[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables

This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables.  In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

54 files changed, 969 insertions, 697 deletions

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 6d39b518486b..3ff88c878308 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -154,6 +154,9 @@ struct ip_conntrack_stat
         unsigned int expect_delete;
 };
 
+/* call to create an explicit dependency on nf_conntrack. */
+extern void need_conntrack(void);
+
 #endif /* __KERNEL__ */
 
 #endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
new file mode 100644
index 000000000000..472f04834809
--- /dev/null
+++ b/include/linux/netfilter/x_tables.h
@@ -0,0 +1,224 @@
+#ifndef _X_TABLES_H
+#define _X_TABLES_H
+
+#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_TABLE_MAXNAMELEN 32
+
+/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
+ * kernel supports, if >= revision. */
+struct xt_get_revision
+{
+        char name[XT_FUNCTION_MAXNAMELEN-1];
+
+        u_int8_t revision;
+};
+
+/* CONTINUE verdict for targets */
+#define XT_CONTINUE 0xFFFFFFFF
+
+/* For standard target */
+#define XT_RETURN (-NF_REPEAT - 1)
+
+#define XT_ALIGN(s) (((s) + (__alignof__(void *)-1)) & ~(__alignof__(void *)-1))
+
+/* Standard return verdict, or do jump. */
+#define XT_STANDARD_TARGET ""
+/* Error verdict. */
+#define XT_ERROR_TARGET "ERROR"
+
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls. */
+#define XT_BASE_CTL             64      /* base for firewall socket options */
+
+#define XT_SO_SET_REPLACE       (XT_BASE_CTL)
+#define XT_SO_SET_ADD_COUNTERS  (XT_BASE_CTL + 1)
+#define XT_SO_SET_MAX           XT_SO_SET_ADD_COUNTERS
+
+#define XT_SO_GET_INFO                  (XT_BASE_CTL)
+#define XT_SO_GET_ENTRIES               (XT_BASE_CTL + 1)
+#define XT_SO_GET_REVISION_MATCH        (XT_BASE_CTL + 2)
+#define XT_SO_GET_REVISION_TARGET       (XT_BASE_CTL + 3)
+#define XT_SO_GET_MAX                   XT_SO_GET_REVISION_TARGET
+
+#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
+#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
+
+struct xt_counters
+{
+        u_int64_t pcnt, bcnt;                   /* Packet and byte counters */
+};
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+struct xt_counters_info
+{
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        unsigned int num_counters;
+
+        /* The counters (actually `number' of these). */
+        struct xt_counters counters[0];
+};
+
+#define XT_INV_PROTO            0x40    /* Invert the sense of PROTO. */
+
+#ifdef __KERNEL__
+
+#include <linux/netdevice.h>
+
+#define ASSERT_READ_LOCK(x)
+#define ASSERT_WRITE_LOCK(x)
+#include <linux/netfilter_ipv4/listhelp.h>
+
+struct xt_match
+{
+        struct list_head list;
+
+        const char name[XT_FUNCTION_MAXNAMELEN-1];
+
+        u_int8_t revision;
+
+        /* Return true or false: return FALSE and set *hotdrop = 1 to
+           force immediate packet drop. */
+        /* Arguments changed since 2.6.9, as this must now handle
+           non-linear skb, using skb_header_pointer and
+           skb_ip_make_writable. */
+        int (*match)(const struct sk_buff *skb,
+                     const struct net_device *in,
+                     const struct net_device *out,
+                     const void *matchinfo,
+                     int offset,
+                     unsigned int protoff,
+                     int *hotdrop);
+
+        /* Called when user tries to insert an entry of this type. */
+        /* Should return true or false. */
+        int (*checkentry)(const char *tablename,
+                          const void *ip,
+                          void *matchinfo,
+                          unsigned int matchinfosize,
+                          unsigned int hook_mask);
+
+        /* Called when entry of this type deleted. */
+        void (*destroy)(void *matchinfo, unsigned int matchinfosize);
+
+        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
+        struct module *me;
+};
+
+/* Registration hooks for targets. */
+struct xt_target
+{
+        struct list_head list;
+
+        const char name[XT_FUNCTION_MAXNAMELEN-1];
+
+        u_int8_t revision;
+
+        /* Returns verdict. Argument order changed since 2.6.9, as this
+           must now handle non-linear skbs, using skb_copy_bits and
+           skb_ip_make_writable. */
+        unsigned int (*target)(struct sk_buff **pskb,
+                               const struct net_device *in,
+                               const struct net_device *out,
+                               unsigned int hooknum,
+                               const void *targinfo,
+                               void *userdata);
+
+        /* Called when user tries to insert an entry of this type:
+           hook_mask is a bitmask of hooks from which it can be
+           called. */
+        /* Should return true or false. */
+        int (*checkentry)(const char *tablename,
+                          const void *entry,
+                          void *targinfo,
+                          unsigned int targinfosize,
+                          unsigned int hook_mask);
+
+        /* Called when entry of this type deleted. */
+        void (*destroy)(void *targinfo, unsigned int targinfosize);
+
+        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
+        struct module *me;
+};
+
+/* Furniture shopping... */
+struct xt_table
+{
+        struct list_head list;
+
+        /* A unique name... */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* What hooks you will enter on */
+        unsigned int valid_hooks;
+
+        /* Lock for the curtain */
+        rwlock_t lock;
+
+        /* Man behind the curtain... */
+        //struct ip6t_table_info *private;
+        void *private;
+
+        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
+        struct module *me;
+
+        int af;         /* address/protocol family */
+};
+
+#include <linux/netfilter_ipv4.h>
+
+/* The table itself */
+struct xt_table_info
+{
+        /* Size per table */
+        unsigned int size;
+        /* Number of entries: FIXME. --RR */
+        unsigned int number;
+        /* Initial number of entries. Needed for module usage count */
+        unsigned int initial_entries;
+
+        /* Entry points and underflows */
+        unsigned int hook_entry[NF_IP_NUMHOOKS];
+        unsigned int underflow[NF_IP_NUMHOOKS];
+
+        /* ipt_entry tables: one per CPU */
+        char *entries[NR_CPUS];
+};
+
+extern int xt_register_target(int af, struct xt_target *target);
+extern void xt_unregister_target(int af, struct xt_target *target);
+extern int xt_register_match(int af, struct xt_match *target);
+extern void xt_unregister_match(int af, struct xt_match *target);
+
+extern int xt_register_table(struct xt_table *table,
+                             struct xt_table_info *bootstrap,
+                             struct xt_table_info *newinfo);
+extern void *xt_unregister_table(struct xt_table *table);
+
+extern struct xt_table_info *xt_replace_table(struct xt_table *table,
+                                              unsigned int num_counters,
+                                              struct xt_table_info *newinfo,
+                                              int *error);
+
+extern struct xt_match *xt_find_match(int af, const char *name, u8 revision);
+extern struct xt_target *xt_find_target(int af, const char *name, u8 revision);
+extern struct xt_target *xt_request_find_target(int af, const char *name, 
+                                                u8 revision);
+extern int xt_find_revision(int af, const char *name, u8 revision, int target,
+                            int *err);
+
+extern struct xt_table *xt_find_table_lock(int af, const char *name);
+extern void xt_table_unlock(struct xt_table *t);
+
+extern int xt_proto_init(int af);
+extern void xt_proto_fini(int af);
+
+extern struct xt_table_info *xt_alloc_table_info(unsigned int size);
+extern void xt_free_table_info(struct xt_table_info *info);
+
+#endif /* __KERNEL__ */
+
+#endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter/xt_CLASSIFY.h b/include/linux/netfilter/xt_CLASSIFY.h
new file mode 100644
index 000000000000..58111355255d
--- /dev/null
+++ b/include/linux/netfilter/xt_CLASSIFY.h
@@ -0,0 +1,8 @@
+#ifndef _XT_CLASSIFY_H
+#define _XT_CLASSIFY_H
+
+struct xt_classify_target_info {
+        u_int32_t priority;
+};
+
+#endif /*_XT_CLASSIFY_H */
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/linux/netfilter/xt_CONNMARK.h
new file mode 100644
index 000000000000..9f744689fffc
--- /dev/null
+++ b/include/linux/netfilter/xt_CONNMARK.h
@@ -0,0 +1,25 @@
+#ifndef _XT_CONNMARK_H_target
+#define _XT_CONNMARK_H_target
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+        XT_CONNMARK_SET = 0,
+        XT_CONNMARK_SAVE,
+        XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_target_info {
+        unsigned long mark;
+        unsigned long mask;
+        u_int8_t mode;
+};
+
+#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
new file mode 100644
index 000000000000..b021e93ee5d6
--- /dev/null
+++ b/include/linux/netfilter/xt_MARK.h
@@ -0,0 +1,21 @@
+#ifndef _XT_MARK_H_target
+#define _XT_MARK_H_target
+
+/* Version 0 */
+struct xt_mark_target_info {
+        unsigned long mark;
+};
+
+/* Version 1 */
+enum {
+        XT_MARK_SET=0,
+        XT_MARK_AND,
+        XT_MARK_OR,
+};
+
+struct xt_mark_target_info_v1 {
+        unsigned long mark;
+        u_int8_t mode;
+};
+
+#endif /*_XT_MARK_H_target */
diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/linux/netfilter/xt_NFQUEUE.h
new file mode 100644
index 000000000000..9a9af79f74d2
--- /dev/null
+++ b/include/linux/netfilter/xt_NFQUEUE.h
@@ -0,0 +1,16 @@
+/* iptables module for using NFQUEUE mechanism
+ *
+ * (C) 2005 Harald Welte <laforge@netfilter.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+*/
+#ifndef _XT_NFQ_TARGET_H
+#define _XT_NFQ_TARGET_H
+
+/* target info */
+struct xt_NFQ_info {
+        u_int16_t queuenum;
+};
+
+#endif /* _XT_NFQ_TARGET_H */
diff --git a/include/linux/netfilter/xt_comment.h b/include/linux/netfilter/xt_comment.h
new file mode 100644
index 000000000000..eacfedc6b5d0
--- /dev/null
+++ b/include/linux/netfilter/xt_comment.h
@@ -0,0 +1,10 @@
+#ifndef _XT_COMMENT_H
+#define _XT_COMMENT_H
+
+#define XT_MAX_COMMENT_LEN 256
+
+struct xt_comment_info {
+        unsigned char comment[XT_MAX_COMMENT_LEN];
+};
+
+#endif /* XT_COMMENT_H */
diff --git a/include/linux/netfilter/xt_connbytes.h b/include/linux/netfilter/xt_connbytes.h
new file mode 100644
index 000000000000..c022c989754d
--- /dev/null
+++ b/include/linux/netfilter/xt_connbytes.h
@@ -0,0 +1,25 @@
+#ifndef _XT_CONNBYTES_H
+#define _XT_CONNBYTES_H
+
+enum xt_connbytes_what {
+        XT_CONNBYTES_PKTS,
+        XT_CONNBYTES_BYTES,
+        XT_CONNBYTES_AVGPKT,
+};
+
+enum xt_connbytes_direction {
+        XT_CONNBYTES_DIR_ORIGINAL,
+        XT_CONNBYTES_DIR_REPLY,
+        XT_CONNBYTES_DIR_BOTH,
+};
+
+struct xt_connbytes_info
+{
+        struct {
+                aligned_u64 from;       /* count to be matched */
+                aligned_u64 to;         /* count to be matched */
+        } count;
+        u_int8_t what;          /* ipt_connbytes_what */
+        u_int8_t direction;     /* ipt_connbytes_direction */
+};
+#endif
diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
new file mode 100644
index 000000000000..c592f6ae0883
--- /dev/null
+++ b/include/linux/netfilter/xt_connmark.h
@@ -0,0 +1,18 @@
+#ifndef _XT_CONNMARK_H
+#define _XT_CONNMARK_H
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+struct xt_connmark_info {
+        unsigned long mark, mask;
+        u_int8_t invert;
+};
+
+#endif /*_XT_CONNMARK_H*/
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
new file mode 100644
index 000000000000..34f63cf2e293
--- /dev/null
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -0,0 +1,63 @@
+/* Header file for kernel module to match connection tracking information.
+ * GPL (C) 2001  Marc Boucher (marc@mbsi.ca).
+ */
+
+#ifndef _XT_CONNTRACK_H
+#define _XT_CONNTRACK_H
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <linux/in.h>
+
+#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_CONNTRACK_STATE_INVALID (1 << 0)
+
+#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
+#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+
+/* flags, invflags: */
+#define XT_CONNTRACK_STATE      0x01
+#define XT_CONNTRACK_PROTO      0x02
+#define XT_CONNTRACK_ORIGSRC    0x04
+#define XT_CONNTRACK_ORIGDST    0x08
+#define XT_CONNTRACK_REPLSRC    0x10
+#define XT_CONNTRACK_REPLDST    0x20
+#define XT_CONNTRACK_STATUS     0x40
+#define XT_CONNTRACK_EXPIRES    0x80
+
+/* This is exposed to userspace, so remains frozen in time. */
+struct ip_conntrack_old_tuple
+{
+        struct {
+                __u32 ip;
+                union {
+                        __u16 all;
+                } u;
+        } src;
+
+        struct {
+                __u32 ip;
+                union {
+                        __u16 all;
+                } u;
+
+                /* The protocol. */
+                u16 protonum;
+        } dst;
+};
+
+struct xt_conntrack_info
+{
+        unsigned int statemask, statusmask;
+
+        struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
+        struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
+
+        unsigned long expires_min, expires_max;
+
+        /* Flags word */
+        u_int8_t flags;
+        /* Inverse flags */
+        u_int8_t invflags;
+};
+#endif /*_XT_CONNTRACK_H*/
diff --git a/include/linux/netfilter/xt_dccp.h b/include/linux/netfilter/xt_dccp.h
new file mode 100644
index 000000000000..e0221b9d32cb
--- /dev/null
+++ b/include/linux/netfilter/xt_dccp.h
@@ -0,0 +1,23 @@
+#ifndef _XT_DCCP_H_
+#define _XT_DCCP_H_
+
+#define XT_DCCP_SRC_PORTS               0x01
+#define XT_DCCP_DEST_PORTS              0x02
+#define XT_DCCP_TYPE                    0x04
+#define XT_DCCP_OPTION                  0x08
+
+#define XT_DCCP_VALID_FLAGS             0x0f
+
+struct xt_dccp_info {
+        u_int16_t dpts[2];  /* Min, Max */
+        u_int16_t spts[2];  /* Min, Max */
+
+        u_int16_t flags;
+        u_int16_t invflags;
+
+        u_int16_t typemask;
+        u_int8_t option;
+};
+
+#endif /* _XT_DCCP_H_ */
+
diff --git a/include/linux/netfilter/xt_helper.h b/include/linux/netfilter/xt_helper.h
new file mode 100644
index 000000000000..6b42763f999d
--- /dev/null
+++ b/include/linux/netfilter/xt_helper.h
@@ -0,0 +1,8 @@
+#ifndef _XT_HELPER_H
+#define _XT_HELPER_H
+
+struct xt_helper_info {
+        int invert;
+        char name[30];
+};
+#endif /* _XT_HELPER_H */
diff --git a/include/linux/netfilter/xt_length.h b/include/linux/netfilter/xt_length.h
new file mode 100644
index 000000000000..7c2b439f73fe
--- /dev/null
+++ b/include/linux/netfilter/xt_length.h
@@ -0,0 +1,9 @@
+#ifndef _XT_LENGTH_H
+#define _XT_LENGTH_H
+
+struct xt_length_info {
+    u_int16_t   min, max;
+    u_int8_t    invert;
+};
+
+#endif /*_XT_LENGTH_H*/
diff --git a/include/linux/netfilter/xt_limit.h b/include/linux/netfilter/xt_limit.h
new file mode 100644
index 000000000000..b3ce65375ecb
--- /dev/null
+++ b/include/linux/netfilter/xt_limit.h
@@ -0,0 +1,21 @@
+#ifndef _XT_RATE_H
+#define _XT_RATE_H
+
+/* timings are in milliseconds. */
+#define XT_LIMIT_SCALE 10000
+
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+struct xt_rateinfo {
+        u_int32_t avg;    /* Average secs between packets * scale */
+        u_int32_t burst;  /* Period multiplier for upper limit. */
+
+        /* Used internally by the kernel */
+        unsigned long prev;
+        u_int32_t credit;
+        u_int32_t credit_cap, cost;
+
+        /* Ugly, ugly fucker. */
+        struct xt_rateinfo *master;
+};
+#endif /*_XT_RATE_H*/
diff --git a/include/linux/netfilter/xt_mac.h b/include/linux/netfilter/xt_mac.h
new file mode 100644
index 000000000000..b892cdc67e06
--- /dev/null
+++ b/include/linux/netfilter/xt_mac.h
@@ -0,0 +1,8 @@
+#ifndef _XT_MAC_H
+#define _XT_MAC_H
+
+struct xt_mac_info {
+    unsigned char srcaddr[ETH_ALEN];
+    int invert;
+};
+#endif /*_XT_MAC_H*/
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
new file mode 100644
index 000000000000..802dd4842caf
--- /dev/null
+++ b/include/linux/netfilter/xt_mark.h
@@ -0,0 +1,9 @@
+#ifndef _XT_MARK_H
+#define _XT_MARK_H
+
+struct xt_mark_info {
+    unsigned long mark, mask;
+    u_int8_t invert;
+};
+
+#endif /*_XT_MARK_H*/
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
new file mode 100644
index 000000000000..25a7a1815b5b
--- /dev/null
+++ b/include/linux/netfilter/xt_physdev.h
@@ -0,0 +1,24 @@
+#ifndef _XT_PHYSDEV_H
+#define _XT_PHYSDEV_H
+
+#ifdef __KERNEL__
+#include <linux/if.h>
+#endif
+
+#define XT_PHYSDEV_OP_IN                0x01
+#define XT_PHYSDEV_OP_OUT               0x02
+#define XT_PHYSDEV_OP_BRIDGED           0x04
+#define XT_PHYSDEV_OP_ISIN              0x08
+#define XT_PHYSDEV_OP_ISOUT             0x10
+#define XT_PHYSDEV_OP_MASK              (0x20 - 1)
+
+struct xt_physdev_info {
+        char physindev[IFNAMSIZ];
+        char in_mask[IFNAMSIZ];
+        char physoutdev[IFNAMSIZ];
+        char out_mask[IFNAMSIZ];
+        u_int8_t invert;
+        u_int8_t bitmask;
+};
+
+#endif /*_XT_PHYSDEV_H*/
diff --git a/include/linux/netfilter/xt_pkttype.h b/include/linux/netfilter/xt_pkttype.h
new file mode 100644
index 000000000000..f265cf52faea
--- /dev/null
+++ b/include/linux/netfilter/xt_pkttype.h
@@ -0,0 +1,8 @@
+#ifndef _XT_PKTTYPE_H
+#define _XT_PKTTYPE_H
+
+struct xt_pkttype_info {
+        int     pkttype;
+        int     invert;
+};
+#endif /*_XT_PKTTYPE_H*/
diff --git a/include/linux/netfilter/xt_realm.h b/include/linux/netfilter/xt_realm.h
new file mode 100644
index 000000000000..220e87245716
--- /dev/null
+++ b/include/linux/netfilter/xt_realm.h
@@ -0,0 +1,10 @@
+#ifndef _XT_REALM_H
+#define _XT_REALM_H
+
+struct xt_realm_info {
+        u_int32_t id;
+        u_int32_t mask;
+        u_int8_t invert;
+};
+
+#endif /* _XT_REALM_H */
diff --git a/include/linux/netfilter/xt_sctp.h b/include/linux/netfilter/xt_sctp.h
new file mode 100644
index 000000000000..b157897e7792
--- /dev/null
+++ b/include/linux/netfilter/xt_sctp.h
@@ -0,0 +1,107 @@
+#ifndef _XT_SCTP_H_
+#define _XT_SCTP_H_
+
+#define XT_SCTP_SRC_PORTS               0x01
+#define XT_SCTP_DEST_PORTS              0x02
+#define XT_SCTP_CHUNK_TYPES             0x04
+
+#define XT_SCTP_VALID_FLAGS             0x07
+
+#define ELEMCOUNT(x) (sizeof(x)/sizeof(x[0]))
+
+
+struct xt_sctp_flag_info {
+        u_int8_t chunktype;
+        u_int8_t flag;
+        u_int8_t flag_mask;
+};
+
+#define XT_NUM_SCTP_FLAGS       4
+
+struct xt_sctp_info {
+        u_int16_t dpts[2];  /* Min, Max */
+        u_int16_t spts[2];  /* Min, Max */
+
+        u_int32_t chunkmap[256 / sizeof (u_int32_t)];  /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY   0x01  /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL   0x02  /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY  0x04  /* Match if these are the only chunk types present */
+
+        u_int32_t chunk_match_type;
+        struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
+        int flag_count;
+
+        u_int32_t flags;
+        u_int32_t invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type)               \
+        do {                                            \
+                chunkmap[type / bytes(u_int32_t)] |=    \
+                        1 << (type % bytes(u_int32_t)); \
+        } while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type)                     \
+        do {                                                    \
+                chunkmap[type / bytes(u_int32_t)] &=            \
+                        ~(1 << (type % bytes(u_int32_t)));      \
+        } while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type)                    \
+({                                                              \
+        (chunkmap[type / bytes (u_int32_t)] &                   \
+                (1 << (type % bytes (u_int32_t)))) ? 1: 0;      \
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap)                           \
+        do {                                                    \
+                int i;                                          \
+                for (i = 0; i < ELEMCOUNT(chunkmap); i++)       \
+                        chunkmap[i] = 0;                        \
+        } while (0)
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap)                         \
+        do {                                                    \
+                int i;                                          \
+                for (i = 0; i < ELEMCOUNT(chunkmap); i++)       \
+                        chunkmap[i] = ~0;                       \
+        } while (0)
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap)                     \
+        do {                                                    \
+                int i;                                          \
+                for (i = 0; i < ELEMCOUNT(chunkmap); i++)       \
+                        destmap[i] = srcmap[i];                 \
+        } while (0)
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap)                \
+({                                                      \
+        int i;                                          \
+        int flag = 1;                                   \
+        for (i = 0; i < ELEMCOUNT(chunkmap); i++) {     \
+                if (chunkmap[i]) {                      \
+                        flag = 0;                       \
+                        break;                          \
+                }                                       \
+        }                                               \
+        flag;                                           \
+})
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap)              \
+({                                                      \
+        int i;                                          \
+        int flag = 1;                                   \
+        for (i = 0; i < ELEMCOUNT(chunkmap); i++) {     \
+                if (chunkmap[i] != ~0) {                \
+                        flag = 0;                       \
+                                break;                  \
+                }                                       \
+        }                                               \
+        flag;                                           \
+})
+
+#endif /* _XT_SCTP_H_ */
+
diff --git a/include/linux/netfilter/xt_state.h b/include/linux/netfilter/xt_state.h
new file mode 100644
index 000000000000..c06f32edee07
--- /dev/null
+++ b/include/linux/netfilter/xt_state.h
@@ -0,0 +1,13 @@
+#ifndef _XT_STATE_H
+#define _XT_STATE_H
+
+#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_STATE_INVALID (1 << 0)
+
+#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+
+struct xt_state_info
+{
+        unsigned int statemask;
+};
+#endif /*_XT_STATE_H*/
diff --git a/include/linux/netfilter/xt_string.h b/include/linux/netfilter/xt_string.h
new file mode 100644
index 000000000000..3b3419f2637d
--- /dev/null
+++ b/include/linux/netfilter/xt_string.h
@@ -0,0 +1,18 @@
+#ifndef _XT_STRING_H
+#define _XT_STRING_H
+
+#define XT_STRING_MAX_PATTERN_SIZE 128
+#define XT_STRING_MAX_ALGO_NAME_SIZE 16
+
+struct xt_string_info
+{
+        u_int16_t from_offset;
+        u_int16_t to_offset;
+        char      algo[XT_STRING_MAX_ALGO_NAME_SIZE];
+        char      pattern[XT_STRING_MAX_PATTERN_SIZE];
+        u_int8_t  patlen;
+        u_int8_t  invert;
+        struct ts_config __attribute__((aligned(8))) *config;
+};
+
+#endif /*_XT_STRING_H*/
diff --git a/include/linux/netfilter/xt_tcpmss.h b/include/linux/netfilter/xt_tcpmss.h
new file mode 100644
index 000000000000..e03274c4c790
--- /dev/null
+++ b/include/linux/netfilter/xt_tcpmss.h
@@ -0,0 +1,9 @@
+#ifndef _XT_TCPMSS_MATCH_H
+#define _XT_TCPMSS_MATCH_H
+
+struct xt_tcpmss_match_info {
+    u_int16_t mss_min, mss_max;
+    u_int8_t invert;
+};
+
+#endif /*_XT_TCPMSS_MATCH_H*/
diff --git a/include/linux/netfilter/xt_tcpudp.h b/include/linux/netfilter/xt_tcpudp.h
new file mode 100644
index 000000000000..78bc65f11adf
--- /dev/null
+++ b/include/linux/netfilter/xt_tcpudp.h
@@ -0,0 +1,36 @@
+#ifndef _XT_TCPUDP_H
+#define _XT_TCPUDP_H
+
+/* TCP matching stuff */
+struct xt_tcp
+{
+        u_int16_t spts[2];                      /* Source port range. */
+        u_int16_t dpts[2];                      /* Destination port range. */
+        u_int8_t option;                        /* TCP Option iff non-zero*/
+        u_int8_t flg_mask;                      /* TCP flags mask byte */
+        u_int8_t flg_cmp;                       /* TCP flags compare byte */
+        u_int8_t invflags;                      /* Inverse flags */
+};
+
+/* Values for "inv" field in struct ipt_tcp. */
+#define XT_TCP_INV_SRCPT        0x01    /* Invert the sense of source ports. */
+#define XT_TCP_INV_DSTPT        0x02    /* Invert the sense of dest ports. */
+#define XT_TCP_INV_FLAGS        0x04    /* Invert the sense of TCP flags. */
+#define XT_TCP_INV_OPTION       0x08    /* Invert the sense of option test. */
+#define XT_TCP_INV_MASK         0x0F    /* All possible flags. */
+
+/* UDP matching stuff */
+struct xt_udp
+{
+        u_int16_t spts[2];                      /* Source port range. */
+        u_int16_t dpts[2];                      /* Destination port range. */
+        u_int8_t invflags;                      /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct ipt_udp. */
+#define XT_UDP_INV_SRCPT        0x01    /* Invert the sense of source ports. */
+#define XT_UDP_INV_DSTPT        0x02    /* Invert the sense of dest ports. */
+#define XT_UDP_INV_MASK 0x03    /* All possible flags. */
+
+
+#endif
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index e98a870a20be..fd21796e5131 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -19,8 +19,12 @@
 #include <linux/compiler.h>
 #include <linux/netfilter_arp.h>
 
-#define ARPT_FUNCTION_MAXNAMELEN 30
-#define ARPT_TABLE_MAXNAMELEN 32
+#include <linux/netfilter/x_tables.h>
+
+#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define arpt_target xt_target
+#define arpt_table xt_table
 
 #define ARPT_DEV_ADDR_LEN_MAX 16
 
@@ -91,11 +95,6 @@ struct arpt_standard_target
         int verdict;
 };
 
-struct arpt_counters
-{
-        u_int64_t pcnt, bcnt;                   /* Packet and byte counters */
-};
-
 /* Values for "flag" field in struct arpt_ip (general arp structure).
  * No flags defined yet.
  */
@@ -130,7 +129,7 @@ struct arpt_entry
         unsigned int comefrom;
 
         /* Packet and byte counters. */
-        struct arpt_counters counters;
+        struct xt_counters counters;
 
         /* The matches (if any), then the target. */
         unsigned char elems[0];
@@ -141,23 +140,24 @@ struct arpt_entry
  * Unlike BSD Linux inherits IP options so you don't have to use a raw
  * socket for this. Instead we check rights in the calls.
  */
-#define ARPT_BASE_CTL           96      /* base for firewall socket options */
+#define ARPT_CTL_OFFSET         32
+#define ARPT_BASE_CTL           (XT_BASE_CTL+ARPT_CTL_OFFSET)
 
-#define ARPT_SO_SET_REPLACE             (ARPT_BASE_CTL)
-#define ARPT_SO_SET_ADD_COUNTERS        (ARPT_BASE_CTL + 1)
-#define ARPT_SO_SET_MAX                 ARPT_SO_SET_ADD_COUNTERS
+#define ARPT_SO_SET_REPLACE             (XT_SO_SET_REPLACE+ARPT_CTL_OFFSET)
+#define ARPT_SO_SET_ADD_COUNTERS        (XT_SO_SET_ADD_COUNTERS+ARPT_CTL_OFFSET)
+#define ARPT_SO_SET_MAX                 (XT_SO_SET_MAX+ARPT_CTL_OFFSET)
 
-#define ARPT_SO_GET_INFO                (ARPT_BASE_CTL)
-#define ARPT_SO_GET_ENTRIES             (ARPT_BASE_CTL + 1)
-/* #define ARPT_SO_GET_REVISION_MATCH   (ARPT_BASE_CTL + 2)*/
-#define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
-#define ARPT_SO_GET_MAX                 ARPT_SO_GET_REVISION_TARGET
+#define ARPT_SO_GET_INFO                (XT_SO_GET_INFO+ARPT_CTL_OFFSET)
+#define ARPT_SO_GET_ENTRIES             (XT_SO_GET_ENTRIES+ARPT_CTL_OFFSET)
+/* #define ARPT_SO_GET_REVISION_MATCH   XT_SO_GET_REVISION_MATCH  */
+#define ARPT_SO_GET_REVISION_TARGET     (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
+#define ARPT_SO_GET_MAX                 (XT_SO_GET_REVISION_TARGET+ARPT_CTL_OFFSET)
 
 /* CONTINUE verdict for targets */
-#define ARPT_CONTINUE 0xFFFFFFFF
+#define ARPT_CONTINUE XT_CONTINUE
 
 /* For standard target */
-#define ARPT_RETURN (-NF_REPEAT - 1)
+#define ARPT_RETURN XT_RETURN
 
 /* The argument to ARPT_SO_GET_INFO */
 struct arpt_getinfo
@@ -208,23 +208,14 @@ struct arpt_replace
         /* Number of counters (must be equal to current number of entries). */
         unsigned int num_counters;
         /* The old entries' counters. */
-        struct arpt_counters __user *counters;
+        struct xt_counters __user *counters;
 
         /* The entries (hang off end: not really an array). */
         struct arpt_entry entries[0];
 };
 
 /* The argument to ARPT_SO_ADD_COUNTERS. */
-struct arpt_counters_info
-{
-        /* Which table. */
-        char name[ARPT_TABLE_MAXNAMELEN];
-
-        unsigned int num_counters;
-
-        /* The counters (actually `number' of these). */
-        struct arpt_counters counters[0];
-};
+#define arpt_counters_info xt_counters_info
 
 /* The argument to ARPT_SO_GET_ENTRIES. */
 struct arpt_get_entries
@@ -239,19 +230,10 @@ struct arpt_get_entries
         struct arpt_entry entrytable[0];
 };
 
-/* The argument to ARPT_SO_GET_REVISION_*.  Returns highest revision
- * kernel supports, if >= revision. */
-struct arpt_get_revision
-{
-        char name[ARPT_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-};
-
 /* Standard return verdict, or do jump. */
-#define ARPT_STANDARD_TARGET ""
+#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
 /* Error verdict. */
-#define ARPT_ERROR_TARGET "ERROR"
+#define ARPT_ERROR_TARGET XT_ERROR_TARGET
 
 /* Helper functions */
 static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e)
@@ -281,63 +263,8 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
  */
 #ifdef __KERNEL__
 
-/* Registration hooks for targets. */
-struct arpt_target
-{
-        struct list_head list;
-
-        const char name[ARPT_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-
-        /* Returns verdict. */
-        unsigned int (*target)(struct sk_buff **pskb,
-                               unsigned int hooknum,
-                               const struct net_device *in,
-                               const struct net_device *out,
-                               const void *targinfo,
-                               void *userdata);
-
-        /* Called when user tries to insert an entry of this type:
-           hook_mask is a bitmask of hooks from which it can be
-           called. */
-        /* Should return true or false. */
-        int (*checkentry)(const char *tablename,
-                          const struct arpt_entry *e,
-                          void *targinfo,
-                          unsigned int targinfosize,
-                          unsigned int hook_mask);
-
-        /* Called when entry of this type deleted. */
-        void (*destroy)(void *targinfo, unsigned int targinfosize);
-
-        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
-        struct module *me;
-};
-
-extern int arpt_register_target(struct arpt_target *target);
-extern void arpt_unregister_target(struct arpt_target *target);
-
-/* Furniture shopping... */
-struct arpt_table
-{
-        struct list_head list;
-
-        /* A unique name... */
-        char name[ARPT_TABLE_MAXNAMELEN];
-
-        /* What hooks you will enter on */
-        unsigned int valid_hooks;
-
-        /* Lock for the curtain */
-        rwlock_t lock;
-
-        /* Man behind the curtain... */
-        struct arpt_table_info *private;
-
-        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
-        struct module *me;
-};
+#define arpt_register_target(tgt) xt_register_target(NF_ARP, tgt)
+#define arpt_unregister_target(tgt) xt_unregister_target(NF_ARP, tgt)
 
 extern int arpt_register_table(struct arpt_table *table,
                                const struct arpt_replace *repl);
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index b3432ab59a17..215765f043e6 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -199,9 +199,6 @@ ip_conntrack_put(struct ip_conntrack *ct)
         nf_conntrack_put(&ct->ct_general);
 }
 
-/* call to create an explicit dependency on ip_conntrack. */
-extern void need_ip_conntrack(void);
-
 extern int invert_tuplepr(struct ip_conntrack_tuple *inverse,
                           const struct ip_conntrack_tuple *orig);
 
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index d19d65cf4530..76ba24b68515 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -25,8 +25,14 @@
 #include <linux/compiler.h>
 #include <linux/netfilter_ipv4.h>
 
-#define IPT_FUNCTION_MAXNAMELEN 30
-#define IPT_TABLE_MAXNAMELEN 32
+#include <linux/netfilter/x_tables.h>
+
+#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IPT_TABLE_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define ipt_match xt_match
+#define ipt_target xt_target
+#define ipt_table xt_table
+#define ipt_get_revision xt_get_revision
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ipt_ip {
@@ -102,10 +108,7 @@ struct ipt_standard_target
         int verdict;
 };
 
-struct ipt_counters
-{
-        u_int64_t pcnt, bcnt;                   /* Packet and byte counters */
-};
+#define ipt_counters xt_counters
 
 /* Values for "flag" field in struct ipt_ip (general ip structure). */
 #define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
@@ -119,7 +122,7 @@ struct ipt_counters
 #define IPT_INV_SRCIP           0x08    /* Invert the sense of SRC IP. */
 #define IPT_INV_DSTIP           0x10    /* Invert the sense of DST OP. */
 #define IPT_INV_FRAG            0x20    /* Invert the sense of FRAG. */
-#define IPT_INV_PROTO           0x40    /* Invert the sense of PROTO. */
+#define IPT_INV_PROTO           XT_INV_PROTO
 #define IPT_INV_MASK            0x7F    /* All possible flag bits mask. */
 
 /* This structure defines each of the firewall rules.  Consists of 3
@@ -141,7 +144,7 @@ struct ipt_entry
         unsigned int comefrom;
 
         /* Packet and byte counters. */
-        struct ipt_counters counters;
+        struct xt_counters counters;
 
         /* The matches (if any), then the target. */
         unsigned char elems[0];
@@ -151,54 +154,34 @@ struct ipt_entry
  * New IP firewall options for [gs]etsockopt at the RAW IP level.
  * Unlike BSD Linux inherits IP options so you don't have to use a raw
  * socket for this. Instead we check rights in the calls. */
-#define IPT_BASE_CTL            64      /* base for firewall socket options */
+#define IPT_BASE_CTL            XT_BASE_CTL
 
-#define IPT_SO_SET_REPLACE      (IPT_BASE_CTL)
-#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
-#define IPT_SO_SET_MAX          IPT_SO_SET_ADD_COUNTERS
+#define IPT_SO_SET_REPLACE      XT_SO_SET_REPLACE
+#define IPT_SO_SET_ADD_COUNTERS XT_SO_SET_ADD_COUNTERS
+#define IPT_SO_SET_MAX          XT_SO_SET_MAX
 
-#define IPT_SO_GET_INFO                 (IPT_BASE_CTL)
-#define IPT_SO_GET_ENTRIES              (IPT_BASE_CTL + 1)
-#define IPT_SO_GET_REVISION_MATCH       (IPT_BASE_CTL + 2)
-#define IPT_SO_GET_REVISION_TARGET      (IPT_BASE_CTL + 3)
-#define IPT_SO_GET_MAX                  IPT_SO_GET_REVISION_TARGET
+#define IPT_SO_GET_INFO                 XT_SO_GET_INFO
+#define IPT_SO_GET_ENTRIES              XT_SO_GET_ENTRIES
+#define IPT_SO_GET_REVISION_MATCH       XT_SO_GET_REVISION_MATCH
+#define IPT_SO_GET_REVISION_TARGET      XT_SO_GET_REVISION_TARGET
+#define IPT_SO_GET_MAX                  XT_SO_GET_REVISION_TARGET
 
-/* CONTINUE verdict for targets */
-#define IPT_CONTINUE 0xFFFFFFFF
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
 
-/* For standard target */
-#define IPT_RETURN (-NF_REPEAT - 1)
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
 
-/* TCP matching stuff */
-struct ipt_tcp
-{
-        u_int16_t spts[2];                      /* Source port range. */
-        u_int16_t dpts[2];                      /* Destination port range. */
-        u_int8_t option;                        /* TCP Option iff non-zero*/
-        u_int8_t flg_mask;                      /* TCP flags mask byte */
-        u_int8_t flg_cmp;                       /* TCP flags compare byte */
-        u_int8_t invflags;                      /* Inverse flags */
-};
-
-/* Values for "inv" field in struct ipt_tcp. */
-#define IPT_TCP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
-#define IPT_TCP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
-#define IPT_TCP_INV_FLAGS       0x04    /* Invert the sense of TCP flags. */
-#define IPT_TCP_INV_OPTION      0x08    /* Invert the sense of option test. */
-#define IPT_TCP_INV_MASK        0x0F    /* All possible flags. */
-
-/* UDP matching stuff */
-struct ipt_udp
-{
-        u_int16_t spts[2];                      /* Source port range. */
-        u_int16_t dpts[2];                      /* Destination port range. */
-        u_int8_t invflags;                      /* Inverse flags */
-};
+#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
 
-/* Values for "invflags" field in struct ipt_udp. */
-#define IPT_UDP_INV_SRCPT       0x01    /* Invert the sense of source ports. */
-#define IPT_UDP_INV_DSTPT       0x02    /* Invert the sense of dest ports. */
-#define IPT_UDP_INV_MASK        0x03    /* All possible flags. */
+#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
 
 /* ICMP matching stuff */
 struct ipt_icmp
@@ -260,23 +243,14 @@ struct ipt_replace
         /* Number of counters (must be equal to current number of entries). */
         unsigned int num_counters;
         /* The old entries' counters. */
-        struct ipt_counters __user *counters;
+        struct xt_counters __user *counters;
 
         /* The entries (hang off end: not really an array). */
         struct ipt_entry entries[0];
 };
 
 /* The argument to IPT_SO_ADD_COUNTERS. */
-struct ipt_counters_info
-{
-        /* Which table. */
-        char name[IPT_TABLE_MAXNAMELEN];
-
-        unsigned int num_counters;
-
-        /* The counters (actually `number' of these). */
-        struct ipt_counters counters[0];
-};
+#define ipt_counters_info xt_counters_info
 
 /* The argument to IPT_SO_GET_ENTRIES. */
 struct ipt_get_entries
@@ -291,19 +265,10 @@ struct ipt_get_entries
         struct ipt_entry entrytable[0];
 };
 
-/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
- * kernel supports, if >= revision. */
-struct ipt_get_revision
-{
-        char name[IPT_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-};
-
 /* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET ""
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
 /* Error verdict. */
-#define IPT_ERROR_TARGET "ERROR"
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
 
 /* Helper functions */
 static __inline__ struct ipt_entry_target *
@@ -356,103 +321,18 @@ ipt_get_target(struct ipt_entry *e)
 #include <linux/init.h>
 extern void ipt_init(void) __init;
 
-struct ipt_match
-{
-        struct list_head list;
-
-        const char name[IPT_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-
-        /* Return true or false: return FALSE and set *hotdrop = 1 to
-           force immediate packet drop. */
-        /* Arguments changed since 2.4, as this must now handle
-           non-linear skbs, using skb_copy_bits and
-           skb_ip_make_writable. */
-        int (*match)(const struct sk_buff *skb,
-                     const struct net_device *in,
-                     const struct net_device *out,
-                     const void *matchinfo,
-                     int offset,
-                     int *hotdrop);
-
-        /* Called when user tries to insert an entry of this type. */
-        /* Should return true or false. */
-        int (*checkentry)(const char *tablename,
-                          const struct ipt_ip *ip,
-                          void *matchinfo,
-                          unsigned int matchinfosize,
-                          unsigned int hook_mask);
-
-        /* Called when entry of this type deleted. */
-        void (*destroy)(void *matchinfo, unsigned int matchinfosize);
-
-        /* Set this to THIS_MODULE. */
-        struct module *me;
-};
-
-/* Registration hooks for targets. */
-struct ipt_target
-{
-        struct list_head list;
-
-        const char name[IPT_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-
-        /* Called when user tries to insert an entry of this type:
-           hook_mask is a bitmask of hooks from which it can be
-           called. */
-        /* Should return true or false. */
-        int (*checkentry)(const char *tablename,
-                          const struct ipt_entry *e,
-                          void *targinfo,
-                          unsigned int targinfosize,
-                          unsigned int hook_mask);
-
-        /* Called when entry of this type deleted. */
-        void (*destroy)(void *targinfo, unsigned int targinfosize);
-
-        /* Returns verdict.  Argument order changed since 2.4, as this
-           must now handle non-linear skbs, using skb_copy_bits and
-           skb_ip_make_writable. */
-        unsigned int (*target)(struct sk_buff **pskb,
-                               const struct net_device *in,
-                               const struct net_device *out,
-                               unsigned int hooknum,
-                               const void *targinfo,
-                               void *userdata);
-
-        /* Set this to THIS_MODULE. */
-        struct module *me;
-};
+#define ipt_register_target(tgt) xt_register_target(AF_INET, tgt)
+#define ipt_unregister_target(tgt) xt_unregister_target(AF_INET, tgt)
 
-extern int ipt_register_target(struct ipt_target *target);
-extern void ipt_unregister_target(struct ipt_target *target);
+#define ipt_register_match(mtch) xt_register_match(AF_INET, mtch)
+#define ipt_unregister_match(mtch) xt_unregister_match(AF_INET, mtch)
 
-extern int ipt_register_match(struct ipt_match *match);
-extern void ipt_unregister_match(struct ipt_match *match);
+//#define ipt_register_table(tbl, repl) xt_register_table(AF_INET, tbl, repl)
+//#define ipt_unregister_table(tbl) xt_unregister_table(AF_INET, tbl)
 
-/* Furniture shopping... */
-struct ipt_table
-{
-        struct list_head list;
-
-        /* A unique name... */
-        char name[IPT_TABLE_MAXNAMELEN];
-
-        /* What hooks you will enter on */
-        unsigned int valid_hooks;
-
-        /* Lock for the curtain */
-        rwlock_t lock;
-
-        /* Man behind the curtain... */
-        struct ipt_table_info *private;
-
-        /* Set to THIS_MODULE. */
-        struct module *me;
-};
+extern int ipt_register_table(struct ipt_table *table,
+                              const struct ipt_replace *repl);
+extern void ipt_unregister_table(struct ipt_table *table);
 
 /* net/sched/ipt.c: Gimme access to your targets!  Gets target->me. */
 extern struct ipt_target *ipt_find_target(const char *name, u8 revision);
@@ -476,9 +356,6 @@ struct ipt_error
         struct ipt_error_target target;
 };
 
-extern int ipt_register_table(struct ipt_table *table,
-                              const struct ipt_replace *repl);
-extern void ipt_unregister_table(struct ipt_table *table);
 extern unsigned int ipt_do_table(struct sk_buff **pskb,
                                  unsigned int hook,
                                  const struct net_device *in,
@@ -486,6 +363,6 @@ extern unsigned int ipt_do_table(struct sk_buff **pskb,
                                  struct ipt_table *table,
                                  void *userdata);
 
-#define IPT_ALIGN(s) (((s) + (__alignof__(struct ipt_entry)-1)) & ~(__alignof__(struct ipt_entry)-1))
+#define IPT_ALIGN(s) XT_ALIGN(s)
 #endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv4/ipt_CLASSIFY.h b/include/linux/netfilter_ipv4/ipt_CLASSIFY.h
index 7596e3dd00ca..a46d511b5c36 100644
--- a/include/linux/netfilter_ipv4/ipt_CLASSIFY.h
+++ b/include/linux/netfilter_ipv4/ipt_CLASSIFY.h
@@ -1,8 +1,7 @@
 #ifndef _IPT_CLASSIFY_H
 #define _IPT_CLASSIFY_H
 
-struct ipt_classify_target_info {
-        u_int32_t priority;
-};
+#include <linux/netfilter/xt_CLASSIFY.h>
+#define ipt_classify_target_info xt_classify_target_info
 
 #endif /*_IPT_CLASSIFY_H */
diff --git a/include/linux/netfilter_ipv4/ipt_CONNMARK.h b/include/linux/netfilter_ipv4/ipt_CONNMARK.h
index d3c02536fc4c..9ecfee0a9e33 100644
--- a/include/linux/netfilter_ipv4/ipt_CONNMARK.h
+++ b/include/linux/netfilter_ipv4/ipt_CONNMARK.h
@@ -9,17 +9,11 @@
  * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
  */
+#include <linux/netfilter/xt_CONNMARK.h>
+#define IPT_CONNMARK_SET        XT_CONNMARK_SET
+#define IPT_CONNMARK_SAVE       XT_CONNMARK_SAVE
+#define IPT_CONNMARK_RESTORE    XT_CONNMARK_RESTORE
 
-enum {
-        IPT_CONNMARK_SET = 0,
-        IPT_CONNMARK_SAVE,
-        IPT_CONNMARK_RESTORE
-};
-
-struct ipt_connmark_target_info {
-        unsigned long mark;
-        unsigned long mask;
-        u_int8_t mode;
-};
+#define ipt_connmark_target_info xt_connmark_target_info
 
 #endif /*_IPT_CONNMARK_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_MARK.h b/include/linux/netfilter_ipv4/ipt_MARK.h
index f47485790ed4..697a486a96d3 100644
--- a/include/linux/netfilter_ipv4/ipt_MARK.h
+++ b/include/linux/netfilter_ipv4/ipt_MARK.h
@@ -1,20 +1,18 @@
 #ifndef _IPT_MARK_H_target
 #define _IPT_MARK_H_target
 
+/* Backwards compatibility for old userspace */
+
+#include <linux/netfilter/xt_MARK.h>
+
 /* Version 0 */
-struct ipt_mark_target_info {
-        unsigned long mark;
-};
+#define ipt_mark_target_info xt_mark_target_info
 
 /* Version 1 */
-enum {
-        IPT_MARK_SET=0,
-        IPT_MARK_AND,
-        IPT_MARK_OR
-};
+#define IPT_MARK_SET    XT_MARK_SET
+#define IPT_MARK_AND    XT_MARK_AND
+#define IPT_MARK_OR     XT_MARK_OR
+
+#define ipt_mark_target_info_v1 xt_mark_target_info_v1
 
-struct ipt_mark_target_info_v1 {
-        unsigned long mark;
-        u_int8_t mode;
-};
 #endif /*_IPT_MARK_H_target*/
diff --git a/include/linux/netfilter_ipv4/ipt_NFQUEUE.h b/include/linux/netfilter_ipv4/ipt_NFQUEUE.h
index b5b2943b0c66..97a2a7557cb9 100644
--- a/include/linux/netfilter_ipv4/ipt_NFQUEUE.h
+++ b/include/linux/netfilter_ipv4/ipt_NFQUEUE.h
@@ -8,9 +8,9 @@
 #ifndef _IPT_NFQ_TARGET_H
 #define _IPT_NFQ_TARGET_H
 
-/* target info */
-struct ipt_NFQ_info {
-        u_int16_t queuenum;
-};
+/* Backwards compatibility for old userspace */
+#include <linux/netfilter/xt_NFQUEUE.h>
+
+#define ipt_NFQ_info xt_NFQ_info
 
 #endif /* _IPT_DSCP_TARGET_H */
diff --git a/include/linux/netfilter_ipv4/ipt_comment.h b/include/linux/netfilter_ipv4/ipt_comment.h
index 85c1123c29ce..ae2afc2f7481 100644
--- a/include/linux/netfilter_ipv4/ipt_comment.h
+++ b/include/linux/netfilter_ipv4/ipt_comment.h
@@ -1,10 +1,10 @@
 #ifndef _IPT_COMMENT_H
 #define _IPT_COMMENT_H
 
-#define IPT_MAX_COMMENT_LEN 256
+#include <linux/netfilter/xt_comment.h>
 
-struct ipt_comment_info {
-        unsigned char comment[IPT_MAX_COMMENT_LEN];
-};
+#define IPT_MAX_COMMENT_LEN XT_MAX_COMMENT_LEN
+
+#define ipt_comment_info xt_comment_info
 
 #endif /* _IPT_COMMENT_H */
diff --git a/include/linux/netfilter_ipv4/ipt_connbytes.h b/include/linux/netfilter_ipv4/ipt_connbytes.h
index 9e5532f8d8ac..b04dfa3083c9 100644
--- a/include/linux/netfilter_ipv4/ipt_connbytes.h
+++ b/include/linux/netfilter_ipv4/ipt_connbytes.h
@@ -1,25 +1,18 @@
 #ifndef _IPT_CONNBYTES_H
 #define _IPT_CONNBYTES_H
 
-enum ipt_connbytes_what {
-        IPT_CONNBYTES_PKTS,
-        IPT_CONNBYTES_BYTES,
-        IPT_CONNBYTES_AVGPKT,
-};
+#include <net/netfilter/xt_connbytes.h>
+#define ipt_connbytes_what xt_connbytes_what
 
-enum ipt_connbytes_direction {
-        IPT_CONNBYTES_DIR_ORIGINAL,
-        IPT_CONNBYTES_DIR_REPLY,
-        IPT_CONNBYTES_DIR_BOTH,
-};
+#define IPT_CONNBYTES_PKTS      XT_CONNBYTES_PACKETS
+#define IPT_CONNBYTES_BYTES     XT_CONNBYTES_BYTES
+#define IPT_CONNBYTES_AVGPKT    XT_CONNBYTES_AVGPKT
+
+#define ipt_connbytes_direction         xt_connbytes_direction
+#define IPT_CONNBYTES_DIR_ORIGINAL      XT_CONNBYTES_DIR_ORIGINAL
+#define IPT_CONNBYTES_DIR_REPLY         XT_CONNBYTES_DIR_REPLY
+#define IPT_CONNBYTES_DIR_BOTH          XT_CONNBYTES_DIR_BOTH
+
+#define ipt_connbytes_info xt_connbytes_info
 
-struct ipt_connbytes_info
-{
-        struct {
-                aligned_u64 from;       /* count to be matched */
-                aligned_u64 to;         /* count to be matched */
-        } count;
-        u_int8_t what;          /* ipt_connbytes_what */
-        u_int8_t direction;     /* ipt_connbytes_direction */
-};
 #endif
diff --git a/include/linux/netfilter_ipv4/ipt_connmark.h b/include/linux/netfilter_ipv4/ipt_connmark.h
index 46573270d9aa..c7ba6560d44c 100644
--- a/include/linux/netfilter_ipv4/ipt_connmark.h
+++ b/include/linux/netfilter_ipv4/ipt_connmark.h
@@ -1,18 +1,7 @@
 #ifndef _IPT_CONNMARK_H
 #define _IPT_CONNMARK_H
 
-/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- * by Henrik Nordstrom <hno@marasystems.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-
-struct ipt_connmark_info {
-        unsigned long mark, mask;
-        u_int8_t invert;
-};
+#include <linux/netfilter/xt_connmark.h>
+#define ipt_connmark_info xt_connmark_info
 
 #endif /*_IPT_CONNMARK_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_conntrack.h b/include/linux/netfilter_ipv4/ipt_conntrack.h
index 413c5658bd3a..cde6762949c5 100644
--- a/include/linux/netfilter_ipv4/ipt_conntrack.h
+++ b/include/linux/netfilter_ipv4/ipt_conntrack.h
@@ -5,56 +5,24 @@
 #ifndef _IPT_CONNTRACK_H
 #define _IPT_CONNTRACK_H
 
-#define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
-#define IPT_CONNTRACK_STATE_INVALID (1 << 0)
+#include <linux/netfilter/xt_conntrack.h>
 
-#define IPT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
-#define IPT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
-#define IPT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+#define IPT_CONNTRACK_STATE_BIT(ctinfo) XT_CONNTRACK_STATE_BIT(ctinfo)
+#define IPT_CONNTRACK_STATE_INVALID     XT_CONNTRACK_STATE_INVALID
 
-/* flags, invflags: */
-#define IPT_CONNTRACK_STATE     0x01
-#define IPT_CONNTRACK_PROTO     0x02
-#define IPT_CONNTRACK_ORIGSRC   0x04
-#define IPT_CONNTRACK_ORIGDST   0x08
-#define IPT_CONNTRACK_REPLSRC   0x10
-#define IPT_CONNTRACK_REPLDST   0x20
-#define IPT_CONNTRACK_STATUS    0x40
-#define IPT_CONNTRACK_EXPIRES   0x80
-
-/* This is exposed to userspace, so remains frozen in time. */
-struct ip_conntrack_old_tuple
-{
-        struct {
-                __u32 ip;
-                union {
-                        __u16 all;
-                } u;
-        } src;
-
-        struct {
-                __u32 ip;
-                union {
-                        __u16 all;
-                } u;
-
-                /* The protocol. */
-                u16 protonum;
-        } dst;
-};
+#define IPT_CONNTRACK_STATE_SNAT        XT_CONNTRACK_STATE_SNAT
+#define IPT_CONNTRACK_STATE_DNAT        XT_CONNTRACK_STATE_DNAT
+#define IPT_CONNTRACK_STATE_UNTRACKED   XT_CONNTRACK_STATE_UNTRACKED
 
-struct ipt_conntrack_info
-{
-        unsigned int statemask, statusmask;
-
-        struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
-        struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
-
-        unsigned long expires_min, expires_max;
-
-        /* Flags word */
-        u_int8_t flags;
-        /* Inverse flags */
-        u_int8_t invflags;
-};
+/* flags, invflags: */
+#define IPT_CONNTRACK_STATE             XT_CONNTRACK_STATE
+#define IPT_CONNTRACK_PROTO             XT_CONNTRACK_PROTO
+#define IPT_CONNTRACK_ORIGSRC           XT_CONNTRACK_ORIGSRC
+#define IPT_CONNTRACK_ORIGDST           XT_CONNTRACK_ORIGDST
+#define IPT_CONNTRACK_REPLSRC           XT_CONNTRACK_REPLSRC
+#define IPT_CONNTRACK_REPLDST           XT_CONNTRACK_REPLDST
+#define IPT_CONNTRACK_STATUS            XT_CONNTRACK_STATUS
+#define IPT_CONNTRACK_EXPIRES           XT_CONNTRACK_EXPIRES
+
+#define ipt_conntrack_info              xt_conntrack_info
 #endif /*_IPT_CONNTRACK_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_dccp.h b/include/linux/netfilter_ipv4/ipt_dccp.h
index 3cb3a522e62b..e70d11e1f53c 100644
--- a/include/linux/netfilter_ipv4/ipt_dccp.h
+++ b/include/linux/netfilter_ipv4/ipt_dccp.h
@@ -1,23 +1,15 @@
 #ifndef _IPT_DCCP_H_
 #define _IPT_DCCP_H_
 
-#define IPT_DCCP_SRC_PORTS              0x01
-#define IPT_DCCP_DEST_PORTS             0x02
-#define IPT_DCCP_TYPE                   0x04
-#define IPT_DCCP_OPTION                 0x08
+#include <linux/netfilter/xt_dccp.h>
+#define IPT_DCCP_SRC_PORTS      XT_DCCP_SRC_PORTS
+#define IPT_DCCP_DEST_PORTS     XT_DCCP_DEST_PORTS
+#define IPT_DCCP_TYPE           XT_DCCP_TYPE
+#define IPT_DCCP_OPTION         XT_DCCP_OPTION
 
-#define IPT_DCCP_VALID_FLAGS            0x0f
+#define IPT_DCCP_VALID_FLAGS    XT_DCCP_VALID_FLAGS
 
-struct ipt_dccp_info {
-        u_int16_t dpts[2];  /* Min, Max */
-        u_int16_t spts[2];  /* Min, Max */
-
-        u_int16_t flags;
-        u_int16_t invflags;
-
-        u_int16_t typemask;
-        u_int8_t option;
-};
+#define ipt_dccp_info xt_dccp_info
 
 #endif /* _IPT_DCCP_H_ */
 
diff --git a/include/linux/netfilter_ipv4/ipt_helper.h b/include/linux/netfilter_ipv4/ipt_helper.h
index 6f12ecb8c93d..80452c218551 100644
--- a/include/linux/netfilter_ipv4/ipt_helper.h
+++ b/include/linux/netfilter_ipv4/ipt_helper.h
@@ -1,8 +1,7 @@
 #ifndef _IPT_HELPER_H
 #define _IPT_HELPER_H
 
-struct ipt_helper_info {
-        int invert;
-        char name[30];
-};
+#include <linux/netfilter/xt_helper.h>
+#define ipt_helper_info xt_helper_info
+
 #endif /* _IPT_HELPER_H */
diff --git a/include/linux/netfilter_ipv4/ipt_length.h b/include/linux/netfilter_ipv4/ipt_length.h
index 6e0885229615..9b45206ffcef 100644
--- a/include/linux/netfilter_ipv4/ipt_length.h
+++ b/include/linux/netfilter_ipv4/ipt_length.h
@@ -1,9 +1,7 @@
 #ifndef _IPT_LENGTH_H
 #define _IPT_LENGTH_H
 
-struct ipt_length_info {
-    u_int16_t   min, max;
-    u_int8_t    invert;
-};
+#include <linux/netfilter/xt_length.h>
+#define ipt_length_info xt_length_info
 
 #endif /*_IPT_LENGTH_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_limit.h b/include/linux/netfilter_ipv4/ipt_limit.h
index 256453409e21..92f5cd07bbc4 100644
--- a/include/linux/netfilter_ipv4/ipt_limit.h
+++ b/include/linux/netfilter_ipv4/ipt_limit.h
@@ -1,21 +1,8 @@
 #ifndef _IPT_RATE_H
 #define _IPT_RATE_H
 
-/* timings are in milliseconds. */
-#define IPT_LIMIT_SCALE 10000
+#include <linux/netfilter/xt_limit.h>
+#define IPT_LIMIT_SCALE XT_LIMIT_SCALE
+#define ipt_rateinfo xt_rateinfo
 
-/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
-   seconds, or one every 59 hours. */
-struct ipt_rateinfo {
-        u_int32_t avg;    /* Average secs between packets * scale */
-        u_int32_t burst;  /* Period multiplier for upper limit. */
-
-        /* Used internally by the kernel */
-        unsigned long prev;
-        u_int32_t credit;
-        u_int32_t credit_cap, cost;
-
-        /* Ugly, ugly fucker. */
-        struct ipt_rateinfo *master;
-};
 #endif /*_IPT_RATE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_mac.h b/include/linux/netfilter_ipv4/ipt_mac.h
index f8d5b8e7ccdb..b186008a3c47 100644
--- a/include/linux/netfilter_ipv4/ipt_mac.h
+++ b/include/linux/netfilter_ipv4/ipt_mac.h
@@ -1,8 +1,7 @@
 #ifndef _IPT_MAC_H
 #define _IPT_MAC_H
 
-struct ipt_mac_info {
-    unsigned char srcaddr[ETH_ALEN];
-    int invert;
-};
+#include <linux/netfilter/xt_mac.h>
+#define ipt_mac_info xt_mac_info
+
 #endif /*_IPT_MAC_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_mark.h b/include/linux/netfilter_ipv4/ipt_mark.h
index f3952b563d4c..bfde67c61224 100644
--- a/include/linux/netfilter_ipv4/ipt_mark.h
+++ b/include/linux/netfilter_ipv4/ipt_mark.h
@@ -1,9 +1,9 @@
 #ifndef _IPT_MARK_H
 #define _IPT_MARK_H
 
-struct ipt_mark_info {
-    unsigned long mark, mask;
-    u_int8_t invert;
-};
+/* Backwards compatibility for old userspace */
+#include <linux/netfilter/xt_mark.h>
+
+#define ipt_mark_info xt_mark_info
 
 #endif /*_IPT_MARK_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_physdev.h b/include/linux/netfilter_ipv4/ipt_physdev.h
index 7538c8655ec0..2400e7140f26 100644
--- a/include/linux/netfilter_ipv4/ipt_physdev.h
+++ b/include/linux/netfilter_ipv4/ipt_physdev.h
@@ -1,24 +1,17 @@
 #ifndef _IPT_PHYSDEV_H
 #define _IPT_PHYSDEV_H
 
-#ifdef __KERNEL__
-#include <linux/if.h>
-#endif
+/* Backwards compatibility for old userspace */
 
-#define IPT_PHYSDEV_OP_IN               0x01
-#define IPT_PHYSDEV_OP_OUT              0x02
-#define IPT_PHYSDEV_OP_BRIDGED          0x04
-#define IPT_PHYSDEV_OP_ISIN             0x08
-#define IPT_PHYSDEV_OP_ISOUT            0x10
-#define IPT_PHYSDEV_OP_MASK             (0x20 - 1)
+#include <linux/netfilter/xt_physdev.h>
 
-struct ipt_physdev_info {
-        char physindev[IFNAMSIZ];
-        char in_mask[IFNAMSIZ];
-        char physoutdev[IFNAMSIZ];
-        char out_mask[IFNAMSIZ];
-        u_int8_t invert;
-        u_int8_t bitmask;
-};
+#define IPT_PHYSDEV_OP_IN               XT_PHYSDEV_OP_IN
+#define IPT_PHYSDEV_OP_OUT              XT_PHYSDEV_OP_OUT
+#define IPT_PHYSDEV_OP_BRIDGED          XT_PHYSDEV_OP_BRIDGED
+#define IPT_PHYSDEV_OP_ISIN             XT_PHYSDEV_OP_ISIN
+#define IPT_PHYSDEV_OP_ISOUT            XT_PHYSDEV_OP_ISOUT
+#define IPT_PHYSDEV_OP_MASK             XT_PHYSDEV_OP_MASK
+
+#define ipt_physdev_info xt_physdev_info
 
 #endif /*_IPT_PHYSDEV_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_pkttype.h b/include/linux/netfilter_ipv4/ipt_pkttype.h
index d53a65848683..ff1fbc949a0c 100644
--- a/include/linux/netfilter_ipv4/ipt_pkttype.h
+++ b/include/linux/netfilter_ipv4/ipt_pkttype.h
@@ -1,8 +1,7 @@
 #ifndef _IPT_PKTTYPE_H
 #define _IPT_PKTTYPE_H
 
-struct ipt_pkttype_info {
-        int     pkttype;
-        int     invert;
-};
+#include <linux/netfilter/xt_pkttype.h>
+#define ipt_pkttype_info xt_pkttype_info
+
 #endif /*_IPT_PKTTYPE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_realm.h b/include/linux/netfilter_ipv4/ipt_realm.h
index a4d6698723ac..b3996eaa0188 100644
--- a/include/linux/netfilter_ipv4/ipt_realm.h
+++ b/include/linux/netfilter_ipv4/ipt_realm.h
@@ -1,10 +1,7 @@
 #ifndef _IPT_REALM_H
 #define _IPT_REALM_H
 
-struct ipt_realm_info {
-        u_int32_t id;
-        u_int32_t mask;
-        u_int8_t invert;
-};
+#include <linux/netfilter/xt_realm.h>
+#define ipt_realm_info xt_realm_info
 
 #endif /* _IPT_REALM_H */
diff --git a/include/linux/netfilter_ipv4/ipt_state.h b/include/linux/netfilter_ipv4/ipt_state.h
index 5df37868933d..a44a99cc28cc 100644
--- a/include/linux/netfilter_ipv4/ipt_state.h
+++ b/include/linux/netfilter_ipv4/ipt_state.h
@@ -1,13 +1,15 @@
 #ifndef _IPT_STATE_H
 #define _IPT_STATE_H
 
-#define IPT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
-#define IPT_STATE_INVALID (1 << 0)
+/* Backwards compatibility for old userspace */
 
-#define IPT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+#include <linux/netfilter/xt_state.h>
+
+#define IPT_STATE_BIT           XT_STATE_BIT
+#define IPT_STATE_INVALID       XT_STATE_INVALID
+
+#define IPT_STATE_UNTRACKED     XT_STATE_UNTRACKED
+
+#define ipt_state_info          xt_state_info
 
-struct ipt_state_info
-{
-        unsigned int statemask;
-};
 #endif /*_IPT_STATE_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_string.h b/include/linux/netfilter_ipv4/ipt_string.h
index a265f6e44eab..c26de3059903 100644
--- a/include/linux/netfilter_ipv4/ipt_string.h
+++ b/include/linux/netfilter_ipv4/ipt_string.h
@@ -1,18 +1,10 @@
 #ifndef _IPT_STRING_H
 #define _IPT_STRING_H
 
-#define IPT_STRING_MAX_PATTERN_SIZE 128
-#define IPT_STRING_MAX_ALGO_NAME_SIZE 16
+#include <linux/netfilter/xt_string.h>
 
-struct ipt_string_info
-{
-        u_int16_t from_offset;
-        u_int16_t to_offset;
-        char      algo[IPT_STRING_MAX_ALGO_NAME_SIZE];
-        char      pattern[IPT_STRING_MAX_PATTERN_SIZE];
-        u_int8_t  patlen;
-        u_int8_t  invert;
-        struct ts_config __attribute__((aligned(8))) *config;
-};
+#define IPT_STRING_MAX_PATTERN_SIZE XT_STRING_MAX_PATTERN_SIZE
+#define IPT_STRING_MAX_ALGO_NAME_SIZE XT_STRING_MAX_ALGO_NAME_SIZE
+#define ipt_string_info xt_string_info
 
 #endif /*_IPT_STRING_H*/
diff --git a/include/linux/netfilter_ipv4/ipt_tcpmss.h b/include/linux/netfilter_ipv4/ipt_tcpmss.h
index e2b14397f701..18bbc8e8e009 100644
--- a/include/linux/netfilter_ipv4/ipt_tcpmss.h
+++ b/include/linux/netfilter_ipv4/ipt_tcpmss.h
@@ -1,9 +1,7 @@
 #ifndef _IPT_TCPMSS_MATCH_H
 #define _IPT_TCPMSS_MATCH_H
 
-struct ipt_tcpmss_match_info {
-    u_int16_t mss_min, mss_max;
-    u_int8_t invert;
-};
+#include <linux/netfilter/xt_tcpmss.h>
+#define ipt_tcpmss_match_info xt_tcpmss_match_info
 
 #endif /*_IPT_TCPMSS_MATCH_H*/
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index c163ba31aab7..f249b574f0fa 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -25,8 +25,15 @@
 #include <linux/compiler.h>
 #include <linux/netfilter_ipv6.h>
 
-#define IP6T_FUNCTION_MAXNAMELEN 30
-#define IP6T_TABLE_MAXNAMELEN 32
+#include <linux/netfilter/x_tables.h>
+
+#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+
+#define ip6t_match xt_match
+#define ip6t_target xt_target
+#define ip6t_table xt_table
+#define ip6t_get_revision xt_get_revision
 
 /* Yes, Virginia, you have to zero the padding. */
 struct ip6t_ip6 {
@@ -104,10 +111,7 @@ struct ip6t_standard_target
         int verdict;
 };
 
-struct ip6t_counters
-{
-        u_int64_t pcnt, bcnt;                   /* Packet and byte counters */
-};
+#define ip6t_counters   xt_counters
 
 /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
 #define IP6T_F_PROTO            0x01    /* Set if rule cares about upper 
@@ -123,7 +127,7 @@ struct ip6t_counters
 #define IP6T_INV_SRCIP          0x08    /* Invert the sense of SRC IP. */
 #define IP6T_INV_DSTIP          0x10    /* Invert the sense of DST OP. */
 #define IP6T_INV_FRAG           0x20    /* Invert the sense of FRAG. */
-#define IP6T_INV_PROTO          0x40    /* Invert the sense of PROTO. */
+#define IP6T_INV_PROTO          XT_INV_PROTO
 #define IP6T_INV_MASK           0x7F    /* All possible flag bits mask. */
 
 /* This structure defines each of the firewall rules.  Consists of 3
@@ -145,7 +149,7 @@ struct ip6t_entry
         unsigned int comefrom;
 
         /* Packet and byte counters. */
-        struct ip6t_counters counters;
+        struct xt_counters counters;
 
         /* The matches (if any), then the target. */
         unsigned char elems[0];
@@ -155,54 +159,41 @@ struct ip6t_entry
  * New IP firewall options for [gs]etsockopt at the RAW IP level.
  * Unlike BSD Linux inherits IP options so you don't have to use
  * a raw socket for this. Instead we check rights in the calls. */
-#define IP6T_BASE_CTL                   64      /* base for firewall socket options */
+#define IP6T_BASE_CTL                   XT_BASE_CTL
 
-#define IP6T_SO_SET_REPLACE             (IP6T_BASE_CTL)
-#define IP6T_SO_SET_ADD_COUNTERS        (IP6T_BASE_CTL + 1)
-#define IP6T_SO_SET_MAX                 IP6T_SO_SET_ADD_COUNTERS
+#define IP6T_SO_SET_REPLACE             XT_SO_SET_REPLACE
+#define IP6T_SO_SET_ADD_COUNTERS        XT_SO_SET_ADD_COUNTERS
+#define IP6T_SO_SET_MAX                 XT_SO_SET_MAX
 
-#define IP6T_SO_GET_INFO                (IP6T_BASE_CTL)
-#define IP6T_SO_GET_ENTRIES             (IP6T_BASE_CTL + 1)
-#define IP6T_SO_GET_REVISION_MATCH      (IP6T_BASE_CTL + 2)
-#define IP6T_SO_GET_REVISION_TARGET     (IP6T_BASE_CTL + 3)
-#define IP6T_SO_GET_MAX                 IP6T_SO_GET_REVISION_TARGET
+#define IP6T_SO_GET_INFO                XT_SO_GET_INFO
+#define IP6T_SO_GET_ENTRIES             XT_SO_GET_ENTRIES
+#define IP6T_SO_GET_REVISION_MATCH      XT_SO_GET_REVISION_MATCH
+#define IP6T_SO_GET_REVISION_TARGET     XT_SO_GET_REVISION_TARGET
+#define IP6T_SO_GET_MAX                 XT_SO_GET_REVISION_TARGET
 
 /* CONTINUE verdict for targets */
-#define IP6T_CONTINUE 0xFFFFFFFF
+#define IP6T_CONTINUE XT_CONTINUE
 
 /* For standard target */
-#define IP6T_RETURN (-NF_REPEAT - 1)
+#define IP6T_RETURN XT_RETURN
 
-/* TCP matching stuff */
-struct ip6t_tcp
-{
-        u_int16_t spts[2];                      /* Source port range. */
-        u_int16_t dpts[2];                      /* Destination port range. */
-        u_int8_t option;                        /* TCP Option iff non-zero*/
-        u_int8_t flg_mask;                      /* TCP flags mask byte */
-        u_int8_t flg_cmp;                       /* TCP flags compare byte */
-        u_int8_t invflags;                      /* Inverse flags */
-};
+/* TCP/UDP matching stuff */
+#include <linux/netfilter/xt_tcpudp.h>
+
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
 
 /* Values for "inv" field in struct ipt_tcp. */
-#define IP6T_TCP_INV_SRCPT      0x01    /* Invert the sense of source ports. */
-#define IP6T_TCP_INV_DSTPT      0x02    /* Invert the sense of dest ports. */
-#define IP6T_TCP_INV_FLAGS      0x04    /* Invert the sense of TCP flags. */
-#define IP6T_TCP_INV_OPTION     0x08    /* Invert the sense of option test. */
-#define IP6T_TCP_INV_MASK       0x0F    /* All possible flags. */
-
-/* UDP matching stuff */
-struct ip6t_udp
-{
-        u_int16_t spts[2];                      /* Source port range. */
-        u_int16_t dpts[2];                      /* Destination port range. */
-        u_int8_t invflags;                      /* Inverse flags */
-};
+#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
 
 /* Values for "invflags" field in struct ipt_udp. */
-#define IP6T_UDP_INV_SRCPT      0x01    /* Invert the sense of source ports. */
-#define IP6T_UDP_INV_DSTPT      0x02    /* Invert the sense of dest ports. */
-#define IP6T_UDP_INV_MASK       0x03    /* All possible flags. */
+#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
 
 /* ICMP matching stuff */
 struct ip6t_icmp
@@ -264,23 +255,14 @@ struct ip6t_replace
         /* Number of counters (must be equal to current number of entries). */
         unsigned int num_counters;
         /* The old entries' counters. */
-        struct ip6t_counters __user *counters;
+        struct xt_counters __user *counters;
 
         /* The entries (hang off end: not really an array). */
         struct ip6t_entry entries[0];
 };
 
 /* The argument to IP6T_SO_ADD_COUNTERS. */
-struct ip6t_counters_info
-{
-        /* Which table. */
-        char name[IP6T_TABLE_MAXNAMELEN];
-
-        unsigned int num_counters;
-
-        /* The counters (actually `number' of these). */
-        struct ip6t_counters counters[0];
-};
+#define ip6t_counters_info xt_counters_info
 
 /* The argument to IP6T_SO_GET_ENTRIES. */
 struct ip6t_get_entries
@@ -295,19 +277,10 @@ struct ip6t_get_entries
         struct ip6t_entry entrytable[0];
 };
 
-/* The argument to IP6T_SO_GET_REVISION_*.  Returns highest revision
- * kernel supports, if >= revision. */
-struct ip6t_get_revision
-{
-        char name[IP6T_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-};
-
 /* Standard return verdict, or do jump. */
-#define IP6T_STANDARD_TARGET ""
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
 /* Error verdict. */
-#define IP6T_ERROR_TARGET "ERROR"
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
 
 /* Helper functions */
 static __inline__ struct ip6t_entry_target *
@@ -361,104 +334,11 @@ ip6t_get_target(struct ip6t_entry *e)
 #include <linux/init.h>
 extern void ip6t_init(void) __init;
 
-struct ip6t_match
-{
-        struct list_head list;
-
-        const char name[IP6T_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-
-        /* Return true or false: return FALSE and set *hotdrop = 1 to
-           force immediate packet drop. */
-        /* Arguments changed since 2.6.9, as this must now handle
-           non-linear skb, using skb_header_pointer and
-           skb_ip_make_writable. */
-        int (*match)(const struct sk_buff *skb,
-                     const struct net_device *in,
-                     const struct net_device *out,
-                     const void *matchinfo,
-                     int offset,
-                     unsigned int protoff,
-                     int *hotdrop);
-
-        /* Called when user tries to insert an entry of this type. */
-        /* Should return true or false. */
-        int (*checkentry)(const char *tablename,
-                          const struct ip6t_ip6 *ip,
-                          void *matchinfo,
-                          unsigned int matchinfosize,
-                          unsigned int hook_mask);
-
-        /* Called when entry of this type deleted. */
-        void (*destroy)(void *matchinfo, unsigned int matchinfosize);
-
-        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
-        struct module *me;
-};
-
-/* Registration hooks for targets. */
-struct ip6t_target
-{
-        struct list_head list;
-
-        const char name[IP6T_FUNCTION_MAXNAMELEN-1];
-
-        u_int8_t revision;
-
-        /* Returns verdict. Argument order changed since 2.6.9, as this
-           must now handle non-linear skbs, using skb_copy_bits and
-           skb_ip_make_writable. */
-        unsigned int (*target)(struct sk_buff **pskb,
-                               const struct net_device *in,
-                               const struct net_device *out,
-                               unsigned int hooknum,
-                               const void *targinfo,
-                               void *userdata);
-
-        /* Called when user tries to insert an entry of this type:
-           hook_mask is a bitmask of hooks from which it can be
-           called. */
-        /* Should return true or false. */
-        int (*checkentry)(const char *tablename,
-                          const struct ip6t_entry *e,
-                          void *targinfo,
-                          unsigned int targinfosize,
-                          unsigned int hook_mask);
-
-        /* Called when entry of this type deleted. */
-        void (*destroy)(void *targinfo, unsigned int targinfosize);
-
-        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
-        struct module *me;
-};
-
-extern int ip6t_register_target(struct ip6t_target *target);
-extern void ip6t_unregister_target(struct ip6t_target *target);
-
-extern int ip6t_register_match(struct ip6t_match *match);
-extern void ip6t_unregister_match(struct ip6t_match *match);
+#define ip6t_register_target(tgt) xt_register_target(AF_INET6, tgt)
+#define ip6t_unregister_target(tgt) xt_unregister_target(AF_INET6, tgt)
 
-/* Furniture shopping... */
-struct ip6t_table
-{
-        struct list_head list;
-
-        /* A unique name... */
-        char name[IP6T_TABLE_MAXNAMELEN];
-
-        /* What hooks you will enter on */
-        unsigned int valid_hooks;
-
-        /* Lock for the curtain */
-        rwlock_t lock;
-
-        /* Man behind the curtain... */
-        struct ip6t_table_info *private;
-
-        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
-        struct module *me;
-};
+#define ip6t_register_match(match) xt_register_match(AF_INET6, match)
+#define ip6t_unregister_match(match) xt_unregister_match(AF_INET6, match)
 
 extern int ip6t_register_table(struct ip6t_table *table,
                                const struct ip6t_replace *repl);
diff --git a/include/linux/netfilter_ipv6/ip6t_MARK.h b/include/linux/netfilter_ipv6/ip6t_MARK.h
index 7ade8d8f5246..7cf629a8ab92 100644
--- a/include/linux/netfilter_ipv6/ip6t_MARK.h
+++ b/include/linux/netfilter_ipv6/ip6t_MARK.h
@@ -1,8 +1,9 @@
 #ifndef _IP6T_MARK_H_target
 #define _IP6T_MARK_H_target
 
-struct ip6t_mark_target_info {
-        unsigned long mark;
-};
+/* Backwards compatibility for old userspace */
+#include <linux/netfilter/xt_MARK.h>
 
-#endif /*_IPT_MARK_H_target*/
+#define ip6t_mark_target_info xt_mark_target_info
+
+#endif /*_IP6T_MARK_H_target*/
diff --git a/include/linux/netfilter_ipv6/ip6t_length.h b/include/linux/netfilter_ipv6/ip6t_length.h
index 7fc09f9f9d63..9e9689d03ed7 100644
--- a/include/linux/netfilter_ipv6/ip6t_length.h
+++ b/include/linux/netfilter_ipv6/ip6t_length.h
@@ -1,10 +1,8 @@
 #ifndef _IP6T_LENGTH_H
 #define _IP6T_LENGTH_H
 
-struct ip6t_length_info {
-        u_int16_t  min, max;
-        u_int8_t   invert;
-};
+#include <linux/netfilter/xt_length.h>
+#define ip6t_length_info xt_length_info
 
 #endif /*_IP6T_LENGTH_H*/
         
diff --git a/include/linux/netfilter_ipv6/ip6t_limit.h b/include/linux/netfilter_ipv6/ip6t_limit.h
index f2866e50f3b4..487e5ea342c6 100644
--- a/include/linux/netfilter_ipv6/ip6t_limit.h
+++ b/include/linux/netfilter_ipv6/ip6t_limit.h
@@ -1,21 +1,8 @@
 #ifndef _IP6T_RATE_H
 #define _IP6T_RATE_H
 
-/* timings are in milliseconds. */
-#define IP6T_LIMIT_SCALE 10000
+#include <linux/netfilter/xt_limit.h>
+#define IP6T_LIMIT_SCALE XT_LIMIT_SCALE
+#define ip6t_rateinfo xt_rateinfo
 
-/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
-   seconds, or one every 59 hours. */
-struct ip6t_rateinfo {
-        u_int32_t avg;    /* Average secs between packets * scale */
-        u_int32_t burst;  /* Period multiplier for upper limit. */
-
-        /* Used internally by the kernel */
-        unsigned long prev;
-        u_int32_t credit;
-        u_int32_t credit_cap, cost;
-
-        /* Ugly, ugly fucker. */
-        struct ip6t_rateinfo *master;
-};
-#endif /*_IPT_RATE_H*/
+#endif /*_IP6T_RATE_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_mac.h b/include/linux/netfilter_ipv6/ip6t_mac.h
index 87c088c21848..ac58e83e9423 100644
--- a/include/linux/netfilter_ipv6/ip6t_mac.h
+++ b/include/linux/netfilter_ipv6/ip6t_mac.h
@@ -1,8 +1,7 @@
 #ifndef _IP6T_MAC_H
 #define _IP6T_MAC_H
 
-struct ip6t_mac_info {
-    unsigned char srcaddr[ETH_ALEN];
-    int invert;
-};
-#endif /*_IPT_MAC_H*/
+#include <linux/netfilter/xt_mac.h>
+#define ip6t_mac_info xt_mac_info
+
+#endif /*_IP6T_MAC_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_mark.h b/include/linux/netfilter_ipv6/ip6t_mark.h
index a734441e1c19..ff204951ddc3 100644
--- a/include/linux/netfilter_ipv6/ip6t_mark.h
+++ b/include/linux/netfilter_ipv6/ip6t_mark.h
@@ -1,9 +1,9 @@
 #ifndef _IP6T_MARK_H
 #define _IP6T_MARK_H
 
-struct ip6t_mark_info {
-    unsigned long mark, mask;
-    u_int8_t invert;
-};
+/* Backwards compatibility for old userspace */
+#include <linux/netfilter/xt_mark.h>
+
+#define ip6t_mark_info xt_mark_info
 
 #endif /*_IPT_MARK_H*/
diff --git a/include/linux/netfilter_ipv6/ip6t_physdev.h b/include/linux/netfilter_ipv6/ip6t_physdev.h
index c234731cd66b..c161c0a81b55 100644
--- a/include/linux/netfilter_ipv6/ip6t_physdev.h
+++ b/include/linux/netfilter_ipv6/ip6t_physdev.h
@@ -1,24 +1,17 @@
 #ifndef _IP6T_PHYSDEV_H
 #define _IP6T_PHYSDEV_H
 
-#ifdef __KERNEL__
-#include <linux/if.h>
-#endif
+/* Backwards compatibility for old userspace */
 
-#define IP6T_PHYSDEV_OP_IN              0x01
-#define IP6T_PHYSDEV_OP_OUT             0x02
-#define IP6T_PHYSDEV_OP_BRIDGED         0x04
-#define IP6T_PHYSDEV_OP_ISIN            0x08
-#define IP6T_PHYSDEV_OP_ISOUT           0x10
-#define IP6T_PHYSDEV_OP_MASK            (0x20 - 1)
+#include <linux/netfilter/xt_physdev.h>
 
-struct ip6t_physdev_info {
-        char physindev[IFNAMSIZ];
-        char in_mask[IFNAMSIZ];
-        char physoutdev[IFNAMSIZ];
-        char out_mask[IFNAMSIZ];
-        u_int8_t invert;
-        u_int8_t bitmask;
-};
+#define IP6T_PHYSDEV_OP_IN              XT_PHYSDEV_OP_IN
+#define IP6T_PHYSDEV_OP_OUT             XT_PHYSDEV_OP_OUT
+#define IP6T_PHYSDEV_OP_BRIDGED         XT_PHYSDEV_OP_BRIDGED
+#define IP6T_PHYSDEV_OP_ISIN            XT_PHYSDEV_OP_ISIN
+#define IP6T_PHYSDEV_OP_ISOUT           XT_PHYSDEV_OP_ISOUT
+#define IP6T_PHYSDEV_OP_MASK            XT_PHYSDEV_OP_MASK
+
+#define ip6t_physdev_info xt_physdev_info
 
 #endif /*_IP6T_PHYSDEV_H*/