Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

12 files changed, 159 insertions, 177 deletions

diff --git a/include/linux/in6.h b/include/linux/in6.h
index c4bf46f764bf..097a34b55560 100644
--- a/include/linux/in6.h
+++ b/include/linux/in6.h
@@ -268,6 +268,10 @@ struct in6_flowlabel_req {
 /* RFC5082: Generalized Ttl Security Mechanism */
 #define IPV6_MINHOPCOUNT                73
 
+#define IPV6_ORIGDSTADDR        74
+#define IPV6_RECVORIGDSTADDR    IPV6_ORIGDSTADDR
+#define IPV6_TRANSPARENT        75
+
 /*
  * Multicast Routing:
  * see include/linux/mroute6.h.
diff --git a/include/linux/ip_vs.h b/include/linux/ip_vs.h
index 9708de265bb1..5f43a3b2e3ad 100644
--- a/include/linux/ip_vs.h
+++ b/include/linux/ip_vs.h
@@ -70,6 +70,7 @@
 
 /*
  *      IPVS Connection Flags
+ *      Only flags 0..15 are sent to backup server
  */
 #define IP_VS_CONN_F_FWD_MASK   0x0007          /* mask for the fwd methods */
 #define IP_VS_CONN_F_MASQ       0x0000          /* masquerading/NAT */
@@ -88,9 +89,20 @@
 #define IP_VS_CONN_F_TEMPLATE   0x1000          /* template, not connection */
 #define IP_VS_CONN_F_ONE_PACKET 0x2000          /* forward only one packet */
 
+/* Flags that are not sent to backup server start from bit 16 */
+#define IP_VS_CONN_F_NFCT       (1 << 16)       /* use netfilter conntrack */
+
+/* Connection flags from destination that can be changed by user space */
+#define IP_VS_CONN_F_DEST_MASK (IP_VS_CONN_F_FWD_MASK | \
+                                IP_VS_CONN_F_ONE_PACKET | \
+                                IP_VS_CONN_F_NFCT | \
+                                0)
+
 #define IP_VS_SCHEDNAME_MAXLEN  16
+#define IP_VS_PENAME_MAXLEN     16
 #define IP_VS_IFNAME_MAXLEN     16
 
+#define IP_VS_PEDATA_MAXLEN     255
 
 /*
  *      The struct ip_vs_service_user and struct ip_vs_dest_user are
@@ -324,6 +336,9 @@ enum {
         IPVS_SVC_ATTR_NETMASK,          /* persistent netmask */
 
         IPVS_SVC_ATTR_STATS,            /* nested attribute for service stats */
+
+        IPVS_SVC_ATTR_PE_NAME,          /* name of ct retriever */
+
         __IPVS_SVC_ATTR_MAX,
 };
 
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index e62683ba88e6..8e429d0e0405 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -341,7 +341,9 @@ struct ipv6_pinfo {
                                 odstopts:1,
                                 rxflow:1,
                                 rxtclass:1,
-                                rxpmtu:1;
+                                rxpmtu:1,
+                                rxorigdstaddr:1;
+                                /* 2 bits hole */
                 } bits;
                 __u16           all;
         } rxopt;
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 1afd18c855ec..50cdc2559a5a 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -98,8 +98,14 @@ enum ip_conntrack_events {
 
 enum ip_conntrack_expect_events {
         IPEXP_NEW,              /* new expectation */
+        IPEXP_DESTROY,          /* destroyed expectation */
 };
 
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT          0x1
+#define NF_CT_EXPECT_INACTIVE           0x2
+#define NF_CT_EXPECT_USERSPACE          0x4
+
 #ifdef __KERNEL__
 struct ip_conntrack_stat {
         unsigned int searched;
diff --git a/include/linux/netfilter/nf_conntrack_sip.h b/include/linux/netfilter/nf_conntrack_sip.h
index ff8cfbcf3b81..0ce91d56a5f2 100644
--- a/include/linux/netfilter/nf_conntrack_sip.h
+++ b/include/linux/netfilter/nf_conntrack_sip.h
@@ -89,6 +89,7 @@ enum sip_header_types {
         SIP_HDR_VIA_TCP,
         SIP_HDR_EXPIRES,
         SIP_HDR_CONTENT_LENGTH,
+        SIP_HDR_CALL_ID,
 };
 
 enum sdp_header_types {
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 9ed534c991b9..455f0ce4f430 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -161,6 +161,7 @@ enum ctattr_expect {
         CTA_EXPECT_ID,
         CTA_EXPECT_HELP_NAME,
         CTA_EXPECT_ZONE,
+        CTA_EXPECT_FLAGS,
         __CTA_EXPECT_MAX
 };
 #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 24e5d01d27d0..742bec051440 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -66,6 +66,11 @@ struct xt_standard_target {
         int verdict;
 };
 
+struct xt_error_target {
+        struct xt_entry_target target;
+        char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
 /* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
  * kernel supports, if >= revision. */
 struct xt_get_revision {
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/linux/netfilter/xt_TPROXY.h
index 152e8f97132b..3f3d69361289 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/linux/netfilter/xt_TPROXY.h
@@ -1,5 +1,5 @@
-#ifndef _XT_TPROXY_H_target
-#define _XT_TPROXY_H_target
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
 
 /* TPROXY target is capable of marking the packet to perform
  * redirection. We can get rid of that whenever we get support for
@@ -11,4 +11,11 @@ struct xt_tproxy_target_info {
         __be16 lport;
 };
 
-#endif /* _XT_TPROXY_H_target */
+struct xt_tproxy_target_info_v1 {
+        u_int32_t mark_mask;
+        u_int32_t mark_value;
+        union nf_inet_addr laddr;
+        __be16 lport;
+};
+
+#endif /* _XT_TPROXY_H */
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index e9948c0560f6..adbf4bff87ed 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -21,8 +21,21 @@
 
 #include <linux/netfilter/x_tables.h>
 
+#ifndef __KERNEL__
 #define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define arpt_entry_target xt_entry_target
+#define arpt_standard_target xt_standard_target
+#define arpt_error_target xt_error_target
+#define ARPT_CONTINUE XT_CONTINUE
+#define ARPT_RETURN XT_RETURN
+#define arpt_counters_info xt_counters_info
+#define arpt_counters xt_counters
+#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
+#define ARPT_ERROR_TARGET XT_ERROR_TARGET
+#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
+#endif
 
 #define ARPT_DEV_ADDR_LEN_MAX 16
 
@@ -63,9 +76,6 @@ struct arpt_arp {
         u_int16_t invflags;
 };
 
-#define arpt_entry_target xt_entry_target
-#define arpt_standard_target xt_standard_target
-
 /* Values for "flag" field in struct arpt_ip (general arp structure).
  * No flags defined yet.
  */
@@ -125,16 +135,10 @@ struct arpt_entry
 #define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
 #define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
 
-/* CONTINUE verdict for targets */
-#define ARPT_CONTINUE XT_CONTINUE
-
-/* For standard target */
-#define ARPT_RETURN XT_RETURN
-
 /* The argument to ARPT_SO_GET_INFO */
 struct arpt_getinfo {
         /* Which table: caller fills this in. */
-        char name[ARPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Kernel fills these in. */
         /* Which hook entry points are valid: bitmask */
@@ -156,7 +160,7 @@ struct arpt_getinfo {
 /* The argument to ARPT_SO_SET_REPLACE. */
 struct arpt_replace {
         /* Which table. */
-        char name[ARPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -184,14 +188,10 @@ struct arpt_replace {
         struct arpt_entry entries[0];
 };
 
-/* The argument to ARPT_SO_ADD_COUNTERS. */
-#define arpt_counters_info xt_counters_info
-#define arpt_counters xt_counters
-
 /* The argument to ARPT_SO_GET_ENTRIES. */
 struct arpt_get_entries {
         /* Which table: user fills this in. */
-        char name[ARPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* User fills this in: total entry size. */
         unsigned int size;
@@ -200,23 +200,12 @@ struct arpt_get_entries {
         struct arpt_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define ARPT_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
+static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
-#endif
-
 /*
  *      Main firewall chains definitions and global var's definitions.
  */
@@ -225,17 +214,12 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
 /* Standard entry. */
 struct arpt_standard {
         struct arpt_entry entry;
-        struct arpt_standard_target target;
-};
-
-struct arpt_error_target {
-        struct arpt_entry_target target;
-        char errorname[ARPT_FUNCTION_MAXNAMELEN];
+        struct xt_standard_target target;
 };
 
 struct arpt_error {
         struct arpt_entry entry;
-        struct arpt_error_target target;
+        struct xt_error_target target;
 };
 
 #define ARPT_ENTRY_INIT(__size)                                                \
@@ -247,16 +231,16 @@ struct arpt_error {
 #define ARPT_STANDARD_INIT(__verdict)                                          \
 {                                                                              \
         .entry          = ARPT_ENTRY_INIT(sizeof(struct arpt_standard)),       \
-        .target         = XT_TARGET_INIT(ARPT_STANDARD_TARGET,                 \
-                                         sizeof(struct arpt_standard_target)), \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
+                                         sizeof(struct xt_standard_target)), \
         .target.verdict = -(__verdict) - 1,                                    \
 }
 
 #define ARPT_ERROR_INIT                                                        \
 {                                                                              \
         .entry          = ARPT_ENTRY_INIT(sizeof(struct arpt_error)),          \
-        .target         = XT_TARGET_INIT(ARPT_ERROR_TARGET,                    \
-                                         sizeof(struct arpt_error_target)),    \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
         .target.errorname = "ERROR",                                           \
 }
 
@@ -271,8 +255,6 @@ extern unsigned int arpt_do_table(struct sk_buff *skb,
                                   const struct net_device *out,
                                   struct xt_table *table);
 
-#define ARPT_ALIGN(s) XT_ALIGN(s)
-
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
@@ -285,14 +267,12 @@ struct compat_arpt_entry {
         unsigned char elems[0];
 };
 
-static inline struct arpt_entry_target *
+static inline struct xt_entry_target *
 compat_arpt_get_target(struct compat_arpt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#define COMPAT_ARPT_ALIGN(s)    COMPAT_XT_ALIGN(s)
-
 #endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _ARPTABLES_H */
diff --git a/include/linux/netfilter_bridge/Kbuild b/include/linux/netfilter_bridge/Kbuild
index d4d78672873e..e48f1a3f5a4a 100644
--- a/include/linux/netfilter_bridge/Kbuild
+++ b/include/linux/netfilter_bridge/Kbuild
@@ -3,11 +3,13 @@ header-y += ebt_among.h
 header-y += ebt_arp.h
 header-y += ebt_arpreply.h
 header-y += ebt_ip.h
+header-y += ebt_ip6.h
 header-y += ebt_limit.h
 header-y += ebt_log.h
 header-y += ebt_mark_m.h
 header-y += ebt_mark_t.h
 header-y += ebt_nat.h
+header-y += ebt_nflog.h
 header-y += ebt_pkttype.h
 header-y += ebt_redirect.h
 header-y += ebt_stp.h
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index 704a7b6e8169..64a5d95c58e8 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -27,12 +27,49 @@
 
 #include <linux/netfilter/x_tables.h>
 
+#ifndef __KERNEL__
 #define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
 #define ipt_match xt_match
 #define ipt_target xt_target
 #define ipt_table xt_table
 #define ipt_get_revision xt_get_revision
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+#define ipt_error_target xt_error_target
+#define ipt_counters xt_counters
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+
+/* This group is older than old (iptables < v1.4.0-rc1~89) */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
+#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
+#endif
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ipt_ip {
@@ -52,12 +89,6 @@ struct ipt_ip {
         u_int8_t invflags;
 };
 
-#define ipt_entry_match xt_entry_match
-#define ipt_entry_target xt_entry_target
-#define ipt_standard_target xt_standard_target
-
-#define ipt_counters xt_counters
-
 /* Values for "flag" field in struct ipt_ip (general ip structure). */
 #define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
 #define IPT_F_GOTO              0x02    /* Set if jump is a goto */
@@ -116,23 +147,6 @@ struct ipt_entry {
 #define IPT_SO_GET_REVISION_TARGET      (IPT_BASE_CTL + 3)
 #define IPT_SO_GET_MAX                  IPT_SO_GET_REVISION_TARGET
 
-#define IPT_CONTINUE XT_CONTINUE
-#define IPT_RETURN XT_RETURN
-
-#include <linux/netfilter/xt_tcpudp.h>
-#define ipt_udp xt_udp
-#define ipt_tcp xt_tcp
-
-#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
-#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
-#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
-#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
-#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
-
-#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
-#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
-#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
-
 /* ICMP matching stuff */
 struct ipt_icmp {
         u_int8_t type;                          /* type to match */
@@ -146,7 +160,7 @@ struct ipt_icmp {
 /* The argument to IPT_SO_GET_INFO */
 struct ipt_getinfo {
         /* Which table: caller fills this in. */
-        char name[IPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Kernel fills these in. */
         /* Which hook entry points are valid: bitmask */
@@ -168,7 +182,7 @@ struct ipt_getinfo {
 /* The argument to IPT_SO_SET_REPLACE. */
 struct ipt_replace {
         /* Which table. */
-        char name[IPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -196,13 +210,10 @@ struct ipt_replace {
         struct ipt_entry entries[0];
 };
 
-/* The argument to IPT_SO_ADD_COUNTERS. */
-#define ipt_counters_info xt_counters_info
-
 /* The argument to IPT_SO_GET_ENTRIES. */
 struct ipt_get_entries {
         /* Which table: user fills this in. */
-        char name[IPT_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* User fills this in: total entry size. */
         unsigned int size;
@@ -211,28 +222,13 @@ struct ipt_get_entries {
         struct ipt_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IPT_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct ipt_entry_target *
+static __inline__ struct xt_entry_target *
 ipt_get_target(struct ipt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
-        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
-#endif
-
 /*
  *      Main firewall chains definitions and global var's definitions.
  */
@@ -249,17 +245,12 @@ extern void ipt_unregister_table(struct net *net, struct xt_table *table);
 /* Standard entry. */
 struct ipt_standard {
         struct ipt_entry entry;
-        struct ipt_standard_target target;
-};
-
-struct ipt_error_target {
-        struct ipt_entry_target target;
-        char errorname[IPT_FUNCTION_MAXNAMELEN];
+        struct xt_standard_target target;
 };
 
 struct ipt_error {
         struct ipt_entry entry;
-        struct ipt_error_target target;
+        struct xt_error_target target;
 };
 
 #define IPT_ENTRY_INIT(__size)                                                 \
@@ -271,7 +262,7 @@ struct ipt_error {
 #define IPT_STANDARD_INIT(__verdict)                                           \
 {                                                                              \
         .entry          = IPT_ENTRY_INIT(sizeof(struct ipt_standard)),         \
-        .target         = XT_TARGET_INIT(IPT_STANDARD_TARGET,                  \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
                                          sizeof(struct xt_standard_target)),   \
         .target.verdict = -(__verdict) - 1,                                    \
 }
@@ -279,8 +270,8 @@ struct ipt_error {
 #define IPT_ERROR_INIT                                                         \
 {                                                                              \
         .entry          = IPT_ENTRY_INIT(sizeof(struct ipt_error)),            \
-        .target         = XT_TARGET_INIT(IPT_ERROR_TARGET,                     \
-                                         sizeof(struct ipt_error_target)),     \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
         .target.errorname = "ERROR",                                           \
 }
 
@@ -291,8 +282,6 @@ extern unsigned int ipt_do_table(struct sk_buff *skb,
                                  const struct net_device *out,
                                  struct xt_table *table);
 
-#define IPT_ALIGN(s) XT_ALIGN(s)
-
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
@@ -307,14 +296,12 @@ struct compat_ipt_entry {
 };
 
 /* Helper functions */
-static inline struct ipt_entry_target *
+static inline struct xt_entry_target *
 compat_ipt_get_target(struct compat_ipt_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#define COMPAT_IPT_ALIGN(s)     COMPAT_XT_ALIGN(s)
-
 #endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 18442ff19c07..c9784f7a9c1f 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -27,13 +27,42 @@
 
 #include <linux/netfilter/x_tables.h>
 
+#ifndef __KERNEL__
 #define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
 #define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-
 #define ip6t_match xt_match
 #define ip6t_target xt_target
 #define ip6t_table xt_table
 #define ip6t_get_revision xt_get_revision
+#define ip6t_entry_match xt_entry_match
+#define ip6t_entry_target xt_entry_target
+#define ip6t_standard_target xt_standard_target
+#define ip6t_error_target xt_error_target
+#define ip6t_counters xt_counters
+#define IP6T_CONTINUE XT_CONTINUE
+#define IP6T_RETURN XT_RETURN
+
+/* Pre-iptables-1.4.0 */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
+#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
+#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
+
+#define ip6t_counters_info xt_counters_info
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
+#endif
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ip6t_ip6 {
@@ -62,12 +91,6 @@ struct ip6t_ip6 {
         u_int8_t invflags;
 };
 
-#define ip6t_entry_match xt_entry_match
-#define ip6t_entry_target xt_entry_target
-#define ip6t_standard_target xt_standard_target
-
-#define ip6t_counters   xt_counters
-
 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
 #define IP6T_F_PROTO            0x01    /* Set if rule cares about upper 
                                            protocols */
@@ -112,17 +135,12 @@ struct ip6t_entry {
 /* Standard entry */
 struct ip6t_standard {
         struct ip6t_entry entry;
-        struct ip6t_standard_target target;
-};
-
-struct ip6t_error_target {
-        struct ip6t_entry_target target;
-        char errorname[IP6T_FUNCTION_MAXNAMELEN];
+        struct xt_standard_target target;
 };
 
 struct ip6t_error {
         struct ip6t_entry entry;
-        struct ip6t_error_target target;
+        struct xt_error_target target;
 };
 
 #define IP6T_ENTRY_INIT(__size)                                                \
@@ -134,16 +152,16 @@ struct ip6t_error {
 #define IP6T_STANDARD_INIT(__verdict)                                          \
 {                                                                              \
         .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-        .target         = XT_TARGET_INIT(IP6T_STANDARD_TARGET,                 \
-                                         sizeof(struct ip6t_standard_target)), \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
+                                         sizeof(struct xt_standard_target)),   \
         .target.verdict = -(__verdict) - 1,                                    \
 }
 
 #define IP6T_ERROR_INIT                                                        \
 {                                                                              \
         .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),          \
-        .target         = XT_TARGET_INIT(IP6T_ERROR_TARGET,                    \
-                                         sizeof(struct ip6t_error_target)),    \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
         .target.errorname = "ERROR",                                           \
 }
 
@@ -166,30 +184,6 @@ struct ip6t_error {
 #define IP6T_SO_GET_REVISION_TARGET     (IP6T_BASE_CTL + 5)
 #define IP6T_SO_GET_MAX                 IP6T_SO_GET_REVISION_TARGET
 
-/* CONTINUE verdict for targets */
-#define IP6T_CONTINUE XT_CONTINUE
-
-/* For standard target */
-#define IP6T_RETURN XT_RETURN
-
-/* TCP/UDP matching stuff */
-#include <linux/netfilter/xt_tcpudp.h>
-
-#define ip6t_tcp xt_tcp
-#define ip6t_udp xt_udp
-
-/* Values for "inv" field in struct ipt_tcp. */
-#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
-#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
-#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
-#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
-#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
-
-/* Values for "invflags" field in struct ipt_udp. */
-#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
-#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
-#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
-
 /* ICMP matching stuff */
 struct ip6t_icmp {
         u_int8_t type;                          /* type to match */
@@ -203,7 +197,7 @@ struct ip6t_icmp {
 /* The argument to IP6T_SO_GET_INFO */
 struct ip6t_getinfo {
         /* Which table: caller fills this in. */
-        char name[IP6T_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Kernel fills these in. */
         /* Which hook entry points are valid: bitmask */
@@ -225,7 +219,7 @@ struct ip6t_getinfo {
 /* The argument to IP6T_SO_SET_REPLACE. */
 struct ip6t_replace {
         /* Which table. */
-        char name[IP6T_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* Which hook entry points are valid: bitmask.  You can't
            change this. */
@@ -253,13 +247,10 @@ struct ip6t_replace {
         struct ip6t_entry entries[0];
 };
 
-/* The argument to IP6T_SO_ADD_COUNTERS. */
-#define ip6t_counters_info xt_counters_info
-
 /* The argument to IP6T_SO_GET_ENTRIES. */
 struct ip6t_get_entries {
         /* Which table: user fills this in. */
-        char name[IP6T_TABLE_MAXNAMELEN];
+        char name[XT_TABLE_MAXNAMELEN];
 
         /* User fills this in: total entry size. */
         unsigned int size;
@@ -268,28 +259,13 @@ struct ip6t_get_entries {
         struct ip6t_entry entrytable[0];
 };
 
-/* Standard return verdict, or do jump. */
-#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IP6T_ERROR_TARGET XT_ERROR_TARGET
-
 /* Helper functions */
-static __inline__ struct ip6t_entry_target *
+static __inline__ struct xt_entry_target *
 ip6t_get_target(struct ip6t_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
-        XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
-
-/* fn returns 0 to continue iteration */
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
-#endif
-
 /*
  *      Main firewall chains definitions and global var's definitions.
  */
@@ -316,8 +292,6 @@ extern int ip6t_ext_hdr(u8 nexthdr);
 extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
                          int target, unsigned short *fragoff);
 
-#define IP6T_ALIGN(s) XT_ALIGN(s)
-
 #ifdef CONFIG_COMPAT
 #include <net/compat.h>
 
@@ -331,14 +305,12 @@ struct compat_ip6t_entry {
         unsigned char elems[0];
 };
 
-static inline struct ip6t_entry_target *
+static inline struct xt_entry_target *
 compat_ip6t_get_target(struct compat_ip6t_entry *e)
 {
         return (void *)e + e->target_offset;
 }
 
-#define COMPAT_IP6T_ALIGN(s)    COMPAT_XT_ALIGN(s)
-
 #endif /* CONFIG_COMPAT */
 #endif /*__KERNEL__*/
 #endif /* _IP6_TABLES_H */