* Make/compile error for iptables-1.4.0rc1
@ 2007-11-16 20:32 Jesper Dangaard Brouer
2007-11-16 21:34 ` Jan Engelhardt
0 siblings, 1 reply; 15+ messages in thread
From: Jesper Dangaard Brouer @ 2007-11-16 20:32 UTC (permalink / raw)
To: Netfilter Developers; +Cc: yasuyuki
Hi Netfilter Developers
I get a compile/make error when compiling iptables-1.4.0rc1 and latest
SVN revision (r7090).
cc -O2 -Wall -Wunused -I"/lib/modules/2.6.18-5-686/build"/include -I"/lib/modules/2.6.18-5-686/source"/include -Iinclude/ -DIPTABLES_VERSION=\"1.4.0rc1\" -DIPT_LIB_DIR=\"/usr/lib/iptables\" -c -o iptables.o iptables.c
iptables.c:207: error: 'XT_SO_GET_REVISION_MATCH' undeclared here (not in a function)
iptables.c:208: error: 'XT_SO_GET_REVISION_TARGET' undeclared here (not in a function)
make: *** [iptables.o] Error 1
SVN blame on iptables.c line 207-208 says it's changed by Yasuyuki
Kozakai with changeset 6920.
The strange thing about these lines is that they contain
IPT_SO_GET_REVISION_xxx and not XT_SO_GET_REVISION_xxx as the compiler
claims. Is some strange macro stuff going on here?
See you around!
--
Med venlig hilsen / Best regards
Jesper Brouer
ComX Networks A/S
Linux Network developer
Cand. Scient Datalog / MSc.
Author of http://adsl-optimizer.dk
LinkedIn: http://www.linkedin.com/in/brouer
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: Make/compile error for iptables-1.4.0rc1
2007-11-16 20:32 Make/compile error for iptables-1.4.0rc1 Jesper Dangaard Brouer
@ 2007-11-16 21:34 ` Jan Engelhardt
2007-11-18 12:49 ` Jesper Dangaard Brouer
0 siblings, 1 reply; 15+ messages in thread
From: Jan Engelhardt @ 2007-11-16 21:34 UTC (permalink / raw)
To: Jesper Dangaard Brouer; +Cc: Netfilter Developers, yasuyuki
On Nov 16 2007 21:32, Jesper Dangaard Brouer wrote:
>
>I get a compile/make error when compiling iptables-1.4.0rc1 and latest
>SVN revision (r7090).
>
>cc -O2 -Wall -Wunused -I"/lib/modules/2.6.18-5-686/build"/include -I"/lib/modules/2.6.18-5-686/source"/include -Iinclude/ -DIPTABLES_VERSION=\"1.4.0rc1\" -DIPT_LIB_DIR=\"/usr/lib/iptables\" -c -o iptables.o iptables.c
>iptables.c:207: error: 'XT_SO_GET_REVISION_MATCH' undeclared here (not in a function)
>iptables.c:208: error: 'XT_SO_GET_REVISION_TARGET' undeclared here (not in a function)
>make: *** [iptables.o] Error 1
In 7090, these lines have IPT_SO_GET_REVISION_xxx.
* Re: Make/compile error for iptables-1.4.0rc1
2007-11-16 21:34 ` Jan Engelhardt
@ 2007-11-18 12:49 ` Jesper Dangaard Brouer
2007-11-18 14:23 ` Jesper Dangaard Brouer
0 siblings, 1 reply; 15+ messages in thread
From: Jesper Dangaard Brouer @ 2007-11-18 12:49 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developers, yasuyuki
On Fri, 2007-11-16 at 22:34 +0100, Jan Engelhardt wrote:
> On Nov 16 2007 21:32, Jesper Dangaard Brouer wrote:
> >
> >I get a compile/make error when compiling iptables-1.4.0rc1 and latest
> >SVN revision (r7090).
> >
> >cc -O2 -Wall -Wunused -I"/lib/modules/2.6.18-5-686/build"/include -I"/lib/modules/2.6.18-5-686/source"/include -Iinclude/ -DIPTABLES_VERSION=\"1.4.0rc1\" -DIPT_LIB_DIR=\"/usr/lib/iptables\" -c -o iptables.o iptables.c
> >iptables.c:207: error: 'XT_SO_GET_REVISION_MATCH' undeclared here (not in a function)
> >iptables.c:208: error: 'XT_SO_GET_REVISION_TARGET' undeclared here (not in a function)
> >make: *** [iptables.o] Error 1
>
> In 7090, these lines have IPT_SO_GET_REVISION_xxx.
That's also what I wrote in my previous mail; I'll quote myself again:
On Fri, 2007-11-16 at 21:32 +0100, Jesper Dangaard Brouer wrote:
> SVN blame on iptables.c line 207-208 says it's changed by Yasuyuki
> Kozakai with changeset 6920.
>
> The strange thing about these lines is that they contain
> IPT_SO_GET_REVISION_xxx and not XT_SO_GET_REVISION_xxx as the compiler
> claims. Is some strange macro stuff going on here?
Does anyone else have this problem with iptables-1.4.0rc1, or is it just
my compile environment which is screwed?
* Re: Make/compile error for iptables-1.4.0rc1
2007-11-18 12:49 ` Jesper Dangaard Brouer
@ 2007-11-18 14:23 ` Jesper Dangaard Brouer
2007-11-20 23:10 ` [FIX] " Jesper Dangaard Brouer
0 siblings, 1 reply; 15+ messages in thread
From: Jesper Dangaard Brouer @ 2007-11-18 14:23 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developers, yasuyuki
On Sun, 2007-11-18 at 13:49 +0100, Jesper Dangaard Brouer wrote:
> On Fri, 2007-11-16 at 21:32 +0100, Jesper Dangaard Brouer wrote:
> > SVN blame on iptables.c line 207-208 says it's changed by Yasuyuki
> > Kozakai with changeset 6920.
> >
> > The strange thing about these lines is that they contain
> > IPT_SO_GET_REVISION_xxx and not XT_SO_GET_REVISION_xxx as the
> compiler
> > claims. Is some strange macro stuff going on here?
>
> Does anyone else have this problem with iptables-1.4.0rc1, or is it
> just my compile environment which is screwed?
Now I have tried to compile on three Debian boxes (incl.
people.netfilter.org) where it fails! I also tried it on a Gentoo box
where it succeeds!
The problem is "strange macro stuff" because on Debian, the header file:
/usr/include/linux/netfilter_ipv4/ip_tables.h
Defines:
#define IPT_SO_GET_REVISION_MATCH XT_SO_GET_REVISION_MATCH
#define IPT_SO_GET_REVISION_TARGET XT_SO_GET_REVISION_TARGET
So far it looks like a Debian bug, in package linux-kernel-headers
(2.6.18-7), because the latest kernel has these defines:
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
Is this a Debian bug, or did the kernel header at some point contain the
IPT_xxx to XT_SO_xxx re-defines?
Look below for what I could find in git...
commit b96e7ecbd052a0916b6078e7600604d7e276a336
Author: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Date: Tue Nov 14 19:48:48 2006 -0800
[NETFILTER]: ip6_tables: fixed conflicted optname for getsockopt
66 and 67 for getsockopt on IPv6 socket is doubly used for IPv6 Advanced
API and ip6tables. This moves numbers for ip6tables to 68 and 69.
This also kills XT_SO_* because {ip,ip6,arp}_tables doesn't have so much
common numbers now.
The old userland tools keep to behave as ever, because old kernel always
calls functions of IPv6 Advanced API for their numbers.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
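The optnames this thread turns on are what iptables hands to getsockopt() to ask the kernel whether it supports a given revision of a match or target; the commit above explains why the IPv6 numbers moved. The following is an added example, not code from the thread or from the iptables tree: it issues that query without including the netfilter headers at all, and assumes IPT_BASE_CTL and IP6T_BASE_CTL are 64 (consistent with the 66/67 in the commit message) and that the struct below mirrors the kernel's userspace-visible xt_get_revision layout.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* XT_FUNCTION_MAXNAMELEN is from the x_tables.h in this thread's patch.
 * The two BASE_CTL values are an assumption (64), consistent with the
 * 66/67 optnames the kernel commit message talks about. */
#define XT_FUNCTION_MAXNAMELEN 30
#define IPT_BASE_CTL  64
#define IP6T_BASE_CTL 64

/* Assumed to mirror the kernel's struct xt_get_revision (userspace ABI):
 * the caller fills in the extension name and the revision to check. */
struct xt_get_revision {
    char    name[XT_FUNCTION_MAXNAMELEN - 1];
    uint8_t revision;
};

/* getsockopt() optname for a revision query.  IPv4 uses IPT_BASE_CTL+2/+3
 * (66/67).  On an IPv6 socket 66/67 collide with the IPv6 Advanced API,
 * which is why ip6_tables uses IP6T_BASE_CTL+4/+5 (68/69) instead. */
int revision_optname(int family, int want_target)
{
    switch (family) {
    case AF_INET:  return IPT_BASE_CTL  + (want_target ? 3 : 2);
    case AF_INET6: return IP6T_BASE_CTL + (want_target ? 5 : 4);
    default:       return -1;
    }
}

/* The name field is fixed-size and must keep room for its NUL. */
int revision_name_fits(const char *name)
{
    return strlen(name) < sizeof(((struct xt_get_revision *)0)->name);
}

/* Ask the running kernel whether `revision` of the named match
 * (want_target == 0) or target (want_target == 1) is supported.
 * Returns 1 when the kernel accepts the name/revision pair, otherwise
 * -errno: EPERM without CAP_NET_RAW, ENOENT for an unknown extension,
 * EPROTONOSUPPORT when the extension exists but not in this revision,
 * ENOPROTOOPT on a kernel that predates the revision query. */
int query_revision(int family, int want_target, const char *name,
                   uint8_t revision)
{
    struct xt_get_revision rev;
    socklen_t len = sizeof(rev);
    int optname = revision_optname(family, want_target);
    int level = (family == AF_INET6) ? IPPROTO_IPV6 : IPPROTO_IP;
    int fd, rc;

    if (optname < 0 || !revision_name_fits(name))
        return -EINVAL;

    /* iptables talks to the kernel over a raw socket of the same family. */
    fd = socket(family, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return -errno;

    memset(&rev, 0, sizeof(rev));
    strncpy(rev.name, name, sizeof(rev.name) - 1);
    rev.revision = revision;

    rc = getsockopt(fd, level, optname, &rev, &len);
    rc = (rc < 0) ? -errno : 1;   /* capture errno before close() */
    close(fd);
    return rc;
}

int main(void)
{
    int r = query_revision(AF_INET, 0, "tcp", 0);
    if (r > 0)
        printf("IPv4 match 'tcp' revision 0: supported\n");
    else
        printf("query failed: %s\n", strerror(-r));
    return 0;
}
```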
* [FIX] Re: Make/compile error for iptables-1.4.0rc1
2007-11-18 14:23 ` Jesper Dangaard Brouer
@ 2007-11-20 23:10 ` Jesper Dangaard Brouer
2007-11-21 7:53 ` Patrick McHardy
0 siblings, 1 reply; 15+ messages in thread
From: Jesper Dangaard Brouer @ 2007-11-20 23:10 UTC (permalink / raw)
To: yasuyuki; +Cc: Netfilter Developers
The problem is that "linux/netfilter/x_tables.h" got included in SVN
(changeset 6920). The fix is to delete it from SVN, so that the system's
"x_tables.h" has effect again.
Can someone with SVN write access fix this?
"svn rm include/linux/netfilter/x_tables.h"
* Re: [FIX] Re: Make/compile error for iptables-1.4.0rc1
2007-11-20 23:10 ` [FIX] " Jesper Dangaard Brouer
@ 2007-11-21 7:53 ` Patrick McHardy
2007-11-21 11:21 ` Jan Engelhardt
2007-11-21 19:30 ` Jesper Dangaard Brouer
0 siblings, 2 replies; 15+ messages in thread
From: Patrick McHardy @ 2007-11-21 7:53 UTC (permalink / raw)
To: jdb; +Cc: yasuyuki, Netfilter Developers
Jesper Dangaard Brouer wrote:
> The problem is that "linux/netfilter/x_tables.h" got included in SVN
> (changeset 6920). The fix is to delete it from SVN, so that the system's
> "x_tables.h" has effect again.
>
> Can someone with SVN write access fix this?
>
> "svn rm include/linux/netfilter/x_tables.h"
Actually the fix is the other way around, we want to be able to
build iptables without having kernel sources locally. So I
guess the x_tables.h file should be resynced or something?
* Re: [FIX] Re: Make/compile error for iptables-1.4.0rc1
2007-11-21 7:53 ` Patrick McHardy
@ 2007-11-21 11:21 ` Jan Engelhardt
2007-11-21 19:30 ` Jesper Dangaard Brouer
1 sibling, 0 replies; 15+ messages in thread
From: Jan Engelhardt @ 2007-11-21 11:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: jdb, yasuyuki, Netfilter Developers
On Nov 21 2007 08:53, Patrick McHardy wrote:
> Jesper Dangaard Brouer wrote:
>> The problem is that "linux/netfilter/x_tables.h" got included in SVN
>> (changeset 6920). The fix is to delete it from SVN, so that the system's
>> "x_tables.h" has effect again.
>>
>> Can someone with SVN write access fix this?
>>
>> "svn rm include/linux/netfilter/x_tables.h"
>
>
> Actually the fix is the other way around, we want to be able to
> build iptables without having kernel sources locally. So I
> guess the x_tables.h file should be resynced or something?
>
Works as-is for me with r7090, so it must be something different.
* Re: [FIX] Re: Make/compile error for iptables-1.4.0rc1
2007-11-21 7:53 ` Patrick McHardy
2007-11-21 11:21 ` Jan Engelhardt
@ 2007-11-21 19:30 ` Jesper Dangaard Brouer
2007-11-22 10:31 ` Patrick McHardy
1 sibling, 1 reply; 15+ messages in thread
From: Jesper Dangaard Brouer @ 2007-11-21 19:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: yasuyuki, Netfilter Developers
On Wed, 2007-11-21 at 08:53 +0100, Patrick McHardy wrote:
> Jesper Dangaard Brouer wrote:
> > The problem is that "linux/netfilter/x_tables.h" got included in SVN
> > (changeset 6920). The fix is to delete it from SVN, so that the system's
> > "x_tables.h" has effect again.
> >
> > Can someone with SVN write access fix this?
> >
> > "svn rm include/linux/netfilter/x_tables.h"
>
>
> Actually the fix is the other way around, we want to be able to
> build iptables without having kernel sources locally. So I
> guess the x_tables.h file should be resynced or something?
If that's what you want, we need to add ip_tables.h in
include/linux/netfilter_ipv4/. It's the interaction between ip_tables.h
and x_tables.h that screws things up.
Both ip_tables.h and x_tables.h are part of the kernel source code.
There might be some dependencies on a specific kernel, so it might not be
wise to include the files in SVN as we make a dependency on this
specific kernel, and we also need to keep them in sync.
Well, Yasuyuki should be able to answer this question...?
* Re: [FIX] Re: Make/compile error for iptables-1.4.0rc1
2007-11-21 19:30 ` Jesper Dangaard Brouer
@ 2007-11-22 10:31 ` Patrick McHardy
2007-11-23 14:30 ` Jesper Dangaard Brouer
0 siblings, 1 reply; 15+ messages in thread
From: Patrick McHardy @ 2007-11-22 10:31 UTC (permalink / raw)
To: jdb; +Cc: yasuyuki, Netfilter Developers
Jesper Dangaard Brouer wrote:
> On Wed, 2007-11-21 at 08:53 +0100, Patrick McHardy wrote:
>> Jesper Dangaard Brouer wrote:
>>> The problem is that "linux/netfilter/x_tables.h" got included in SVN
>>> (changeset 6920). The fix is to delete it from SVN, so that the system's
>>> "x_tables.h" has effect again.
>>>
>>> Can someone with SVN write access fix this?
>>>
>>> "svn rm include/linux/netfilter/x_tables.h"
>>
>> Actually the fix is the other way around, we want to be able to
>> build iptables without having kernel sources locally. So I
>> guess the x_tables.h file should be resynced or something?
>
> If that's what you want, we need to add ip_tables.h in
> include/linux/netfilter_ipv4/. It's the interaction between ip_tables.h
> and x_tables.h that screws things up.
Since you seem to be able to test it, would you care to send a patch? :)
> Both ip_tables.h and x_tables.h are part of the kernel source code.
> There might be some dependencies on a specific kernel, so it might not be
> wise to include the files in SVN as we make a dependency on this
> specific kernel, and we also need to keep them in sync.
The interface between userspace and kernel is stable, there's no
risk by including those files.
* Re: [FIX] Re: Make/compile error for iptables-1.4.0rc1
2007-11-22 10:31 ` Patrick McHardy
@ 2007-11-23 14:30 ` Jesper Dangaard Brouer
2007-11-23 16:16 ` [PATCH] Fix make/compile " Jesper Dangaard Brouer
0 siblings, 1 reply; 15+ messages in thread
From: Jesper Dangaard Brouer @ 2007-11-23 14:30 UTC (permalink / raw)
To: Patrick McHardy; +Cc: yasuyuki, Netfilter Developers
On Thu, 2007-11-22 at 11:31 +0100, Patrick McHardy wrote:
> Jesper Dangaard Brouer wrote:
> > On Wed, 2007-11-21 at 08:53 +0100, Patrick McHardy wrote:
> >> Jesper Dangaard Brouer wrote:
> >>> The problem is that "linux/netfilter/x_tables.h" got included in SVN
> >>> (changeset 6920). The fix is to delete it from SVN, so that the system's
> >>> "x_tables.h" has effect again.
> >>>
> >>> Can someone with SVN write access fix this?
> >>>
> >>> "svn rm include/linux/netfilter/x_tables.h"
> >>
> >> Actually the fix is the other way around, we want to be able to
> >> build iptables without having kernel sources locally. So I
> >> guess the x_tables.h file should be resynced or something?
> >
> > If that's what you want, we need to add ip_tables.h in
> > include/linux/netfilter_ipv4/. It's the interaction between ip_tables.h
> > and x_tables.h that screws things up.
>
> Since you seem to be able to test it, would you care to send a patch? :)
You can see/test it yourself by logging in on people.netfilter.org and
compiling iptables-1.4.0rc1.
Okay, I'll post a patch. It should be a quite simple task, of adding
include/linux/netfilter_ipv4/ip_tables.h and
include/linux/netfilter/x_tables.h from kernel source.
BUT before posting the patch I'll first test it, on Debian and Gentoo
again.
> > Both ip_tables.h and x_tables.h are part of the kernel source code.
> > There might be some dependencies on a specific kernel, so it might not be
> > wise to include the files in SVN as we make a dependency on this
> > specific kernel, and we also need to keep them in sync.
>
> The interface between userspace and kernel is stable, there's no
> risk by including those files.
If you say so, we'll add the files to SVN / the iptables package.
* [PATCH] Fix make/compile error for iptables-1.4.0rc1
2007-11-23 14:30 ` Jesper Dangaard Brouer
@ 2007-11-23 16:16 ` Jesper Dangaard Brouer
2007-11-23 16:38 ` Jan Engelhardt
2007-11-25 15:13 ` Patrick McHardy
0 siblings, 2 replies; 15+ messages in thread
From: Jesper Dangaard Brouer @ 2007-11-23 16:16 UTC (permalink / raw)
To: Patrick McHardy; +Cc: yasuyuki, Netfilter Developers
On Fri, 2007-11-23 at 15:30 +0100, Jesper Dangaard Brouer wrote:
> > Since you seem to be able to test it, would you care to send a
> patch? :)
>
> Okay, I'll post a patch. It should be a quite simple task, of adding
> include/linux/netfilter_ipv4/ip_tables.h and
> include/linux/netfilter/x_tables.h from kernel source.
I also need to add include/linux/netfilter_ipv6/ip6_tables.h
I have attached the patch, which is also located at
http://people.netfilter.org/hawk/patches/iptables-1.4.0rc1/iptables-1.4.0rc1__fix_compile__add_include_files.patch
Commit text:
------------
Fixing a make/compile issue with iptables, release candidate 1.4.0rc1,
which has existed since SVN changeset 6920. This patch adds ip_tables.h
and ip6_tables.h, and updates x_tables.h, taken from Linus's git tree.
Changeset 6920 added the include file x_tables.h from kernel source, but
didn't add ip_tables.h and ip6_tables.h.
At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these
kernel headers were changed, which actually removes certain
dependencies from ip_tables.h and ip6_tables.h to x_tables.h.
Compiling will fail with old kernel headers (ip_tables.h and
ip6_tables.h) available in the system's include path, because they depend on
certain defines in x_tables.h which are missing in the version in SVN.
Remember we now need to keep these include files in sync with the kernel.
[-- Attachment #2: iptables-1.4.0rc1__fix_compile__add_include_files.patch --]
[-- Type: text/x-patch, Size: 30318 bytes --]
Index: include/linux/netfilter_ipv6/ip6_tables.h
===================================================================
--- include/linux/netfilter_ipv6/ip6_tables.h (revision 0)
+++ include/linux/netfilter_ipv6/ip6_tables.h (revision 0)
@@ -0,0 +1,358 @@
+/*
+ * 25-Jul-1998 Major changes to allow for ip chain table
+ *
+ * 3-Jan-2000 Named tables to allow packet selection for different uses.
+ */
+
+/*
+ * Format of an IP6 firewall descriptor
+ *
+ * src, dst, src_mask, dst_mask are always stored in network byte order.
+ * flags are stored in host byte order (of course).
+ * Port numbers are stored in HOST byte order.
+ */
+
+#ifndef _IP6_TABLES_H
+#define _IP6_TABLES_H
+
+#ifdef __KERNEL__
+#include <linux/if.h>
+#include <linux/types.h>
+#include <linux/in6.h>
+#include <linux/ipv6.h>
+#include <linux/skbuff.h>
+#endif
+#include <linux/compiler.h>
+#include <linux/netfilter_ipv6.h>
+
+#include <linux/netfilter/x_tables.h>
+
+#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+
+#define ip6t_match xt_match
+#define ip6t_target xt_target
+#define ip6t_table xt_table
+#define ip6t_get_revision xt_get_revision
+
+/* Yes, Virginia, you have to zero the padding. */
+struct ip6t_ip6 {
+ /* Source and destination IP6 addr */
+ struct in6_addr src, dst;
+ /* Mask for src and dest IP6 addr */
+ struct in6_addr smsk, dmsk;
+ char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+ unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+
+ /* Upper protocol number
+ * - The allowed value is 0 (any) or protocol number of last parsable
+ * header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
+ * the non IPv6 extension headers.
+ * - The protocol numbers of IPv6 extension headers except of ESP and
+ * MH do not match any packets.
+ * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
+ */
+ u_int16_t proto;
+ /* TOS to match iff flags & IP6T_F_TOS */
+ u_int8_t tos;
+
+ /* Flags word */
+ u_int8_t flags;
+ /* Inverse flags */
+ u_int8_t invflags;
+};
+
+#define ip6t_entry_match xt_entry_match
+#define ip6t_entry_target xt_entry_target
+#define ip6t_standard_target xt_standard_target
+
+#define ip6t_counters xt_counters
+
+/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
+#define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
+ protocols */
+#define IP6T_F_TOS 0x02 /* Match the TOS. */
+#define IP6T_F_GOTO 0x04 /* Set if jump is a goto */
+#define IP6T_F_MASK 0x07 /* All possible flag bits mask. */
+
+/* Values for "inv" field in struct ip6t_ip6. */
+#define IP6T_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
+#define IP6T_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
+#define IP6T_INV_TOS 0x04 /* Invert the sense of TOS. */
+#define IP6T_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
+#define IP6T_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
+#define IP6T_INV_FRAG 0x20 /* Invert the sense of FRAG. */
+#define IP6T_INV_PROTO XT_INV_PROTO
+#define IP6T_INV_MASK 0x7F /* All possible flag bits mask. */
+
+/* This structure defines each of the firewall rules. Consists of 3
+ parts which are 1) general IP header stuff 2) match specific
+ stuff 3) the target to perform if the rule matches */
+struct ip6t_entry
+{
+ struct ip6t_ip6 ipv6;
+
+ /* Mark with fields that we care about. */
+ unsigned int nfcache;
+
+ /* Size of ipt_entry + matches */
+ u_int16_t target_offset;
+ /* Size of ipt_entry + matches + target */
+ u_int16_t next_offset;
+
+ /* Back pointer */
+ unsigned int comefrom;
+
+ /* Packet and byte counters. */
+ struct xt_counters counters;
+
+ /* The matches (if any), then the target. */
+ unsigned char elems[0];
+};
+
+/* Standard entry */
+struct ip6t_standard
+{
+ struct ip6t_entry entry;
+ struct ip6t_standard_target target;
+};
+
+struct ip6t_error_target
+{
+ struct ip6t_entry_target target;
+ char errorname[IP6T_FUNCTION_MAXNAMELEN];
+};
+
+struct ip6t_error
+{
+ struct ip6t_entry entry;
+ struct ip6t_error_target target;
+};
+
+#define IP6T_ENTRY_INIT(__size) \
+{ \
+ .target_offset = sizeof(struct ip6t_entry), \
+ .next_offset = (__size), \
+}
+
+#define IP6T_STANDARD_INIT(__verdict) \
+{ \
+ .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)), \
+ .target = XT_TARGET_INIT(IP6T_STANDARD_TARGET, \
+ sizeof(struct ip6t_standard_target)), \
+ .target.verdict = -(__verdict) - 1, \
+}
+
+#define IP6T_ERROR_INIT \
+{ \
+ .entry = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)), \
+ .target = XT_TARGET_INIT(IP6T_ERROR_TARGET, \
+ sizeof(struct ip6t_error_target)), \
+ .target.errorname = "ERROR", \
+}
+
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use
+ * a raw socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in6.h before adding new number here.
+ */
+#define IP6T_BASE_CTL 64
+
+#define IP6T_SO_SET_REPLACE (IP6T_BASE_CTL)
+#define IP6T_SO_SET_ADD_COUNTERS (IP6T_BASE_CTL + 1)
+#define IP6T_SO_SET_MAX IP6T_SO_SET_ADD_COUNTERS
+
+#define IP6T_SO_GET_INFO (IP6T_BASE_CTL)
+#define IP6T_SO_GET_ENTRIES (IP6T_BASE_CTL + 1)
+#define IP6T_SO_GET_REVISION_MATCH (IP6T_BASE_CTL + 4)
+#define IP6T_SO_GET_REVISION_TARGET (IP6T_BASE_CTL + 5)
+#define IP6T_SO_GET_MAX IP6T_SO_GET_REVISION_TARGET
+
+/* CONTINUE verdict for targets */
+#define IP6T_CONTINUE XT_CONTINUE
+
+/* For standard target */
+#define IP6T_RETURN XT_RETURN
+
+/* TCP/UDP matching stuff */
+#include <linux/netfilter/xt_tcpudp.h>
+
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
+
+/* Values for "inv" field in struct ipt_tcp. */
+#define IP6T_TCP_INV_SRCPT XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK XT_TCP_INV_MASK
+
+/* Values for "invflags" field in struct ipt_udp. */
+#define IP6T_UDP_INV_SRCPT XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK XT_UDP_INV_MASK
+
+/* ICMP matching stuff */
+struct ip6t_icmp
+{
+ u_int8_t type; /* type to match */
+ u_int8_t code[2]; /* range of code */
+ u_int8_t invflags; /* Inverse flags */
+};
+
+/* Values for "inv" field for struct ipt_icmp. */
+#define IP6T_ICMP_INV 0x01 /* Invert the sense of type/code test */
+
+/* The argument to IP6T_SO_GET_INFO */
+struct ip6t_getinfo
+{
+ /* Which table: caller fills this in. */
+ char name[IP6T_TABLE_MAXNAMELEN];
+
+ /* Kernel fills these in. */
+ /* Which hook entry points are valid: bitmask */
+ unsigned int valid_hooks;
+
+ /* Hook entry points: one per netfilter hook. */
+ unsigned int hook_entry[NF_IP6_NUMHOOKS];
+
+ /* Underflow points. */
+ unsigned int underflow[NF_IP6_NUMHOOKS];
+
+ /* Number of entries */
+ unsigned int num_entries;
+
+ /* Size of entries. */
+ unsigned int size;
+};
+
+/* The argument to IP6T_SO_SET_REPLACE. */
+struct ip6t_replace
+{
+ /* Which table. */
+ char name[IP6T_TABLE_MAXNAMELEN];
+
+ /* Which hook entry points are valid: bitmask. You can't
+ change this. */
+ unsigned int valid_hooks;
+
+ /* Number of entries */
+ unsigned int num_entries;
+
+ /* Total size of new entries */
+ unsigned int size;
+
+ /* Hook entry points. */
+ unsigned int hook_entry[NF_IP6_NUMHOOKS];
+
+ /* Underflow points. */
+ unsigned int underflow[NF_IP6_NUMHOOKS];
+
+ /* Information about old entries: */
+ /* Number of counters (must be equal to current number of entries). */
+ unsigned int num_counters;
+ /* The old entries' counters. */
+ struct xt_counters __user *counters;
+
+ /* The entries (hang off end: not really an array). */
+ struct ip6t_entry entries[0];
+};
+
+/* The argument to IP6T_SO_ADD_COUNTERS. */
+#define ip6t_counters_info xt_counters_info
+
+/* The argument to IP6T_SO_GET_ENTRIES. */
+struct ip6t_get_entries
+{
+ /* Which table: user fills this in. */
+ char name[IP6T_TABLE_MAXNAMELEN];
+
+ /* User fills this in: total entry size. */
+ unsigned int size;
+
+ /* The entries. */
+ struct ip6t_entry entrytable[0];
+};
+
+/* Standard return verdict, or do jump. */
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
+
+/* Helper functions */
+static __inline__ struct ip6t_entry_target *
+ip6t_get_target(struct ip6t_entry *e)
+{
+ return (void *)e + e->target_offset;
+}
+
+/* fn returns 0 to continue iteration */
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+({ \
+ unsigned int __i; \
+ int __ret = 0; \
+ struct ip6t_entry_match *__m; \
+ \
+ for (__i = sizeof(struct ip6t_entry); \
+ __i < (e)->target_offset; \
+ __i += __m->u.match_size) { \
+ __m = (void *)(e) + __i; \
+ \
+ __ret = fn(__m , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/* fn returns 0 to continue iteration */
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+({ \
+ unsigned int __i; \
+ int __ret = 0; \
+ struct ip6t_entry *__e; \
+ \
+ for (__i = 0; __i < (size); __i += __e->next_offset) { \
+ __e = (void *)(entries) + __i; \
+ \
+ __ret = fn(__e , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/*
+ * Main firewall chains definitions and global var's definitions.
+ */
+
+#ifdef __KERNEL__
+
+#include <linux/init.h>
+extern void ip6t_init(void) __init;
+
+extern int ip6t_register_table(struct xt_table *table,
+ const struct ip6t_replace *repl);
+extern void ip6t_unregister_table(struct xt_table *table);
+extern unsigned int ip6t_do_table(struct sk_buff *skb,
+ unsigned int hook,
+ const struct net_device *in,
+ const struct net_device *out,
+ struct xt_table *table);
+
+/* Check for an extension */
+extern int ip6t_ext_hdr(u8 nexthdr);
+/* find specified header and get offset to it */
+extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
+ int target, unsigned short *fragoff);
+
+extern int ip6_masked_addrcmp(const struct in6_addr *addr1,
+ const struct in6_addr *mask,
+ const struct in6_addr *addr2);
+
+#define IP6T_ALIGN(s) (((s) + (__alignof__(struct ip6t_entry)-1)) & ~(__alignof__(struct ip6t_entry)-1))
+
+#endif /*__KERNEL__*/
+#endif /* _IP6_TABLES_H */
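Review bot: the copied ip6_tables.h still depends on whatever kernel headers the build host ships, which is the problem this patch is meant to remove: `#include <linux/compiler.h>` and `#include <linux/netfilter_ipv6.h>` sit outside the `#ifdef __KERNEL__` guard and are needed for the `__user` annotation on `struct xt_counters __user *counters;` in `struct ip6t_replace` and for `NF_IP6_NUMHOOKS`, while the trailing `#ifdef __KERNEL__` block (ip6t_register_table, ip6t_do_table, ipv6_find_hdr, IP6T_ALIGN) is never seen by a userspace build. Since the commit text commits the project to keeping these files in sync by hand, consider trimming the copy to the userspace ABI part (the structs, the IP6T_SO_* numbers and the iterate macros) and defining `__user` away at the top, so the build is genuinely independent of the host's kernel headers.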
Index: include/linux/netfilter/x_tables.h
===================================================================
--- include/linux/netfilter/x_tables.h (revision 7090)
+++ include/linux/netfilter/x_tables.h (working copy)
@@ -1,8 +1,6 @@
#ifndef _X_TABLES_H
#define _X_TABLES_H
-#include <sys/types.h>
-
#define XT_FUNCTION_MAXNAMELEN 30
#define XT_TABLE_MAXNAMELEN 32
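Review bot: removing `#include <sys/types.h>` takes away the userspace source of the `u_int8_t`/`u_int16_t` typedefs that these headers use (for example `u_int16_t proto` in `struct ip6t_ip6`, which includes x_tables.h), so every translation unit now has to include <sys/types.h> itself before any of them. Either keep the include under `#ifndef __KERNEL__`, or say in the commit text why it was dropped and where the types now come from.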
@@ -56,6 +54,14 @@
unsigned char data[0];
};
+#define XT_TARGET_INIT(__name, __size) \
+{ \
+ .target.u.user = { \
+ .target_size = XT_ALIGN(__size), \
+ .name = __name, \
+ }, \
+}
+
struct xt_standard_target
{
struct xt_entry_target target;
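Review bot: `XT_TARGET_INIT` carries no comment on how it is meant to be used. It initialises `.target.u.user`, so it only works inside an initializer for an enclosing struct whose member is literally named `target` (as IP6T_STANDARD_INIT and IP6T_ERROR_INIT in this patch use it), and `.name = __name` only compiles when `__name` is a string literal; a one-line comment above the macro stating both constraints would save the next reader a detour through ip6_tables.h.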
@@ -120,4 +126,271 @@
#define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
+#ifdef __KERNEL__
+
+#include <linux/netdevice.h>
+
+struct xt_match
+{
+ struct list_head list;
+
+ const char name[XT_FUNCTION_MAXNAMELEN-1];
+
+ /* Return true or false: return FALSE and set *hotdrop = 1 to
+ force immediate packet drop. */
+ /* Arguments changed since 2.6.9, as this must now handle
+ non-linear skb, using skb_header_pointer and
+ skb_ip_make_writable. */
+ bool (*match)(const struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ const struct xt_match *match,
+ const void *matchinfo,
+ int offset,
+ unsigned int protoff,
+ bool *hotdrop);
+
+ /* Called when user tries to insert an entry of this type. */
+ /* Should return true or false. */
+ bool (*checkentry)(const char *tablename,
+ const void *ip,
+ const struct xt_match *match,
+ void *matchinfo,
+ unsigned int hook_mask);
+
+ /* Called when entry of this type deleted. */
+ void (*destroy)(const struct xt_match *match, void *matchinfo);
+
+ /* Called when userspace align differs from kernel space one */
+ void (*compat_from_user)(void *dst, void *src);
+ int (*compat_to_user)(void __user *dst, void *src);
+
+ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
+ struct module *me;
+
+ /* Free to use by each match */
+ unsigned long data;
+
+ char *table;
+ unsigned int matchsize;
+ unsigned int compatsize;
+ unsigned int hooks;
+ unsigned short proto;
+
+ unsigned short family;
+ u_int8_t revision;
+};
+
+/* Registration hooks for targets. */
+struct xt_target
+{
+ struct list_head list;
+
+ const char name[XT_FUNCTION_MAXNAMELEN-1];
+
+ /* Returns verdict. Argument order changed since 2.6.9, as this
+ must now handle non-linear skbs, using skb_copy_bits and
+ skb_ip_make_writable. */
+ unsigned int (*target)(struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ unsigned int hooknum,
+ const struct xt_target *target,
+ const void *targinfo);
+
+ /* Called when user tries to insert an entry of this type:
+ hook_mask is a bitmask of hooks from which it can be
+ called. */
+ /* Should return true or false. */
+ bool (*checkentry)(const char *tablename,
+ const void *entry,
+ const struct xt_target *target,
+ void *targinfo,
+ unsigned int hook_mask);
+
+ /* Called when entry of this type deleted. */
+ void (*destroy)(const struct xt_target *target, void *targinfo);
+
+ /* Called when userspace align differs from kernel space one */
+ void (*compat_from_user)(void *dst, void *src);
+ int (*compat_to_user)(void __user *dst, void *src);
+
+ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
+ struct module *me;
+
+ char *table;
+ unsigned int targetsize;
+ unsigned int compatsize;
+ unsigned int hooks;
+ unsigned short proto;
+
+ unsigned short family;
+ u_int8_t revision;
+};
+
+/* Furniture shopping... */
+struct xt_table
+{
+ struct list_head list;
+
+ /* A unique name... */
+ char name[XT_TABLE_MAXNAMELEN];
+
+ /* What hooks you will enter on */
+ unsigned int valid_hooks;
+
+ /* Lock for the curtain */
+ rwlock_t lock;
+
+ /* Man behind the curtain... */
+ //struct ip6t_table_info *private;
+ void *private;
+
+ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
+ struct module *me;
+
+ int af; /* address/protocol family */
+};
+
+#include <linux/netfilter_ipv4.h>
+
+/* The table itself */
+struct xt_table_info
+{
+ /* Size per table */
+ unsigned int size;
+ /* Number of entries: FIXME. --RR */
+ unsigned int number;
+ /* Initial number of entries. Needed for module usage count */
+ unsigned int initial_entries;
+
+ /* Entry points and underflows */
+ unsigned int hook_entry[NF_IP_NUMHOOKS];
+ unsigned int underflow[NF_IP_NUMHOOKS];
+
+ /* ipt_entry tables: one per CPU */
+ char *entries[NR_CPUS];
+};
+
+extern int xt_register_target(struct xt_target *target);
+extern void xt_unregister_target(struct xt_target *target);
+extern int xt_register_targets(struct xt_target *target, unsigned int n);
+extern void xt_unregister_targets(struct xt_target *target, unsigned int n);
+
+extern int xt_register_match(struct xt_match *target);
+extern void xt_unregister_match(struct xt_match *target);
+extern int xt_register_matches(struct xt_match *match, unsigned int n);
+extern void xt_unregister_matches(struct xt_match *match, unsigned int n);
+
+extern int xt_check_match(const struct xt_match *match, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
+extern int xt_check_target(const struct xt_target *target, unsigned short family,
+ unsigned int size, const char *table, unsigned int hook,
+ unsigned short proto, int inv_proto);
+
+extern int xt_register_table(struct xt_table *table,
+ struct xt_table_info *bootstrap,
+ struct xt_table_info *newinfo);
+extern void *xt_unregister_table(struct xt_table *table);
+
+extern struct xt_table_info *xt_replace_table(struct xt_table *table,
+ unsigned int num_counters,
+ struct xt_table_info *newinfo,
+ int *error);
+
+extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
+extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
+extern struct xt_target *xt_request_find_target(int af, const char *name,
+ u8 revision);
+extern int xt_find_revision(int af, const char *name, u8 revision, int target,
+ int *err);
+
+extern struct xt_table *xt_find_table_lock(int af, const char *name);
+extern void xt_table_unlock(struct xt_table *t);
+
+extern int xt_proto_init(int af);
+extern void xt_proto_fini(int af);
+
+extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
+extern void xt_free_table_info(struct xt_table_info *info);
+
+#ifdef CONFIG_COMPAT
+#include <net/compat.h>
+
+struct compat_xt_entry_match
+{
+ union {
+ struct {
+ u_int16_t match_size;
+ char name[XT_FUNCTION_MAXNAMELEN - 1];
+ u_int8_t revision;
+ } user;
+ struct {
+ u_int16_t match_size;
+ compat_uptr_t match;
+ } kernel;
+ u_int16_t match_size;
+ } u;
+ unsigned char data[0];
+};
+
+struct compat_xt_entry_target
+{
+ union {
+ struct {
+ u_int16_t target_size;
+ char name[XT_FUNCTION_MAXNAMELEN - 1];
+ u_int8_t revision;
+ } user;
+ struct {
+ u_int16_t target_size;
+ compat_uptr_t target;
+ } kernel;
+ u_int16_t target_size;
+ } u;
+ unsigned char data[0];
+};
+
+/* FIXME: this works only on 32 bit tasks
+ * need to change whole approach in order to calculate align as function of
+ * current task alignment */
+
+struct compat_xt_counters
+{
+#if defined(CONFIG_X86_64) || defined(CONFIG_IA64)
+ u_int32_t cnt[4];
+#else
+ u_int64_t cnt[2];
+#endif
+};
+
+struct compat_xt_counters_info
+{
+ char name[XT_TABLE_MAXNAMELEN];
+ compat_uint_t num_counters;
+ struct compat_xt_counters counters[0];
+};
+
+#define COMPAT_XT_ALIGN(s) (((s) + (__alignof__(struct compat_xt_counters)-1)) \
+ & ~(__alignof__(struct compat_xt_counters)-1))
+
+extern void xt_compat_lock(int af);
+extern void xt_compat_unlock(int af);
+
+extern int xt_compat_match_offset(struct xt_match *match);
+extern void xt_compat_match_from_user(struct xt_entry_match *m,
+ void **dstptr, int *size);
+extern int xt_compat_match_to_user(struct xt_entry_match *m,
+ void __user **dstptr, int *size);
+
+extern int xt_compat_target_offset(struct xt_target *target);
+extern void xt_compat_target_from_user(struct xt_entry_target *t,
+ void **dstptr, int *size);
+extern int xt_compat_target_to_user(struct xt_entry_target *t,
+ void __user **dstptr, int *size);
+
+#endif /* CONFIG_COMPAT */
+#endif /* __KERNEL__ */
+
#endif /* _X_TABLES_H */
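Review bot: the kernel-only material in this hunk (the section closed by `#endif /* __KERNEL__ */`: `struct xt_table`, `struct xt_table_info` with its `NR_CPUS`-sized `entries[]`, the `xt_register_*`/`xt_find_*`/`xt_replace_table` prototypes and the whole `CONFIG_COMPAT` block) is never compiled in a userspace iptables build and only pulls in kernel-internal types (`rwlock_t`, `struct list_head`, `compat_uptr_t`, `__user`) that would have to be kept in sync by hand; suggest dropping everything under `#ifdef __KERNEL__` and importing only the sockopt and entry definitions userspace actually uses. The commented-out `//struct ip6t_table_info *private;` line and the `#include <linux/netfilter_ipv4.h>` placed mid-file inside that section would go with it.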
Index: include/linux/netfilter_ipv4/ip_tables.h
===================================================================
--- include/linux/netfilter_ipv4/ip_tables.h (revision 0)
+++ include/linux/netfilter_ipv4/ip_tables.h (revision 0)
@@ -0,0 +1,366 @@
+/*
+ * 25-Jul-1998 Major changes to allow for ip chain table
+ *
+ * 3-Jan-2000 Named tables to allow packet selection for different uses.
+ */
+
+/*
+ * Format of an IP firewall descriptor
+ *
+ * src, dst, src_mask, dst_mask are always stored in network byte order.
+ * flags are stored in host byte order (of course).
+ * Port numbers are stored in HOST byte order.
+ */
+
+#ifndef _IPTABLES_H
+#define _IPTABLES_H
+
+#ifdef __KERNEL__
+#include <linux/if.h>
+#include <linux/types.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#endif
+#include <linux/compiler.h>
+#include <linux/netfilter_ipv4.h>
+
+#include <linux/netfilter/x_tables.h>
+
+#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define ipt_match xt_match
+#define ipt_target xt_target
+#define ipt_table xt_table
+#define ipt_get_revision xt_get_revision
+
+/* Yes, Virginia, you have to zero the padding. */
+struct ipt_ip {
+ /* Source and destination IP addr */
+ struct in_addr src, dst;
+ /* Mask for src and dest IP addr */
+ struct in_addr smsk, dmsk;
+ char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+ unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+
+ /* Protocol, 0 = ANY */
+ u_int16_t proto;
+
+ /* Flags word */
+ u_int8_t flags;
+ /* Inverse flags */
+ u_int8_t invflags;
+};
+
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+
+#define ipt_counters xt_counters
+
+/* Values for "flag" field in struct ipt_ip (general ip structure). */
+#define IPT_F_FRAG 0x01 /* Set if rule is a fragment rule */
+#define IPT_F_GOTO 0x02 /* Set if jump is a goto */
+#define IPT_F_MASK 0x03 /* All possible flag bits mask. */
+
+/* Values for "inv" field in struct ipt_ip. */
+#define IPT_INV_VIA_IN 0x01 /* Invert the sense of IN IFACE. */
+#define IPT_INV_VIA_OUT 0x02 /* Invert the sense of OUT IFACE */
+#define IPT_INV_TOS 0x04 /* Invert the sense of TOS. */
+#define IPT_INV_SRCIP 0x08 /* Invert the sense of SRC IP. */
+#define IPT_INV_DSTIP 0x10 /* Invert the sense of DST OP. */
+#define IPT_INV_FRAG 0x20 /* Invert the sense of FRAG. */
+#define IPT_INV_PROTO XT_INV_PROTO
+#define IPT_INV_MASK 0x7F /* All possible flag bits mask. */
+
+/* This structure defines each of the firewall rules. Consists of 3
+ parts which are 1) general IP header stuff 2) match specific
+ stuff 3) the target to perform if the rule matches */
+struct ipt_entry
+{
+ struct ipt_ip ip;
+
+ /* Mark with fields that we care about. */
+ unsigned int nfcache;
+
+ /* Size of ipt_entry + matches */
+ u_int16_t target_offset;
+ /* Size of ipt_entry + matches + target */
+ u_int16_t next_offset;
+
+ /* Back pointer */
+ unsigned int comefrom;
+
+ /* Packet and byte counters. */
+ struct xt_counters counters;
+
+ /* The matches (if any), then the target. */
+ unsigned char elems[0];
+};
+
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in.h before adding new number here.
+ */
+#define IPT_BASE_CTL 64
+
+#define IPT_SO_SET_REPLACE (IPT_BASE_CTL)
+#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
+#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
+
+#define IPT_SO_GET_INFO (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
+#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
+#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
+#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
+
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+
+#define IPT_TCP_INV_SRCPT XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK XT_TCP_INV_MASK
+
+#define IPT_UDP_INV_SRCPT XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK XT_UDP_INV_MASK
+
+/* ICMP matching stuff */
+struct ipt_icmp
+{
+ u_int8_t type; /* type to match */
+ u_int8_t code[2]; /* range of code */
+ u_int8_t invflags; /* Inverse flags */
+};
+
+/* Values for "inv" field for struct ipt_icmp. */
+#define IPT_ICMP_INV 0x01 /* Invert the sense of type/code test */
+
+/* The argument to IPT_SO_GET_INFO */
+struct ipt_getinfo
+{
+ /* Which table: caller fills this in. */
+ char name[IPT_TABLE_MAXNAMELEN];
+
+ /* Kernel fills these in. */
+ /* Which hook entry points are valid: bitmask */
+ unsigned int valid_hooks;
+
+ /* Hook entry points: one per netfilter hook. */
+ unsigned int hook_entry[NF_IP_NUMHOOKS];
+
+ /* Underflow points. */
+ unsigned int underflow[NF_IP_NUMHOOKS];
+
+ /* Number of entries */
+ unsigned int num_entries;
+
+ /* Size of entries. */
+ unsigned int size;
+};
+
+/* The argument to IPT_SO_SET_REPLACE. */
+struct ipt_replace
+{
+ /* Which table. */
+ char name[IPT_TABLE_MAXNAMELEN];
+
+ /* Which hook entry points are valid: bitmask. You can't
+ change this. */
+ unsigned int valid_hooks;
+
+ /* Number of entries */
+ unsigned int num_entries;
+
+ /* Total size of new entries */
+ unsigned int size;
+
+ /* Hook entry points. */
+ unsigned int hook_entry[NF_IP_NUMHOOKS];
+
+ /* Underflow points. */
+ unsigned int underflow[NF_IP_NUMHOOKS];
+
+ /* Information about old entries: */
+ /* Number of counters (must be equal to current number of entries). */
+ unsigned int num_counters;
+ /* The old entries' counters. */
+ struct xt_counters __user *counters;
+
+ /* The entries (hang off end: not really an array). */
+ struct ipt_entry entries[0];
+};
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+
+/* The argument to IPT_SO_GET_ENTRIES. */
+struct ipt_get_entries
+{
+ /* Which table: user fills this in. */
+ char name[IPT_TABLE_MAXNAMELEN];
+
+ /* User fills this in: total entry size. */
+ unsigned int size;
+
+ /* The entries. */
+ struct ipt_entry entrytable[0];
+};
+
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+
+/* Helper functions */
+static __inline__ struct ipt_entry_target *
+ipt_get_target(struct ipt_entry *e)
+{
+ return (void *)e + e->target_offset;
+}
+
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+({ \
+ unsigned int __i; \
+ int __ret = 0; \
+ struct ipt_entry_match *__match; \
+ \
+ for (__i = sizeof(struct ipt_entry); \
+ __i < (e)->target_offset; \
+ __i += __match->u.match_size) { \
+ __match = (void *)(e) + __i; \
+ \
+ __ret = fn(__match , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+({ \
+ unsigned int __i; \
+ int __ret = 0; \
+ struct ipt_entry *__entry; \
+ \
+ for (__i = 0; __i < (size); __i += __entry->next_offset) { \
+ __entry = (void *)(entries) + __i; \
+ \
+ __ret = fn(__entry , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
+({ \
+ unsigned int __i, __n; \
+ int __ret = 0; \
+ struct ipt_entry *__entry; \
+ \
+ for (__i = 0, __n = 0; __i < (size); \
+ __i += __entry->next_offset, __n++) { \
+ __entry = (void *)(entries) + __i; \
+ if (__n < n) \
+ continue; \
+ \
+ __ret = fn(__entry , ## args); \
+ if (__ret != 0) \
+ break; \
+ } \
+ __ret; \
+})
+
+/*
+ * Main firewall chains definitions and global var's definitions.
+ */
+#ifdef __KERNEL__
+
+#include <linux/init.h>
+extern void ipt_init(void) __init;
+
+extern int ipt_register_table(struct xt_table *table,
+ const struct ipt_replace *repl);
+extern void ipt_unregister_table(struct xt_table *table);
+
+/* Standard entry. */
+struct ipt_standard
+{
+ struct ipt_entry entry;
+ struct ipt_standard_target target;
+};
+
+struct ipt_error_target
+{
+ struct ipt_entry_target target;
+ char errorname[IPT_FUNCTION_MAXNAMELEN];
+};
+
+struct ipt_error
+{
+ struct ipt_entry entry;
+ struct ipt_error_target target;
+};
+
+#define IPT_ENTRY_INIT(__size) \
+{ \
+ .target_offset = sizeof(struct ipt_entry), \
+ .next_offset = (__size), \
+}
+
+#define IPT_STANDARD_INIT(__verdict) \
+{ \
+ .entry = IPT_ENTRY_INIT(sizeof(struct ipt_standard)), \
+ .target = XT_TARGET_INIT(IPT_STANDARD_TARGET, \
+ sizeof(struct xt_standard_target)), \
+ .target.verdict = -(__verdict) - 1, \
+}
+
+#define IPT_ERROR_INIT \
+{ \
+ .entry = IPT_ENTRY_INIT(sizeof(struct ipt_error)), \
+ .target = XT_TARGET_INIT(IPT_ERROR_TARGET, \
+ sizeof(struct ipt_error_target)), \
+ .target.errorname = "ERROR", \
+}
+
+extern unsigned int ipt_do_table(struct sk_buff *skb,
+ unsigned int hook,
+ const struct net_device *in,
+ const struct net_device *out,
+ struct xt_table *table);
+
+#define IPT_ALIGN(s) XT_ALIGN(s)
+
+#ifdef CONFIG_COMPAT
+#include <net/compat.h>
+
+struct compat_ipt_entry
+{
+ struct ipt_ip ip;
+ compat_uint_t nfcache;
+ u_int16_t target_offset;
+ u_int16_t next_offset;
+ compat_uint_t comefrom;
+ struct compat_xt_counters counters;
+ unsigned char elems[0];
+};
+
+#define COMPAT_IPT_ALIGN(s) COMPAT_XT_ALIGN(s)
+
+#endif /* CONFIG_COMPAT */
+#endif /*__KERNEL__*/
+#endif /* _IPTABLES_H */
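Review bot: the block from `#ifdef __KERNEL__` after the iterate macros through `#endif /*__KERNEL__*/` (`ipt_init`, `ipt_register_table`, `ipt_do_table`, `IPT_STANDARD_INIT`/`IPT_ERROR_INIT`, `struct compat_ipt_entry`) is dead code in a userspace header and drags in `<linux/init.h>` and `<net/compat.h>`; drop it rather than import it. Two comment nits worth fixing while the file is being copied in: the comment above `#define ipt_counters_info xt_counters_info` refers to `IPT_SO_ADD_COUNTERS`, but the sockopt defined earlier in the hunk is `IPT_SO_SET_ADD_COUNTERS`, and `IPT_INV_DSTIP` is described as `Invert the sense of DST OP` where `DST IP` is meant. On the bug itself: `IPT_SO_GET_REVISION_MATCH`/`_TARGET` are defined here as `IPT_BASE_CTL + 2`/`+ 3`, with no reference to `XT_SO_GET_REVISION_*`, so this copy does not reintroduce the `undeclared` error from the original report.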
* Re: [PATCH] Fix make/compile error for iptables-1.4.0rc1
2007-11-23 16:16 ` [PATCH] Fix make/compile " Jesper Dangaard Brouer
@ 2007-11-23 16:38 ` Jan Engelhardt
2007-11-25 15:13 ` Patrick McHardy
1 sibling, 0 replies; 15+ messages in thread
From: Jan Engelhardt @ 2007-11-23 16:38 UTC (permalink / raw)
To: Jesper Dangaard Brouer; +Cc: Patrick McHardy, yasuyuki, Netfilter Developers
On Nov 23 2007 17:16, Jesper Dangaard Brouer wrote:
>
>Commit text:
>------------
>Fixing a make/compile issue with iptables, release candidate 1.4.0rc1,
>which has existed since SVN changeset 6920. This patch adds ip_tables.h
>and ip6_tables.h, and updates x_tables.h, taken from Linus'es git tree.
^
-e
>Remember we now need to keep these include files in sync with kernel.
Not only them, but all .h files in include/linux/ :-/
* Re: [PATCH] Fix make/compile error for iptables-1.4.0rc1
2007-11-23 16:16 ` [PATCH] Fix make/compile " Jesper Dangaard Brouer
2007-11-23 16:38 ` Jan Engelhardt
@ 2007-11-25 15:13 ` Patrick McHardy
2007-11-26 5:55 ` Yasuyuki KOZAKAI
[not found] ` <200711260555.lAQ5tXS0025231@toshiba.co.jp>
1 sibling, 2 replies; 15+ messages in thread
From: Patrick McHardy @ 2007-11-25 15:13 UTC (permalink / raw)
To: jdb; +Cc: yasuyuki, Netfilter Developers
Jesper Dangaard Brouer wrote:
> Fixing a make/compile issue with iptables, release candidate 1.4.0rc1,
> which has existed since SVN changeset 6920. This patch adds ip_tables.h
> and ip6_tables.h, and updates x_tables.h, taken from Linus'es git tree.
>
> Changeset 6920 added the include file x_tables.h from kernel source, but
> didn't add ip_tables.h and ip6_tables.h.
>
> At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these
> kernel headers were changed, which actually removes certain
> dependencies of ip_tables.h and ip6_tables.h on x_tables.h.
>
> Compilation will fail with old kernel headers (ip_tables.h and
> ip6_tables.h) available in the system's include path, because they depend on
> certain defines in x_tables.h which are missing in the version in SVN.
Applied, but I stripped the #ifdef __KERNEL__ sections first.
Thanks Jesper.
* Re: [PATCH] Fix make/compile error for iptables-1.4.0rc1
2007-11-25 15:13 ` Patrick McHardy
@ 2007-11-26 5:55 ` Yasuyuki KOZAKAI
[not found] ` <200711260555.lAQ5tXS0025231@toshiba.co.jp>
1 sibling, 0 replies; 15+ messages in thread
From: Yasuyuki KOZAKAI @ 2007-11-26 5:55 UTC (permalink / raw)
To: kaber; +Cc: jdb, yasuyuki, netfilter-devel
From: Patrick McHardy <kaber@trash.net>
Date: Sun, 25 Nov 2007 16:13:59 +0100
> Jesper Dangaard Brouer wrote:
> > Fixing a make/compile issue with iptables, release candidate 1.4.0rc1,
> > which has existed since SVN changeset 6920. This patch adds ip_tables.h
> > and ip6_tables.h, and updates x_tables.h, taken from Linus'es git tree.
> >
> > Changeset 6920 added the include file x_tables.h from kernel source, but
> > didn't add ip_tables.h and ip6_tables.h.
> >
> > At some point (Tue Nov 14 19:48:48 2006, by Yasuyuki Kozakai) these
> > kernel headers were changed, which actually removes certain
> > dependencies of ip_tables.h and ip6_tables.h on x_tables.h.
> >
> > Compilation will fail with old kernel headers (ip_tables.h and
> > ip6_tables.h) available in the system's include path, because they depend on
> > certain defines in x_tables.h which are missing in the version in SVN.
>
>
> Applied, but I stripped the #ifdef __KERNEL__ sections first.
> Thanks Jesper.
Thanks Jesper and Patrick. That looks fine to me.
XT_SO_GET_REVISION_{MATCH,TARGET} in 2.6.18 were removed because of
conflicts on the {get,set}sockopt numbers of IPv6 sockets, i.e. the ip_tables.h
you used for the build included a bug.
iptables.c only uses IPT_SO_GET_REVISION_* and they are defined in the local
header include/iptables.h. I suspect that
/usr/include/linux/netfilter_ipv4/ip_tables.h re-defined
IPT_SO_GET_REVISION_* with XT_SO_GET_REVISION_* on your environment.
P.S. Sorry for the late reply. I have been very busy with other work these last
several months, but I will be able to contribute to netfilter again from next month.
Regards,
-- Yasuyuki Kozakai
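The headers this patch imports describe the ruleset blob that userspace exchanges with the kernel over IPT_SO_GET_ENTRIES and IPT_SO_SET_REPLACE, and the IPT_ENTRY_ITERATE / IPT_MATCH_ITERATE macros in ip_tables.h advance through that blob by `next_offset` and `match_size` without checking either value (a zero `next_offset` spins forever, an oversized one reads past the buffer). The kernel validates its own side; userspace code that walks a blob it did not build itself should do the same. The following is an added example, not code from the thread or from the iptables source: a bounds-checked walker in C over a constructed sample blob. The `mini_entry`, `mini_entry_match` and `mini_entry_target` structs are trimmed stand-ins for the header's `ipt_entry`, `xt_entry_match` and `xt_entry_target`, keeping only the fields the iteration depends on.

```c
/* Added example: defensive counterpart of IPT_ENTRY_ITERATE / IPT_MATCH_ITERATE.
 * Not part of the patch or of iptables; struct layouts are simplified stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

struct mini_entry {
    uint16_t target_offset;   /* like ipt_entry.target_offset: sizeof(entry) + matches */
    uint16_t next_offset;     /* like ipt_entry.next_offset: entry + matches + target */
};

struct mini_entry_match {
    uint16_t match_size;      /* like xt_entry_match.u.match_size (includes this header) */
    char name[14];
};

struct mini_entry_target {
    uint16_t target_size;     /* like xt_entry_target.u.target_size (includes this header) */
    char name[14];
};

/* Walks entries in [buf, buf+size). Returns the entry count, or -1 if any
 * offset would fail to advance or run past the buffer. */
int walk_entries(const unsigned char *buf, size_t size, int *matches_out)
{
    size_t off = 0;
    int entries = 0, matches = 0;

    while (off < size) {
        struct mini_entry e;
        if (size - off < sizeof e)
            return -1;                         /* truncated entry header */
        memcpy(&e, buf + off, sizeof e);       /* memcpy: no unaligned access */

        /* Matches start after the header, a target header must fit before
         * next_offset, and the whole entry must lie inside the buffer. The
         * middle test also guarantees forward progress (next_offset > 0). */
        if (e.target_offset < sizeof e ||
            e.next_offset < (size_t)e.target_offset + sizeof(struct mini_entry_target) ||
            e.next_offset > size - off)
            return -1;

        size_t m = sizeof e;
        while (m < e.target_offset) {
            struct mini_entry_match mh;
            if (e.target_offset - m < sizeof mh)
                return -1;                     /* partial match header */
            memcpy(&mh, buf + off + m, sizeof mh);
            if (mh.match_size < sizeof mh || mh.match_size > e.target_offset - m)
                return -1;                     /* zero advance, or overrun into target */
            m += mh.match_size;
            matches++;
        }

        struct mini_entry_target th;
        memcpy(&th, buf + off + e.target_offset, sizeof th);
        if (th.target_size < sizeof th || th.target_size > e.next_offset - e.target_offset)
            return -1;                         /* target size inconsistent with entry */

        off += e.next_offset;
        entries++;
    }
    if (matches_out)
        *matches_out = matches;
    return entries;
}

/* Constructed sample blob: entry 1 carries one match, entry 2 has none. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    const size_t eh = sizeof(struct mini_entry), mh = sizeof(struct mini_entry_match),
                 th = sizeof(struct mini_entry_target);
    struct mini_entry e1 = { (uint16_t)(eh + mh), (uint16_t)(eh + mh + th) };
    struct mini_entry_match m1 = { (uint16_t)mh, "tcp" };
    struct mini_entry_target t1 = { (uint16_t)th, "ACCEPT" };
    struct mini_entry e2 = { (uint16_t)eh, (uint16_t)(eh + th) };
    struct mini_entry_target t2 = { (uint16_t)th, "DROP" };
    size_t need = (eh + mh + th) + (eh + th);
    unsigned char *p = buf;

    if (cap < need)
        return 0;
    memcpy(p, &e1, eh); p += eh;
    memcpy(p, &m1, mh); p += mh;
    memcpy(p, &t1, th); p += th;
    memcpy(p, &e2, eh); p += eh;
    memcpy(p, &t2, th);
    return need;
}

int demo_well_formed(void)          /* 1 when the sample walks as 2 entries, 1 match */
{
    unsigned char buf[64];
    int nm = 0;
    size_t len = build_sample(buf, sizeof buf);
    return walk_entries(buf, len, &nm) == 2 && nm == 1;
}

int demo_zero_advance(void)         /* -1: next_offset 0 would make the macro loop forever */
{
    unsigned char buf[64];
    size_t len = build_sample(buf, sizeof buf);
    size_t e2_off = sizeof(struct mini_entry) + sizeof(struct mini_entry_match)
                  + sizeof(struct mini_entry_target);
    struct mini_entry bad = { sizeof(struct mini_entry), 0 };
    memcpy(buf + e2_off, &bad, sizeof bad);
    return walk_entries(buf, len, NULL);
}

int demo_truncated(void)            /* -1: second entry's next_offset runs past the buffer */
{
    unsigned char buf[64];
    size_t len = build_sample(buf, sizeof buf);
    return walk_entries(buf, len - 6, NULL);
}

int main(void)
{
    printf("well-formed: %d, zero-advance: %d, truncated: %d\n",
           demo_well_formed(), demo_zero_advance(), demo_truncated());
    return 0;
}
```

The checks mirror what the header's layout promises: `target_offset` is at least the entry header, every match fits between the header and `target_offset`, the target fits between `target_offset` and `next_offset`, and `next_offset` never leaves the buffer. Rejecting rather than clamping keeps a malformed blob from being silently misread.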
* Re: [PATCH] Fix make/compile error for iptables-1.4.0rc1
[not found] ` <200711260555.lAQ5tXS0025231@toshiba.co.jp>
@ 2007-11-26 6:23 ` Patrick McHardy
0 siblings, 0 replies; 15+ messages in thread
From: Patrick McHardy @ 2007-11-26 6:23 UTC (permalink / raw)
To: Yasuyuki KOZAKAI; +Cc: jdb, yasuyuki, netfilter-devel
Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Sun, 25 Nov 2007 16:13:59 +0100
>
>> Applied, but I stripped the #ifdef __KERNEL__ sections first.
>> Thanks Jesper.
>
> Thanks Jesper and Patrick. That looks fine to me.
>
> XT_SO_GET_REVISION_{MATCH,TARGET} in 2.6.18 were removed because of
> conflicts on the {get,set}sockopt numbers of IPv6 sockets, i.e. the ip_tables.h
> you used for the build included a bug.
>
> iptables.c only uses IPT_SO_GET_REVISION_* and they are defined in the local
> header include/iptables.h. I suspect that
> /usr/include/linux/netfilter_ipv4/ip_tables.h re-defined
> IPT_SO_GET_REVISION_* with XT_SO_GET_REVISION_* on your environment.
Thanks for double-checking the patch.
> P.S. Sorry for the late reply. I have been very busy with other work these last
> several months, but I will be able to contribute to netfilter again from next month.
Sounds great :)
Thread overview: 15+ messages
2007-11-16 20:32 Make/compile error for iptables-1.4.0rc1 Jesper Dangaard Brouer
2007-11-16 21:34 ` Jan Engelhardt
2007-11-18 12:49 ` Jesper Dangaard Brouer
2007-11-18 14:23 ` Jesper Dangaard Brouer
2007-11-20 23:10 ` [FIX] " Jesper Dangaard Brouer
2007-11-21 7:53 ` Patrick McHardy
2007-11-21 11:21 ` Jan Engelhardt
2007-11-21 19:30 ` Jesper Dangaard Brouer
2007-11-22 10:31 ` Patrick McHardy
2007-11-23 14:30 ` Jesper Dangaard Brouer
2007-11-23 16:16 ` [PATCH] Fix make/compile " Jesper Dangaard Brouer
2007-11-23 16:38 ` Jan Engelhardt
2007-11-25 15:13 ` Patrick McHardy
2007-11-26 5:55 ` Yasuyuki KOZAKAI
[not found] ` <200711260555.lAQ5tXS0025231@toshiba.co.jp>
2007-11-26 6:23 ` Patrick McHardy