[patch */3] some xtables changes

[patch */3] some xtables changes

[Jan Engelhardt]

Hi,


the following three patches are a rebase to 2.6.20-rc6 for the archived 
patches/messages
https://lists.netfilter.org/pipermail/netfilter-devel/2007-January/026669.html
026670.html and 026671.html.

	-`J'
-- 

[patch 1/3] Fix return values for LOG and ULOG

[Jan Engelhardt]

[PATCH 1/3] Fix return values for LOG and ULOG

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17

Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_LOG.c
@@ -471,8 +471,9 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ipt_register_target(&ipt_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET\n");
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ULOG.c
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
 
 static int __init ipt_ulog_init(void)
 {
-	int i;
+	int ret, i;
 
 	DEBUGP("ipt_ULOG: init module\n");
 
@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if ((ret = ipt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
-		return -EINVAL;
+		return ret;
 	}
 	if (nflog)
 		nf_log_register(PF_INET, &ipt_ulog_logger);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_LOG.c
@@ -482,8 +482,9 @@ static struct nf_logger ip6t_logger = {
 
 static int __init ip6t_log_init(void)
 {
-	if (ip6t_register_target(&ip6t_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ip6t_register_target(&ip6t_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET6\n");

Re: [patch 1/3] Fix return values for LOG and ULOG

[Patrick McHardy]

Jan Engelhardt wrote:
> [PATCH 1/3] Fix return values for LOG and ULOG
> 
> Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17
> 
> Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_LOG.c
> ===================================================================
> --- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_LOG.c
> +++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_LOG.c
> @@ -471,8 +471,9 @@ static struct nf_logger ipt_log_logger =
>  
>  static int __init ipt_log_init(void)
>  {
> -	if (ipt_register_target(&ipt_log_reg))
> -		return -EINVAL;
> +	int ret;
> +	if ((ret = ipt_register_target(&ipt_log_reg)) < 0)
> +		return ret;

I've changed this to

ret = ...
if (ret < 0)
	...

since this is the prefered style. Thanks Jan.

[patch 2/3] some xtables changes (xt_match,xt_target)

[Jan Engelhardt]

[PATCH 2/3] XT: xt_match and xt_target

BTW, ip_nat_rule.c <-> nf_nat_rule.c seems to be an almost identical
copy. Schedule one for removal?

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17

Index: linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- linux-2.6.20-rc6.orig/include/linux/netfilter_ipv4/ip_tables.h
+++ linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
@@ -29,8 +29,6 @@
 
 #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ipt_match xt_match
-#define ipt_target xt_target
 #define ipt_table xt_table
 #define ipt_get_revision xt_get_revision
 
@@ -272,16 +270,6 @@ ipt_get_target(struct ipt_entry *e)
 #include <linux/init.h>
 extern void ipt_init(void) __init;
 
-#define ipt_register_target(tgt) 	\
-({	(tgt)->family = AF_INET;	\
- 	xt_register_target(tgt); })
-#define ipt_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ipt_register_match(mtch) 	\
-({	(mtch)->family = AF_INET;	\
-	xt_register_match(mtch); })
-#define ipt_unregister_match(mtch) xt_unregister_match(mtch)
-
 //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
 //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
 
@@ -290,7 +278,7 @@ extern int ipt_register_table(struct ipt
 extern void ipt_unregister_table(struct ipt_table *table);
 
 /* net/sched/ipt.c: Gimme access to your targets!  Gets target->me. */
-extern struct ipt_target *ipt_find_target(const char *name, u8 revision);
+extern struct xt_target *ipt_find_target(const char *name, u8 revision);
 
 /* Standard entry. */
 struct ipt_standard
Index: linux-2.6.20-rc6/include/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- linux-2.6.20-rc6.orig/include/linux/netfilter_ipv6/ip6_tables.h
+++ linux-2.6.20-rc6/include/linux/netfilter_ipv6/ip6_tables.h
@@ -29,9 +29,6 @@
 
 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-
-#define ip6t_match xt_match
-#define ip6t_target xt_target
 #define ip6t_table xt_table
 #define ip6t_get_revision xt_get_revision
 
@@ -286,16 +283,6 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
-#define ip6t_register_target(tgt) 		\
-({	(tgt)->family = AF_INET6;		\
- 	xt_register_target(tgt); })
-#define ip6t_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ip6t_register_match(match)		\
-({	(match)->family = AF_INET6;		\
-	xt_register_match(match); })
-#define ip6t_unregister_match(match) xt_unregister_match(match)
-
 extern int ip6t_register_table(struct ip6t_table *table,
 			       const struct ip6t_replace *repl);
 extern void ip6t_unregister_table(struct ip6t_table *table);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ip_nat_rule.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ip_nat_rule.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ip_nat_rule.c
@@ -99,7 +99,7 @@ static unsigned int ipt_snat_target(stru
 				    const struct net_device *in,
 				    const struct net_device *out,
 				    unsigned int hooknum,
-				    const struct ipt_target *target,
+				    const struct xt_target *target,
 				    const void *targinfo)
 {
 	struct ip_conntrack *ct;
@@ -141,7 +141,7 @@ static unsigned int ipt_dnat_target(stru
 				    const struct net_device *in,
 				    const struct net_device *out,
 				    unsigned int hooknum,
-				    const struct ipt_target *target,
+				    const struct xt_target *target,
 				    const void *targinfo)
 {
 	struct ip_conntrack *ct;
@@ -166,7 +166,7 @@ static unsigned int ipt_dnat_target(stru
 
 static int ipt_snat_checkentry(const char *tablename,
 			       const void *entry,
-			       const struct ipt_target *target,
+			       const struct xt_target *target,
 			       void *targinfo,
 			       unsigned int hook_mask)
 {
@@ -182,7 +182,7 @@ static int ipt_snat_checkentry(const cha
 
 static int ipt_dnat_checkentry(const char *tablename,
 			       const void *entry,
-			       const struct ipt_target *target,
+			       const struct xt_target *target,
 			       void *targinfo,
 			       unsigned int hook_mask)
 {
@@ -257,8 +257,9 @@ int ip_nat_rule_find(struct sk_buff **ps
 	return ret;
 }
 
-static struct ipt_target ipt_snat_reg = {
+static struct xt_target ipt_snat_reg = {
 	.name		= "SNAT",
+	.family		= AF_INET,
 	.target		= ipt_snat_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -266,8 +267,9 @@ static struct ipt_target ipt_snat_reg = 
 	.checkentry	= ipt_snat_checkentry,
 };
 
-static struct ipt_target ipt_dnat_reg = {
+static struct xt_target ipt_dnat_reg = {
 	.name		= "DNAT",
+	.family		= AF_INET,
 	.target		= ipt_dnat_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -282,27 +284,27 @@ int __init ip_nat_rule_init(void)
 	ret = ipt_register_table(&nat_table, &nat_initial_table.repl);
 	if (ret != 0)
 		return ret;
-	ret = ipt_register_target(&ipt_snat_reg);
+	ret = xt_register_target(&ipt_snat_reg);
 	if (ret != 0)
 		goto unregister_table;
 
-	ret = ipt_register_target(&ipt_dnat_reg);
+	ret = xt_register_target(&ipt_dnat_reg);
 	if (ret != 0)
 		goto unregister_snat;
 
 	return ret;
 
  unregister_snat:
-	ipt_unregister_target(&ipt_snat_reg);
+	xt_unregister_target(&ipt_snat_reg);
  unregister_table:
-	ipt_unregister_table(&nat_table);
+	xt_unregister_table(&nat_table);
 
 	return ret;
 }
 
 void ip_nat_rule_cleanup(void)
 {
-	ipt_unregister_target(&ipt_dnat_reg);
-	ipt_unregister_target(&ipt_snat_reg);
+	xt_unregister_target(&ipt_dnat_reg);
+	xt_unregister_target(&ipt_snat_reg);
 	ipt_unregister_table(&nat_table);
 }
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ip_tables.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ip_tables.c
@@ -507,7 +507,7 @@ check_entry(struct ipt_entry *e, const c
 static inline int check_match(struct ipt_entry_match *m, const char *name,
 				const struct ipt_ip *ip, unsigned int hookmask)
 {
-	struct ipt_match *match;
+	struct xt_match *match;
 	int ret;
 
 	match = m->u.kernel.match;
@@ -531,7 +531,7 @@ find_check_match(struct ipt_entry_match 
 	    unsigned int hookmask,
 	    unsigned int *i)
 {
-	struct ipt_match *match;
+	struct xt_match *match;
 	int ret;
 
 	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
@@ -557,7 +557,7 @@ err:
 static inline int check_target(struct ipt_entry *e, const char *name)
 {
  	struct ipt_entry_target *t;
- 	struct ipt_target *target;
+ 	struct xt_target *target;
  	int ret;
 
 	t = ipt_get_target(e);
@@ -580,7 +580,7 @@ find_check_entry(struct ipt_entry *e, co
 	    unsigned int *i)
 {
 	struct ipt_entry_target *t;
-	struct ipt_target *target;
+	struct xt_target *target;
 	int ret;
 	unsigned int j;
 
@@ -1437,7 +1437,7 @@ compat_check_calc_match(struct ipt_entry
 	    unsigned int hookmask,
 	    int *size, int *i)
 {
-	struct ipt_match *match;
+	struct xt_match *match;
 
 	match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
 						   m->u.user.revision),
@@ -1466,7 +1466,7 @@ check_compat_entry_size_and_hooks(struct
 			   const char *name)
 {
 	struct ipt_entry_target *t;
-	struct ipt_target *target;
+	struct xt_target *target;
 	unsigned int entry_offset;
 	int ret, off, h, j;
 
@@ -1550,7 +1550,7 @@ static int compat_copy_entry_from_user(s
 	struct xt_table_info *newinfo, unsigned char *base)
 {
 	struct ipt_entry_target *t;
-	struct ipt_target *target;
+	struct xt_target *target;
 	struct ipt_entry *de;
 	unsigned int origsize;
 	int ret, h;
@@ -2124,7 +2124,7 @@ icmp_checkentry(const char *tablename,
 }
 
 /* The built-in targets: standard (NULL) and error. */
-static struct ipt_target ipt_standard_target = {
+static struct xt_target ipt_standard_target = {
 	.name		= IPT_STANDARD_TARGET,
 	.targetsize	= sizeof(int),
 	.family		= AF_INET,
@@ -2135,7 +2135,7 @@ static struct ipt_target ipt_standard_ta
 #endif
 };
 
-static struct ipt_target ipt_error_target = {
+static struct xt_target ipt_error_target = {
 	.name		= IPT_ERROR_TARGET,
 	.target		= ipt_error,
 	.targetsize	= IPT_FUNCTION_MAXNAMELEN,
@@ -2158,7 +2158,7 @@ static struct nf_sockopt_ops ipt_sockopt
 #endif
 };
 
-static struct ipt_match icmp_matchstruct = {
+static struct xt_match icmp_matchstruct = {
 	.name		= "icmp",
 	.match		= icmp_match,
 	.matchsize	= sizeof(struct ipt_icmp),
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ECN.c
@@ -9,12 +9,14 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_LOG.c
@@ -20,7 +20,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -472,7 +473,7 @@ static struct nf_logger ipt_log_logger =
 static int __init ipt_log_init(void)
 {
 	int ret;
-	if ((ret = ipt_register_target(&ipt_log_reg)) < 0)
+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
 		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
@@ -487,7 +488,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -190,8 +190,9 @@ static struct notifier_block masq_inet_n
 	.notifier_call	= masq_inet_event,
 };
 
-static struct ipt_target masquerade = {
+static struct xt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -88,8 +89,9 @@ target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target target_module = { 
+static struct xt_target target_module = {
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -104,8 +105,9 @@ redirect_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target redirect_reg = {
+static struct xt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_TCPMSS.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_TCPMSS.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_TCPMSS.c
@@ -14,6 +14,7 @@
 #include <linux/ip.h>
 #include <net/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_TCPMSS.h>
 
@@ -74,7 +75,7 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 				printk(KERN_ERR "ipt_tcpmss_target: "
 				       "unknown or invalid path-MTU (%d)\n",
 				       dst_mtu((*pskb)->dst));
-			return NF_DROP; /* or IPT_CONTINUE ?? */
+			return NF_DROP; /* or XT_CONTINUE ?? */
 		}
 
 		newmss = dst_mtu((*pskb)->dst) - sizeof(struct iphdr) -
@@ -92,14 +93,14 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 
 			if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU &&
 			    oldmss <= newmss)
-				return IPT_CONTINUE;
+				return XT_CONTINUE;
 
 			opt[i+2] = (newmss & 0xff00) >> 8;
 			opt[i+3] = (newmss & 0x00ff);
 
 			nf_proto_csum_replace2(&tcph->check, *pskb,
 						htons(oldmss), htons(newmss), 0);
-			return IPT_CONTINUE;
+			return XT_CONTINUE;
 		}
 	}
 
@@ -141,7 +142,7 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 	newtotlen = htons(ntohs(iph->tot_len) + TCPOLEN_MSS);
 	nf_csum_replace2(&iph->check, iph->tot_len, newtotlen);
 	iph->tot_len = newtotlen;
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 #define TH_SYN 0x02
@@ -184,8 +185,9 @@ ipt_tcpmss_checkentry(const char *tablen
 	return 0;
 }
 
-static struct ipt_target ipt_tcpmss_reg = {
+static struct xt_target ipt_tcpmss_reg = {
 	.name		= "TCPMSS",
+	.family		= AF_INET,
 	.target		= ipt_tcpmss_target,
 	.targetsize	= sizeof(struct ipt_tcpmss_info),
 	.proto		= IPPROTO_TCP,
@@ -195,12 +197,12 @@ static struct ipt_target ipt_tcpmss_reg 
 
 static int __init ipt_tcpmss_init(void)
 {
-	return ipt_register_target(&ipt_tcpmss_reg);
+	return xt_register_target(&ipt_tcpmss_reg);
 }
 
 static void __exit ipt_tcpmss_fini(void)
 {
-	ipt_unregister_target(&ipt_tcpmss_reg);
+	xt_unregister_target(&ipt_tcpmss_reg);
 }
 
 module_init(ipt_tcpmss_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_TOS.c
@@ -13,7 +13,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_TTL.c
@@ -12,7 +12,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,7 +57,7 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if ((ret = ipt_register_target(&ipt_ulog_reg)) != 0) {
+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
 		return ret;
 	}
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,7 +16,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ah.c
@@ -6,12 +6,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ecn.c
@@ -9,10 +9,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
@@ -109,8 +112,9 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +123,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_iprange.c
@@ -10,7 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_owner.c
@@ -15,7 +15,7 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,7 +25,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_tos.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("iptables TOS match module");
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ipt_ttl.c
@@ -9,11 +9,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("IP tables TTL matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/nf_nat_rule.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/nf_nat_rule.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/nf_nat_rule.c
@@ -290,7 +290,7 @@ int nf_nat_rule_find(struct sk_buff **ps
 	return ret;
 }
 
-static struct ipt_target ipt_snat_reg = {
+static struct xt_target ipt_snat_reg = {
 	.name		= "SNAT",
 	.target		= ipt_snat_target,
 	.targetsize	= sizeof(struct nf_nat_multi_range_compat),
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6_tables.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6_tables.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6_tables.c
@@ -530,7 +530,7 @@ check_match(struct ip6t_entry_match *m,
 	    unsigned int hookmask,
 	    unsigned int *i)
 {
-	struct ip6t_match *match;
+	struct xt_match *match;
 	int ret;
 
 	match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
@@ -564,14 +564,14 @@ err:
 	return ret;
 }
 
-static struct ip6t_target ip6t_standard_target;
+static struct xt_target ip6t_standard_target;
 
 static inline int
 check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
 	    unsigned int *i)
 {
 	struct ip6t_entry_target *t;
-	struct ip6t_target *target;
+	struct xt_target *target;
 	int ret;
 	unsigned int j;
 
@@ -1348,13 +1348,13 @@ icmp6_checkentry(const char *tablename,
 }
 
 /* The built-in targets: standard (NULL) and error. */
-static struct ip6t_target ip6t_standard_target = {
+static struct xt_target ip6t_standard_target = {
 	.name		= IP6T_STANDARD_TARGET,
 	.targetsize	= sizeof(int),
 	.family		= AF_INET6,
 };
 
-static struct ip6t_target ip6t_error_target = {
+static struct xt_target ip6t_error_target = {
 	.name		= IP6T_ERROR_TARGET,
 	.target		= ip6t_error,
 	.targetsize	= IP6T_FUNCTION_MAXNAMELEN,
@@ -1371,7 +1371,7 @@ static struct nf_sockopt_ops ip6t_sockop
 	.get		= do_ip6t_get_ctl,
 };
 
-static struct ip6t_match icmp6_matchstruct = {
+static struct xt_match icmp6_matchstruct = {
 	.name		= "icmp6",
 	.match		= &icmp6_match,
 	.matchsize	= sizeof(struct ip6t_icmp),
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_HL.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_HL.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_HL.c
@@ -9,12 +9,13 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6t_HL.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP tables Hop Limit modification module");
+MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
 MODULE_LICENSE("GPL");
 
 static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
@@ -55,7 +56,7 @@ static unsigned int ip6t_hl_target(struc
 	if (new_hl != ip6h->hop_limit)
 		ip6h->hop_limit = new_hl;
 
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ip6t_hl_checkentry(const char *tablename,
@@ -79,8 +80,9 @@ static int ip6t_hl_checkentry(const char
 	return 1;
 }
 
-static struct ip6t_target ip6t_HL = { 
+static struct xt_target ip6t_HL = {
 	.name 		= "HL", 
+	.family		= AF_INET6,
 	.target		= ip6t_hl_target, 
 	.targetsize	= sizeof(struct ip6t_HL_info),
 	.table		= "mangle",
@@ -90,12 +92,12 @@ static struct ip6t_target ip6t_HL = { 
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_target(&ip6t_HL);
+	return xt_register_target(&ip6t_HL);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_target(&ip6t_HL);
+	xt_unregister_target(&ip6t_HL);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_LOG.c
@@ -21,6 +21,7 @@
 #include <net/tcp.h>
 #include <net/ipv6.h>
 #include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
@@ -442,7 +443,7 @@ ip6t_log_target(struct sk_buff **pskb,
 
 	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
 	                loginfo->prefix);
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 
@@ -466,8 +467,9 @@ static int ip6t_log_checkentry(const cha
 	return 1;
 }
 
-static struct ip6t_target ip6t_log_reg = {
+static struct xt_target ip6t_log_reg = {
 	.name 		= "LOG",
+	.family		= AF_INET6,
 	.target 	= ip6t_log_target, 
 	.targetsize	= sizeof(struct ip6t_log_info),
 	.checkentry	= ip6t_log_checkentry, 
@@ -483,7 +485,7 @@ static struct nf_logger ip6t_logger = {
 static int __init ip6t_log_init(void)
 {
 	int ret;
-	if ((ret = ip6t_register_target(&ip6t_log_reg)) < 0)
+	if ((ret = xt_register_target(&ip6t_log_reg)) < 0)
 		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
@@ -498,7 +500,7 @@ static int __init ip6t_log_init(void)
 static void __exit ip6t_log_fini(void)
 {
 	nf_log_unregister_logger(&ip6t_logger);
-	ip6t_unregister_target(&ip6t_log_reg);
+	xt_unregister_target(&ip6t_log_reg);
 }
 
 module_init(ip6t_log_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_REJECT.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_REJECT.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_REJECT.c
@@ -26,6 +26,7 @@
 #include <net/ip6_fib.h>
 #include <net/ip6_route.h>
 #include <net/flow.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_REJECT.h>
 
@@ -234,7 +235,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IP6T_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ipv6.proto != IPPROTO_TCP
-		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
+		    || (e->ipv6.invflags & XT_INV_PROTO)) {
 			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
 			return 0;
 		}
@@ -242,8 +243,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_target ip6t_reject_reg = {
+static struct xt_target ip6t_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET6,
 	.target		= reject6_target,
 	.targetsize	= sizeof(struct ip6t_reject_info),
 	.table		= "filter",
@@ -255,12 +257,12 @@ static struct ip6t_target ip6t_reject_re
 
 static int __init ip6t_reject_init(void)
 {
-	return ip6t_register_target(&ip6t_reject_reg);
+	return xt_register_target(&ip6t_reject_reg);
 }
 
 static void __exit ip6t_reject_fini(void)
 {
-	ip6t_unregister_target(&ip6t_reject_reg);
+	xt_unregister_target(&ip6t_reject_reg);
 }
 
 module_init(ip6t_reject_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_ah.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_ah.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_ah.c
@@ -15,6 +15,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ah.h>
 
@@ -118,8 +119,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_ah),
 	.checkentry	= checkentry,
@@ -128,12 +130,12 @@ static struct ip6t_match ah_match = {
 
 static int __init ip6t_ah_init(void)
 {
-	return ip6t_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ip6t_ah_fini(void)
 {
-	ip6t_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ip6t_ah_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_eui64.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_eui64.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_eui64.c
@@ -12,6 +12,7 @@
 #include <linux/ipv6.h>
 #include <linux/if_ether.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
@@ -61,8 +62,9 @@ match(const struct sk_buff *skb,
 	return 0;
 }
 
-static struct ip6t_match eui64_match = {
+static struct xt_match eui64_match = {
 	.name		= "eui64",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(int),
 	.hooks		= (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
@@ -72,12 +74,12 @@ static struct ip6t_match eui64_match = {
 
 static int __init ip6t_eui64_init(void)
 {
-	return ip6t_register_match(&eui64_match);
+	return xt_register_match(&eui64_match);
 }
 
 static void __exit ip6t_eui64_fini(void)
 {
-	ip6t_unregister_match(&eui64_match);
+	xt_unregister_match(&eui64_match);
 }
 
 module_init(ip6t_eui64_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_frag.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_frag.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_frag.c
@@ -14,6 +14,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_frag.h>
 
@@ -135,8 +136,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match frag_match = {
+static struct xt_match frag_match = {
 	.name		= "frag",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_frag),
 	.checkentry	= checkentry,
@@ -145,12 +147,12 @@ static struct ip6t_match frag_match = {
 
 static int __init ip6t_frag_init(void)
 {
-	return ip6t_register_match(&frag_match);
+	return xt_register_match(&frag_match);
 }
 
 static void __exit ip6t_frag_fini(void)
 {
-	ip6t_unregister_match(&frag_match);
+	xt_unregister_match(&frag_match);
 }
 
 module_init(ip6t_frag_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_hbh.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_hbh.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_hbh.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_opts.h>
 
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_hl.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_hl.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_hl.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ipv6.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv6/ip6t_hl.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
 MODULE_DESCRIPTION("IP tables Hop Limit matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ip6t_match hl_match = {
+static struct xt_match hl_match = {
 	.name		= "hl",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_hl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ip6t_match hl_match = {
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_match(&hl_match);
+	return xt_register_match(&hl_match);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_match(&hl_match);
-
+	xt_unregister_match(&hl_match);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_ipv6header.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_ipv6header.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -18,6 +18,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
 
@@ -140,8 +141,9 @@ ipv6header_checkentry(const char *tablen
 	return 1;
 }
 
-static struct ip6t_match ip6t_ipv6header_match = {
+static struct xt_match ip6t_ipv6header_match = {
 	.name		= "ipv6header",
+	.family		= AF_INET6,
 	.match		= &ipv6header_match,
 	.matchsize	= sizeof(struct ip6t_ipv6header_info),
 	.checkentry	= &ipv6header_checkentry,
@@ -151,12 +153,12 @@ static struct ip6t_match ip6t_ipv6header
 
 static int __init ipv6header_init(void)
 {
-	return ip6t_register_match(&ip6t_ipv6header_match);
+	return xt_register_match(&ip6t_ipv6header_match);
 }
 
 static void __exit ipv6header_exit(void)
 {
-	ip6t_unregister_match(&ip6t_ipv6header_match);
+	xt_unregister_match(&ip6t_ipv6header_match);
 }
 
 module_init(ipv6header_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_owner.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_owner.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_owner.c
@@ -16,6 +16,7 @@
 
 #include <linux/netfilter_ipv6/ip6t_owner.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
 MODULE_DESCRIPTION("IP6 tables owner matching module");
@@ -69,8 +70,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_owner_info),
 	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
@@ -80,12 +82,12 @@ static struct ip6t_match owner_match = {
 
 static int __init ip6t_owner_init(void)
 {
-	return ip6t_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ip6t_owner_fini(void)
 {
-	ip6t_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ip6t_owner_init);
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_rt.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6t_rt.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6t_rt.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_rt.h>
 
@@ -221,8 +222,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match rt_match = {
+static struct xt_match rt_match = {
 	.name		= "rt",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_rt),
 	.checkentry	= checkentry,
@@ -231,12 +233,12 @@ static struct ip6t_match rt_match = {
 
 static int __init ip6t_rt_init(void)
 {
-	return ip6t_register_match(&rt_match);
+	return xt_register_match(&rt_match);
 }
 
 static void __exit ip6t_rt_fini(void)
 {
-	ip6t_unregister_match(&rt_match);
+	xt_unregister_match(&rt_match);
 }
 
 module_init(ip6t_rt_init);

Re: [patch 2/3] some xtables changes (xt_match,xt_target)

[Patrick McHardy]

Jan Engelhardt wrote:
> [PATCH 2/3] XT: xt_match and xt_target
> 
> BTW, ip_nat_rule.c <-> nf_nat_rule.c seems to be an almost identical
> copy. Schedule one for removal?
> 
> Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17
> 
> Index: linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
> ===================================================================
> --- linux-2.6.20-rc6.orig/include/linux/netfilter_ipv4/ip_tables.h
> +++ linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
> @@ -29,8 +29,6 @@
>  
>  #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
>  #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
> -#define ipt_match xt_match
> -#define ipt_target xt_target
>  #define ipt_table xt_table
>  #define ipt_get_revision xt_get_revision

Applied, but I removed this part since its needed for userspace compilation.

[patch 3/3] some xtables changes (xt_table)

[Jan Engelhardt]

[PATCH 3/3] XT: xt_table

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17

Index: linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- linux-2.6.20-rc6.orig/include/linux/netfilter_ipv4/ip_tables.h
+++ linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
@@ -29,7 +29,6 @@
 
 #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ipt_table xt_table
 #define ipt_get_revision xt_get_revision
 
 /* Yes, Virginia, you have to zero the padding. */
@@ -273,9 +272,9 @@ extern void ipt_init(void) __init;
 //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
 //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
 
-extern int ipt_register_table(struct ipt_table *table,
+extern int ipt_register_table(struct xt_table *table,
 			      const struct ipt_replace *repl);
-extern void ipt_unregister_table(struct ipt_table *table);
+extern void ipt_unregister_table(struct xt_table *table);
 
 /* net/sched/ipt.c: Gimme access to your targets!  Gets target->me. */
 extern struct xt_target *ipt_find_target(const char *name, u8 revision);
@@ -303,7 +302,7 @@ extern unsigned int ipt_do_table(struct 
 				 unsigned int hook,
 				 const struct net_device *in,
 				 const struct net_device *out,
-				 struct ipt_table *table);
+				 struct xt_table *table);
 
 #define IPT_ALIGN(s) XT_ALIGN(s)
 
Index: linux-2.6.20-rc6/include/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- linux-2.6.20-rc6.orig/include/linux/netfilter_ipv6/ip6_tables.h
+++ linux-2.6.20-rc6/include/linux/netfilter_ipv6/ip6_tables.h
@@ -29,7 +29,6 @@
 
 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ip6t_table xt_table
 #define ip6t_get_revision xt_get_revision
 
 /* Yes, Virginia, you have to zero the padding. */
@@ -283,14 +282,14 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
-extern int ip6t_register_table(struct ip6t_table *table,
+extern int ip6t_register_table(struct xt_table *table,
 			       const struct ip6t_replace *repl);
-extern void ip6t_unregister_table(struct ip6t_table *table);
+extern void ip6t_unregister_table(struct xt_table *table);
 extern unsigned int ip6t_do_table(struct sk_buff **pskb,
 				  unsigned int hook,
 				  const struct net_device *in,
 				  const struct net_device *out,
-				  struct ip6t_table *table);
+				  struct xt_table *table);
 
 /* Check for an extension */
 extern int ip6t_ext_hdr(u8 nexthdr);
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ip_nat_rule.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ip_nat_rule.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ip_nat_rule.c
@@ -86,7 +86,7 @@ static struct
     }
 };
 
-static struct ipt_table nat_table = {
+static struct xt_table nat_table = {
 	.name		= "nat",
 	.valid_hooks	= NAT_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc6/net/ipv4/netfilter/ip_tables.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/ip_tables.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/ip_tables.c
@@ -216,7 +216,7 @@ ipt_do_table(struct sk_buff **pskb,
 	     unsigned int hook,
 	     const struct net_device *in,
 	     const struct net_device *out,
-	     struct ipt_table *table)
+	     struct xt_table *table)
 {
 	static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
 	u_int16_t offset;
@@ -818,7 +818,7 @@ get_counters(const struct xt_table_info 
 	}
 }
 
-static inline struct xt_counters * alloc_counters(struct ipt_table *table)
+static inline struct xt_counters * alloc_counters(struct xt_table *table)
 {
 	unsigned int countersize;
 	struct xt_counters *counters;
@@ -843,7 +843,7 @@ static inline struct xt_counters * alloc
 
 static int
 copy_entries_to_user(unsigned int total_size,
-		     struct ipt_table *table,
+		     struct xt_table *table,
 		     void __user *userptr)
 {
 	unsigned int off, num;
@@ -1046,7 +1046,7 @@ static int compat_table_info(struct xt_t
 static int get_info(void __user *user, int *len, int compat)
 {
 	char name[IPT_TABLE_MAXNAMELEN];
-	struct ipt_table *t;
+	struct xt_table *t;
 	int ret;
 
 	if (*len != sizeof(struct ipt_getinfo)) {
@@ -1107,7 +1107,7 @@ get_entries(struct ipt_get_entries __use
 {
 	int ret;
 	struct ipt_get_entries get;
-	struct ipt_table *t;
+	struct xt_table *t;
 
 	if (*len < sizeof(get)) {
 		duprintf("get_entries: %u < %d\n", *len,
@@ -1151,7 +1151,7 @@ __do_replace(const char *name, unsigned 
 		void __user *counters_ptr)
 {
 	int ret;
-	struct ipt_table *t;
+	struct xt_table *t;
 	struct xt_table_info *oldinfo;
 	struct xt_counters *counters;
 	void *loc_cpu_old_entry;
@@ -1302,7 +1302,7 @@ do_add_counters(void __user *user, unsig
 	char *name;
 	int size;
 	void *ptmp;
-	struct ipt_table *t;
+	struct xt_table *t;
 	struct xt_table_info *private;
 	int ret = 0;
 	void *loc_cpu_entry;
@@ -1795,7 +1795,7 @@ struct compat_ipt_get_entries
 };
 
 static int compat_copy_entries_to_user(unsigned int total_size,
-		     struct ipt_table *table, void __user *userptr)
+		     struct xt_table *table, void __user *userptr)
 {
 	unsigned int off, num;
 	struct compat_ipt_entry e;
@@ -1869,7 +1869,7 @@ compat_get_entries(struct compat_ipt_get
 {
 	int ret;
 	struct compat_ipt_get_entries get;
-	struct ipt_table *t;
+	struct xt_table *t;
 
 
 	if (*len < sizeof(get)) {
@@ -2052,7 +2052,7 @@ int ipt_register_table(struct xt_table *
 	return 0;
 }
 
-void ipt_unregister_table(struct ipt_table *table)
+void ipt_unregister_table(struct xt_table *table)
 {
 	struct xt_table_info *private;
 	void *loc_cpu_entry;
Index: linux-2.6.20-rc6/net/ipv4/netfilter/iptable_filter.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/iptable_filter.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/iptable_filter.c
@@ -74,7 +74,7 @@ static struct
     }
 };
 
-static struct ipt_table packet_filter = {
+static struct xt_table packet_filter = {
 	.name		= "filter",
 	.valid_hooks	= FILTER_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc6/net/ipv4/netfilter/iptable_mangle.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/iptable_mangle.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/iptable_mangle.c
@@ -103,7 +103,7 @@ static struct
     }
 };
 
-static struct ipt_table packet_mangler = {
+static struct xt_table packet_mangler = {
 	.name		= "mangle",
 	.valid_hooks	= MANGLE_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc6/net/ipv4/netfilter/iptable_raw.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/iptable_raw.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/iptable_raw.c
@@ -79,7 +79,7 @@ static struct
 	}
 };
 
-static struct ipt_table packet_raw = { 
+static struct xt_table packet_raw = {
 	.name = "raw", 
 	.valid_hooks =  RAW_VALID_HOOKS, 
 	.lock = RW_LOCK_UNLOCKED, 
Index: linux-2.6.20-rc6/net/ipv4/netfilter/nf_nat_rule.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv4/netfilter/nf_nat_rule.c
+++ linux-2.6.20-rc6/net/ipv4/netfilter/nf_nat_rule.c
@@ -119,7 +119,7 @@ static struct
 	}
 };
 
-static struct ipt_table nat_table = {
+static struct xt_table nat_table = {
 	.name		= "nat",
 	.valid_hooks	= NAT_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6table_filter.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6table_filter.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6table_filter.c
@@ -92,7 +92,7 @@ static struct
     }
 };
 
-static struct ip6t_table packet_filter = {
+static struct xt_table packet_filter = {
 	.name		= "filter",
 	.valid_hooks	= FILTER_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc6/net/ipv6/netfilter/ip6table_mangle.c
===================================================================
--- linux-2.6.20-rc6.orig/net/ipv6/netfilter/ip6table_mangle.c
+++ linux-2.6.20-rc6/net/ipv6/netfilter/ip6table_mangle.c
@@ -122,7 +122,7 @@ static struct
     }
 };
 
-static struct ip6t_table packet_mangler = {
+static struct xt_table packet_mangler = {
 	.name		= "mangle",
 	.valid_hooks	= MANGLE_VALID_HOOKS,
 	.lock		= RW_LOCK_UNLOCKED,
Index: linux-2.6.20-rc6/net/sched/act_ipt.c
===================================================================
--- linux-2.6.20-rc6.orig/net/sched/act_ipt.c
+++ linux-2.6.20-rc6/net/sched/act_ipt.c
@@ -52,7 +52,7 @@ static struct tcf_hashinfo ipt_hash_info
 
 static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int hook)
 {
-	struct ipt_target *target;
+	struct xt_target *target;
 	int ret = 0;
 
 	target = xt_find_target(AF_INET, t->u.user.name, t->u.user.revision);

Re: [patch 3/3] some xtables changes (xt_table)

[Patrick McHardy]

Jan Engelhardt wrote:
> [PATCH 3/3] XT: xt_table
> 
> Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17
> 
> Index: linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
> ===================================================================
> --- linux-2.6.20-rc6.orig/include/linux/netfilter_ipv4/ip_tables.h
> +++ linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
> @@ -29,7 +29,6 @@
>  
>  #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
>  #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
> -#define ipt_table xt_table
>  #define ipt_get_revision xt_get_revision

Applied, again without the part above. Thanks Jan.

Re: [PATCH */3] several messages

[Jan Engelhardt]

On Jan 26 2007 15:03, Patrick McHardy wrote:
>
>ret = ...
>if (ret < 0)
>	...
>
>since this is the prefered style. Thanks Jan.


It's possibly useless to argue ;-)


>> --- linux-2.6.20-rc6.orig/include/linux/netfilter_ipv4/ip_tables.h
>> +++ linux-2.6.20-rc6/include/linux/netfilter_ipv4/ip_tables.h
>> @@ -29,8 +29,6 @@
>>  
>>  #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
>>  #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
>> -#define ipt_match xt_match
>> -#define ipt_target xt_target
>>  #define ipt_table xt_table
>>  #define ipt_get_revision xt_get_revision
>
>Applied, but I removed this part since its needed for userspace compilation.
>

Ok, did not know that offhand. Thanks for applying.

Did you pick up this question:

BTW, ip_nat_rule.c <-> nf_nat_rule.c seems to be an almost identical
copy. Schedule one for removal?


There is yet more to xt-ify, like (just look at all the #defines ip xt 
in linux/netfilter_ipv4/ip_tables.h and ip6_tables.h). However, I was 
not sure if some of the macros actually do get used by userspace code. 
Mind filling me in?


Thanks,
Jan
-- 

Re: [PATCH */3] several messages

[Patrick McHardy]

Jan Engelhardt wrote:
> Did you pick up this question:
> 
> BTW, ip_nat_rule.c <-> nf_nat_rule.c seems to be an almost identical
> copy. Schedule one for removal?

ip_nat and all related code will be removed in 2.6.22.

> There is yet more to xt-ify, like (just look at all the #defines ip xt 
> in linux/netfilter_ipv4/ip_tables.h and ip6_tables.h). However, I was 
> not sure if some of the macros actually do get used by userspace code. 
> Mind filling me in?

Basically anything outside of #ifdef __KERNEL__ needs to stay around
for userspace, at least for now. Long term I would prefer to make
userspace not use any headers from the kernel tree directly.

[patch] netfilter: implement TCPMSS target for IPv6

[David Madore]

Implement TCPMSS target for IPv6 by shamelessly copying from
Marc Boucher's IPv4 implementation.

Signed-off-by: David A. Madore <david.madore@ens.fr>

---

 Note: The patch for ip6tables to make use of this module can be
 obtained from <URL:
 ftp://quatramaran.ens.fr/pub/madore/misc/ip6t-TCPMSS/
 > (also contains a version of this same patch for 2.6.19.2).

 include/linux/netfilter_ipv6/ip6t_TCPMSS.h |   10 ++
 net/ipv6/netfilter/Kconfig                 |   26 ++++
 net/ipv6/netfilter/Makefile                |    1 +
 net/ipv6/netfilter/ip6t_TCPMSS.c           |  225 ++++++++++++++++++++++++++++
 4 files changed, 262 insertions(+), 0 deletions(-)

diff --git a/include/linux/netfilter_ipv6/ip6t_TCPMSS.h b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
new file mode 100644
index 0000000..412d1cb
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
@@ -0,0 +1,10 @@
+#ifndef _IP6T_TCPMSS_H
+#define _IP6T_TCPMSS_H
+
+struct ip6t_tcpmss_info {
+	u_int16_t mss;
+};
+
+#define IP6T_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /*_IP6T_TCPMSS_H*/
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index adcd613..3890a59 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -154,6 +154,32 @@ config IP6_NF_TARGET_REJECT
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_TARGET_TCPMSS
+	tristate "TCPMSS target support"
+	depends on IP6_NF_IPTABLES
+	---help---
+	  This option adds a `TCPMSS' target, which allows you to alter the
+	  MSS value of TCP SYN packets, to control the maximum size for that
+	  connection (usually limiting it to your outgoing interface's MTU
+	  minus 60).
+
+	  This is used to overcome criminally braindead ISPs or servers which
+	  block ICMPv6 Packet Too Big packets.  The symptoms of this
+	  problem are that everything works fine from your Linux
+	  firewall/router, but machines behind it can never exchange large
+	  packets:
+	  	1) Web browsers connect, then hang with no data received.
+	  	2) Small mail works fine, but large emails hang.
+	  	3) ssh works fine, but scp hangs after initial handshaking.
+
+	  Workaround: activate this option and add a rule to your firewall
+	  configuration like:
+
+	  ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+	  		 -j TCPMSS --clamp-mss-to-pmtu
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config IP6_NF_MANGLE
 	tristate "Packet mangling"
 	depends on IP6_NF_IPTABLES
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index ac1dfeb..616a006 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -19,6 +19,7 @@ obj-$(CONFIG_IP6_NF_TARGET_LOG) += ip6t_LOG.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
 obj-$(CONFIG_IP6_NF_MATCH_HL) += ip6t_hl.o
 obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o
+obj-$(CONFIG_IP6_NF_TARGET_TCPMSS) += ip6t_TCPMSS.o
 
 # objects for l3 independent conntrack
 nf_conntrack_ipv6-objs  :=  nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_reasm.o
diff --git a/net/ipv6/netfilter/ip6t_TCPMSS.c b/net/ipv6/netfilter/ip6t_TCPMSS.c
new file mode 100644
index 0000000..ab492c3
--- /dev/null
+++ b/net/ipv6/netfilter/ip6t_TCPMSS.c
@@ -0,0 +1,225 @@
+/*
+ * This is a module which is used for setting the MSS option in TCP packets.
+ *
+ * Copyright (C) 2007 David Madore <david.madore@ens.fr>
+ *
+ * Shamelessly based on net/ipv4/netfilter/ipt_TCPMSS.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+
+#include <net/ipv6.h>
+#include <net/tcp.h>
+
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("David Madore <david.madore@ens.fr>");
+MODULE_DESCRIPTION("ip6tables TCP MSS modification module");
+
+static inline unsigned int
+optlen(const u_int8_t *opt, unsigned int offset)
+{
+	/* Beware zero-length options: make finite progress */
+	if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
+		return 1;
+	else
+		return opt[offset+1];
+}
+
+static unsigned int
+ip6t_tcpmss_target(struct sk_buff **pskb,
+		   const struct net_device *in,
+		   const struct net_device *out,
+		   unsigned int hooknum,
+		   const struct xt_target *target,
+		   const void *targinfo)
+{
+	const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+	struct tcphdr *tcph;
+	struct ipv6hdr *ipv6h;
+	u_int8_t nexthdr;
+	int tcphoff;
+	u_int16_t tcplen, newmss;
+	__be16 newiplen, oldval;
+	unsigned int i;
+	u_int8_t *opt;
+
+	if (!skb_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
+
+	ipv6h = (*pskb)->nh.ipv6h;
+	nexthdr = ipv6h->nexthdr;
+	tcphoff = ipv6_skip_exthdr(*pskb, sizeof(struct ipv6hdr), &nexthdr);
+	if ((tcphoff < 0) || (tcphoff > (*pskb)->len)) {
+		if (net_ratelimit())
+			printk(KERN_ERR
+			       "ip6t_tcpmss_target: can't find TCP header\n");
+		return NF_DROP;
+	}
+	tcplen = (*pskb)->len - tcphoff;
+	if ((nexthdr != IPPROTO_TCP) || (tcplen < sizeof(struct tcphdr))) {
+		/* Can't happen (see other comment below)? */
+		if (net_ratelimit())
+			printk(KERN_ERR
+			       "ip6t_tcpmss_target: bad TCP header\n");
+		return NF_DROP;
+	}
+	tcph = (void *)ipv6h + tcphoff;
+
+	/* Since it passed flags test in tcp match, we know it is is
+	   not a fragment, and has data >= tcp header length.  SYN
+	   packets should not contain data: if they did, then we risk
+	   running over MTU, sending Frag Needed and breaking things
+	   badly. --RR */
+	if (tcplen != tcph->doff*4) {
+		if (net_ratelimit())
+			printk(KERN_ERR
+			       "ip6t_tcpmss_target: bad length (%d bytes)\n",
+			       (*pskb)->len);
+		return NF_DROP;
+	}
+
+	if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU) {
+		if (dst_mtu((*pskb)->dst) <= sizeof(struct ipv6hdr) +
+					     sizeof(struct tcphdr)) {
+			if (net_ratelimit())
+				printk(KERN_ERR "ip6t_tcpmss_target: "
+				       "unknown or invalid path-MTU (%d)\n",
+				       dst_mtu((*pskb)->dst));
+			return NF_DROP; /* or IP6T_CONTINUE ?? */
+		}
+
+		newmss = dst_mtu((*pskb)->dst) - sizeof(struct ipv6hdr) -
+						 sizeof(struct tcphdr);
+	} else
+		newmss = tcpmssinfo->mss;
+
+ 	opt = (u_int8_t *)tcph;
+	for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
+		if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
+		    opt[i+1] == TCPOLEN_MSS) {
+			u_int16_t oldmss;
+
+			oldmss = (opt[i+2] << 8) | opt[i+3];
+
+			if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+			    oldmss <= newmss)
+				return IP6T_CONTINUE;
+
+			opt[i+2] = (newmss & 0xff00) >> 8;
+			opt[i+3] = (newmss & 0x00ff);
+
+			nf_proto_csum_replace2(&tcph->check, *pskb,
+					       htons(oldmss), htons(newmss), 0);
+			return IP6T_CONTINUE;
+		}
+	}
+
+	/*
+	 * MSS Option not found ?! add it..
+	 */
+	if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
+		struct sk_buff *newskb;
+
+		newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
+					 TCPOLEN_MSS, GFP_ATOMIC);
+		if (!newskb)
+			return NF_DROP;
+		kfree_skb(*pskb);
+		*pskb = newskb;
+		ipv6h = (*pskb)->nh.ipv6h;
+		tcph = (void *)ipv6h + tcphoff;
+	}
+
+	skb_put((*pskb), TCPOLEN_MSS);
+
+ 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
+	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
+
+ 	nf_proto_csum_replace2(&tcph->check, *pskb,
+ 				htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
+	opt[0] = TCPOPT_MSS;
+	opt[1] = TCPOLEN_MSS;
+	opt[2] = (newmss & 0xff00) >> 8;
+	opt[3] = (newmss & 0x00ff);
+
+ 	nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0);
+
+	oldval = ((__be16 *)tcph)[6];
+	tcph->doff += TCPOLEN_MSS/4;
+ 	nf_proto_csum_replace2(&tcph->check, *pskb,
+ 				oldval, ((__be16 *)tcph)[6], 0);
+
+	newiplen = htons(ntohs(ipv6h->payload_len) + TCPOLEN_MSS);
+	ipv6h->payload_len = newiplen;
+	return IP6T_CONTINUE;
+}
+
+#define TH_SYN 0x02
+
+static inline int find_syn_match(const struct ip6t_entry_match *m)
+{
+	const struct ip6t_tcp *tcpinfo = (const struct ip6t_tcp *)m->data;
+
+	if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
+	    tcpinfo->flg_cmp & TH_SYN &&
+	    !(tcpinfo->invflags & IP6T_TCP_INV_FLAGS))
+		return 1;
+
+	return 0;
+}
+
+/* Must specify -p tcp --syn/--tcp-flags SYN */
+static int
+ip6t_tcpmss_checkentry(const char *tablename,
+		       const void *e_void,
+		       const struct xt_target *target,
+		       void *targinfo,
+		       unsigned int hook_mask)
+{
+	const struct ip6t_tcpmss_info *tcpmssinfo = targinfo;
+	const struct ip6t_entry *e = e_void;
+
+	if (tcpmssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU &&
+	    (hook_mask & ~((1 << NF_IP6_FORWARD) |
+			   (1 << NF_IP6_LOCAL_OUT) |
+			   (1 << NF_IP6_POST_ROUTING))) != 0) {
+		printk("TCPMSS: path-MTU clamping only supported in "
+		       "FORWARD, OUTPUT and POSTROUTING hooks\n");
+		return 0;
+	}
+
+	if (IP6T_MATCH_ITERATE(e, find_syn_match))
+		return 1;
+	printk("TCPMSS: Only works on TCP SYN packets\n");
+	return 0;
+}
+
+static struct ip6t_target ip6t_tcpmss_reg = {
+	.name		= "TCPMSS",
+	.target		= ip6t_tcpmss_target,
+	.targetsize	= sizeof(struct ip6t_tcpmss_info),
+	.proto		= IPPROTO_TCP,
+	.checkentry	= ip6t_tcpmss_checkentry,
+	.me		= THIS_MODULE,
+};
+
+static int __init ip6t_tcpmss_init(void)
+{
+	return ip6t_register_target(&ip6t_tcpmss_reg);
+}
+
+static void __exit ip6t_tcpmss_fini(void)
+{
+	ip6t_unregister_target(&ip6t_tcpmss_reg);
+}
+
+module_init(ip6t_tcpmss_init);
+module_exit(ip6t_tcpmss_fini);

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Jan Engelhardt]

On Jan 14 2007 20:20, David Madore wrote:
>
>Implement TCPMSS target for IPv6 by shamelessly copying from
>Marc Boucher's IPv4 implementation.
>
>Signed-off-by: David A. Madore <david.madore@ens.fr>

Would not it be worthwhile to merge ipt_TCPMSS and
ip6t_TCPMSS to xt_TCPMSS instead?


	-`J'
-- 

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jan 14 2007 20:20, David Madore wrote:
> 
>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>Marc Boucher's IPv4 implementation.
>>
>>Signed-off-by: David A. Madore <david.madore@ens.fr>
> 
> 
> Would not it be worthwhile to merge ipt_TCPMSS and
> ip6t_TCPMSS to xt_TCPMSS instead?

I'm not sure how well that will work (the IPv4/IPv6-specific stuff
is spread over the entire target function), but its worth a try.

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Jan Engelhardt]

On Jan 15 2007 09:39, Patrick McHardy wrote:
>> On Jan 14 2007 20:20, David Madore wrote:
>> 
>>>Implement TCPMSS target for IPv6 by shamelessly copying from
>>>Marc Boucher's IPv4 implementation.
>>>
>>>Signed-off-by: David A. Madore <david.madore@ens.fr>
>> 
>> 
>> Would not it be worthwhile to merge ipt_TCPMSS and
>> ip6t_TCPMSS to xt_TCPMSS instead?
>
>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>is spread over the entire target function), but its worth a try.

"Nothing is impossible." Since you happened to take that one for
yourself... well here's a q: would a patch be accepted that changes
all ipt and ip6t modules to the new xt? Even if a module is only for
ipv4 or ipv6, I think it makes sense to reduce the number of
different *t structures floating around.


	-`J'
-- 

Re: [patch] netfilter: implement TCPMSS target for IPv6

[Patrick McHardy]

Jan Engelhardt wrote:
> On Jan 15 2007 09:39, Patrick McHardy wrote:
> 
>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>is spread over the entire target function), but its worth a try.
> 
> 
> "Nothing is impossible." Since you happened to take that one for
> yourself... well here's a q: would a patch be accepted that changes
> all ipt and ip6t modules to the new xt? Even if a module is only for
> ipv4 or ipv6, I think it makes sense to reduce the number of
> different *t structures floating around.


If you're talking about using the xt-structures in net/ipv[46]/netfilter
and removing the ipt/ip6t-wrappers, that would make sense IMO.

[PATCH] Re: ipt->xt (was: implement TCPMSS target for IPv6)

[Jan Engelhardt]

On Jan 15 2007 11:18, Patrick McHardy wrote:
>> 
>>>I'm not sure how well that will work (the IPv4/IPv6-specific stuff
>>>is spread over the entire target function), but its worth a try.
>> 
>> 
>> "Nothing is impossible." Since you happened to take that one for
>> yourself... well here's a q: would a patch be accepted that changes
>> all ipt and ip6t modules to the new xt? Even if a module is only for
>> ipv4 or ipv6, I think it makes sense to reduce the number of
>> different *t structures floating around.
>
>If you're talking about using the xt-structures in net/ipv[46]/netfilter
>and removing the ipt/ip6t-wrappers, that would make sense IMO.
>

How about this for a start?

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -42,7 +43,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables target for CLUSTERIP");
+MODULE_DESCRIPTION("xtables target for CLUSTERIP");
 
 struct clusterip_config {
 	struct list_head list;			/* list of all configs */
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,18 +9,20 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN modification module");
+MODULE_DESCRIPTION("xtables ECN modification module");
 
 /* set ECT codepoint from IP header.
  * 	return 0 if there was an error. */
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,12 +20,12 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables syslog logging module");
+MODULE_DESCRIPTION("xtables syslog logging module");
 
 #if 0
 #define DEBUGP printk
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
+	if (xt_register_target(&ipt_log_reg))
 		return -EINVAL;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
@@ -486,7 +487,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,11 +25,11 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables MASQUERADE target module");
+MODULE_DESCRIPTION("xtables MASQUERADE target module");
 
 #if 0
 #define DEBUGP printk
@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
 
 static struct ipt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -24,7 +25,7 @@
 #define MODULENAME "NETMAP"
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
-MODULE_DESCRIPTION("iptables 1:1 NAT mapping of IP networks target");
+MODULE_DESCRIPTION("xtables 1:1 NAT mapping of IP networks target");
 
 #if 0
 #define DEBUGP printk
@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
 
 static struct ipt_target target_module = { 
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -26,7 +27,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REDIRECT target module");
+MODULE_DESCRIPTION("xtables REDIRECT target module");
 
 #if 0
 #define DEBUGP printk
@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
 
 static struct ipt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -30,7 +31,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables REJECT target module");
+MODULE_DESCRIPTION("xtables REJECT target module");
 
 #if 0
 #define DEBUGP printk
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -43,7 +44,7 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Martin Josefsson <gandalf@wlug.westbo.se>");
-MODULE_DESCRIPTION("iptables special SNAT module for consistent sourceip");
+MODULE_DESCRIPTION("xtables special SNAT module for consistent sourceip");
 
 #if 0
 #define DEBUGP printk
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,12 +13,12 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
-MODULE_DESCRIPTION("iptables TOS mangling module");
+MODULE_DESCRIPTION("xtables TOS mangling module");
 
 static unsigned int
 target(struct sk_buff **pskb,
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,11 +12,11 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL modification module");
+MODULE_DESCRIPTION("xtables TTL modification module");
 MODULE_LICENSE("GPL");
 
 static unsigned int 
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,14 +57,14 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("iptables userspace logging module");
+MODULE_DESCRIPTION("xtables userspace logging module");
 MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
 
 #define ULOG_NL_EVENT		111		/* Harald's favorite number */
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if (xt_register_target(&ipt_ulog_reg) != 0) {
 		sock_release(nflognl->sk_socket);
 		return -EINVAL;
 	}
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,11 +16,11 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("iptables addrtype match");
+MODULE_DESCRIPTION("xtables addrtype match");
 
 static inline int match_type(__be32 addr, u_int16_t mask)
 {
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,16 +6,17 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
-MODULE_DESCRIPTION("iptables AH SPI match module");
+MODULE_DESCRIPTION("xtables AH SPI match module");
 
 #ifdef DEBUG_CONNTRACK
 #define duprintf(format, args...) printk(format , ## args)
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,15 +9,18 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("iptables ECN matching module");
+MODULE_DESCRIPTION("xtables ECN matching module");
 MODULE_LICENSE("GPL");
 
 static inline int match_ip(const struct sk_buff *skb,
@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
+	.proto		= IPPROTO_TCP,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,12 +10,12 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
-MODULE_DESCRIPTION("iptables arbitrary IP range match module");
+MODULE_DESCRIPTION("xtables arbitrary IP range match module");
 
 #if 0
 #define DEBUGP printk
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,11 +15,11 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables owner match");
+MODULE_DESCRIPTION("xtables owner match");
 
 static int
 match(const struct sk_buff *skb,
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,11 +25,11 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("IP tables recently seen matching module");
+MODULE_DESCRIPTION("xtables recently seen matching module");
 MODULE_LICENSE("GPL");
 
 static unsigned int ip_list_tot = 100;
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,14 +8,15 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
-MODULE_DESCRIPTION("iptables TOS match module");
+MODULE_DESCRIPTION("xtables TOS match module");
 
 static int
 match(const struct sk_buff *skb,
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,14 +9,15 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IP tables TTL matching module");
+MODULE_DESCRIPTION("xtables TTL matching module");
 MODULE_LICENSE("GPL");
 
 static int match(const struct sk_buff *skb,
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
#<EOF>

	-`J'
-- 

Re: [PATCH] Re: ipt->xt

[Patrick McHardy]

[CC-list trimmed]

Jan Engelhardt wrote:
> How about this for a start?

A few comments below.

> Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
> 
> Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
> ===================================================================
> --- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
> +++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
> @@ -42,7 +43,7 @@
>  
>  MODULE_LICENSE("GPL");
>  MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
> -MODULE_DESCRIPTION("iptables target for CLUSTERIP");
> +MODULE_DESCRIPTION("xtables target for CLUSTERIP");

The MODULE_DESCRIPTION should stay the same, its still an iptables-only
target.

> Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
> ===================================================================
> --- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
> +++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
> @@ -20,12 +20,12 @@
>  #include <net/route.h>
>  
>  #include <linux/netfilter.h>
> -#include <linux/netfilter_ipv4/ip_tables.h>
> +#include <linux/netfilter/x_tables.h>
>  #include <linux/netfilter_ipv4/ipt_LOG.h>

Please keep the _ipv4 entries next to each other.

> @@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
>  
>  static int __init ipt_log_init(void)
>  {
> -	if (ipt_register_target(&ipt_log_reg))
> +	if (xt_register_target(&ipt_log_reg))

While you're at it, this should return the real error.

>  		return -EINVAL;
>  	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
>  		printk(KERN_WARNING "ipt_LOG: not logging via system console "

> @@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
>  	if (!nflognl)
>  		return -ENOMEM;
>  
> -	if (ipt_register_target(&ipt_ulog_reg) != 0) {
> +	if (xt_register_target(&ipt_ulog_reg) != 0) {
>  		sock_release(nflognl->sk_socket);
>  		return -EINVAL;

Same here. Maybe do a seperate patch for these changes.

Re: ipt->xt

[Jan Engelhardt]

>> Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>> ===================================================================
>> --- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
>> +++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>> @@ -20,12 +20,12 @@
>>  #include <net/route.h>
>>  
>>  #include <linux/netfilter.h>
>> -#include <linux/netfilter_ipv4/ip_tables.h>
>> +#include <linux/netfilter/x_tables.h>
>>  #include <linux/netfilter_ipv4/ipt_LOG.h>
>
>Please keep the _ipv4 entries next to each other.

How do you mean? It looks like this atm:

#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ipt_LOG.h>

so, from my point, I'd judge "all the _ipv4 entries" are next to each other
(there is only one after all) -- please elaborate what you intended.
(linux/in.h linux/ip.h?)

>> @@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
>>  
>>  static int __init ipt_log_init(void)
>>  {
>> -	if (ipt_register_target(&ipt_log_reg))
>> +	if (xt_register_target(&ipt_log_reg))
>
>While you're at it, this should return the real error.

Good idea. Separate patch. (There was one more elsewhere.)


	-`J'
-- 

Re: ipt->xt

[Patrick McHardy]

Jan Engelhardt wrote:
> 
>>>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>>>===================================================================
>>>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
>>>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>>>@@ -20,12 +20,12 @@
>>> #include <net/route.h>
>>> 
>>> #include <linux/netfilter.h>
>>>-#include <linux/netfilter_ipv4/ip_tables.h>
>>>+#include <linux/netfilter/x_tables.h>
>>> #include <linux/netfilter_ipv4/ipt_LOG.h>
>>
>>Please keep the _ipv4 entries next to each other.
> 
> 
> How do you mean? It looks like this atm:
> 
> #include <linux/netfilter.h>
> #include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_LOG.h>


Right, I misread the patch.

Re: ipt->xt [p2]

[Jan Engelhardt]

Ok, here you go, two diffs, one for the xt (did I catch all the compat 
stuff?) and the error value propagation.

Diff 1

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,12 +9,14 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,7 +20,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -471,7 +472,7 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
+	if (xt_register_target(&ipt_log_reg))
 		return -EINVAL;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
@@ -486,7 +487,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
 
 static struct ipt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
 
 static struct ipt_target target_module = { 
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
 
 static struct ipt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,7 +13,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,7 +12,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,7 +57,7 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -400,7 +400,7 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if (xt_register_target(&ipt_ulog_reg) != 0) {
 		sock_release(nflognl->sk_socket);
 		return -EINVAL;
 	}
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,7 +16,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,12 +6,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,10 +9,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
+	.proto		= IPPROTO_TCP,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,7 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,7 +15,7 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,7 +25,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("iptables TOS match module");
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,11 +9,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("IP tables TTL matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
#<EOF>


Diff 2

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -472,8 +472,9 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (xt_register_target(&ipt_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET\n");
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
 
 static int __init ipt_ulog_init(void)
 {
-	int i;
+	int ret, i;
 
 	DEBUGP("ipt_ULOG: init module\n");
 
@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (xt_register_target(&ipt_ulog_reg) != 0) {
+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
-		return -EINVAL;
+		return ret;
 	}
 	if (nflog)
 		nf_log_register(PF_INET, &ipt_ulog_logger);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
@@ -482,8 +482,9 @@ static struct nf_logger ip6t_logger = {
 
 static int __init ip6t_log_init(void)
 {
-	if (ip6t_register_target(&ip6t_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ip6t_register_target(&ip6t_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET6\n");
#<EOF>

	-`J'
-- 

Re: ipt->xt [p2]

[Patrick McHardy]

Jan Engelhardt wrote:
> Ok, here you go, two diffs, one for the xt (did I catch all the compat 
> stuff?) and the error value propagation.

You seem to be missing ip6_tables. Also please remove the registration
wrappers.

Re: ipt->xt [p2]

[Jan Engelhardt]

On Jan 17 2007 12:31, Patrick McHardy wrote:
>Jan Engelhardt wrote:
>> Ok, here you go, two diffs, one for the xt (did I catch all the compat 
>> stuff?) and the error value propagation.
>
>You seem to be missing ip6_tables.

I have not yet gone through net/ipv6/netfilter/, right.

>Also please remove the registration wrappers.

How do you mean?


	-`J'
-- 

Re: ipt->xt [p2]

[Patrick McHardy]

Jan Engelhardt wrote:
>>Also please remove the registration wrappers.
> 
> 
> How do you mean?

There are not needed anymore after your change:

include/linux/netfilter_ipv4/ip_tables.h:

#define ipt_register_target(tgt)        \

({      (tgt)->family = AF_INET;        \
        xt_register_target(tgt); })
#define ipt_unregister_target(tgt) xt_unregister_target(tgt)

#define ipt_register_match(mtch)        \
({      (mtch)->family = AF_INET;       \
        xt_register_match(mtch); })
#define ipt_unregister_match(mtch) xt_unregister_match(mtch)

Same in ip6_tables.h.

Re: ipt->xt [p3]

[Jan Engelhardt]

On Jan 17 2007 13:40, Patrick McHardy wrote:
>
>There are not needed anymore after your change:

Removing them makes your xt_TCPMSS (which I don't have yet in my working copy)
a dependency. Anyway, here goes...

The ipt-log-fix-return.diff has been folded into use-xt-struct.diff.

Index: linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv4/ip_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
@@ -272,16 +272,6 @@ ipt_get_target(struct ipt_entry *e)
 #include <linux/init.h>
 extern void ipt_init(void) __init;
 
-#define ipt_register_target(tgt) 	\
-({	(tgt)->family = AF_INET;	\
- 	xt_register_target(tgt); })
-#define ipt_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ipt_register_match(mtch) 	\
-({	(mtch)->family = AF_INET;	\
-	xt_register_match(mtch); })
-#define ipt_unregister_match(mtch) xt_unregister_match(mtch)
-
 //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
 //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
 
Index: linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv6/ip6_tables.h
+++ linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
@@ -286,16 +286,6 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
-#define ip6t_register_target(tgt) 		\
-({	(tgt)->family = AF_INET6;		\
- 	xt_register_target(tgt); })
-#define ip6t_unregister_target(tgt) xt_unregister_target(tgt)
-
-#define ip6t_register_match(match)		\
-({	(match)->family = AF_INET6;		\
-	xt_register_match(match); })
-#define ip6t_unregister_match(match) xt_unregister_match(match)
-
 extern int ip6t_register_table(struct ip6t_table *table,
 			       const struct ip6t_replace *repl);
 extern void ip6t_unregister_table(struct ip6t_table *table);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 
 #include <linux/netfilter_arp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
 	    && (ctinfo == IP_CT_RELATED 
 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-		return IPT_CONTINUE;
+		return XT_CONTINUE;
 
 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
 	(*pskb)->pkt_type = PACKET_HOST;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
 	nf_ct_l3proto_module_put(target->family);
 }
 
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
 	.name		= "CLUSTERIP",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
 	.checkentry	= checkentry,
@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
 {
 	int ret;
 
-	ret = ipt_register_target(&clusterip_tgt);
+	ret = xt_register_target(&clusterip_tgt);
 	if (ret < 0)
 		return ret;
 
@@ -753,7 +755,7 @@ cleanup_hook:
 	nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 	return ret;
 }
 
@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
 	nf_unregister_hook(&cip_arp_ops);
-	ipt_unregister_target(&clusterip_tgt);
+	xt_unregister_target(&clusterip_tgt);
 }
 
 module_init(ipt_clusterip_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
@@ -9,12 +9,14 @@
  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
 
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
 		if (!set_ect_tcp(pskb, einfo))
 			return NF_DROP;
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
 		return 0;
 	}
 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
 		       "non-tcp rule\n");
 		return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
 	.name		= "ECN",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_ECN_info),
 	.table		= "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_target(&ipt_ecn_reg);
+	return xt_register_target(&ipt_ecn_reg);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_target(&ipt_ecn_reg);
+	xt_unregister_target(&ipt_ecn_reg);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -20,7 +20,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 
 MODULE_LICENSE("GPL");
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
 
 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
 	               loginfo->prefix);
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
 	.name		= "LOG",
+	.family		= AF_INET,
 	.target		= ipt_log_target,
 	.targetsize	= sizeof(struct ipt_log_info),
 	.checkentry	= ipt_log_checkentry,
@@ -471,8 +472,9 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET\n");
@@ -486,7 +488,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
 	nf_log_unregister_logger(&ipt_log_logger);
-	ipt_unregister_target(&ipt_log_reg);
+	xt_unregister_target(&ipt_log_reg);
 }
 
 module_init(ipt_log_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
 
 static struct ipt_target masquerade = {
 	.name		= "MASQUERADE",
+	.family		= AF_INET,
 	.target		= masquerade_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
 {
 	int ret;
 
-	ret = ipt_register_target(&masquerade);
+	ret = xt_register_target(&masquerade);
 
 	if (ret == 0) {
 		/* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
 
 static void __exit ipt_masquerade_fini(void)
 {
-	ipt_unregister_target(&masquerade);
+	xt_unregister_target(&masquerade);
 	unregister_netdevice_notifier(&masq_dev_notifier);
 	unregister_inetaddr_notifier(&masq_inet_notifier);	
 }
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
 
 static struct ipt_target target_module = { 
 	.name 		= MODULENAME,
+	.family		= AF_INET,
 	.target 	= target, 
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module =
 
 static int __init ipt_netmap_init(void)
 {
-	return ipt_register_target(&target_module);
+	return xt_register_target(&target_module);
 }
 
 static void __exit ipt_netmap_fini(void)
 {
-	ipt_unregister_target(&target_module);
+	xt_unregister_target(&target_module);
 }
 
 module_init(ipt_netmap_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
 
 static struct ipt_target redirect_reg = {
 	.name		= "REDIRECT",
+	.family		= AF_INET,
 	.target		= redirect_target,
 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
 	.table		= "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
 
 static int __init ipt_redirect_init(void)
 {
-	return ipt_register_target(&redirect_reg);
+	return xt_register_target(&redirect_reg);
 }
 
 static void __exit ipt_redirect_fini(void)
 {
-	ipt_unregister_target(&redirect_reg);
+	xt_unregister_target(&redirect_reg);
 }
 
 module_init(ipt_redirect_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -230,7 +231,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IPT_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ip.proto != IPPROTO_TCP
-		    || (e->ip.invflags & IPT_INV_PROTO)) {
+		    || (e->ip.invflags & XT_INV_PROTO)) {
 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
 			return 0;
 		}
@@ -238,8 +239,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET,
 	.target		= reject,
 	.targetsize	= sizeof(struct ipt_reject_info),
 	.table		= "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
 
 static int __init ipt_reject_init(void)
 {
-	return ipt_register_target(&ipt_reject_reg);
+	return xt_register_target(&ipt_reject_reg);
 }
 
 static void __exit ipt_reject_fini(void)
 {
-	ipt_unregister_target(&ipt_reject_reg);
+	xt_unregister_target(&ipt_reject_reg);
 }
 
 module_init(ipt_reject_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
 	return ip_nat_setup_info(ct, &newrange, hooknum);
 }
 
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
 	.name		= "SAME",
+	.family		= AF_INET,
 	.target		= same_target,
 	.targetsize	= sizeof(struct ipt_same_info),
 	.table		= "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
 
 static int __init ipt_same_init(void)
 {
-	return ipt_register_target(&same_reg);
+	return xt_register_target(&same_reg);
 }
 
 static void __exit ipt_same_fini(void)
 {
-	ipt_unregister_target(&same_reg);
+	xt_unregister_target(&same_reg);
 }
 
 module_init(ipt_same_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
@@ -13,7 +13,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 
 MODULE_LICENSE("GPL");
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
 	}
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
 	.name		= "TOS",
+	.family		= AF_INET,
 	.target		= target,
 	.targetsize	= sizeof(struct ipt_tos_target_info),
 	.table		= "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 
 static int __init ipt_tos_init(void)
 {
-	return ipt_register_target(&ipt_tos_reg);
+	return xt_register_target(&ipt_tos_reg);
 }
 
 static void __exit ipt_tos_fini(void)
 {
-	ipt_unregister_target(&ipt_tos_reg);
+	xt_unregister_target(&ipt_tos_reg);
 }
 
 module_init(ipt_tos_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
@@ -12,7 +12,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
 		iph->ttl = new_ttl;
 	}
 
-	return IPT_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
 	return 1;
 }
 
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
 	.name 		= "TTL",
+	.family		= AF_INET,
 	.target 	= ipt_ttl_target, 
 	.targetsize	= sizeof(struct ipt_TTL_info),
 	.table		= "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_target(&ipt_TTL);
+	return xt_register_target(&ipt_TTL);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_target(&ipt_TTL);
+	xt_unregister_target(&ipt_TTL);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,7 +57,7 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
 	ub->qlen = 0;
 	ub->skb = NULL;
 	ub->lastnlh = NULL;
-
 }
 
 
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
 
 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
  
- 	return IPT_CONTINUE;
+ 	return XT_CONTINUE;
 }
  
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
 	return 1;
 }
 
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
 	.name		= "ULOG",
+	.family		= AF_INET,
 	.target		= ipt_ulog_target,
 	.targetsize	= sizeof(struct ipt_ulog_info),
 	.checkentry	= ipt_ulog_checkentry,
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
 
 static int __init ipt_ulog_init(void)
 {
-	int i;
+	int ret, i;
 
 	DEBUGP("ipt_ULOG: init module\n");
 
@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
-		return -EINVAL;
+		return ret;
 	}
 	if (nflog)
 		nf_log_register(PF_INET, &ipt_ulog_logger);
@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
 
 	if (nflog)
 		nf_log_unregister_logger(&ipt_ulog_logger);
-	ipt_unregister_target(&ipt_ulog_reg);
+	xt_unregister_target(&ipt_ulog_reg);
 	sock_release(nflognl->sk_socket);
 
 	/* remove pending timers and free allocated skb's */
@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
 			ub->skb = NULL;
 		}
 	}
-
 }
 
 module_init(ipt_ulog_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,7 +16,7 @@
 #include <net/route.h>
 
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
 	return ret;
 }
 
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
 	.name		= "addrtype",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_addrtype_info),
 	.me		= THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
 
 static int __init ipt_addrtype_init(void)
 {
-	return ipt_register_match(&addrtype_match);
+	return xt_register_match(&addrtype_match);
 }
 
 static void __exit ipt_addrtype_fini(void)
 {
-	ipt_unregister_match(&addrtype_match);
+	xt_unregister_match(&addrtype_match);
 }
 
 module_init(ipt_addrtype_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
@@ -6,12 +6,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ah),
 	.proto		= IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 
 static int __init ipt_ah_init(void)
 {
-	return ipt_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ipt_ah_fini(void)
 {
-	ipt_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ipt_ah_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
@@ -9,10 +9,13 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
 	return 1;
 }
 
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
 	.name		= "ecn",
+	.family		= AF_INET,
+	.proto		= IPPROTO_TCP,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ecn_info),
 	.checkentry	= checkentry,
@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
 
 static int __init ipt_ecn_init(void)
 {
-	return ipt_register_match(&ecn_match);
+	return xt_register_match(&ecn_match);
 }
 
 static void __exit ipt_ecn_fini(void)
 {
-	ipt_unregister_match(&ecn_match);
+	xt_unregister_match(&ecn_match);
 }
 
 module_init(ipt_ecn_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
@@ -10,7 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 
 MODULE_LICENSE("GPL");
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
 	return 1;
 }
 
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
 	.name		= "iprange",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_iprange_info),
-	.destroy	= NULL,
 	.me		= THIS_MODULE
 };
 
 static int __init ipt_iprange_init(void)
 {
-	return ipt_register_match(&iprange_match);
+	return xt_register_match(&iprange_match);
 }
 
 static void __exit ipt_iprange_fini(void)
 {
-	ipt_unregister_match(&iprange_match);
+	xt_unregister_match(&iprange_match);
 }
 
 module_init(ipt_iprange_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
@@ -15,7 +15,7 @@
 #include <net/sock.h>
 
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_owner_info),
 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 
 static int __init ipt_owner_init(void)
 {
-	return ipt_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ipt_owner_fini(void)
 {
-	ipt_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ipt_owner_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
  */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,7 +25,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
 
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -462,8 +463,9 @@ static struct file_operations recent_fop
 };
 #endif /* CONFIG_PROC_FS */
 
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
 	.name		= "recent",
+	.family		= AF_INET,
 	.match		= ipt_recent_match,
 	.matchsize	= sizeof(struct ipt_recent_info),
 	.checkentry	= ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
 		return -EINVAL;
 	ip_list_hash_size = 1 << fls(ip_list_tot);
 
-	err = ipt_register_match(&recent_match);
+	err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	if (err)
 		return err;
 	proc_dir = proc_mkdir("ipt_recent", proc_net);
 	if (proc_dir == NULL) {
-		ipt_unregister_match(&recent_match);
+		xt_unregister_match(&recent_match);
 		err = -ENOMEM;
 	}
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
 	BUG_ON(!list_empty(&tables));
-	ipt_unregister_match(&recent_match);
+	xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
 	remove_proc_entry("ipt_recent", proc_net);
 #endif
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("iptables TOS match module");
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
 
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
 	.name		= "tos",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_tos_info),
 	.me		= THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 
 static int __init ipt_multiport_init(void)
 {
-	return ipt_register_match(&tos_match);
+	return xt_register_match(&tos_match);
 }
 
 static void __exit ipt_multiport_fini(void)
 {
-	ipt_unregister_match(&tos_match);
+	xt_unregister_match(&tos_match);
 }
 
 module_init(ipt_multiport_init);
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
@@ -9,11 +9,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("IP tables TTL matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
 	.name		= "ttl",
+	.family		= AF_INET,
 	.match		= match,
 	.matchsize	= sizeof(struct ipt_ttl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 
 static int __init ipt_ttl_init(void)
 {
-	return ipt_register_match(&ttl_match);
+	return xt_register_match(&ttl_match);
 }
 
 static void __exit ipt_ttl_fini(void)
 {
-	ipt_unregister_match(&ttl_match);
-
+	xt_unregister_match(&ttl_match);
 }
 
 module_init(ipt_ttl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_HL.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
@@ -9,12 +9,13 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6t_HL.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
-MODULE_DESCRIPTION("IP tables Hop Limit modification module");
+MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
 MODULE_LICENSE("GPL");
 
 static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
@@ -55,7 +56,7 @@ static unsigned int ip6t_hl_target(struc
 	if (new_hl != ip6h->hop_limit)
 		ip6h->hop_limit = new_hl;
 
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 static int ip6t_hl_checkentry(const char *tablename,
@@ -79,8 +80,9 @@ static int ip6t_hl_checkentry(const char
 	return 1;
 }
 
-static struct ip6t_target ip6t_HL = { 
+static struct xt_target ip6t_HL = {
 	.name 		= "HL", 
+	.family		= AF_INET6,
 	.target		= ip6t_hl_target, 
 	.targetsize	= sizeof(struct ip6t_HL_info),
 	.table		= "mangle",
@@ -90,12 +92,12 @@ static struct ip6t_target ip6t_HL = { 
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_target(&ip6t_HL);
+	return xt_register_target(&ip6t_HL);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_target(&ip6t_HL);
+	xt_unregister_target(&ip6t_HL);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
@@ -21,6 +21,7 @@
 #include <net/tcp.h>
 #include <net/ipv6.h>
 #include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
@@ -442,7 +443,7 @@ ip6t_log_target(struct sk_buff **pskb,
 
 	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
 	                loginfo->prefix);
-	return IP6T_CONTINUE;
+	return XT_CONTINUE;
 }
 
 
@@ -466,8 +467,9 @@ static int ip6t_log_checkentry(const cha
 	return 1;
 }
 
-static struct ip6t_target ip6t_log_reg = {
+static struct xt_target ip6t_log_reg = {
 	.name 		= "LOG",
+	.family		= AF_INET6,
 	.target 	= ip6t_log_target, 
 	.targetsize	= sizeof(struct ip6t_log_info),
 	.checkentry	= ip6t_log_checkentry, 
@@ -482,8 +484,9 @@ static struct nf_logger ip6t_logger = {
 
 static int __init ip6t_log_init(void)
 {
-	if (ip6t_register_target(&ip6t_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = xt_register_target(&ip6t_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET6\n");
@@ -497,7 +500,7 @@ static int __init ip6t_log_init(void)
 static void __exit ip6t_log_fini(void)
 {
 	nf_log_unregister_logger(&ip6t_logger);
-	ip6t_unregister_target(&ip6t_log_reg);
+	xt_unregister_target(&ip6t_log_reg);
 }
 
 module_init(ip6t_log_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_REJECT.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
@@ -26,6 +26,7 @@
 #include <net/ip6_fib.h>
 #include <net/ip6_route.h>
 #include <net/flow.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_REJECT.h>
 
@@ -234,7 +235,7 @@ static int check(const char *tablename,
 	} else if (rejinfo->with == IP6T_TCP_RESET) {
 		/* Must specify that it's a TCP packet */
 		if (e->ipv6.proto != IPPROTO_TCP
-		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
+		    || (e->ipv6.invflags & XT_INV_PROTO)) {
 			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
 			return 0;
 		}
@@ -242,8 +243,9 @@ static int check(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_target ip6t_reject_reg = {
+static struct xt_target ip6t_reject_reg = {
 	.name		= "REJECT",
+	.family		= AF_INET6,
 	.target		= reject6_target,
 	.targetsize	= sizeof(struct ip6t_reject_info),
 	.table		= "filter",
@@ -255,12 +257,12 @@ static struct ip6t_target ip6t_reject_re
 
 static int __init ip6t_reject_init(void)
 {
-	return ip6t_register_target(&ip6t_reject_reg);
+	return xt_register_target(&ip6t_reject_reg);
 }
 
 static void __exit ip6t_reject_fini(void)
 {
-	ip6t_unregister_target(&ip6t_reject_reg);
+	xt_unregister_target(&ip6t_reject_reg);
 }
 
 module_init(ip6t_reject_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ah.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
@@ -15,6 +15,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ah.h>
 
@@ -118,8 +119,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match ah_match = {
+static struct xt_match ah_match = {
 	.name		= "ah",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_ah),
 	.checkentry	= checkentry,
@@ -128,12 +130,12 @@ static struct ip6t_match ah_match = {
 
 static int __init ip6t_ah_init(void)
 {
-	return ip6t_register_match(&ah_match);
+	return xt_register_match(&ah_match);
 }
 
 static void __exit ip6t_ah_fini(void)
 {
-	ip6t_unregister_match(&ah_match);
+	xt_unregister_match(&ah_match);
 }
 
 module_init(ip6t_ah_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_eui64.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
@@ -12,6 +12,7 @@
 #include <linux/ipv6.h>
 #include <linux/if_ether.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 
 MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
@@ -61,8 +62,9 @@ match(const struct sk_buff *skb,
 	return 0;
 }
 
-static struct ip6t_match eui64_match = {
+static struct xt_match eui64_match = {
 	.name		= "eui64",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(int),
 	.hooks		= (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
@@ -72,12 +74,12 @@ static struct ip6t_match eui64_match = {
 
 static int __init ip6t_eui64_init(void)
 {
-	return ip6t_register_match(&eui64_match);
+	return xt_register_match(&eui64_match);
 }
 
 static void __exit ip6t_eui64_fini(void)
 {
-	ip6t_unregister_match(&eui64_match);
+	xt_unregister_match(&eui64_match);
 }
 
 module_init(ip6t_eui64_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_frag.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
@@ -14,6 +14,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_frag.h>
 
@@ -135,8 +136,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match frag_match = {
+static struct xt_match frag_match = {
 	.name		= "frag",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_frag),
 	.checkentry	= checkentry,
@@ -145,12 +147,12 @@ static struct ip6t_match frag_match = {
 
 static int __init ip6t_frag_init(void)
 {
-	return ip6t_register_match(&frag_match);
+	return xt_register_match(&frag_match);
 }
 
 static void __exit ip6t_frag_fini(void)
 {
-	ip6t_unregister_match(&frag_match);
+	xt_unregister_match(&frag_match);
 }
 
 module_init(ip6t_frag_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hbh.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_opts.h>
 
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hl.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
@@ -8,11 +8,12 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/ipv6.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 
 #include <linux/netfilter_ipv6/ip6t_hl.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
 MODULE_DESCRIPTION("IP tables Hop Limit matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
 	return 0;
 }
 
-static struct ip6t_match hl_match = {
+static struct xt_match hl_match = {
 	.name		= "hl",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_hl_info),
 	.me		= THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ip6t_match hl_match = {
 
 static int __init ip6t_hl_init(void)
 {
-	return ip6t_register_match(&hl_match);
+	return xt_register_match(&hl_match);
 }
 
 static void __exit ip6t_hl_fini(void)
 {
-	ip6t_unregister_match(&hl_match);
-
+	xt_unregister_match(&hl_match);
 }
 
 module_init(ip6t_hl_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ipv6header.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -18,6 +18,7 @@
 #include <net/checksum.h>
 #include <net/ipv6.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
 
@@ -140,8 +141,9 @@ ipv6header_checkentry(const char *tablen
 	return 1;
 }
 
-static struct ip6t_match ip6t_ipv6header_match = {
+static struct xt_match ip6t_ipv6header_match = {
 	.name		= "ipv6header",
+	.family		= AF_INET6,
 	.match		= &ipv6header_match,
 	.matchsize	= sizeof(struct ip6t_ipv6header_info),
 	.checkentry	= &ipv6header_checkentry,
@@ -151,12 +153,12 @@ static struct ip6t_match ip6t_ipv6header
 
 static int __init ipv6header_init(void)
 {
-	return ip6t_register_match(&ip6t_ipv6header_match);
+	return xt_register_match(&ip6t_ipv6header_match);
 }
 
 static void __exit ipv6header_exit(void)
 {
-	ip6t_unregister_match(&ip6t_ipv6header_match);
+	xt_unregister_match(&ip6t_ipv6header_match);
 }
 
 module_init(ipv6header_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_owner.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
@@ -14,8 +14,9 @@
 #include <linux/rcupdate.h>
 #include <net/sock.h>
 
-#include <linux/netfilter_ipv6/ip6t_owner.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_owner.h>
+#include <linux/netfilter/x_tables.h>
 
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
 MODULE_DESCRIPTION("IP6 tables owner matching module");
@@ -69,8 +70,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match owner_match = {
+static struct xt_match owner_match = {
 	.name		= "owner",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_owner_info),
 	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
@@ -80,12 +82,12 @@ static struct ip6t_match owner_match = {
 
 static int __init ip6t_owner_init(void)
 {
-	return ip6t_register_match(&owner_match);
+	return xt_register_match(&owner_match);
 }
 
 static void __exit ip6t_owner_fini(void)
 {
-	ip6t_unregister_match(&owner_match);
+	xt_unregister_match(&owner_match);
 }
 
 module_init(ip6t_owner_init);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_rt.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
@@ -16,6 +16,7 @@
 
 #include <asm/byteorder.h>
 
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter_ipv6/ip6t_rt.h>
 
@@ -221,8 +222,9 @@ checkentry(const char *tablename,
 	return 1;
 }
 
-static struct ip6t_match rt_match = {
+static struct xt_match rt_match = {
 	.name		= "rt",
+	.family		= AF_INET6,
 	.match		= match,
 	.matchsize	= sizeof(struct ip6t_rt),
 	.checkentry	= checkentry,
@@ -231,12 +233,12 @@ static struct ip6t_match rt_match = {
 
 static int __init ip6t_rt_init(void)
 {
-	return ip6t_register_match(&rt_match);
+	return xt_register_match(&rt_match);
 }
 
 static void __exit ip6t_rt_fini(void)
 {
-	ip6t_unregister_match(&rt_match);
+	xt_unregister_match(&rt_match);
 }
 
 module_init(ip6t_rt_init);

Re: ipt->xt [p3]

[Jan Engelhardt]

>On Jan 17 2007 13:40, Patrick McHardy wrote:
>>
>>There are not needed anymore after your change:
>
>Removing them makes your xt_TCPMSS (which I don't have yet in my working copy)
>a dependency. Anyway, here goes...
>5B
>The ipt-log-fix-return.diff has been folded into use-xt-struct.diff.


bugger this one ... i'll resend



>
>Index: linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
>===================================================================
>--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv4/ip_tables.h
>+++ linux-2.6.20-rc5/include/linux/netfilter_ipv4/ip_tables.h
>@@ -272,16 +272,6 @@ ipt_get_target(struct ipt_entry *e)
> #include <linux/init.h>
> extern void ipt_init(void) __init;
> 
>-#define ipt_register_target(tgt) 	\
>-({	(tgt)->family = AF_INET;	\
>- 	xt_register_target(tgt); })
>-#define ipt_unregister_target(tgt) xt_unregister_target(tgt)
>-
>-#define ipt_register_match(mtch) 	\
>-({	(mtch)->family = AF_INET;	\
>-	xt_register_match(mtch); })
>-#define ipt_unregister_match(mtch) xt_unregister_match(mtch)
>-
> //#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
> //#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
> 
>Index: linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
>===================================================================
>--- linux-2.6.20-rc5.orig/include/linux/netfilter_ipv6/ip6_tables.h
>+++ linux-2.6.20-rc5/include/linux/netfilter_ipv6/ip6_tables.h
>@@ -286,16 +286,6 @@ ip6t_get_target(struct ip6t_entry *e)
> #include <linux/init.h>
> extern void ip6t_init(void) __init;
> 
>-#define ip6t_register_target(tgt) 		\
>-({	(tgt)->family = AF_INET6;		\
>- 	xt_register_target(tgt); })
>-#define ip6t_unregister_target(tgt) xt_unregister_target(tgt)
>-
>-#define ip6t_register_match(match)		\
>-({	(match)->family = AF_INET6;		\
>-	xt_register_match(match); })
>-#define ip6t_unregister_match(match) xt_unregister_match(match)
>-
> extern int ip6t_register_table(struct ip6t_table *table,
> 			       const struct ip6t_replace *repl);
> extern void ip6t_unregister_table(struct ip6t_table *table);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_CLUSTERIP.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_CLUSTERIP.c
>@@ -26,6 +26,7 @@
> 
> #include <linux/netfilter_arp.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
> #include <net/netfilter/nf_conntrack_compat.h>
>@@ -329,7 +330,7 @@ target(struct sk_buff **pskb,
> 	if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
> 	    && (ctinfo == IP_CT_RELATED 
> 		|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
>-		return IPT_CONTINUE;
>+		return XT_CONTINUE;
> 
> 	/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
> 	 * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
>@@ -367,7 +368,7 @@ target(struct sk_buff **pskb,
> 	 * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
> 	(*pskb)->pkt_type = PACKET_HOST;
> 
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int
>@@ -470,8 +471,9 @@ static void destroy(const struct xt_targ
> 	nf_ct_l3proto_module_put(target->family);
> }
> 
>-static struct ipt_target clusterip_tgt = {
>+static struct xt_target clusterip_tgt = {
> 	.name		= "CLUSTERIP",
>+	.family		= AF_INET,
> 	.target		= target,
> 	.targetsize	= sizeof(struct ipt_clusterip_tgt_info),
> 	.checkentry	= checkentry,
>@@ -727,7 +729,7 @@ static int __init ipt_clusterip_init(voi
> {
> 	int ret;
> 
>-	ret = ipt_register_target(&clusterip_tgt);
>+	ret = xt_register_target(&clusterip_tgt);
> 	if (ret < 0)
> 		return ret;
> 
>@@ -753,7 +755,7 @@ cleanup_hook:
> 	nf_unregister_hook(&cip_arp_ops);
> #endif /* CONFIG_PROC_FS */
> cleanup_target:
>-	ipt_unregister_target(&clusterip_tgt);
>+	xt_unregister_target(&clusterip_tgt);
> 	return ret;
> }
> 
>@@ -765,7 +767,7 @@ static void __exit ipt_clusterip_fini(vo
> 	remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
> #endif
> 	nf_unregister_hook(&cip_arp_ops);
>-	ipt_unregister_target(&clusterip_tgt);
>+	xt_unregister_target(&clusterip_tgt);
> }
> 
> module_init(ipt_clusterip_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ECN.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ECN.c
>@@ -9,12 +9,14 @@
>  * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
> */
> 
>+#include <linux/in.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
> #include <linux/tcp.h>
> #include <net/checksum.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_ECN.h>
> 
>@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
> 		if (!set_ect_tcp(pskb, einfo))
> 			return NF_DROP;
> 
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int
>@@ -119,7 +121,7 @@ checkentry(const char *tablename,
> 		return 0;
> 	}
> 	if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
>-	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
>+	    && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
> 		printk(KERN_WARNING "ECN: cannot use TCP operations on a "
> 		       "non-tcp rule\n");
> 		return 0;
>@@ -127,8 +129,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_target ipt_ecn_reg = {
>+static struct xt_target ipt_ecn_reg = {
> 	.name		= "ECN",
>+	.family		= AF_INET,
> 	.target		= target,
> 	.targetsize	= sizeof(struct ipt_ECN_info),
> 	.table		= "mangle",
>@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
> 
> static int __init ipt_ecn_init(void)
> {
>-	return ipt_register_target(&ipt_ecn_reg);
>+	return xt_register_target(&ipt_ecn_reg);
> }
> 
> static void __exit ipt_ecn_fini(void)
> {
>-	ipt_unregister_target(&ipt_ecn_reg);
>+	xt_unregister_target(&ipt_ecn_reg);
> }
> 
> module_init(ipt_ecn_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
>@@ -20,7 +20,7 @@
> #include <net/route.h>
> 
> #include <linux/netfilter.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_LOG.h>
> 
> MODULE_LICENSE("GPL");
>@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
> 
> 	ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
> 	               loginfo->prefix);
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int ipt_log_checkentry(const char *tablename,
>@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char
> 	return 1;
> }
> 
>-static struct ipt_target ipt_log_reg = {
>+static struct xt_target ipt_log_reg = {
> 	.name		= "LOG",
>+	.family		= AF_INET,
> 	.target		= ipt_log_target,
> 	.targetsize	= sizeof(struct ipt_log_info),
> 	.checkentry	= ipt_log_checkentry,
>@@ -471,8 +472,9 @@ static struct nf_logger ipt_log_logger =
> 
> static int __init ipt_log_init(void)
> {
>-	if (ipt_register_target(&ipt_log_reg))
>-		return -EINVAL;
>+	int ret;
>+	if ((ret = xt_register_target(&ipt_log_reg)) < 0)
>+		return ret;
> 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
> 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
> 		       "since somebody else already registered for PF_INET\n");
>@@ -486,7 +488,7 @@ static int __init ipt_log_init(void)
> static void __exit ipt_log_fini(void)
> {
> 	nf_log_unregister_logger(&ipt_log_logger);
>-	ipt_unregister_target(&ipt_log_reg);
>+	xt_unregister_target(&ipt_log_reg);
> }
> 
> module_init(ipt_log_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_MASQUERADE.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_MASQUERADE.c
>@@ -25,7 +25,7 @@
> #else
> #include <linux/netfilter_ipv4/ip_nat_rule.h>
> #endif
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
>@@ -192,6 +192,7 @@ static struct notifier_block masq_inet_n
> 
> static struct ipt_target masquerade = {
> 	.name		= "MASQUERADE",
>+	.family		= AF_INET,
> 	.target		= masquerade_target,
> 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
> 	.table		= "nat",
>@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(vo
> {
> 	int ret;
> 
>-	ret = ipt_register_target(&masquerade);
>+	ret = xt_register_target(&masquerade);
> 
> 	if (ret == 0) {
> 		/* Register for device down reports */
>@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(vo
> 
> static void __exit ipt_masquerade_fini(void)
> {
>-	ipt_unregister_target(&masquerade);
>+	xt_unregister_target(&masquerade);
> 	unregister_netdevice_notifier(&masq_dev_notifier);
> 	unregister_inetaddr_notifier(&masq_inet_notifier);	
> }
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_NETMAP.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_NETMAP.c
>@@ -15,6 +15,7 @@
> #include <linux/netdevice.h>
> #include <linux/netfilter.h>
> #include <linux/netfilter_ipv4.h>
>+#include <linux/netfilter/x_tables.h>
> #ifdef CONFIG_NF_NAT_NEEDED
> #include <net/netfilter/nf_nat_rule.h>
> #else
>@@ -90,6 +91,7 @@ target(struct sk_buff **pskb,
> 
> static struct ipt_target target_module = { 
> 	.name 		= MODULENAME,
>+	.family		= AF_INET,
> 	.target 	= target, 
> 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
> 	.table		= "nat",
>@@ -101,12 +103,12 @@ static struct ipt_target target_module =
> 
> static int __init ipt_netmap_init(void)
> {
>-	return ipt_register_target(&target_module);
>+	return xt_register_target(&target_module);
> }
> 
> static void __exit ipt_netmap_fini(void)
> {
>-	ipt_unregister_target(&target_module);
>+	xt_unregister_target(&target_module);
> }
> 
> module_init(ipt_netmap_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REDIRECT.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REDIRECT.c
>@@ -18,6 +18,7 @@
> #include <net/protocol.h>
> #include <net/checksum.h>
> #include <linux/netfilter_ipv4.h>
>+#include <linux/netfilter/x_tables.h>
> #ifdef CONFIG_NF_NAT_NEEDED
> #include <net/netfilter/nf_nat_rule.h>
> #else
>@@ -106,6 +107,7 @@ redirect_target(struct sk_buff **pskb,
> 
> static struct ipt_target redirect_reg = {
> 	.name		= "REDIRECT",
>+	.family		= AF_INET,
> 	.target		= redirect_target,
> 	.targetsize	= sizeof(struct ip_nat_multi_range_compat),
> 	.table		= "nat",
>@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = 
> 
> static int __init ipt_redirect_init(void)
> {
>-	return ipt_register_target(&redirect_reg);
>+	return xt_register_target(&redirect_reg);
> }
> 
> static void __exit ipt_redirect_fini(void)
> {
>-	ipt_unregister_target(&redirect_reg);
>+	xt_unregister_target(&redirect_reg);
> }
> 
> module_init(ipt_redirect_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_REJECT.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_REJECT.c
>@@ -22,6 +22,7 @@
> #include <net/tcp.h>
> #include <net/route.h>
> #include <net/dst.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_REJECT.h>
> #ifdef CONFIG_BRIDGE_NETFILTER
>@@ -230,7 +231,7 @@ static int check(const char *tablename,
> 	} else if (rejinfo->with == IPT_TCP_RESET) {
> 		/* Must specify that it's a TCP packet */
> 		if (e->ip.proto != IPPROTO_TCP
>-		    || (e->ip.invflags & IPT_INV_PROTO)) {
>+		    || (e->ip.invflags & XT_INV_PROTO)) {
> 			DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
> 			return 0;
> 		}
>@@ -238,8 +239,9 @@ static int check(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_target ipt_reject_reg = {
>+static struct xt_target ipt_reject_reg = {
> 	.name		= "REJECT",
>+	.family		= AF_INET,
> 	.target		= reject,
> 	.targetsize	= sizeof(struct ipt_reject_info),
> 	.table		= "filter",
>@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg 
> 
> static int __init ipt_reject_init(void)
> {
>-	return ipt_register_target(&ipt_reject_reg);
>+	return xt_register_target(&ipt_reject_reg);
> }
> 
> static void __exit ipt_reject_fini(void)
> {
>-	ipt_unregister_target(&ipt_reject_reg);
>+	xt_unregister_target(&ipt_reject_reg);
> }
> 
> module_init(ipt_reject_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_SAME.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_SAME.c
>@@ -34,6 +34,7 @@
> #include <net/protocol.h>
> #include <net/checksum.h>
> #include <linux/netfilter_ipv4.h>
>+#include <linux/netfilter/x_tables.h>
> #ifdef CONFIG_NF_NAT_NEEDED
> #include <net/netfilter/nf_nat_rule.h>
> #else
>@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
> 	return ip_nat_setup_info(ct, &newrange, hooknum);
> }
> 
>-static struct ipt_target same_reg = { 
>+static struct xt_target same_reg = {
> 	.name		= "SAME",
>+	.family		= AF_INET,
> 	.target		= same_target,
> 	.targetsize	= sizeof(struct ipt_same_info),
> 	.table		= "nat",
>@@ -199,12 +201,12 @@ static struct ipt_target same_reg = { 
> 
> static int __init ipt_same_init(void)
> {
>-	return ipt_register_target(&same_reg);
>+	return xt_register_target(&same_reg);
> }
> 
> static void __exit ipt_same_fini(void)
> {
>-	ipt_unregister_target(&same_reg);
>+	xt_unregister_target(&same_reg);
> }
> 
> module_init(ipt_same_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TOS.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TOS.c
>@@ -13,7 +13,7 @@
> #include <linux/ip.h>
> #include <net/checksum.h>
> 
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_TOS.h>
> 
> MODULE_LICENSE("GPL");
>@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
> 		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
> 		nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
> 	}
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int
>@@ -63,8 +63,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_target ipt_tos_reg = {
>+static struct xt_target ipt_tos_reg = {
> 	.name		= "TOS",
>+	.family		= AF_INET,
> 	.target		= target,
> 	.targetsize	= sizeof(struct ipt_tos_target_info),
> 	.table		= "mangle",
>@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
> 
> static int __init ipt_tos_init(void)
> {
>-	return ipt_register_target(&ipt_tos_reg);
>+	return xt_register_target(&ipt_tos_reg);
> }
> 
> static void __exit ipt_tos_fini(void)
> {
>-	ipt_unregister_target(&ipt_tos_reg);
>+	xt_unregister_target(&ipt_tos_reg);
> }
> 
> module_init(ipt_tos_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_TTL.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_TTL.c
>@@ -12,7 +12,7 @@
> #include <linux/ip.h>
> #include <net/checksum.h>
> 
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_TTL.h>
> 
> MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
>@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
> 		iph->ttl = new_ttl;
> 	}
> 
>-	return IPT_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int ipt_ttl_checkentry(const char *tablename,
>@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char
> 	return 1;
> }
> 
>-static struct ipt_target ipt_TTL = { 
>+static struct xt_target ipt_TTL = {
> 	.name 		= "TTL",
>+	.family		= AF_INET,
> 	.target 	= ipt_ttl_target, 
> 	.targetsize	= sizeof(struct ipt_TTL_info),
> 	.table		= "mangle",
>@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = { 
> 
> static int __init ipt_ttl_init(void)
> {
>-	return ipt_register_target(&ipt_TTL);
>+	return xt_register_target(&ipt_TTL);
> }
> 
> static void __exit ipt_ttl_fini(void)
> {
>-	ipt_unregister_target(&ipt_TTL);
>+	xt_unregister_target(&ipt_TTL);
> }
> 
> module_init(ipt_ttl_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
>@@ -57,7 +57,7 @@
> #include <linux/mm.h>
> #include <linux/moduleparam.h>
> #include <linux/netfilter.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_ULOG.h>
> #include <net/sock.h>
> #include <linux/bitops.h>
>@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgro
> 	ub->qlen = 0;
> 	ub->skb = NULL;
> 	ub->lastnlh = NULL;
>-
> }
> 
> 
>@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(stru
> 
> 	ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
>  
>- 	return IPT_CONTINUE;
>+ 	return XT_CONTINUE;
> }
>  
> static void ipt_logfn(unsigned int pf,
>@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const cha
> 	return 1;
> }
> 
>-static struct ipt_target ipt_ulog_reg = {
>+static struct xt_target ipt_ulog_reg = {
> 	.name		= "ULOG",
>+	.family		= AF_INET,
> 	.target		= ipt_ulog_target,
> 	.targetsize	= sizeof(struct ipt_ulog_info),
> 	.checkentry	= ipt_ulog_checkentry,
>@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
> 
> static int __init ipt_ulog_init(void)
> {
>-	int i;
>+	int ret, i;
> 
> 	DEBUGP("ipt_ULOG: init module\n");
> 
>@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
> 	if (!nflognl)
> 		return -ENOMEM;
> 
>-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
>+	if ((ret = xt_register_target(&ipt_ulog_reg)) != 0) {
> 		sock_release(nflognl->sk_socket);
>-		return -EINVAL;
>+		return ret;
> 	}
> 	if (nflog)
> 		nf_log_register(PF_INET, &ipt_ulog_logger);
>@@ -419,7 +419,7 @@ static void __exit ipt_ulog_fini(void)
> 
> 	if (nflog)
> 		nf_log_unregister_logger(&ipt_ulog_logger);
>-	ipt_unregister_target(&ipt_ulog_reg);
>+	xt_unregister_target(&ipt_ulog_reg);
> 	sock_release(nflognl->sk_socket);
> 
> 	/* remove pending timers and free allocated skb's */
>@@ -435,7 +435,6 @@ static void __exit ipt_ulog_fini(void)
> 			ub->skb = NULL;
> 		}
> 	}
>-
> }
> 
> module_init(ipt_ulog_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_addrtype.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_addrtype.c
>@@ -16,7 +16,7 @@
> #include <net/route.h>
> 
> #include <linux/netfilter_ipv4/ipt_addrtype.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
>@@ -44,8 +44,9 @@ static int match(const struct sk_buff *s
> 	return ret;
> }
> 
>-static struct ipt_match addrtype_match = {
>+static struct xt_match addrtype_match = {
> 	.name		= "addrtype",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_addrtype_info),
> 	.me		= THIS_MODULE
>@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match =
> 
> static int __init ipt_addrtype_init(void)
> {
>-	return ipt_register_match(&addrtype_match);
>+	return xt_register_match(&addrtype_match);
> }
> 
> static void __exit ipt_addrtype_fini(void)
> {
>-	ipt_unregister_match(&addrtype_match);
>+	xt_unregister_match(&addrtype_match);
> }
> 
> module_init(ipt_addrtype_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ah.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ah.c
>@@ -6,12 +6,13 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/in.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
> 
> #include <linux/netfilter_ipv4/ipt_ah.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
>@@ -86,8 +87,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_match ah_match = {
>+static struct xt_match ah_match = {
> 	.name		= "ah",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_ah),
> 	.proto		= IPPROTO_AH,
>@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
> 
> static int __init ipt_ah_init(void)
> {
>-	return ipt_register_match(&ah_match);
>+	return xt_register_match(&ah_match);
> }
> 
> static void __exit ipt_ah_fini(void)
> {
>-	ipt_unregister_match(&ah_match);
>+	xt_unregister_match(&ah_match);
> }
> 
> module_init(ipt_ah_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ecn.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ecn.c
>@@ -9,10 +9,13 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/in.h>
>+#include <linux/ip.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/tcp.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_ecn.h>
> 
>@@ -109,8 +112,10 @@ static int checkentry(const char *tablen
> 	return 1;
> }
> 
>-static struct ipt_match ecn_match = {
>+static struct xt_match ecn_match = {
> 	.name		= "ecn",
>+	.family		= AF_INET,
>+	.proto		= IPPROTO_TCP,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_ecn_info),
> 	.checkentry	= checkentry,
>@@ -119,12 +124,12 @@ static struct ipt_match ecn_match = {
> 
> static int __init ipt_ecn_init(void)
> {
>-	return ipt_register_match(&ecn_match);
>+	return xt_register_match(&ecn_match);
> }
> 
> static void __exit ipt_ecn_fini(void)
> {
>-	ipt_unregister_match(&ecn_match);
>+	xt_unregister_match(&ecn_match);
> }
> 
> module_init(ipt_ecn_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_iprange.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_iprange.c
>@@ -10,7 +10,7 @@
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_iprange.h>
> 
> MODULE_LICENSE("GPL");
>@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
> 	return 1;
> }
> 
>-static struct ipt_match iprange_match = {
>+static struct xt_match iprange_match = {
> 	.name		= "iprange",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_iprange_info),
>-	.destroy	= NULL,
> 	.me		= THIS_MODULE
> };
> 
> static int __init ipt_iprange_init(void)
> {
>-	return ipt_register_match(&iprange_match);
>+	return xt_register_match(&iprange_match);
> }
> 
> static void __exit ipt_iprange_fini(void)
> {
>-	ipt_unregister_match(&iprange_match);
>+	xt_unregister_match(&iprange_match);
> }
> 
> module_init(ipt_iprange_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_owner.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_owner.c
>@@ -15,7 +15,7 @@
> #include <net/sock.h>
> 
> #include <linux/netfilter_ipv4/ipt_owner.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
>@@ -68,8 +68,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ipt_match owner_match = {
>+static struct xt_match owner_match = {
> 	.name		= "owner",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_owner_info),
> 	.hooks		= (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
>@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
> 
> static int __init ipt_owner_init(void)
> {
>-	return ipt_register_match(&owner_match);
>+	return xt_register_match(&owner_match);
> }
> 
> static void __exit ipt_owner_fini(void)
> {
>-	ipt_unregister_match(&owner_match);
>+	xt_unregister_match(&owner_match);
> }
> 
> module_init(ipt_owner_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_recent.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_recent.c
>@@ -12,6 +12,7 @@
>  * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
>  */
> #include <linux/init.h>
>+#include <linux/ip.h>
> #include <linux/moduleparam.h>
> #include <linux/proc_fs.h>
> #include <linux/seq_file.h>
>@@ -24,7 +25,7 @@
> #include <linux/skbuff.h>
> #include <linux/inet.h>
> 
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ipt_recent.h>
> 
> MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
>@@ -462,8 +463,9 @@ static struct file_operations recent_fop
> };
> #endif /* CONFIG_PROC_FS */
> 
>-static struct ipt_match recent_match = {
>+static struct xt_match recent_match = {
> 	.name		= "recent",
>+	.family		= AF_INET,
> 	.match		= ipt_recent_match,
> 	.matchsize	= sizeof(struct ipt_recent_info),
> 	.checkentry	= ipt_recent_checkentry,
>@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
> 		return -EINVAL;
> 	ip_list_hash_size = 1 << fls(ip_list_tot);
> 
>-	err = ipt_register_match(&recent_match);
>+	err = xt_register_match(&recent_match);
> #ifdef CONFIG_PROC_FS
> 	if (err)
> 		return err;
> 	proc_dir = proc_mkdir("ipt_recent", proc_net);
> 	if (proc_dir == NULL) {
>-		ipt_unregister_match(&recent_match);
>+		xt_unregister_match(&recent_match);
> 		err = -ENOMEM;
> 	}
> #endif
>@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
> static void __exit ipt_recent_exit(void)
> {
> 	BUG_ON(!list_empty(&tables));
>-	ipt_unregister_match(&recent_match);
>+	xt_unregister_match(&recent_match);
> #ifdef CONFIG_PROC_FS
> 	remove_proc_entry("ipt_recent", proc_net);
> #endif
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_tos.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_tos.c
>@@ -8,11 +8,12 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/ip.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> 
> #include <linux/netfilter_ipv4/ipt_tos.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_LICENSE("GPL");
> MODULE_DESCRIPTION("iptables TOS match module");
>@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
> 	return (skb->nh.iph->tos == info->tos) ^ info->invert;
> }
> 
>-static struct ipt_match tos_match = {
>+static struct xt_match tos_match = {
> 	.name		= "tos",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_tos_info),
> 	.me		= THIS_MODULE,
>@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
> 
> static int __init ipt_multiport_init(void)
> {
>-	return ipt_register_match(&tos_match);
>+	return xt_register_match(&tos_match);
> }
> 
> static void __exit ipt_multiport_fini(void)
> {
>-	ipt_unregister_match(&tos_match);
>+	xt_unregister_match(&tos_match);
> }
> 
> module_init(ipt_multiport_init);
>Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ttl.c
>+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ttl.c
>@@ -9,11 +9,12 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/ip.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> 
> #include <linux/netfilter_ipv4/ipt_ttl.h>
>-#include <linux/netfilter_ipv4/ip_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
> MODULE_DESCRIPTION("IP tables TTL matching module");
>@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
> 	return 0;
> }
> 
>-static struct ipt_match ttl_match = {
>+static struct xt_match ttl_match = {
> 	.name		= "ttl",
>+	.family		= AF_INET,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ipt_ttl_info),
> 	.me		= THIS_MODULE,
>@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
> 
> static int __init ipt_ttl_init(void)
> {
>-	return ipt_register_match(&ttl_match);
>+	return xt_register_match(&ttl_match);
> }
> 
> static void __exit ipt_ttl_fini(void)
> {
>-	ipt_unregister_match(&ttl_match);
>-
>+	xt_unregister_match(&ttl_match);
> }
> 
> module_init(ipt_ttl_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_HL.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_HL.c
>@@ -9,12 +9,13 @@
> #include <linux/module.h>
> #include <linux/skbuff.h>
> #include <linux/ip.h>
>+#include <linux/ipv6.h>
> 
>-#include <linux/netfilter_ipv6/ip6_tables.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6t_HL.h>
> 
> MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
>-MODULE_DESCRIPTION("IP tables Hop Limit modification module");
>+MODULE_DESCRIPTION("IP6 tables Hop Limit modification module");
> MODULE_LICENSE("GPL");
> 
> static unsigned int ip6t_hl_target(struct sk_buff **pskb, 
>@@ -55,7 +56,7 @@ static unsigned int ip6t_hl_target(struc
> 	if (new_hl != ip6h->hop_limit)
> 		ip6h->hop_limit = new_hl;
> 
>-	return IP6T_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> static int ip6t_hl_checkentry(const char *tablename,
>@@ -79,8 +80,9 @@ static int ip6t_hl_checkentry(const char
> 	return 1;
> }
> 
>-static struct ip6t_target ip6t_HL = { 
>+static struct xt_target ip6t_HL = {
> 	.name 		= "HL", 
>+	.family		= AF_INET6,
> 	.target		= ip6t_hl_target, 
> 	.targetsize	= sizeof(struct ip6t_HL_info),
> 	.table		= "mangle",
>@@ -90,12 +92,12 @@ static struct ip6t_target ip6t_HL = { 
> 
> static int __init ip6t_hl_init(void)
> {
>-	return ip6t_register_target(&ip6t_HL);
>+	return xt_register_target(&ip6t_HL);
> }
> 
> static void __exit ip6t_hl_fini(void)
> {
>-	ip6t_unregister_target(&ip6t_HL);
>+	xt_unregister_target(&ip6t_HL);
> }
> 
> module_init(ip6t_hl_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
>@@ -21,6 +21,7 @@
> #include <net/tcp.h>
> #include <net/ipv6.h>
> #include <linux/netfilter.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> 
> MODULE_AUTHOR("Jan Rekorajski <baggins@pld.org.pl>");
>@@ -442,7 +443,7 @@ ip6t_log_target(struct sk_buff **pskb,
> 
> 	ip6t_log_packet(PF_INET6, hooknum, *pskb, in, out, &li,
> 	                loginfo->prefix);
>-	return IP6T_CONTINUE;
>+	return XT_CONTINUE;
> }
> 
> 
>@@ -466,8 +467,9 @@ static int ip6t_log_checkentry(const cha
> 	return 1;
> }
> 
>-static struct ip6t_target ip6t_log_reg = {
>+static struct xt_target ip6t_log_reg = {
> 	.name 		= "LOG",
>+	.family		= AF_INET6,
> 	.target 	= ip6t_log_target, 
> 	.targetsize	= sizeof(struct ip6t_log_info),
> 	.checkentry	= ip6t_log_checkentry, 
>@@ -482,8 +484,9 @@ static struct nf_logger ip6t_logger = {
> 
> static int __init ip6t_log_init(void)
> {
>-	if (ip6t_register_target(&ip6t_log_reg))
>-		return -EINVAL;
>+	int ret;
>+	if ((ret = xt_register_target(&ip6t_log_reg)) < 0)
>+		return ret;
> 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
> 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
> 		       "since somebody else already registered for PF_INET6\n");
>@@ -497,7 +500,7 @@ static int __init ip6t_log_init(void)
> static void __exit ip6t_log_fini(void)
> {
> 	nf_log_unregister_logger(&ip6t_logger);
>-	ip6t_unregister_target(&ip6t_log_reg);
>+	xt_unregister_target(&ip6t_log_reg);
> }
> 
> module_init(ip6t_log_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_REJECT.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_REJECT.c
>@@ -26,6 +26,7 @@
> #include <net/ip6_fib.h>
> #include <net/ip6_route.h>
> #include <net/flow.h>
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_REJECT.h>
> 
>@@ -234,7 +235,7 @@ static int check(const char *tablename,
> 	} else if (rejinfo->with == IP6T_TCP_RESET) {
> 		/* Must specify that it's a TCP packet */
> 		if (e->ipv6.proto != IPPROTO_TCP
>-		    || (e->ipv6.invflags & IP6T_INV_PROTO)) {
>+		    || (e->ipv6.invflags & XT_INV_PROTO)) {
> 			DEBUGP("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
> 			return 0;
> 		}
>@@ -242,8 +243,9 @@ static int check(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_target ip6t_reject_reg = {
>+static struct xt_target ip6t_reject_reg = {
> 	.name		= "REJECT",
>+	.family		= AF_INET6,
> 	.target		= reject6_target,
> 	.targetsize	= sizeof(struct ip6t_reject_info),
> 	.table		= "filter",
>@@ -255,12 +257,12 @@ static struct ip6t_target ip6t_reject_re
> 
> static int __init ip6t_reject_init(void)
> {
>-	return ip6t_register_target(&ip6t_reject_reg);
>+	return xt_register_target(&ip6t_reject_reg);
> }
> 
> static void __exit ip6t_reject_fini(void)
> {
>-	ip6t_unregister_target(&ip6t_reject_reg);
>+	xt_unregister_target(&ip6t_reject_reg);
> }
> 
> module_init(ip6t_reject_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ah.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ah.c
>@@ -15,6 +15,7 @@
> #include <net/checksum.h>
> #include <net/ipv6.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_ah.h>
> 
>@@ -118,8 +119,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match ah_match = {
>+static struct xt_match ah_match = {
> 	.name		= "ah",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_ah),
> 	.checkentry	= checkentry,
>@@ -128,12 +130,12 @@ static struct ip6t_match ah_match = {
> 
> static int __init ip6t_ah_init(void)
> {
>-	return ip6t_register_match(&ah_match);
>+	return xt_register_match(&ah_match);
> }
> 
> static void __exit ip6t_ah_fini(void)
> {
>-	ip6t_unregister_match(&ah_match);
>+	xt_unregister_match(&ah_match);
> }
> 
> module_init(ip6t_ah_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_eui64.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_eui64.c
>@@ -12,6 +12,7 @@
> #include <linux/ipv6.h>
> #include <linux/if_ether.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> 
> MODULE_DESCRIPTION("IPv6 EUI64 address checking match");
>@@ -61,8 +62,9 @@ match(const struct sk_buff *skb,
> 	return 0;
> }
> 
>-static struct ip6t_match eui64_match = {
>+static struct xt_match eui64_match = {
> 	.name		= "eui64",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(int),
> 	.hooks		= (1 << NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN) |
>@@ -72,12 +74,12 @@ static struct ip6t_match eui64_match = {
> 
> static int __init ip6t_eui64_init(void)
> {
>-	return ip6t_register_match(&eui64_match);
>+	return xt_register_match(&eui64_match);
> }
> 
> static void __exit ip6t_eui64_fini(void)
> {
>-	ip6t_unregister_match(&eui64_match);
>+	xt_unregister_match(&eui64_match);
> }
> 
> module_init(ip6t_eui64_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_frag.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_frag.c
>@@ -14,6 +14,7 @@
> #include <net/checksum.h>
> #include <net/ipv6.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_frag.h>
> 
>@@ -135,8 +136,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match frag_match = {
>+static struct xt_match frag_match = {
> 	.name		= "frag",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_frag),
> 	.checkentry	= checkentry,
>@@ -145,12 +147,12 @@ static struct ip6t_match frag_match = {
> 
> static int __init ip6t_frag_init(void)
> {
>-	return ip6t_register_match(&frag_match);
>+	return xt_register_match(&frag_match);
> }
> 
> static void __exit ip6t_frag_fini(void)
> {
>-	ip6t_unregister_match(&frag_match);
>+	xt_unregister_match(&frag_match);
> }
> 
> module_init(ip6t_frag_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hbh.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hbh.c
>@@ -16,6 +16,7 @@
> 
> #include <asm/byteorder.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_opts.h>
> 
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_hl.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_hl.c
>@@ -8,11 +8,12 @@
>  * published by the Free Software Foundation.
>  */
> 
>+#include <linux/ipv6.h>
> #include <linux/module.h>
> #include <linux/skbuff.h>
> 
> #include <linux/netfilter_ipv6/ip6t_hl.h>
>-#include <linux/netfilter_ipv6/ip6_tables.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_AUTHOR("Maciej Soltysiak <solt@dns.toxicfilms.tv>");
> MODULE_DESCRIPTION("IP tables Hop Limit matching module");
>@@ -48,8 +49,9 @@ static int match(const struct sk_buff *s
> 	return 0;
> }
> 
>-static struct ip6t_match hl_match = {
>+static struct xt_match hl_match = {
> 	.name		= "hl",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_hl_info),
> 	.me		= THIS_MODULE,
>@@ -57,13 +59,12 @@ static struct ip6t_match hl_match = {
> 
> static int __init ip6t_hl_init(void)
> {
>-	return ip6t_register_match(&hl_match);
>+	return xt_register_match(&hl_match);
> }
> 
> static void __exit ip6t_hl_fini(void)
> {
>-	ip6t_unregister_match(&hl_match);
>-
>+	xt_unregister_match(&hl_match);
> }
> 
> module_init(ip6t_hl_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_ipv6header.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_ipv6header.c
>@@ -18,6 +18,7 @@
> #include <net/checksum.h>
> #include <net/ipv6.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_ipv6header.h>
> 
>@@ -140,8 +141,9 @@ ipv6header_checkentry(const char *tablen
> 	return 1;
> }
> 
>-static struct ip6t_match ip6t_ipv6header_match = {
>+static struct xt_match ip6t_ipv6header_match = {
> 	.name		= "ipv6header",
>+	.family		= AF_INET6,
> 	.match		= &ipv6header_match,
> 	.matchsize	= sizeof(struct ip6t_ipv6header_info),
> 	.checkentry	= &ipv6header_checkentry,
>@@ -151,12 +153,12 @@ static struct ip6t_match ip6t_ipv6header
> 
> static int __init ipv6header_init(void)
> {
>-	return ip6t_register_match(&ip6t_ipv6header_match);
>+	return xt_register_match(&ip6t_ipv6header_match);
> }
> 
> static void __exit ipv6header_exit(void)
> {
>-	ip6t_unregister_match(&ip6t_ipv6header_match);
>+	xt_unregister_match(&ip6t_ipv6header_match);
> }
> 
> module_init(ipv6header_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_owner.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_owner.c
>@@ -14,8 +14,9 @@
> #include <linux/rcupdate.h>
> #include <net/sock.h>
> 
>-#include <linux/netfilter_ipv6/ip6t_owner.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
>+#include <linux/netfilter_ipv6/ip6t_owner.h>
>+#include <linux/netfilter/x_tables.h>
> 
> MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
> MODULE_DESCRIPTION("IP6 tables owner matching module");
>@@ -69,8 +70,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match owner_match = {
>+static struct xt_match owner_match = {
> 	.name		= "owner",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_owner_info),
> 	.hooks		= (1 << NF_IP6_LOCAL_OUT) | (1 << NF_IP6_POST_ROUTING),
>@@ -80,12 +82,12 @@ static struct ip6t_match owner_match = {
> 
> static int __init ip6t_owner_init(void)
> {
>-	return ip6t_register_match(&owner_match);
>+	return xt_register_match(&owner_match);
> }
> 
> static void __exit ip6t_owner_fini(void)
> {
>-	ip6t_unregister_match(&owner_match);
>+	xt_unregister_match(&owner_match);
> }
> 
> module_init(ip6t_owner_init);
>Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
>===================================================================
>--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_rt.c
>+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_rt.c
>@@ -16,6 +16,7 @@
> 
> #include <asm/byteorder.h>
> 
>+#include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv6/ip6_tables.h>
> #include <linux/netfilter_ipv6/ip6t_rt.h>
> 
>@@ -221,8 +222,9 @@ checkentry(const char *tablename,
> 	return 1;
> }
> 
>-static struct ip6t_match rt_match = {
>+static struct xt_match rt_match = {
> 	.name		= "rt",
>+	.family		= AF_INET6,
> 	.match		= match,
> 	.matchsize	= sizeof(struct ip6t_rt),
> 	.checkentry	= checkentry,
>@@ -231,12 +233,12 @@ static struct ip6t_match rt_match = {
> 
> static int __init ip6t_rt_init(void)
> {
>-	return ip6t_register_match(&rt_match);
>+	return xt_register_match(&rt_match);
> }
> 
> static void __exit ip6t_rt_fini(void)
> {
>-	ip6t_unregister_match(&rt_match);
>+	xt_unregister_match(&rt_match);
> }
> 
> module_init(ip6t_rt_init);
>
>
>
>

	-`J'
-- 

[PATCH 1/3] Fix return values for LOG and ULOG

[Jan Engelhardt]

[PATCH 1/3] Fix return values for LOG and ULOG

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, 2007-01-17

Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_LOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_LOG.c
@@ -471,8 +471,9 @@ static struct nf_logger ipt_log_logger =
 
 static int __init ipt_log_init(void)
 {
-	if (ipt_register_target(&ipt_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ipt_register_target(&ipt_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
 		printk(KERN_WARNING "ipt_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET\n");
Index: linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv4/netfilter/ipt_ULOG.c
+++ linux-2.6.20-rc5/net/ipv4/netfilter/ipt_ULOG.c
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger 
 
 static int __init ipt_ulog_init(void)
 {
-	int i;
+	int ret, i;
 
 	DEBUGP("ipt_ULOG: init module\n");
 
@@ -400,9 +400,9 @@ static int __init ipt_ulog_init(void)
 	if (!nflognl)
 		return -ENOMEM;
 
-	if (ipt_register_target(&ipt_ulog_reg) != 0) {
+	if ((ret = ipt_register_target(&ipt_ulog_reg)) != 0) {
 		sock_release(nflognl->sk_socket);
-		return -EINVAL;
+		return ret;
 	}
 	if (nflog)
 		nf_log_register(PF_INET, &ipt_ulog_logger);
Index: linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
===================================================================
--- linux-2.6.20-rc5.orig/net/ipv6/netfilter/ip6t_LOG.c
+++ linux-2.6.20-rc5/net/ipv6/netfilter/ip6t_LOG.c
@@ -482,8 +482,9 @@ static struct nf_logger ip6t_logger = {
 
 static int __init ip6t_log_init(void)
 {
-	if (ip6t_register_target(&ip6t_log_reg))
-		return -EINVAL;
+	int ret;
+	if ((ret = ip6t_register_target(&ip6t_log_reg)) < 0)
+		return ret;
 	if (nf_log_register(PF_INET6, &ip6t_logger) < 0) {
 		printk(KERN_WARNING "ip6t_LOG: not logging via system console "
 		       "since somebody else already registered for PF_INET6\n");