

  o They should at least be aware of that unexpected behavior because  
this will break AH protected TCP-connections in the _default_ case

  o mangling of such packet is equivalent to a drop for them, except  
that it will be a mess to debug at the other side (packet will flow,  
but will be invalid)

anyway, who uses AH ? ;)

a+

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Yasuyuki KOZAKAI]

Hi, Patrick,

From: Patrick McHardy <kaber@trash.net>
Date: Mon, 15 Jan 2007 19:42:49 +0100

> David Madore wrote:
> > Implement TCPMSS target for IPv6 by shamelessly copying from
> > Marc Boucher's IPv4 implementation.
> 
> 
> This is an x_tables port of the TCPMSS target. Care to give it a try?
> I believe Yasuyuki is currently working on proper x_tables support
> for userspace, but that might still take a while, so If you send me
> your userspace port I'll add it to SVN for the time being.

Have you already completed removing unmaintained extensions for iptables ?
If so, I'll rebase my tree and send patches.

-- Yasuyuki Kozakai

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Mon, 15 Jan 2007 19:42:49 +0100
> 
>>This is an x_tables port of the TCPMSS target. Care to give it a try?
>>I believe Yasuyuki is currently working on proper x_tables support
>>for userspace, but that might still take a while, so If you send me
>>your userspace port I'll add it to SVN for the time being.
> 
> 
> Have you already completed removing unmaintained extensions for iptables ?
> If so, I'll rebase my tree and send patches.

Yes, I removed all of them (I think).

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Rémi Denis-Courmont]

[-- Attachment #1: Type: text/plain, Size: 367 bytes --]

Le dimanche 14 janvier 2007 21:20, David Madore a écrit :
> Implement TCPMSS target for IPv6 by shamelessly copying from
> Marc Boucher's IPv4 implementation.

Most of the code seems to be TCP- rather IPvXY- specific. Would it not 
make more sense to just write a xt_TCPMSS implementation to rule them 
all?

-- 
Rémi Denis-Courmont
http://www.remlab.net/

[-- Attachment #2: Type: application/pgp-signature, Size: 197 bytes --]

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Rémi Denis-Courmont wrote:
> Le dimanche 14 janvier 2007 21:20, David Madore a écrit :
> 
>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>Marc Boucher's IPv4 implementation.
> 
> 
> Most of the code seems to be TCP- rather IPvXY- specific. Would it not 
> make more sense to just write a xt_TCPMSS implementation to rule them 
> all?

Thats what I did, its in the current -git tree.