Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking updates from David Miller: 1) UAPI changes for networking from David Howells 2) A netlink dump is an operation we can sleep within, and therefore we need to make sure the dump provider module doesn't disappear on us meanwhile. Fix from Gao Feng. 3) Now that tunnels support GRO, we have to be more careful in skb_gro_reset_offset() otherwise we OOPS, from Eric Dumazet. 4) We can end up processing packets for VLANs we aren't actually configured to be on, fix from Florian Zumbiehl. 5) Fix routing cache removal regression in redirects and IPVS. The core issue on the IPVS side is that it wants to rewrite who the nexthop is and we have to explicitly accomodate that case. From Julian Anastasov. 6) Error code return fixes all over the networking drivers from Peter Senna Tschudin. 7) Fix routing cache removal regressions in IPSEC, from Steffen Klassert. 8) Fix deadlock in RDS during pings, from Jeff Liu. 9) Neighbour packet queue can trigger skb_under_panic() because we do not reset the network header of the SKB in the right spot. From Ramesh Nagappa. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (61 commits) RDS: fix rds-ping spinlock recursion netdev/phy: Prototype of_mdio_find_bus() farsync: fix support for over 30 cards be2net: Remove code that stops further access to BE NIC based on UE bits pch_gbe: Fix build error by selecting all the possible dependencies. e1000e: add device IDs for i218 ixgbe/ixgbevf: Limit maximum jumbo frame size to 9.5K to avoid Tx hangs ixgbevf: Set the netdev number of Tx queues UAPI: (Scripted) Disintegrate include/linux/tc_ematch UAPI: (Scripted) Disintegrate include/linux/tc_act UAPI: (Scripted) Disintegrate include/linux/netfilter_ipv6 UAPI: (Scripted) Disintegrate include/linux/netfilter_ipv4 UAPI: (Scripted) Disintegrate include/linux/netfilter_bridge UAPI: (Scripted) Disintegrate include/linux/netfilter_arp UAPI: (Scripted) Disintegrate include/linux/netfilter/ipset UAPI: (Scripted) Disintegrate include/linux/netfilter UAPI: (Scripted) Disintegrate include/linux/isdn UAPI: (Scripted) Disintegrate include/linux/caif net: fix typo in freescale/ucc_geth.c vxlan: fix more sparse warnings ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-09 22:12:54 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2012-10-09 22:12:54 -0400
commit: aac2b1f5747ea34696d0da5bdc4d8247aa6437af (patch)
tree: 8fc8499aad6a28b044c9bdab3f920f64a98460c1 /include
parent: 23d5385f382a7c7d8b6bf19b0c2cfb3acbb12d31 (diff)
parent: 5175a5e76bbdf20a614fb47ce7a38f0f39e70226 (diff)
180 files changed, 2063 insertions, 1958 deletions
diff --git a/include/linux/caif/Kbuild b/include/linux/caif/Kbuild
index a9cf250689dc..e69de29bb2d1 100644
--- a/include/linux/caif/Kbuild
+++ b/include/linux/caif/Kbuild
@@ -1,2 +0,0 @@
-header-y += caif_socket.h
-header-y += if_caif.h
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index e6ff12dd717b..c0ff748d0aa5 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -80,6 +80,8 @@ static inline int is_vlan_dev(struct net_device *dev)
 }
 #define vlan_tx_tag_present(__skb)      ((__skb)->vlan_tci & VLAN_TAG_PRESENT)
+#define vlan_tx_nonzero_tag_present(__skb) \
+        (vlan_tx_tag_present(__skb) && ((__skb)->vlan_tci & VLAN_VID_MASK))
 #define vlan_tx_tag_get(__skb)          ((__skb)->vlan_tci & ~VLAN_TAG_PRESENT)
 #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
@@ -89,7 +91,7 @@ extern struct net_device *__vlan_find_dev_deep(struct net_device *real_dev,
 extern struct net_device *vlan_dev_real_dev(const struct net_device *dev);
 extern u16 vlan_dev_vlan_id(const struct net_device *dev);
-extern bool vlan_do_receive(struct sk_buff **skb, bool last_handler);
+extern bool vlan_do_receive(struct sk_buff **skb);
 extern struct sk_buff *vlan_untag(struct sk_buff *skb);
 extern int vlan_vid_add(struct net_device *dev, unsigned short vid);
@@ -120,10 +122,8 @@ static inline u16 vlan_dev_vlan_id(const struct net_device *dev)
        return 0;
 }
-static inline bool vlan_do_receive(struct sk_buff **skb, bool last_handler)
+static inline bool vlan_do_receive(struct sk_buff **skb)
 {
-        if (((*skb)->vlan_tci & VLAN_VID_MASK) && last_handler)
-                (*skb)->pkt_type = PACKET_OTHERHOST;
        return false;
 }
diff --git a/include/linux/isdn/Kbuild b/include/linux/isdn/Kbuild
index 991cdb29ab2e..e69de29bb2d1 100644
--- a/include/linux/isdn/Kbuild
+++ b/include/linux/isdn/Kbuild
@@ -1 +0,0 @@
-header-y += capicmd.h
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 01646aa53b0e..561c8bc8976d 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1497,19 +1497,25 @@ struct napi_gro_cb {
        /* This indicates where we are processing relative to skb->data. */
        int data_offset;
-        /* This is non-zero if the packet may be of the same flow. */
-        int same_flow;
        /* This is non-zero if the packet cannot be merged with the new skb. */
        int flush;
        /* Number of segments aggregated. */
-        int count;
+        u16     count;
+        /* This is non-zero if the packet may be of the same flow. */
+        u8      same_flow;
        /* Free the skb? */
-        int free;
+        u8      free;
 #define NAPI_GRO_FREE             1
 #define NAPI_GRO_FREE_STOLEN_HEAD 2
+        /* jiffies when first packet was created/queued */
+        unsigned long age;
+        /* Used in ipv6_gro_receive() */
+        int     proto;
 };
 #define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb)
@@ -1663,7 +1669,6 @@ extern int		netpoll_trap(void);
 #endif
 extern int             skb_gro_receive(struct sk_buff **head,
                                       struct sk_buff *skb);
-extern void            skb_gro_reset_offset(struct sk_buff *skb);
 static inline unsigned int skb_gro_offset(const struct sk_buff *skb)
 {
@@ -2157,7 +2162,7 @@ extern gro_result_t	dev_gro_receive(struct napi_struct *napi,
 extern gro_result_t     napi_skb_finish(gro_result_t ret, struct sk_buff *skb);
 extern gro_result_t     napi_gro_receive(struct napi_struct *napi,
                                         struct sk_buff *skb);
-extern void             napi_gro_flush(struct napi_struct *napi);
+extern void             napi_gro_flush(struct napi_struct *napi, bool flush_old);
 extern struct sk_buff * napi_get_frags(struct napi_struct *napi);
 extern gro_result_t     napi_frags_finish(struct napi_struct *napi,
                                          struct sk_buff *skb,
diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index 874ae8f2706b..b3322023e9a5 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -1,78 +1 @@
 header-y += ipset/
-header-y += nf_conntrack_common.h
-header-y += nf_conntrack_ftp.h
-header-y += nf_conntrack_sctp.h
-header-y += nf_conntrack_tcp.h
-header-y += nf_conntrack_tuple_common.h
-header-y += nf_nat.h
-header-y += nfnetlink.h
-header-y += nfnetlink_acct.h
-header-y += nfnetlink_compat.h
-header-y += nfnetlink_conntrack.h
-header-y += nfnetlink_cthelper.h
-header-y += nfnetlink_cttimeout.h
-header-y += nfnetlink_log.h
-header-y += nfnetlink_queue.h
-header-y += x_tables.h
-header-y += xt_AUDIT.h
-header-y += xt_CHECKSUM.h
-header-y += xt_CLASSIFY.h
-header-y += xt_CONNMARK.h
-header-y += xt_CONNSECMARK.h
-header-y += xt_CT.h
-header-y += xt_DSCP.h
-header-y += xt_IDLETIMER.h
-header-y += xt_LED.h
-header-y += xt_LOG.h
-header-y += xt_MARK.h
-header-y += xt_nfacct.h
-header-y += xt_NFLOG.h
-header-y += xt_NFQUEUE.h
-header-y += xt_RATEEST.h
-header-y += xt_SECMARK.h
-header-y += xt_TCPMSS.h
-header-y += xt_TCPOPTSTRIP.h
-header-y += xt_TEE.h
-header-y += xt_TPROXY.h
-header-y += xt_addrtype.h
-header-y += xt_cluster.h
-header-y += xt_comment.h
-header-y += xt_connbytes.h
-header-y += xt_connlimit.h
-header-y += xt_connmark.h
-header-y += xt_conntrack.h
-header-y += xt_cpu.h
-header-y += xt_dccp.h
-header-y += xt_devgroup.h
-header-y += xt_dscp.h
-header-y += xt_ecn.h
-header-y += xt_esp.h
-header-y += xt_hashlimit.h
-header-y += xt_helper.h
-header-y += xt_iprange.h
-header-y += xt_ipvs.h
-header-y += xt_length.h
-header-y += xt_limit.h
-header-y += xt_mac.h
-header-y += xt_mark.h
-header-y += xt_multiport.h
-header-y += xt_osf.h
-header-y += xt_owner.h
-header-y += xt_physdev.h
-header-y += xt_pkttype.h
-header-y += xt_policy.h
-header-y += xt_quota.h
-header-y += xt_rateest.h
-header-y += xt_realm.h
-header-y += xt_recent.h
-header-y += xt_set.h
-header-y += xt_sctp.h
-header-y += xt_socket.h
-header-y += xt_state.h
-header-y += xt_statistic.h
-header-y += xt_string.h
-header-y += xt_tcpmss.h
-header-y += xt_tcpudp.h
-header-y += xt_time.h
-header-y += xt_u32.h
diff --git a/include/linux/netfilter/ipset/Kbuild b/include/linux/netfilter/ipset/Kbuild
index 601fe71d34d5..e69de29bb2d1 100644
--- a/include/linux/netfilter/ipset/Kbuild
+++ b/include/linux/netfilter/ipset/Kbuild
@@ -1,4 +0,0 @@
-header-y += ip_set.h
-header-y += ip_set_bitmap.h
-header-y += ip_set_hash.h
-header-y += ip_set_list.h
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 528697b3c152..7958e84a65af 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -1,6 +1,3 @@
-#ifndef _IP_SET_H
-#define _IP_SET_H
 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
 *                         Patrick Schaaf <bof@bof.de>
 *                         Martin Josefsson <gandalf@wlug.westbo.se>
@@ -10,199 +7,9 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#ifndef _IP_SET_H
+#define _IP_SET_H
-#include <linux/types.h>
-/* The protocol version */
-#define IPSET_PROTOCOL          6
-/* The max length of strings including NUL: set and type identifiers */
-#define IPSET_MAXNAMELEN        32
-/* Message types and commands */
-enum ipset_cmd {
-        IPSET_CMD_NONE,
-        IPSET_CMD_PROTOCOL,     /* 1: Return protocol version */
-        IPSET_CMD_CREATE,       /* 2: Create a new (empty) set */
-        IPSET_CMD_DESTROY,      /* 3: Destroy a (empty) set */
-        IPSET_CMD_FLUSH,        /* 4: Remove all elements from a set */
-        IPSET_CMD_RENAME,       /* 5: Rename a set */
-        IPSET_CMD_SWAP,         /* 6: Swap two sets */
-        IPSET_CMD_LIST,         /* 7: List sets */
-        IPSET_CMD_SAVE,         /* 8: Save sets */
-        IPSET_CMD_ADD,          /* 9: Add an element to a set */
-        IPSET_CMD_DEL,          /* 10: Delete an element from a set */
-        IPSET_CMD_TEST,         /* 11: Test an element in a set */
-        IPSET_CMD_HEADER,       /* 12: Get set header data only */
-        IPSET_CMD_TYPE,         /* 13: Get set type */
-        IPSET_MSG_MAX,          /* Netlink message commands */
-        /* Commands in userspace: */
-        IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
-        IPSET_CMD_HELP,         /* 15: Get help */
-        IPSET_CMD_VERSION,      /* 16: Get program version */
-        IPSET_CMD_QUIT,         /* 17: Quit from interactive mode */
-        IPSET_CMD_MAX,
-        IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
-};
-/* Attributes at command level */
-enum {
-        IPSET_ATTR_UNSPEC,
-        IPSET_ATTR_PROTOCOL,    /* 1: Protocol version */
-        IPSET_ATTR_SETNAME,     /* 2: Name of the set */
-        IPSET_ATTR_TYPENAME,    /* 3: Typename */
-        IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
-        IPSET_ATTR_REVISION,    /* 4: Settype revision */
-        IPSET_ATTR_FAMILY,      /* 5: Settype family */
-        IPSET_ATTR_FLAGS,       /* 6: Flags at command level */
-        IPSET_ATTR_DATA,        /* 7: Nested attributes */
-        IPSET_ATTR_ADT,         /* 8: Multiple data containers */
-        IPSET_ATTR_LINENO,      /* 9: Restore lineno */
-        IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
-        IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
-        __IPSET_ATTR_CMD_MAX,
-};
-#define IPSET_ATTR_CMD_MAX      (__IPSET_ATTR_CMD_MAX - 1)
-/* CADT specific attributes */
-enum {
-        IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
-        IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
-        IPSET_ATTR_IP_TO,       /* 2 */
-        IPSET_ATTR_CIDR,        /* 3 */
-        IPSET_ATTR_PORT,        /* 4 */
-        IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
-        IPSET_ATTR_PORT_TO,     /* 5 */
-        IPSET_ATTR_TIMEOUT,     /* 6 */
-        IPSET_ATTR_PROTO,       /* 7 */
-        IPSET_ATTR_CADT_FLAGS,  /* 8 */
-        IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,     /* 9 */
-        /* Reserve empty slots */
-        IPSET_ATTR_CADT_MAX = 16,
-        /* Create-only specific attributes */
-        IPSET_ATTR_GC,
-        IPSET_ATTR_HASHSIZE,
-        IPSET_ATTR_MAXELEM,
-        IPSET_ATTR_NETMASK,
-        IPSET_ATTR_PROBES,
-        IPSET_ATTR_RESIZE,
-        IPSET_ATTR_SIZE,
-        /* Kernel-only */
-        IPSET_ATTR_ELEMENTS,
-        IPSET_ATTR_REFERENCES,
-        IPSET_ATTR_MEMSIZE,
-        __IPSET_ATTR_CREATE_MAX,
-};
-#define IPSET_ATTR_CREATE_MAX   (__IPSET_ATTR_CREATE_MAX - 1)
-/* ADT specific attributes */
-enum {
-        IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
-        IPSET_ATTR_NAME,
-        IPSET_ATTR_NAMEREF,
-        IPSET_ATTR_IP2,
-        IPSET_ATTR_CIDR2,
-        IPSET_ATTR_IP2_TO,
-        IPSET_ATTR_IFACE,
-        __IPSET_ATTR_ADT_MAX,
-};
-#define IPSET_ATTR_ADT_MAX      (__IPSET_ATTR_ADT_MAX - 1)
-/* IP specific attributes */
-enum {
-        IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
-        IPSET_ATTR_IPADDR_IPV6,
-        __IPSET_ATTR_IPADDR_MAX,
-};
-#define IPSET_ATTR_IPADDR_MAX   (__IPSET_ATTR_IPADDR_MAX - 1)
-/* Error codes */
-enum ipset_errno {
-        IPSET_ERR_PRIVATE = 4096,
-        IPSET_ERR_PROTOCOL,
-        IPSET_ERR_FIND_TYPE,
-        IPSET_ERR_MAX_SETS,
-        IPSET_ERR_BUSY,
-        IPSET_ERR_EXIST_SETNAME2,
-        IPSET_ERR_TYPE_MISMATCH,
-        IPSET_ERR_EXIST,
-        IPSET_ERR_INVALID_CIDR,
-        IPSET_ERR_INVALID_NETMASK,
-        IPSET_ERR_INVALID_FAMILY,
-        IPSET_ERR_TIMEOUT,
-        IPSET_ERR_REFERENCED,
-        IPSET_ERR_IPADDR_IPV4,
-        IPSET_ERR_IPADDR_IPV6,
-        /* Type specific error codes */
-        IPSET_ERR_TYPE_SPECIFIC = 4352,
-};
-/* Flags at command level */
-enum ipset_cmd_flags {
-        IPSET_FLAG_BIT_EXIST    = 0,
-        IPSET_FLAG_EXIST        = (1 << IPSET_FLAG_BIT_EXIST),
-        IPSET_FLAG_BIT_LIST_SETNAME = 1,
-        IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME),
-        IPSET_FLAG_BIT_LIST_HEADER = 2,
-        IPSET_FLAG_LIST_HEADER  = (1 << IPSET_FLAG_BIT_LIST_HEADER),
-        IPSET_FLAG_CMD_MAX = 15,        /* Lower half */
-};
-/* Flags at CADT attribute level */
-enum ipset_cadt_flags {
-        IPSET_FLAG_BIT_BEFORE   = 0,
-        IPSET_FLAG_BEFORE       = (1 << IPSET_FLAG_BIT_BEFORE),
-        IPSET_FLAG_BIT_PHYSDEV  = 1,
-        IPSET_FLAG_PHYSDEV      = (1 << IPSET_FLAG_BIT_PHYSDEV),
-        IPSET_FLAG_BIT_NOMATCH  = 2,
-        IPSET_FLAG_NOMATCH      = (1 << IPSET_FLAG_BIT_NOMATCH),
-        IPSET_FLAG_CADT_MAX     = 15,   /* Upper half */
-};
-/* Commands with settype-specific attributes */
-enum ipset_adt {
-        IPSET_ADD,
-        IPSET_DEL,
-        IPSET_TEST,
-        IPSET_ADT_MAX,
-        IPSET_CREATE = IPSET_ADT_MAX,
-        IPSET_CADT_MAX,
-};
-/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
- * and IPSET_INVALID_ID if you want to increase the max number of sets.
- */
-typedef __u16 ip_set_id_t;
-#define IPSET_INVALID_ID                65535
-enum ip_set_dim {
-        IPSET_DIM_ZERO = 0,
-        IPSET_DIM_ONE,
-        IPSET_DIM_TWO,
-        IPSET_DIM_THREE,
-        /* Max dimension in elements.
-         * If changed, new revision of iptables match/target is required.
-         */
-        IPSET_DIM_MAX = 6,
-        IPSET_BIT_RETURN_NOMATCH = 7,
-};
-/* Option flags for kernel operations */
-enum ip_set_kopt {
-        IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
-        IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
-        IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
-        IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
-        IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
-};
-#ifdef __KERNEL__
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/netlink.h>
@@ -211,6 +18,7 @@ enum ip_set_kopt {
 #include <linux/stringify.h>
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
+#include <uapi/linux/netfilter/ipset/ip_set.h>
 #define _IP_SET_MODULE_DESC(a, b, c)            \
        MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -476,31 +284,4 @@ bitmap_bytes(u32 a, u32 b)
        return 4 * ((((b - a + 8) / 8) + 3) / 4);
 }
-#endif /* __KERNEL__ */
-/* Interface to iptables/ip6tables */
-#define SO_IP_SET               83
-union ip_set_name_index {
-        char name[IPSET_MAXNAMELEN];
-        ip_set_id_t index;
-};
-#define IP_SET_OP_GET_BYNAME    0x00000006      /* Get set index by name */
-struct ip_set_req_get_set {
-        unsigned int op;
-        unsigned int version;
-        union ip_set_name_index set;
-};
-#define IP_SET_OP_GET_BYINDEX   0x00000007      /* Get set name by index */
-/* Uses ip_set_req_get_set */
-#define IP_SET_OP_VERSION       0x00000100      /* Ask kernel version */
-struct ip_set_req_version {
-        unsigned int op;
-        unsigned int version;
-};
 #endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/ipset/ip_set_bitmap.h b/include/linux/netfilter/ipset/ip_set_bitmap.h
index 61a9e8746c83..1a30646d5be8 100644
--- a/include/linux/netfilter/ipset/ip_set_bitmap.h
+++ b/include/linux/netfilter/ipset/ip_set_bitmap.h
@@ -1,15 +1,8 @@
 #ifndef __IP_SET_BITMAP_H
 #define __IP_SET_BITMAP_H
-/* Bitmap type specific error codes */
+#include <uapi/linux/netfilter/ipset/ip_set_bitmap.h>
-enum {
-        /* The element is out of the range of the set */
-        IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
-        /* The range exceeds the size limit of the set type */
-        IPSET_ERR_BITMAP_RANGE_SIZE,
-};
-#ifdef __KERNEL__
 #define IPSET_BITMAP_MAX_RANGE  0x0000FFFF
 /* Common functions */
@@ -26,6 +19,4 @@ range_to_mask(u32 from, u32 to, u8 *bits)
        return mask;
 }
-#endif /* __KERNEL__ */
 #endif /* __IP_SET_BITMAP_H */
diff --git a/include/linux/netfilter/ipset/ip_set_hash.h b/include/linux/netfilter/ipset/ip_set_hash.h
index e2a9fae767f6..f98ddfb094cb 100644
--- a/include/linux/netfilter/ipset/ip_set_hash.h
+++ b/include/linux/netfilter/ipset/ip_set_hash.h
@@ -1,23 +1,8 @@
 #ifndef __IP_SET_HASH_H
 #define __IP_SET_HASH_H
-/* Hash type specific error codes */
+#include <uapi/linux/netfilter/ipset/ip_set_hash.h>
-enum {
-        /* Hash is full */
-        IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
-        /* Null-valued element */
-        IPSET_ERR_HASH_ELEM,
-        /* Invalid protocol */
-        IPSET_ERR_INVALID_PROTO,
-        /* Protocol missing but must be specified */
-        IPSET_ERR_MISSING_PROTO,
-        /* Range not supported */
-        IPSET_ERR_HASH_RANGE_UNSUPPORTED,
-        /* Invalid range */
-        IPSET_ERR_HASH_RANGE,
-};
-#ifdef __KERNEL__
 #define IPSET_DEFAULT_HASHSIZE          1024
 #define IPSET_MIMINAL_HASHSIZE          64
@@ -25,6 +10,4 @@ enum {
 #define IPSET_DEFAULT_PROBES            4
 #define IPSET_DEFAULT_RESIZE            100
-#endif /* __KERNEL__ */
 #endif /* __IP_SET_HASH_H */
diff --git a/include/linux/netfilter/ipset/ip_set_list.h b/include/linux/netfilter/ipset/ip_set_list.h
index 40a63f302613..68c2aea897f5 100644
--- a/include/linux/netfilter/ipset/ip_set_list.h
+++ b/include/linux/netfilter/ipset/ip_set_list.h
@@ -1,27 +1,10 @@
 #ifndef __IP_SET_LIST_H
 #define __IP_SET_LIST_H
-/* List type specific error codes */
+#include <uapi/linux/netfilter/ipset/ip_set_list.h>
-enum {
-        /* Set name to be added/deleted/tested does not exist. */
-        IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
-        /* list:set type is not permitted to add */
-        IPSET_ERR_LOOP,
-        /* Missing reference set */
-        IPSET_ERR_BEFORE,
-        /* Reference set does not exist */
-        IPSET_ERR_NAMEREF,
-        /* Set is full */
-        IPSET_ERR_LIST_FULL,
-        /* Reference set is not added to the set */
-        IPSET_ERR_REF_EXIST,
-};
-#ifdef __KERNEL__
 #define IP_SET_LIST_DEFAULT_SIZE        8
 #define IP_SET_LIST_MIN_SIZE            4
-#endif /* __KERNEL__ */
 #endif /* __IP_SET_LIST_H */
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index d146872a0b91..127d0b90604f 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -1,119 +1,8 @@
 #ifndef _NF_CONNTRACK_COMMON_H
 #define _NF_CONNTRACK_COMMON_H
-/* Connection state tracking for netfilter.  This is separated from,
-   but required by, the NAT layer; it can also be used by an iptables
-   extension. */
-enum ip_conntrack_info {
-        /* Part of an established connection (either direction). */
-        IP_CT_ESTABLISHED,
-        /* Like NEW, but related to an existing connection, or ICMP error
+#include <uapi/linux/netfilter/nf_conntrack_common.h>
-           (in either direction). */
-        IP_CT_RELATED,
-        /* Started a new connection to track (only
-           IP_CT_DIR_ORIGINAL); may be a retransmission. */
-        IP_CT_NEW,
-        /* >= this indicates reply direction */
-        IP_CT_IS_REPLY,
-        IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
-        IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
-        IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,   
-        /* Number of distinct IP_CT types (no NEW in reply dirn). */
-        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
-};
-/* Bitset representing status of connection. */
-enum ip_conntrack_status {
-        /* It's an expected connection: bit 0 set.  This bit never changed */
-        IPS_EXPECTED_BIT = 0,
-        IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
-        /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
-        IPS_SEEN_REPLY_BIT = 1,
-        IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
-        /* Conntrack should never be early-expired. */
-        IPS_ASSURED_BIT = 2,
-        IPS_ASSURED = (1 << IPS_ASSURED_BIT),
-        /* Connection is confirmed: originating packet has left box */
-        IPS_CONFIRMED_BIT = 3,
-        IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
-        /* Connection needs src nat in orig dir.  This bit never changed. */
-        IPS_SRC_NAT_BIT = 4,
-        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
-        /* Connection needs dst nat in orig dir.  This bit never changed. */
-        IPS_DST_NAT_BIT = 5,
-        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
-        /* Both together. */
-        IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
-        /* Connection needs TCP sequence adjusted. */
-        IPS_SEQ_ADJUST_BIT = 6,
-        IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
-        /* NAT initialization bits. */
-        IPS_SRC_NAT_DONE_BIT = 7,
-        IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
-        IPS_DST_NAT_DONE_BIT = 8,
-        IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
-        /* Both together */
-        IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
-        /* Connection is dying (removed from lists), can not be unset. */
-        IPS_DYING_BIT = 9,
-        IPS_DYING = (1 << IPS_DYING_BIT),
-        /* Connection has fixed timeout. */
-        IPS_FIXED_TIMEOUT_BIT = 10,
-        IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
-        /* Conntrack is a template */
-        IPS_TEMPLATE_BIT = 11,
-        IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
-        /* Conntrack is a fake untracked entry */
-        IPS_UNTRACKED_BIT = 12,
-        IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
-        /* Conntrack got a helper explicitly attached via CT target. */
-        IPS_HELPER_BIT = 13,
-        IPS_HELPER = (1 << IPS_HELPER_BIT),
-};
-/* Connection tracking event types */
-enum ip_conntrack_events {
-        IPCT_NEW,               /* new conntrack */
-        IPCT_RELATED,           /* related conntrack */
-        IPCT_DESTROY,           /* destroyed conntrack */
-        IPCT_REPLY,             /* connection has seen two-way traffic */
-        IPCT_ASSURED,           /* connection status has changed to assured */
-        IPCT_PROTOINFO,         /* protocol information has changed */
-        IPCT_HELPER,            /* new helper has been set */
-        IPCT_MARK,              /* new mark has been set */
-        IPCT_NATSEQADJ,         /* NAT is doing sequence adjustment */
-        IPCT_SECMARK,           /* new security mark has been set */
-};
-enum ip_conntrack_expect_events {
-        IPEXP_NEW,              /* new expectation */
-        IPEXP_DESTROY,          /* destroyed expectation */
-};
-/* expectation flags */
-#define NF_CT_EXPECT_PERMANENT          0x1
-#define NF_CT_EXPECT_INACTIVE           0x2
-#define NF_CT_EXPECT_USERSPACE          0x4
-#ifdef __KERNEL__
 struct ip_conntrack_stat {
        unsigned int searched;
        unsigned int found;
@@ -136,6 +25,4 @@ struct ip_conntrack_stat {
 /* call to create an explicit dependency on nf_conntrack. */
 extern void need_conntrack(void);
-#endif /* __KERNEL__ */
 #endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
index 8faf3f792d13..5f818b01e035 100644
--- a/include/linux/netfilter/nf_conntrack_ftp.h
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -1,20 +1,8 @@
 #ifndef _NF_CONNTRACK_FTP_H
 #define _NF_CONNTRACK_FTP_H
-/* FTP tracking. */
-/* This enum is exposed to userspace */
+#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
-enum nf_ct_ftp_type {
-        /* PORT command from client */
-        NF_CT_FTP_PORT,
-        /* PASV response from server */
-        NF_CT_FTP_PASV,
-        /* EPRT command from client */
-        NF_CT_FTP_EPRT,
-        /* EPSV response from server */
-        NF_CT_FTP_EPSV,
-};
-#ifdef __KERNEL__
 #define FTP_PORT        21
@@ -42,6 +30,4 @@ extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,
                                       unsigned int matchoff,
                                       unsigned int matchlen,
                                       struct nf_conntrack_expect *exp);
-#endif /* __KERNEL__ */
 #endif /* _NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index e59868ae12d4..22db9614b584 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -1,53 +1,8 @@
 #ifndef _NF_CONNTRACK_TCP_H
 #define _NF_CONNTRACK_TCP_H
-/* TCP tracking. */
-#include <linux/types.h>
+#include <uapi/linux/netfilter/nf_conntrack_tcp.h>
-/* This is exposed to userspace (ctnetlink) */
-enum tcp_conntrack {
-        TCP_CONNTRACK_NONE,
-        TCP_CONNTRACK_SYN_SENT,
-        TCP_CONNTRACK_SYN_RECV,
-        TCP_CONNTRACK_ESTABLISHED,
-        TCP_CONNTRACK_FIN_WAIT,
-        TCP_CONNTRACK_CLOSE_WAIT,
-        TCP_CONNTRACK_LAST_ACK,
-        TCP_CONNTRACK_TIME_WAIT,
-        TCP_CONNTRACK_CLOSE,
-        TCP_CONNTRACK_LISTEN,   /* obsolete */
-#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
-        TCP_CONNTRACK_MAX,
-        TCP_CONNTRACK_IGNORE,
-        TCP_CONNTRACK_RETRANS,
-        TCP_CONNTRACK_UNACK,
-        TCP_CONNTRACK_TIMEOUT_MAX
-};
-/* Window scaling is advertised by the sender */
-#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01
-/* SACK is permitted by the sender */
-#define IP_CT_TCP_FLAG_SACK_PERM                0x02
-/* This sender sent FIN first */
-#define IP_CT_TCP_FLAG_CLOSE_INIT               0x04
-/* Be liberal in window checking */
-#define IP_CT_TCP_FLAG_BE_LIBERAL               0x08
-/* Has unacknowledged data */
-#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED      0x10
-/* The field td_maxack has been set */
-#define IP_CT_TCP_FLAG_MAXACK_SET               0x20
-struct nf_ct_tcp_flags {
-        __u8 flags;
-        __u8 mask;
-};
-#ifdef __KERNEL__
 struct ip_ct_tcp_state {
        u_int32_t       td_end;         /* max of seq + len */
@@ -74,6 +29,4 @@ struct ip_ct_tcp {
        u_int8_t        last_flags;     /* Last flags set */
 };
-#endif /* __KERNEL__ */
 #endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 18341cdb2443..4966ddec039b 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -1,63 +1,11 @@
 #ifndef _NFNETLINK_H
 #define _NFNETLINK_H
-#include <linux/types.h>
-#include <linux/netfilter/nfnetlink_compat.h>
-enum nfnetlink_groups {
-        NFNLGRP_NONE,
-#define NFNLGRP_NONE                    NFNLGRP_NONE
-        NFNLGRP_CONNTRACK_NEW,
-#define NFNLGRP_CONNTRACK_NEW           NFNLGRP_CONNTRACK_NEW
-        NFNLGRP_CONNTRACK_UPDATE,
-#define NFNLGRP_CONNTRACK_UPDATE        NFNLGRP_CONNTRACK_UPDATE
-        NFNLGRP_CONNTRACK_DESTROY,
-#define NFNLGRP_CONNTRACK_DESTROY       NFNLGRP_CONNTRACK_DESTROY
-        NFNLGRP_CONNTRACK_EXP_NEW,
-#define NFNLGRP_CONNTRACK_EXP_NEW       NFNLGRP_CONNTRACK_EXP_NEW
-        NFNLGRP_CONNTRACK_EXP_UPDATE,
-#define NFNLGRP_CONNTRACK_EXP_UPDATE    NFNLGRP_CONNTRACK_EXP_UPDATE
-        NFNLGRP_CONNTRACK_EXP_DESTROY,
-#define NFNLGRP_CONNTRACK_EXP_DESTROY   NFNLGRP_CONNTRACK_EXP_DESTROY
-        __NFNLGRP_MAX,
-};
-#define NFNLGRP_MAX     (__NFNLGRP_MAX - 1)
-/* General form of address family dependent message.
- */
-struct nfgenmsg {
-        __u8  nfgen_family;             /* AF_xxx */
-        __u8  version;          /* nfnetlink version */
-        __be16    res_id;               /* resource id */
-};
-#define NFNETLINK_V0    0
-/* netfilter netlink message types are split in two pieces:
- * 8 bit subsystem, 8bit operation.
- */
-#define NFNL_SUBSYS_ID(x)       ((x & 0xff00) >> 8)
-#define NFNL_MSG_TYPE(x)        (x & 0x00ff)
-/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
- * won't work anymore */
-#define NFNL_SUBSYS_NONE                0
-#define NFNL_SUBSYS_CTNETLINK           1
-#define NFNL_SUBSYS_CTNETLINK_EXP       2
-#define NFNL_SUBSYS_QUEUE               3
-#define NFNL_SUBSYS_ULOG                4
-#define NFNL_SUBSYS_OSF                 5
-#define NFNL_SUBSYS_IPSET               6
-#define NFNL_SUBSYS_ACCT                7
-#define NFNL_SUBSYS_CTNETLINK_TIMEOUT   8
-#define NFNL_SUBSYS_CTHELPER            9
-#define NFNL_SUBSYS_COUNT               10
-#ifdef __KERNEL__
 #include <linux/netlink.h>
 #include <linux/capability.h>
 #include <net/netlink.h>
+#include <uapi/linux/netfilter/nfnetlink.h>
 struct nfnl_callback {
        int (*call)(struct sock *nl, struct sk_buff *skb, 
@@ -92,5 +40,4 @@ extern void nfnl_unlock(void);
 #define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
        MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
-#endif  /* __KERNEL__ */
 #endif  /* _NFNETLINK_H */
diff --git a/include/linux/netfilter/nfnetlink_acct.h b/include/linux/netfilter/nfnetlink_acct.h
index 7c4279b4ae7a..bb4bbc9b7a18 100644
--- a/include/linux/netfilter/nfnetlink_acct.h
+++ b/include/linux/netfilter/nfnetlink_acct.h
@@ -1,29 +1,8 @@
 #ifndef _NFNL_ACCT_H_
 #define _NFNL_ACCT_H_
-#ifndef NFACCT_NAME_MAX
+#include <uapi/linux/netfilter/nfnetlink_acct.h>
-#define NFACCT_NAME_MAX         32
-#endif
-enum nfnl_acct_msg_types {
-        NFNL_MSG_ACCT_NEW,
-        NFNL_MSG_ACCT_GET,
-        NFNL_MSG_ACCT_GET_CTRZERO,
-        NFNL_MSG_ACCT_DEL,
-        NFNL_MSG_ACCT_MAX
-};
-enum nfnl_acct_type {
-        NFACCT_UNSPEC,
-        NFACCT_NAME,
-        NFACCT_PKTS,
-        NFACCT_BYTES,
-        NFACCT_USE,
-        __NFACCT_MAX
-};
-#define NFACCT_MAX (__NFACCT_MAX - 1)
-#ifdef __KERNEL__
 struct nf_acct;
@@ -31,6 +10,4 @@ extern struct nf_acct *nfnl_acct_find_get(const char *filter_name);
 extern void nfnl_acct_put(struct nf_acct *acct);
 extern void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct);
-#endif /* __KERNEL__ */
 #endif /* _NFNL_ACCT_H */
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 8d674a786744..dd49566315c6 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -1,191 +1,9 @@
 #ifndef _X_TABLES_H
 #define _X_TABLES_H
-#include <linux/kernel.h>
-#include <linux/types.h>
-#define XT_FUNCTION_MAXNAMELEN 30
-#define XT_EXTENSION_MAXNAMELEN 29
-#define XT_TABLE_MAXNAMELEN 32
-struct xt_entry_match {
-        union {
-                struct {
-                        __u16 match_size;
-                        /* Used by userspace */
-                        char name[XT_EXTENSION_MAXNAMELEN];
-                        __u8 revision;
-                } user;
-                struct {
-                        __u16 match_size;
-                        /* Used inside the kernel */
-                        struct xt_match *match;
-                } kernel;
-                /* Total length */
-                __u16 match_size;
-        } u;
-        unsigned char data[0];
-};
-struct xt_entry_target {
-        union {
-                struct {
-                        __u16 target_size;
-                        /* Used by userspace */
-                        char name[XT_EXTENSION_MAXNAMELEN];
-                        __u8 revision;
-                } user;
-                struct {
-                        __u16 target_size;
-                        /* Used inside the kernel */
-                        struct xt_target *target;
-                } kernel;
-                /* Total length */
-                __u16 target_size;
-        } u;
-        unsigned char data[0];
-};
-#define XT_TARGET_INIT(__name, __size)                                         \
-{                                                                              \
-        .target.u.user = {                                                     \
-                .target_size    = XT_ALIGN(__size),                            \
-                .name           = __name,                                      \
-        },                                                                     \
-}
-struct xt_standard_target {
-        struct xt_entry_target target;
-        int verdict;
-};
-struct xt_error_target {
-        struct xt_entry_target target;
-        char errorname[XT_FUNCTION_MAXNAMELEN];
-};
-/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
- * kernel supports, if >= revision. */
-struct xt_get_revision {
-        char name[XT_EXTENSION_MAXNAMELEN];
-        __u8 revision;
-};
-/* CONTINUE verdict for targets */
-#define XT_CONTINUE 0xFFFFFFFF
-/* For standard target */
-#define XT_RETURN (-NF_REPEAT - 1)
-/* this is a dummy structure to find out the alignment requirement for a struct
- * containing all the fundamental data types that are used in ipt_entry,
- * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
- * personal pleasure to remove it -HW
- */
-struct _xt_align {
-        __u8 u8;
-        __u16 u16;
-        __u32 u32;
-        __u64 u64;
-};
-#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
-/* Standard return verdict, or do jump. */
-#define XT_STANDARD_TARGET ""
-/* Error verdict. */
-#define XT_ERROR_TARGET "ERROR"
-#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
-#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
-struct xt_counters {
-        __u64 pcnt, bcnt;                       /* Packet and byte counters */
-};
-/* The argument to IPT_SO_ADD_COUNTERS. */
-struct xt_counters_info {
-        /* Which table. */
-        char name[XT_TABLE_MAXNAMELEN];
-        unsigned int num_counters;
-        /* The counters (actually `number' of these). */
-        struct xt_counters counters[0];
-};
-#define XT_INV_PROTO            0x40    /* Invert the sense of PROTO. */
-#ifndef __KERNEL__
-/* fn returns 0 to continue iteration */
-#define XT_MATCH_ITERATE(type, e, fn, args...)                  \
-({                                                              \
-        unsigned int __i;                                       \
-        int __ret = 0;                                          \
-        struct xt_entry_match *__m;                             \
-                                                                \
-        for (__i = sizeof(type);                                \
-             __i < (e)->target_offset;                          \
-             __i += __m->u.match_size) {                        \
-                __m = (void *)e + __i;                          \
-                                                                \
-                __ret = fn(__m , ## args);                      \
-                if (__ret != 0)                                 \
-                        break;                                  \
-        }                                                       \
-        __ret;                                                  \
-})
-/* fn returns 0 to continue iteration */
-#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
-({                                                              \
-        unsigned int __i, __n;                                  \
-        int __ret = 0;                                          \
-        type *__entry;                                          \
-                                                                \
-        for (__i = 0, __n = 0; __i < (size);                    \
-             __i += __entry->next_offset, __n++) {              \
-                __entry = (void *)(entries) + __i;              \
-                if (__n < n)                                    \
-                        continue;                               \
-                                                                \
-                __ret = fn(__entry , ## args);                  \
-                if (__ret != 0)                                 \
-                        break;                                  \
-        }                                                       \
-        __ret;                                                  \
-})
-/* fn returns 0 to continue iteration */
-#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
-        XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
-#endif /* !__KERNEL__ */
-/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
-#define xt_entry_foreach(pos, ehead, esize) \
-        for ((pos) = (typeof(pos))(ehead); \
-             (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
-             (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
-/* can only be xt_entry_match, so no use of typeof here */
-#define xt_ematch_foreach(pos, entry) \
-        for ((pos) = (struct xt_entry_match *)entry->elems; \
-             (pos) < (struct xt_entry_match *)((char *)(entry) + \
-                     (entry)->target_offset); \
-             (pos) = (struct xt_entry_match *)((char *)(pos) + \
-                     (pos)->u.match_size))
-#ifdef __KERNEL__
 #include <linux/netdevice.h>
+#include <uapi/linux/netfilter/x_tables.h>
 /**
 * struct xt_action_param - parameters for matches/targets
@@ -617,6 +435,4 @@ extern int xt_compat_target_to_user(const struct xt_entry_target *t,
                                    void __user **dstptr, unsigned int *size);
 #endif /* CONFIG_COMPAT */
-#endif /* __KERNEL__ */
 #endif /* _X_TABLES_H */
diff --git a/include/linux/netfilter/xt_hashlimit.h b/include/linux/netfilter/xt_hashlimit.h
index c42e52f39f8f..074790c0cf74 100644
--- a/include/linux/netfilter/xt_hashlimit.h
+++ b/include/linux/netfilter/xt_hashlimit.h
@@ -1,78 +1,9 @@
 #ifndef _XT_HASHLIMIT_H
 #define _XT_HASHLIMIT_H
-#include <linux/types.h>
+#include <uapi/linux/netfilter/xt_hashlimit.h>
-/* timings are in milliseconds. */
-#define XT_HASHLIMIT_SCALE 10000
-/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
- * seconds, or one packet every 59 hours.
- */
-/* packet length accounting is done in 16-byte steps */
-#define XT_HASHLIMIT_BYTE_SHIFT 4
-/* details of this structure hidden by the implementation */
-struct xt_hashlimit_htable;
-enum {
-        XT_HASHLIMIT_HASH_DIP = 1 << 0,
-        XT_HASHLIMIT_HASH_DPT = 1 << 1,
-        XT_HASHLIMIT_HASH_SIP = 1 << 2,
-        XT_HASHLIMIT_HASH_SPT = 1 << 3,
-        XT_HASHLIMIT_INVERT   = 1 << 4,
-        XT_HASHLIMIT_BYTES    = 1 << 5,
-};
-#ifdef __KERNEL__
 #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \
                          XT_HASHLIMIT_HASH_SIP | XT_HASHLIMIT_HASH_SPT | \
                          XT_HASHLIMIT_INVERT | XT_HASHLIMIT_BYTES)
-#endif
-struct hashlimit_cfg {
-        __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
-        __u32 avg;    /* Average secs between packets * scale */
-        __u32 burst;  /* Period multiplier for upper limit. */
-        /* user specified */
-        __u32 size;             /* how many buckets */
-        __u32 max;              /* max number of entries */
-        __u32 gc_interval;      /* gc interval */
-        __u32 expire;   /* when do entries expire? */
-};
-struct xt_hashlimit_info {
-        char name [IFNAMSIZ];           /* name */
-        struct hashlimit_cfg cfg;
-        /* Used internally by the kernel */
-        struct xt_hashlimit_htable *hinfo;
-        union {
-                void *ptr;
-                struct xt_hashlimit_info *master;
-        } u;
-};
-struct hashlimit_cfg1 {
-        __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
-        __u32 avg;    /* Average secs between packets * scale */
-        __u32 burst;  /* Period multiplier for upper limit. */
-        /* user specified */
-        __u32 size;             /* how many buckets */
-        __u32 max;              /* max number of entries */
-        __u32 gc_interval;      /* gc interval */
-        __u32 expire;   /* when do entries expire? */
-        __u8 srcmask, dstmask;
-};
-struct xt_hashlimit_mtinfo1 {
-        char name[IFNAMSIZ];
-        struct hashlimit_cfg1 cfg;
-        /* Used internally by the kernel */
-        struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
-};
 #endif /*_XT_HASHLIMIT_H*/
diff --git a/include/linux/netfilter/xt_physdev.h b/include/linux/netfilter/xt_physdev.h
index 8555e399886d..5b5e41716d69 100644
--- a/include/linux/netfilter/xt_physdev.h
+++ b/include/linux/netfilter/xt_physdev.h
@@ -1,26 +1,7 @@
 #ifndef _XT_PHYSDEV_H
 #define _XT_PHYSDEV_H
-#include <linux/types.h>
-#ifdef __KERNEL__
 #include <linux/if.h>
-#endif
+#include <uapi/linux/netfilter/xt_physdev.h>
-#define XT_PHYSDEV_OP_IN                0x01
-#define XT_PHYSDEV_OP_OUT               0x02
-#define XT_PHYSDEV_OP_BRIDGED           0x04
-#define XT_PHYSDEV_OP_ISIN              0x08
-#define XT_PHYSDEV_OP_ISOUT             0x10
-#define XT_PHYSDEV_OP_MASK              (0x20 - 1)
-struct xt_physdev_info {
-        char physindev[IFNAMSIZ];
-        char in_mask[IFNAMSIZ];
-        char physoutdev[IFNAMSIZ];
-        char out_mask[IFNAMSIZ];
-        __u8 invert;
-        __u8 bitmask;
-};
 #endif /*_XT_PHYSDEV_H*/
diff --git a/include/linux/netfilter_arp/Kbuild b/include/linux/netfilter_arp/Kbuild
index b27439c71037..e69de29bb2d1 100644
--- a/include/linux/netfilter_arp/Kbuild
+++ b/include/linux/netfilter_arp/Kbuild
@@ -1,2 +0,0 @@
-header-y += arp_tables.h
-header-y += arpt_mangle.h
diff --git a/include/linux/netfilter_arp/arp_tables.h b/include/linux/netfilter_arp/arp_tables.h
index e08565d45178..cfb7191e6efa 100644
--- a/include/linux/netfilter_arp/arp_tables.h
+++ b/include/linux/netfilter_arp/arp_tables.h
@@ -5,211 +5,14 @@
 *      network byte order.
 *      flags are stored in host byte order (of course).
 */
 #ifndef _ARPTABLES_H
 #define _ARPTABLES_H
-#ifdef __KERNEL__
 #include <linux/if.h>
 #include <linux/in.h>
 #include <linux/if_arp.h>
 #include <linux/skbuff.h>
-#endif
+#include <uapi/linux/netfilter_arp/arp_tables.h>
-#include <linux/types.h>
-#include <linux/compiler.h>
-#include <linux/netfilter_arp.h>
-#include <linux/netfilter/x_tables.h>
-#ifndef __KERNEL__
-#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define arpt_entry_target xt_entry_target
-#define arpt_standard_target xt_standard_target
-#define arpt_error_target xt_error_target
-#define ARPT_CONTINUE XT_CONTINUE
-#define ARPT_RETURN XT_RETURN
-#define arpt_counters_info xt_counters_info
-#define arpt_counters xt_counters
-#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
-#define ARPT_ERROR_TARGET XT_ERROR_TARGET
-#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
-#endif
-#define ARPT_DEV_ADDR_LEN_MAX 16
-struct arpt_devaddr_info {
-        char addr[ARPT_DEV_ADDR_LEN_MAX];
-        char mask[ARPT_DEV_ADDR_LEN_MAX];
-};
-/* Yes, Virginia, you have to zero the padding. */
-struct arpt_arp {
-        /* Source and target IP addr */
-        struct in_addr src, tgt;
-        /* Mask for src and target IP addr */
-        struct in_addr smsk, tmsk;
-        /* Device hw address length, src+target device addresses */
-        __u8 arhln, arhln_mask;
-        struct arpt_devaddr_info src_devaddr;
-        struct arpt_devaddr_info tgt_devaddr;
-        /* ARP operation code. */
-        __be16 arpop, arpop_mask;
-        /* ARP hardware address and protocol address format. */
-        __be16 arhrd, arhrd_mask;
-        __be16 arpro, arpro_mask;
-        /* The protocol address length is only accepted if it is 4
-         * so there is no use in offering a way to do filtering on it.
-         */
-        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-        /* Flags word */
-        __u8 flags;
-        /* Inverse flags */
-        __u16 invflags;
-};
-/* Values for "flag" field in struct arpt_ip (general arp structure).
- * No flags defined yet.
- */
-#define ARPT_F_MASK             0x00    /* All possible flag bits mask. */
-/* Values for "inv" field in struct arpt_arp. */
-#define ARPT_INV_VIA_IN         0x0001  /* Invert the sense of IN IFACE. */
-#define ARPT_INV_VIA_OUT        0x0002  /* Invert the sense of OUT IFACE */
-#define ARPT_INV_SRCIP          0x0004  /* Invert the sense of SRC IP. */
-#define ARPT_INV_TGTIP          0x0008  /* Invert the sense of TGT IP. */
-#define ARPT_INV_SRCDEVADDR     0x0010  /* Invert the sense of SRC DEV ADDR. */
-#define ARPT_INV_TGTDEVADDR     0x0020  /* Invert the sense of TGT DEV ADDR. */
-#define ARPT_INV_ARPOP          0x0040  /* Invert the sense of ARP OP. */
-#define ARPT_INV_ARPHRD         0x0080  /* Invert the sense of ARP HRD. */
-#define ARPT_INV_ARPPRO         0x0100  /* Invert the sense of ARP PRO. */
-#define ARPT_INV_ARPHLN         0x0200  /* Invert the sense of ARP HLN. */
-#define ARPT_INV_MASK           0x03FF  /* All possible flag bits mask. */
-/* This structure defines each of the firewall rules.  Consists of 3
-   parts which are 1) general ARP header stuff 2) match specific
-   stuff 3) the target to perform if the rule matches */
-struct arpt_entry
-{
-        struct arpt_arp arp;
-        /* Size of arpt_entry + matches */
-        __u16 target_offset;
-        /* Size of arpt_entry + matches + target */
-        __u16 next_offset;
-        /* Back pointer */
-        unsigned int comefrom;
-        /* Packet and byte counters. */
-        struct xt_counters counters;
-        /* The matches (if any), then the target. */
-        unsigned char elems[0];
-};
-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- * Unlike BSD Linux inherits IP options so you don't have to use a raw
- * socket for this. Instead we check rights in the calls.
- *
- * ATTENTION: check linux/in.h before adding new number here.
- */
-#define ARPT_BASE_CTL           96
-#define ARPT_SO_SET_REPLACE             (ARPT_BASE_CTL)
-#define ARPT_SO_SET_ADD_COUNTERS        (ARPT_BASE_CTL + 1)
-#define ARPT_SO_SET_MAX                 ARPT_SO_SET_ADD_COUNTERS
-#define ARPT_SO_GET_INFO                (ARPT_BASE_CTL)
-#define ARPT_SO_GET_ENTRIES             (ARPT_BASE_CTL + 1)
-/* #define ARPT_SO_GET_REVISION_MATCH   (APRT_BASE_CTL + 2) */
-#define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
-#define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
-/* The argument to ARPT_SO_GET_INFO */
-struct arpt_getinfo {
-        /* Which table: caller fills this in. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* Kernel fills these in. */
-        /* Which hook entry points are valid: bitmask */
-        unsigned int valid_hooks;
-        /* Hook entry points: one per netfilter hook. */
-        unsigned int hook_entry[NF_ARP_NUMHOOKS];
-        /* Underflow points. */
-        unsigned int underflow[NF_ARP_NUMHOOKS];
-        /* Number of entries */
-        unsigned int num_entries;
-        /* Size of entries. */
-        unsigned int size;
-};
-/* The argument to ARPT_SO_SET_REPLACE. */
-struct arpt_replace {
-        /* Which table. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* Which hook entry points are valid: bitmask.  You can't
-           change this. */
-        unsigned int valid_hooks;
-        /* Number of entries */
-        unsigned int num_entries;
-        /* Total size of new entries */
-        unsigned int size;
-        /* Hook entry points. */
-        unsigned int hook_entry[NF_ARP_NUMHOOKS];
-        /* Underflow points. */
-        unsigned int underflow[NF_ARP_NUMHOOKS];
-        /* Information about old entries: */
-        /* Number of counters (must be equal to current number of entries). */
-        unsigned int num_counters;
-        /* The old entries' counters. */
-        struct xt_counters __user *counters;
-        /* The entries (hang off end: not really an array). */
-        struct arpt_entry entries[0];
-};
-/* The argument to ARPT_SO_GET_ENTRIES. */
-struct arpt_get_entries {
-        /* Which table: user fills this in. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* User fills this in: total entry size. */
-        unsigned int size;
-        /* The entries. */
-        struct arpt_entry entrytable[0];
-};
-/* Helper functions */
-static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
-{
-        return (void *)e + e->target_offset;
-}
-/*
- *      Main firewall chains definitions and global var's definitions.
- */
-#ifdef __KERNEL__
 /* Standard entry. */
 struct arpt_standard {
@@ -274,5 +77,4 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
 }
 #endif /* CONFIG_COMPAT */
-#endif /*__KERNEL__*/
 #endif /* _ARPTABLES_H */
diff --git a/include/linux/netfilter_bridge/Kbuild b/include/linux/netfilter_bridge/Kbuild
index e48f1a3f5a4a..e69de29bb2d1 100644
--- a/include/linux/netfilter_bridge/Kbuild
+++ b/include/linux/netfilter_bridge/Kbuild
@@ -1,18 +0,0 @@
-header-y += ebt_802_3.h
-header-y += ebt_among.h
-header-y += ebt_arp.h
-header-y += ebt_arpreply.h
-header-y += ebt_ip.h
-header-y += ebt_ip6.h
-header-y += ebt_limit.h
-header-y += ebt_log.h
-header-y += ebt_mark_m.h
-header-y += ebt_mark_t.h
-header-y += ebt_nat.h
-header-y += ebt_nflog.h
-header-y += ebt_pkttype.h
-header-y += ebt_redirect.h
-header-y += ebt_stp.h
-header-y += ebt_ulog.h
-header-y += ebt_vlan.h
-header-y += ebtables.h
diff --git a/include/linux/netfilter_bridge/ebt_802_3.h b/include/linux/netfilter_bridge/ebt_802_3.h
index be5be1577a56..e17e8bfb4e8b 100644
--- a/include/linux/netfilter_bridge/ebt_802_3.h
+++ b/include/linux/netfilter_bridge/ebt_802_3.h
@@ -1,70 +1,11 @@
 #ifndef __LINUX_BRIDGE_EBT_802_3_H
 #define __LINUX_BRIDGE_EBT_802_3_H
-#include <linux/types.h>
-#define EBT_802_3_SAP 0x01
-#define EBT_802_3_TYPE 0x02
-#define EBT_802_3_MATCH "802_3"
-/*
- * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
- * to discover what kind of packet we're carrying. 
- */
-#define CHECK_TYPE 0xaa
-/*
- * Control field may be one or two bytes.  If the first byte has
- * the value 0x03 then the entire length is one byte, otherwise it is two.
- * One byte controls are used in Unnumbered Information frames.
- * Two byte controls are used in Numbered Information frames.
- */
-#define IS_UI 0x03
-#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
-/* ui has one byte ctrl, ni has two */
-struct hdr_ui {
-        __u8 dsap;
-        __u8 ssap;
-        __u8 ctrl;
-        __u8 orig[3];
-        __be16 type;
-};
-struct hdr_ni {
-        __u8 dsap;
-        __u8 ssap;
-        __be16 ctrl;
-        __u8  orig[3];
-        __be16 type;
-};
-struct ebt_802_3_hdr {
-        __u8  daddr[6];
-        __u8  saddr[6];
-        __be16 len;
-        union {
-                struct hdr_ui ui;
-                struct hdr_ni ni;
-        } llc;
-};
-#ifdef __KERNEL__
 #include <linux/skbuff.h>
+#include <uapi/linux/netfilter_bridge/ebt_802_3.h>
 static inline struct ebt_802_3_hdr *ebt_802_3_hdr(const struct sk_buff *skb)
 {
        return (struct ebt_802_3_hdr *)skb_mac_header(skb);
 }
 #endif
-struct ebt_802_3_info {
-        __u8  sap;
-        __be16 type;
-        __u8  bitmask;
-        __u8  invflags;
-};
-#endif
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 4dd5bd6994a8..34e7a2b7f867 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -9,191 +9,11 @@
 *  This code is stongly inspired on the iptables code which is
 *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
 */
 #ifndef __LINUX_BRIDGE_EFF_H
 #define __LINUX_BRIDGE_EFF_H
-#include <linux/if.h>
-#include <linux/netfilter_bridge.h>
-#include <linux/if_ether.h>
-#define EBT_TABLE_MAXNAMELEN 32
-#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
-/* verdicts >0 are "branches" */
-#define EBT_ACCEPT   -1
-#define EBT_DROP     -2
-#define EBT_CONTINUE -3
-#define EBT_RETURN   -4
-#define NUM_STANDARD_TARGETS   4
-/* ebtables target modules store the verdict inside an int. We can
- * reclaim a part of this int for backwards compatible extensions.
- * The 4 lsb are more than enough to store the verdict. */
-#define EBT_VERDICT_BITS 0x0000000F
-struct xt_match;
-struct xt_target;
-struct ebt_counter {
-        uint64_t pcnt;
-        uint64_t bcnt;
-};
-struct ebt_replace {
+#include <uapi/linux/netfilter_bridge/ebtables.h>
-        char name[EBT_TABLE_MAXNAMELEN];
-        unsigned int valid_hooks;
-        /* nr of rules in the table */
-        unsigned int nentries;
-        /* total size of the entries */
-        unsigned int entries_size;
-        /* start of the chains */
-        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
-        /* nr of counters userspace expects back */
-        unsigned int num_counters;
-        /* where the kernel will put the old counters */
-        struct ebt_counter __user *counters;
-        char __user *entries;
-};
-struct ebt_replace_kernel {
-        char name[EBT_TABLE_MAXNAMELEN];
-        unsigned int valid_hooks;
-        /* nr of rules in the table */
-        unsigned int nentries;
-        /* total size of the entries */
-        unsigned int entries_size;
-        /* start of the chains */
-        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
-        /* nr of counters userspace expects back */
-        unsigned int num_counters;
-        /* where the kernel will put the old counters */
-        struct ebt_counter *counters;
-        char *entries;
-};
-struct ebt_entries {
-        /* this field is always set to zero
-         * See EBT_ENTRY_OR_ENTRIES.
-         * Must be same size as ebt_entry.bitmask */
-        unsigned int distinguisher;
-        /* the chain name */
-        char name[EBT_CHAIN_MAXNAMELEN];
-        /* counter offset for this chain */
-        unsigned int counter_offset;
-        /* one standard (accept, drop, return) per hook */
-        int policy;
-        /* nr. of entries */
-        unsigned int nentries;
-        /* entry list */
-        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-/* used for the bitmask of struct ebt_entry */
-/* This is a hack to make a difference between an ebt_entry struct and an
- * ebt_entries struct when traversing the entries from start to end.
- * Using this simplifies the code a lot, while still being able to use
- * ebt_entries.
- * Contrary, iptables doesn't use something like ebt_entries and therefore uses
- * different techniques for naming the policy and such. So, iptables doesn't
- * need a hack like this.
- */
-#define EBT_ENTRY_OR_ENTRIES 0x01
-/* these are the normal masks */
-#define EBT_NOPROTO 0x02
-#define EBT_802_3 0x04
-#define EBT_SOURCEMAC 0x08
-#define EBT_DESTMAC 0x10
-#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
-   | EBT_ENTRY_OR_ENTRIES)
-#define EBT_IPROTO 0x01
-#define EBT_IIN 0x02
-#define EBT_IOUT 0x04
-#define EBT_ISOURCE 0x8
-#define EBT_IDEST 0x10
-#define EBT_ILOGICALIN 0x20
-#define EBT_ILOGICALOUT 0x40
-#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
-   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
-struct ebt_entry_match {
-        union {
-                char name[EBT_FUNCTION_MAXNAMELEN];
-                struct xt_match *match;
-        } u;
-        /* size of data */
-        unsigned int match_size;
-        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-struct ebt_entry_watcher {
-        union {
-                char name[EBT_FUNCTION_MAXNAMELEN];
-                struct xt_target *watcher;
-        } u;
-        /* size of data */
-        unsigned int watcher_size;
-        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-struct ebt_entry_target {
-        union {
-                char name[EBT_FUNCTION_MAXNAMELEN];
-                struct xt_target *target;
-        } u;
-        /* size of data */
-        unsigned int target_size;
-        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-#define EBT_STANDARD_TARGET "standard"
-struct ebt_standard_target {
-        struct ebt_entry_target target;
-        int verdict;
-};
-/* one entry */
-struct ebt_entry {
-        /* this needs to be the first field */
-        unsigned int bitmask;
-        unsigned int invflags;
-        __be16 ethproto;
-        /* the physical in-dev */
-        char in[IFNAMSIZ];
-        /* the logical in-dev */
-        char logical_in[IFNAMSIZ];
-        /* the physical out-dev */
-        char out[IFNAMSIZ];
-        /* the logical out-dev */
-        char logical_out[IFNAMSIZ];
-        unsigned char sourcemac[ETH_ALEN];
-        unsigned char sourcemsk[ETH_ALEN];
-        unsigned char destmac[ETH_ALEN];
-        unsigned char destmsk[ETH_ALEN];
-        /* sizeof ebt_entry + matches */
-        unsigned int watchers_offset;
-        /* sizeof ebt_entry + matches + watchers */
-        unsigned int target_offset;
-        /* sizeof ebt_entry + matches + watchers + target */
-        unsigned int next_offset;
-        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
-};
-/* {g,s}etsockopt numbers */
-#define EBT_BASE_CTL            128
-#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
-#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
-#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
-#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
-#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
-#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
-#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
-#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
-#ifdef __KERNEL__
 /* return values for match() functions */
 #define EBT_MATCH 0
@@ -304,77 +124,4 @@ extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
 /* True if the target is not a standard target */
 #define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
-#endif /* __KERNEL__ */
-/* blatently stolen from ip_tables.h
- * fn returns 0 to continue iteration */
-#define EBT_MATCH_ITERATE(e, fn, args...)                   \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct ebt_entry_match *__match;                    \
-                                                            \
-        for (__i = sizeof(struct ebt_entry);                \
-             __i < (e)->watchers_offset;                    \
-             __i += __match->match_size +                   \
-             sizeof(struct ebt_entry_match)) {              \
-                __match = (void *)(e) + __i;                \
-                                                            \
-                __ret = fn(__match , ## args);              \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->watchers_offset)            \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
-#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct ebt_entry_watcher *__watcher;                \
-                                                            \
-        for (__i = e->watchers_offset;                      \
-             __i < (e)->target_offset;                      \
-             __i += __watcher->watcher_size +               \
-             sizeof(struct ebt_entry_watcher)) {            \
-                __watcher = (void *)(e) + __i;              \
-                                                            \
-                __ret = fn(__watcher , ## args);            \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->target_offset)              \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
-#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct ebt_entry *__entry;                          \
-                                                            \
-        for (__i = 0; __i < (size);) {                      \
-                __entry = (void *)(entries) + __i;          \
-                __ret = fn(__entry , ## args);              \
-                if (__ret != 0)                             \
-                        break;                              \
-                if (__entry->bitmask != 0)                  \
-                        __i += __entry->next_offset;        \
-                else                                        \
-                        __i += sizeof(struct ebt_entries);  \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (size))                          \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
 #endif
diff --git a/include/linux/netfilter_ipv4/Kbuild b/include/linux/netfilter_ipv4/Kbuild
index 8ba0c5b72ea9..e69de29bb2d1 100644
--- a/include/linux/netfilter_ipv4/Kbuild
+++ b/include/linux/netfilter_ipv4/Kbuild
@@ -1,10 +0,0 @@
-header-y += ip_tables.h
-header-y += ipt_CLUSTERIP.h
-header-y += ipt_ECN.h
-header-y += ipt_LOG.h
-header-y += ipt_REJECT.h
-header-y += ipt_TTL.h
-header-y += ipt_ULOG.h
-header-y += ipt_ah.h
-header-y += ipt_ecn.h
-header-y += ipt_ttl.h
diff --git a/include/linux/netfilter_ipv4/ip_tables.h b/include/linux/netfilter_ipv4/ip_tables.h
index db79231914ce..901e84db847d 100644
--- a/include/linux/netfilter_ipv4/ip_tables.h
+++ b/include/linux/netfilter_ipv4/ip_tables.h
@@ -11,230 +11,17 @@
 *      flags are stored in host byte order (of course).
 *      Port numbers are stored in HOST byte order.
 */
 #ifndef _IPTABLES_H
 #define _IPTABLES_H
-#ifdef __KERNEL__
 #include <linux/if.h>
 #include <linux/in.h>
 #include <linux/ip.h>
 #include <linux/skbuff.h>
-#endif
-#include <linux/types.h>
-#include <linux/compiler.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter/x_tables.h>
-#ifndef __KERNEL__
-#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ipt_match xt_match
-#define ipt_target xt_target
-#define ipt_table xt_table
-#define ipt_get_revision xt_get_revision
-#define ipt_entry_match xt_entry_match
-#define ipt_entry_target xt_entry_target
-#define ipt_standard_target xt_standard_target
-#define ipt_error_target xt_error_target
-#define ipt_counters xt_counters
-#define IPT_CONTINUE XT_CONTINUE
-#define IPT_RETURN XT_RETURN
-/* This group is older than old (iptables < v1.4.0-rc1~89) */
-#include <linux/netfilter/xt_tcpudp.h>
-#define ipt_udp xt_udp
-#define ipt_tcp xt_tcp
-#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
-#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
-#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
-#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
-#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
-#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
-#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
-#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
-/* The argument to IPT_SO_ADD_COUNTERS. */
-#define ipt_counters_info xt_counters_info
-/* Standard return verdict, or do jump. */
-#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
-/* Error verdict. */
-#define IPT_ERROR_TARGET XT_ERROR_TARGET
-/* fn returns 0 to continue iteration */
-#define IPT_MATCH_ITERATE(e, fn, args...) \
-        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
-/* fn returns 0 to continue iteration */
-#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
-#endif
-/* Yes, Virginia, you have to zero the padding. */
-struct ipt_ip {
-        /* Source and destination IP addr */
-        struct in_addr src, dst;
-        /* Mask for src and dest IP addr */
-        struct in_addr smsk, dmsk;
-        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-        /* Protocol, 0 = ANY */
-        __u16 proto;
-        /* Flags word */
-        __u8 flags;
-        /* Inverse flags */
-        __u8 invflags;
-};
-/* Values for "flag" field in struct ipt_ip (general ip structure). */
-#define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
-#define IPT_F_GOTO              0x02    /* Set if jump is a goto */
-#define IPT_F_MASK              0x03    /* All possible flag bits mask. */
-/* Values for "inv" field in struct ipt_ip. */
-#define IPT_INV_VIA_IN          0x01    /* Invert the sense of IN IFACE. */
-#define IPT_INV_VIA_OUT         0x02    /* Invert the sense of OUT IFACE */
-#define IPT_INV_TOS             0x04    /* Invert the sense of TOS. */
-#define IPT_INV_SRCIP           0x08    /* Invert the sense of SRC IP. */
-#define IPT_INV_DSTIP           0x10    /* Invert the sense of DST OP. */
-#define IPT_INV_FRAG            0x20    /* Invert the sense of FRAG. */
-#define IPT_INV_PROTO           XT_INV_PROTO
-#define IPT_INV_MASK            0x7F    /* All possible flag bits mask. */
-/* This structure defines each of the firewall rules.  Consists of 3
-   parts which are 1) general IP header stuff 2) match specific
-   stuff 3) the target to perform if the rule matches */
-struct ipt_entry {
-        struct ipt_ip ip;
-        /* Mark with fields that we care about. */
-        unsigned int nfcache;
-        /* Size of ipt_entry + matches */
-        __u16 target_offset;
-        /* Size of ipt_entry + matches + target */
-        __u16 next_offset;
-        /* Back pointer */
-        unsigned int comefrom;
-        /* Packet and byte counters. */
-        struct xt_counters counters;
-        /* The matches (if any), then the target. */
-        unsigned char elems[0];
-};
-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- * Unlike BSD Linux inherits IP options so you don't have to use a raw
- * socket for this. Instead we check rights in the calls.
- *
- * ATTENTION: check linux/in.h before adding new number here.
- */
-#define IPT_BASE_CTL            64
-#define IPT_SO_SET_REPLACE      (IPT_BASE_CTL)
-#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
-#define IPT_SO_SET_MAX          IPT_SO_SET_ADD_COUNTERS
-#define IPT_SO_GET_INFO                 (IPT_BASE_CTL)
-#define IPT_SO_GET_ENTRIES              (IPT_BASE_CTL + 1)
-#define IPT_SO_GET_REVISION_MATCH       (IPT_BASE_CTL + 2)
-#define IPT_SO_GET_REVISION_TARGET      (IPT_BASE_CTL + 3)
-#define IPT_SO_GET_MAX                  IPT_SO_GET_REVISION_TARGET
-/* ICMP matching stuff */
-struct ipt_icmp {
-        __u8 type;                              /* type to match */
-        __u8 code[2];                           /* range of code */
-        __u8 invflags;                          /* Inverse flags */
-};
-/* Values for "inv" field for struct ipt_icmp. */
-#define IPT_ICMP_INV    0x01    /* Invert the sense of type/code test */
-/* The argument to IPT_SO_GET_INFO */
-struct ipt_getinfo {
-        /* Which table: caller fills this in. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* Kernel fills these in. */
-        /* Which hook entry points are valid: bitmask */
-        unsigned int valid_hooks;
-        /* Hook entry points: one per netfilter hook. */
-        unsigned int hook_entry[NF_INET_NUMHOOKS];
-        /* Underflow points. */
-        unsigned int underflow[NF_INET_NUMHOOKS];
-        /* Number of entries */
-        unsigned int num_entries;
-        /* Size of entries. */
-        unsigned int size;
-};
-/* The argument to IPT_SO_SET_REPLACE. */
-struct ipt_replace {
-        /* Which table. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* Which hook entry points are valid: bitmask.  You can't
-           change this. */
-        unsigned int valid_hooks;
-        /* Number of entries */
-        unsigned int num_entries;
-        /* Total size of new entries */
-        unsigned int size;
-        /* Hook entry points. */
-        unsigned int hook_entry[NF_INET_NUMHOOKS];
-        /* Underflow points. */
-        unsigned int underflow[NF_INET_NUMHOOKS];
-        /* Information about old entries: */
-        /* Number of counters (must be equal to current number of entries). */
-        unsigned int num_counters;
-        /* The old entries' counters. */
-        struct xt_counters __user *counters;
-        /* The entries (hang off end: not really an array). */
-        struct ipt_entry entries[0];
-};
-/* The argument to IPT_SO_GET_ENTRIES. */
-struct ipt_get_entries {
-        /* Which table: user fills this in. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* User fills this in: total entry size. */
-        unsigned int size;
-        /* The entries. */
-        struct ipt_entry entrytable[0];
-};
-/* Helper functions */
-static __inline__ struct xt_entry_target *
-ipt_get_target(struct ipt_entry *e)
-{
-        return (void *)e + e->target_offset;
-}
-/*
- *      Main firewall chains definitions and global var's definitions.
- */
-#ifdef __KERNEL__
 #include <linux/init.h>
+#include <uapi/linux/netfilter_ipv4/ip_tables.h>
 extern void ipt_init(void) __init;
 extern struct xt_table *ipt_register_table(struct net *net,
@@ -303,5 +90,4 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
 }
 #endif /* CONFIG_COMPAT */
-#endif /*__KERNEL__*/
 #endif /* _IPTABLES_H */
diff --git a/include/linux/netfilter_ipv6/Kbuild b/include/linux/netfilter_ipv6/Kbuild
index b88c0058bf73..e69de29bb2d1 100644
--- a/include/linux/netfilter_ipv6/Kbuild
+++ b/include/linux/netfilter_ipv6/Kbuild
@@ -1,12 +0,0 @@
-header-y += ip6_tables.h
-header-y += ip6t_HL.h
-header-y += ip6t_LOG.h
-header-y += ip6t_NPT.h
-header-y += ip6t_REJECT.h
-header-y += ip6t_ah.h
-header-y += ip6t_frag.h
-header-y += ip6t_hl.h
-header-y += ip6t_ipv6header.h
-header-y += ip6t_mh.h
-header-y += ip6t_opts.h
-header-y += ip6t_rt.h
diff --git a/include/linux/netfilter_ipv6/ip6_tables.h b/include/linux/netfilter_ipv6/ip6_tables.h
index 08c2cbbaa32b..5f84c6229dc6 100644
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -11,268 +11,17 @@
 *      flags are stored in host byte order (of course).
 *      Port numbers are stored in HOST byte order.
 */
 #ifndef _IP6_TABLES_H
 #define _IP6_TABLES_H
-#ifdef __KERNEL__
 #include <linux/if.h>
 #include <linux/in6.h>
 #include <linux/ipv6.h>
 #include <linux/skbuff.h>
-#endif
-#include <linux/types.h>
-#include <linux/compiler.h>
-#include <linux/netfilter_ipv6.h>
-#include <linux/netfilter/x_tables.h>
-#ifndef __KERNEL__
-#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
-#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
-#define ip6t_match xt_match
-#define ip6t_target xt_target
-#define ip6t_table xt_table
-#define ip6t_get_revision xt_get_revision
-#define ip6t_entry_match xt_entry_match
-#define ip6t_entry_target xt_entry_target
-#define ip6t_standard_target xt_standard_target
-#define ip6t_error_target xt_error_target
-#define ip6t_counters xt_counters
-#define IP6T_CONTINUE XT_CONTINUE
-#define IP6T_RETURN XT_RETURN
-/* Pre-iptables-1.4.0 */
-#include <linux/netfilter/xt_tcpudp.h>
-#define ip6t_tcp xt_tcp
-#define ip6t_udp xt_udp
-#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
-#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
-#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
-#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
-#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
-#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
-#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
-#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
-#define ip6t_counters_info xt_counters_info
-#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
-#define IP6T_ERROR_TARGET XT_ERROR_TARGET
-#define IP6T_MATCH_ITERATE(e, fn, args...) \
-        XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
-#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
-        XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
-#endif
-/* Yes, Virginia, you have to zero the padding. */
-struct ip6t_ip6 {
-        /* Source and destination IP6 addr */
-        struct in6_addr src, dst;               
-        /* Mask for src and dest IP6 addr */
-        struct in6_addr smsk, dmsk;
-        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
-        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
-        /* Upper protocol number
-         * - The allowed value is 0 (any) or protocol number of last parsable
-         *   header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
-         *   the non IPv6 extension headers.
-         * - The protocol numbers of IPv6 extension headers except of ESP and
-         *   MH do not match any packets.
-         * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
-         */
-        __u16 proto;
-        /* TOS to match iff flags & IP6T_F_TOS */
-        __u8 tos;
-        /* Flags word */
-        __u8 flags;
-        /* Inverse flags */
-        __u8 invflags;
-};
-/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
-#define IP6T_F_PROTO            0x01    /* Set if rule cares about upper 
-                                           protocols */
-#define IP6T_F_TOS              0x02    /* Match the TOS. */
-#define IP6T_F_GOTO             0x04    /* Set if jump is a goto */
-#define IP6T_F_MASK             0x07    /* All possible flag bits mask. */
-/* Values for "inv" field in struct ip6t_ip6. */
-#define IP6T_INV_VIA_IN         0x01    /* Invert the sense of IN IFACE. */
-#define IP6T_INV_VIA_OUT                0x02    /* Invert the sense of OUT IFACE */
-#define IP6T_INV_TOS            0x04    /* Invert the sense of TOS. */
-#define IP6T_INV_SRCIP          0x08    /* Invert the sense of SRC IP. */
-#define IP6T_INV_DSTIP          0x10    /* Invert the sense of DST OP. */
-#define IP6T_INV_FRAG           0x20    /* Invert the sense of FRAG. */
-#define IP6T_INV_PROTO          XT_INV_PROTO
-#define IP6T_INV_MASK           0x7F    /* All possible flag bits mask. */
-/* This structure defines each of the firewall rules.  Consists of 3
-   parts which are 1) general IP header stuff 2) match specific
-   stuff 3) the target to perform if the rule matches */
-struct ip6t_entry {
-        struct ip6t_ip6 ipv6;
-        /* Mark with fields that we care about. */
-        unsigned int nfcache;
-        /* Size of ipt_entry + matches */
-        __u16 target_offset;
-        /* Size of ipt_entry + matches + target */
-        __u16 next_offset;
-        /* Back pointer */
-        unsigned int comefrom;
-        /* Packet and byte counters. */
-        struct xt_counters counters;
-        /* The matches (if any), then the target. */
-        unsigned char elems[0];
-};
-/* Standard entry */
-struct ip6t_standard {
-        struct ip6t_entry entry;
-        struct xt_standard_target target;
-};
-struct ip6t_error {
-        struct ip6t_entry entry;
-        struct xt_error_target target;
-};
-#define IP6T_ENTRY_INIT(__size)                                                \
-{                                                                              \
-        .target_offset  = sizeof(struct ip6t_entry),                           \
-        .next_offset    = (__size),                                            \
-}
-#define IP6T_STANDARD_INIT(__verdict)                                          \
-{                                                                              \
-        .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
-        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
-                                         sizeof(struct xt_standard_target)),   \
-        .target.verdict = -(__verdict) - 1,                                    \
-}
-#define IP6T_ERROR_INIT                                                        \
-{                                                                              \
-        .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),          \
-        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
-                                         sizeof(struct xt_error_target)),      \
-        .target.errorname = "ERROR",                                           \
-}
-/*
- * New IP firewall options for [gs]etsockopt at the RAW IP level.
- * Unlike BSD Linux inherits IP options so you don't have to use
- * a raw socket for this. Instead we check rights in the calls.
- *
- * ATTENTION: check linux/in6.h before adding new number here.
- */
-#define IP6T_BASE_CTL                   64
-#define IP6T_SO_SET_REPLACE             (IP6T_BASE_CTL)
-#define IP6T_SO_SET_ADD_COUNTERS        (IP6T_BASE_CTL + 1)
-#define IP6T_SO_SET_MAX                 IP6T_SO_SET_ADD_COUNTERS
-#define IP6T_SO_GET_INFO                (IP6T_BASE_CTL)
-#define IP6T_SO_GET_ENTRIES             (IP6T_BASE_CTL + 1)
-#define IP6T_SO_GET_REVISION_MATCH      (IP6T_BASE_CTL + 4)
-#define IP6T_SO_GET_REVISION_TARGET     (IP6T_BASE_CTL + 5)
-#define IP6T_SO_GET_MAX                 IP6T_SO_GET_REVISION_TARGET
-/* ICMP matching stuff */
-struct ip6t_icmp {
-        __u8 type;                              /* type to match */
-        __u8 code[2];                           /* range of code */
-        __u8 invflags;                          /* Inverse flags */
-};
-/* Values for "inv" field for struct ipt_icmp. */
-#define IP6T_ICMP_INV   0x01    /* Invert the sense of type/code test */
-/* The argument to IP6T_SO_GET_INFO */
-struct ip6t_getinfo {
-        /* Which table: caller fills this in. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* Kernel fills these in. */
-        /* Which hook entry points are valid: bitmask */
-        unsigned int valid_hooks;
-        /* Hook entry points: one per netfilter hook. */
-        unsigned int hook_entry[NF_INET_NUMHOOKS];
-        /* Underflow points. */
-        unsigned int underflow[NF_INET_NUMHOOKS];
-        /* Number of entries */
-        unsigned int num_entries;
-        /* Size of entries. */
-        unsigned int size;
-};
-/* The argument to IP6T_SO_SET_REPLACE. */
-struct ip6t_replace {
-        /* Which table. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* Which hook entry points are valid: bitmask.  You can't
-           change this. */
-        unsigned int valid_hooks;
-        /* Number of entries */
-        unsigned int num_entries;
-        /* Total size of new entries */
-        unsigned int size;
-        /* Hook entry points. */
-        unsigned int hook_entry[NF_INET_NUMHOOKS];
-        /* Underflow points. */
-        unsigned int underflow[NF_INET_NUMHOOKS];
-        /* Information about old entries: */
-        /* Number of counters (must be equal to current number of entries). */
-        unsigned int num_counters;
-        /* The old entries' counters. */
-        struct xt_counters __user *counters;
-        /* The entries (hang off end: not really an array). */
-        struct ip6t_entry entries[0];
-};
-/* The argument to IP6T_SO_GET_ENTRIES. */
-struct ip6t_get_entries {
-        /* Which table: user fills this in. */
-        char name[XT_TABLE_MAXNAMELEN];
-        /* User fills this in: total entry size. */
-        unsigned int size;
-        /* The entries. */
-        struct ip6t_entry entrytable[0];
-};
-/* Helper functions */
-static __inline__ struct xt_entry_target *
-ip6t_get_target(struct ip6t_entry *e)
-{
-        return (void *)e + e->target_offset;
-}
-/*
- *      Main firewall chains definitions and global var's definitions.
- */
-#ifdef __KERNEL__
 #include <linux/init.h>
+#include <uapi/linux/netfilter_ipv6/ip6_tables.h>
 extern void ip6t_init(void) __init;
 extern void *ip6t_alloc_initial_table(const struct xt_table *);
@@ -327,5 +76,4 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
 }
 #endif /* CONFIG_COMPAT */
-#endif /*__KERNEL__*/
 #endif /* _IP6_TABLES_H */
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index f80c56ac4d82..6d3af05c107c 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -245,6 +245,8 @@ struct netlink_callback {
                                        struct netlink_callback *cb);
        int                     (*done)(struct netlink_callback *cb);
        void                    *data;
+        /* the module that dump function belong to */
+        struct module           *module;
        u16                     family;
        u16                     min_dump_alloc;
        unsigned int            prev_seq, seq;
@@ -262,14 +264,24 @@ __nlmsg_put(struct sk_buff *skb, u32 portid, u32 seq, int type, int len, int fla
 struct netlink_dump_control {
        int (*dump)(struct sk_buff *skb, struct netlink_callback *);
-        int (*done)(struct netlink_callback*);
+        int (*done)(struct netlink_callback *);
        void *data;
+        struct module *module;
        u16 min_dump_alloc;
 };
-extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+extern int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
-                              const struct nlmsghdr *nlh,
+                                const struct nlmsghdr *nlh,
-                              struct netlink_dump_control *control);
+                                struct netlink_dump_control *control);
+static inline int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+                                     const struct nlmsghdr *nlh,
+                                     struct netlink_dump_control *control)
+{
+        if (!control->module)
+                control->module = THIS_MODULE;
+        return __netlink_dump_start(ssk, skb, nlh, control);
+}
 #endif /* __KERNEL__ */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index b33a3a1f205e..6a2c34e6d962 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -589,9 +589,6 @@ static inline struct sk_buff *alloc_skb_fclone(unsigned int size,
        return __alloc_skb(size, priority, SKB_ALLOC_FCLONE, NUMA_NO_NODE);
 }
-extern void skb_recycle(struct sk_buff *skb);
-extern bool skb_recycle_check(struct sk_buff *skb, int skb_size);
 extern struct sk_buff *skb_morph(struct sk_buff *dst, struct sk_buff *src);
 extern int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask);
 extern struct sk_buff *skb_clone(struct sk_buff *skb,
@@ -2645,27 +2642,6 @@ static inline void skb_checksum_none_assert(const struct sk_buff *skb)
 bool skb_partial_csum_set(struct sk_buff *skb, u16 start, u16 off);
-static inline bool skb_is_recycleable(const struct sk_buff *skb, int skb_size)
-{
-        if (irqs_disabled())
-                return false;
-        if (skb_shinfo(skb)->tx_flags & SKBTX_DEV_ZEROCOPY)
-                return false;
-        if (skb_is_nonlinear(skb) || skb->fclone != SKB_FCLONE_UNAVAILABLE)
-                return false;
-        skb_size = SKB_DATA_ALIGN(skb_size + NET_SKB_PAD);
-        if (skb_end_offset(skb) < skb_size)
-                return false;
-        if (skb_shared(skb) || skb_cloned(skb))
-                return false;
-        return true;
-}
 /**
 * skb_head_is_locked - Determine if the skb->head is locked down
 * @skb: skb to check
diff --git a/include/linux/tc_act/Kbuild b/include/linux/tc_act/Kbuild
index 67b501c302b2..e69de29bb2d1 100644
--- a/include/linux/tc_act/Kbuild
+++ b/include/linux/tc_act/Kbuild
@@ -1,7 +0,0 @@
-header-y += tc_gact.h
-header-y += tc_ipt.h
-header-y += tc_mirred.h
-header-y += tc_pedit.h
-header-y += tc_nat.h
-header-y += tc_skbedit.h
-header-y += tc_csum.h
diff --git a/include/linux/tc_ematch/Kbuild b/include/linux/tc_ematch/Kbuild
index 4a58a1c32a00..e69de29bb2d1 100644
--- a/include/linux/tc_ematch/Kbuild
+++ b/include/linux/tc_ematch/Kbuild
@@ -1,4 +0,0 @@
-header-y += tc_em_cmp.h
-header-y += tc_em_meta.h
-header-y += tc_em_nbyte.h
-header-y += tc_em_text.h
diff --git a/include/net/flow.h b/include/net/flow.h
index e1dd5082ec7e..628e11b98c58 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -21,6 +21,7 @@ struct flowi_common {
        __u8    flowic_flags;
 #define FLOWI_FLAG_ANYSRC               0x01
 #define FLOWI_FLAG_CAN_SLEEP            0x02
+#define FLOWI_FLAG_KNOWN_NH             0x04
        __u32   flowic_secid;
 };
diff --git a/include/net/route.h b/include/net/route.h
index da22243d2760..bc40b633a5c4 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -48,7 +48,8 @@ struct rtable {
        int                     rt_genid;
        unsigned int            rt_flags;
        __u16                   rt_type;
-        __u16                   rt_is_input;
+        __u8                    rt_is_input;
+        __u8                    rt_uses_gateway;
        int                     rt_iif;
diff --git a/include/rdma/rdma_netlink.h b/include/rdma/rdma_netlink.h
index 3c5363ab867b..bd3d8b24b420 100644
--- a/include/rdma/rdma_netlink.h
+++ b/include/rdma/rdma_netlink.h
@@ -39,6 +39,7 @@ struct rdma_cm_id_stats {
 struct ibnl_client_cbs {
        int (*dump)(struct sk_buff *skb, struct netlink_callback *nlcb);
+        struct module *module;
 };
 int ibnl_init(void);
diff --git a/include/uapi/linux/caif/Kbuild b/include/uapi/linux/caif/Kbuild
index aafaa5aa54d4..43396612d3a3 100644
--- a/include/uapi/linux/caif/Kbuild
+++ b/include/uapi/linux/caif/Kbuild
@@ -1 +1,3 @@
 # UAPI Header export list
+header-y += caif_socket.h
+header-y += if_caif.h
diff --git a/include/linux/caif/caif_socket.h b/include/uapi/linux/caif/caif_socket.h
index 3f3bac6af7bc..3f3bac6af7bc 100644
--- a/include/linux/caif/caif_socket.h
+++ b/include/uapi/linux/caif/caif_socket.h
diff --git a/include/linux/caif/if_caif.h b/include/uapi/linux/caif/if_caif.h
index 5e7eed4edf51..5e7eed4edf51 100644
--- a/include/linux/caif/if_caif.h
+++ b/include/uapi/linux/caif/if_caif.h
diff --git a/include/uapi/linux/isdn/Kbuild b/include/uapi/linux/isdn/Kbuild
index aafaa5aa54d4..89e52850bf29 100644
--- a/include/uapi/linux/isdn/Kbuild
+++ b/include/uapi/linux/isdn/Kbuild
@@ -1 +1,2 @@
 # UAPI Header export list
+header-y += capicmd.h
diff --git a/include/linux/isdn/capicmd.h b/include/uapi/linux/isdn/capicmd.h
index b58635f722da..b58635f722da 100644
--- a/include/linux/isdn/capicmd.h
+++ b/include/uapi/linux/isdn/capicmd.h
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 4afbace8e869..08f555fef13f 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -1,2 +1,78 @@
 # UAPI Header export list
 header-y += ipset/
+header-y += nf_conntrack_common.h
+header-y += nf_conntrack_ftp.h
+header-y += nf_conntrack_sctp.h
+header-y += nf_conntrack_tcp.h
+header-y += nf_conntrack_tuple_common.h
+header-y += nf_nat.h
+header-y += nfnetlink.h
+header-y += nfnetlink_acct.h
+header-y += nfnetlink_compat.h
+header-y += nfnetlink_conntrack.h
+header-y += nfnetlink_cthelper.h
+header-y += nfnetlink_cttimeout.h
+header-y += nfnetlink_log.h
+header-y += nfnetlink_queue.h
+header-y += x_tables.h
+header-y += xt_AUDIT.h
+header-y += xt_CHECKSUM.h
+header-y += xt_CLASSIFY.h
+header-y += xt_CONNMARK.h
+header-y += xt_CONNSECMARK.h
+header-y += xt_CT.h
+header-y += xt_DSCP.h
+header-y += xt_IDLETIMER.h
+header-y += xt_LED.h
+header-y += xt_LOG.h
+header-y += xt_MARK.h
+header-y += xt_NFLOG.h
+header-y += xt_NFQUEUE.h
+header-y += xt_RATEEST.h
+header-y += xt_SECMARK.h
+header-y += xt_TCPMSS.h
+header-y += xt_TCPOPTSTRIP.h
+header-y += xt_TEE.h
+header-y += xt_TPROXY.h
+header-y += xt_addrtype.h
+header-y += xt_cluster.h
+header-y += xt_comment.h
+header-y += xt_connbytes.h
+header-y += xt_connlimit.h
+header-y += xt_connmark.h
+header-y += xt_conntrack.h
+header-y += xt_cpu.h
+header-y += xt_dccp.h
+header-y += xt_devgroup.h
+header-y += xt_dscp.h
+header-y += xt_ecn.h
+header-y += xt_esp.h
+header-y += xt_hashlimit.h
+header-y += xt_helper.h
+header-y += xt_iprange.h
+header-y += xt_ipvs.h
+header-y += xt_length.h
+header-y += xt_limit.h
+header-y += xt_mac.h
+header-y += xt_mark.h
+header-y += xt_multiport.h
+header-y += xt_nfacct.h
+header-y += xt_osf.h
+header-y += xt_owner.h
+header-y += xt_physdev.h
+header-y += xt_pkttype.h
+header-y += xt_policy.h
+header-y += xt_quota.h
+header-y += xt_rateest.h
+header-y += xt_realm.h
+header-y += xt_recent.h
+header-y += xt_sctp.h
+header-y += xt_set.h
+header-y += xt_socket.h
+header-y += xt_state.h
+header-y += xt_statistic.h
+header-y += xt_string.h
+header-y += xt_tcpmss.h
+header-y += xt_tcpudp.h
+header-y += xt_time.h
+header-y += xt_u32.h
diff --git a/include/uapi/linux/netfilter/ipset/Kbuild b/include/uapi/linux/netfilter/ipset/Kbuild
index aafaa5aa54d4..d2680423d9ab 100644
--- a/include/uapi/linux/netfilter/ipset/Kbuild
+++ b/include/uapi/linux/netfilter/ipset/Kbuild
@@ -1 +1,5 @@
 # UAPI Header export list
+header-y += ip_set.h
+header-y += ip_set_bitmap.h
+header-y += ip_set_hash.h
+header-y += ip_set_list.h
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
new file mode 100644
index 000000000000..fbee42807a11
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -0,0 +1,231 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef _UAPI_IP_SET_H
+#define _UAPI_IP_SET_H
+#include <linux/types.h>
+/* The protocol version */
+#define IPSET_PROTOCOL          6
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN        32
+/* Message types and commands */
+enum ipset_cmd {
+        IPSET_CMD_NONE,
+        IPSET_CMD_PROTOCOL,     /* 1: Return protocol version */
+        IPSET_CMD_CREATE,       /* 2: Create a new (empty) set */
+        IPSET_CMD_DESTROY,      /* 3: Destroy a (empty) set */
+        IPSET_CMD_FLUSH,        /* 4: Remove all elements from a set */
+        IPSET_CMD_RENAME,       /* 5: Rename a set */
+        IPSET_CMD_SWAP,         /* 6: Swap two sets */
+        IPSET_CMD_LIST,         /* 7: List sets */
+        IPSET_CMD_SAVE,         /* 8: Save sets */
+        IPSET_CMD_ADD,          /* 9: Add an element to a set */
+        IPSET_CMD_DEL,          /* 10: Delete an element from a set */
+        IPSET_CMD_TEST,         /* 11: Test an element in a set */
+        IPSET_CMD_HEADER,       /* 12: Get set header data only */
+        IPSET_CMD_TYPE,         /* 13: Get set type */
+        IPSET_MSG_MAX,          /* Netlink message commands */
+        /* Commands in userspace: */
+        IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
+        IPSET_CMD_HELP,         /* 15: Get help */
+        IPSET_CMD_VERSION,      /* 16: Get program version */
+        IPSET_CMD_QUIT,         /* 17: Quit from interactive mode */
+        IPSET_CMD_MAX,
+        IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
+};
+/* Attributes at command level */
+enum {
+        IPSET_ATTR_UNSPEC,
+        IPSET_ATTR_PROTOCOL,    /* 1: Protocol version */
+        IPSET_ATTR_SETNAME,     /* 2: Name of the set */
+        IPSET_ATTR_TYPENAME,    /* 3: Typename */
+        IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
+        IPSET_ATTR_REVISION,    /* 4: Settype revision */
+        IPSET_ATTR_FAMILY,      /* 5: Settype family */
+        IPSET_ATTR_FLAGS,       /* 6: Flags at command level */
+        IPSET_ATTR_DATA,        /* 7: Nested attributes */
+        IPSET_ATTR_ADT,         /* 8: Multiple data containers */
+        IPSET_ATTR_LINENO,      /* 9: Restore lineno */
+        IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
+        IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+        __IPSET_ATTR_CMD_MAX,
+};
+#define IPSET_ATTR_CMD_MAX      (__IPSET_ATTR_CMD_MAX - 1)
+/* CADT specific attributes */
+enum {
+        IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
+        IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
+        IPSET_ATTR_IP_TO,       /* 2 */
+        IPSET_ATTR_CIDR,        /* 3 */
+        IPSET_ATTR_PORT,        /* 4 */
+        IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
+        IPSET_ATTR_PORT_TO,     /* 5 */
+        IPSET_ATTR_TIMEOUT,     /* 6 */
+        IPSET_ATTR_PROTO,       /* 7 */
+        IPSET_ATTR_CADT_FLAGS,  /* 8 */
+        IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,     /* 9 */
+        /* Reserve empty slots */
+        IPSET_ATTR_CADT_MAX = 16,
+        /* Create-only specific attributes */
+        IPSET_ATTR_GC,
+        IPSET_ATTR_HASHSIZE,
+        IPSET_ATTR_MAXELEM,
+        IPSET_ATTR_NETMASK,
+        IPSET_ATTR_PROBES,
+        IPSET_ATTR_RESIZE,
+        IPSET_ATTR_SIZE,
+        /* Kernel-only */
+        IPSET_ATTR_ELEMENTS,
+        IPSET_ATTR_REFERENCES,
+        IPSET_ATTR_MEMSIZE,
+        __IPSET_ATTR_CREATE_MAX,
+};
+#define IPSET_ATTR_CREATE_MAX   (__IPSET_ATTR_CREATE_MAX - 1)
+/* ADT specific attributes */
+enum {
+        IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
+        IPSET_ATTR_NAME,
+        IPSET_ATTR_NAMEREF,
+        IPSET_ATTR_IP2,
+        IPSET_ATTR_CIDR2,
+        IPSET_ATTR_IP2_TO,
+        IPSET_ATTR_IFACE,
+        __IPSET_ATTR_ADT_MAX,
+};
+#define IPSET_ATTR_ADT_MAX      (__IPSET_ATTR_ADT_MAX - 1)
+/* IP specific attributes */
+enum {
+        IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
+        IPSET_ATTR_IPADDR_IPV6,
+        __IPSET_ATTR_IPADDR_MAX,
+};
+#define IPSET_ATTR_IPADDR_MAX   (__IPSET_ATTR_IPADDR_MAX - 1)
+/* Error codes */
+enum ipset_errno {
+        IPSET_ERR_PRIVATE = 4096,
+        IPSET_ERR_PROTOCOL,
+        IPSET_ERR_FIND_TYPE,
+        IPSET_ERR_MAX_SETS,
+        IPSET_ERR_BUSY,
+        IPSET_ERR_EXIST_SETNAME2,
+        IPSET_ERR_TYPE_MISMATCH,
+        IPSET_ERR_EXIST,
+        IPSET_ERR_INVALID_CIDR,
+        IPSET_ERR_INVALID_NETMASK,
+        IPSET_ERR_INVALID_FAMILY,
+        IPSET_ERR_TIMEOUT,
+        IPSET_ERR_REFERENCED,
+        IPSET_ERR_IPADDR_IPV4,
+        IPSET_ERR_IPADDR_IPV6,
+        /* Type specific error codes */
+        IPSET_ERR_TYPE_SPECIFIC = 4352,
+};
+/* Flags at command level */
+enum ipset_cmd_flags {
+        IPSET_FLAG_BIT_EXIST    = 0,
+        IPSET_FLAG_EXIST        = (1 << IPSET_FLAG_BIT_EXIST),
+        IPSET_FLAG_BIT_LIST_SETNAME = 1,
+        IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME),
+        IPSET_FLAG_BIT_LIST_HEADER = 2,
+        IPSET_FLAG_LIST_HEADER  = (1 << IPSET_FLAG_BIT_LIST_HEADER),
+        IPSET_FLAG_CMD_MAX = 15,        /* Lower half */
+};
+/* Flags at CADT attribute level */
+enum ipset_cadt_flags {
+        IPSET_FLAG_BIT_BEFORE   = 0,
+        IPSET_FLAG_BEFORE       = (1 << IPSET_FLAG_BIT_BEFORE),
+        IPSET_FLAG_BIT_PHYSDEV  = 1,
+        IPSET_FLAG_PHYSDEV      = (1 << IPSET_FLAG_BIT_PHYSDEV),
+        IPSET_FLAG_BIT_NOMATCH  = 2,
+        IPSET_FLAG_NOMATCH      = (1 << IPSET_FLAG_BIT_NOMATCH),
+        IPSET_FLAG_CADT_MAX     = 15,   /* Upper half */
+};
+/* Commands with settype-specific attributes */
+enum ipset_adt {
+        IPSET_ADD,
+        IPSET_DEL,
+        IPSET_TEST,
+        IPSET_ADT_MAX,
+        IPSET_CREATE = IPSET_ADT_MAX,
+        IPSET_CADT_MAX,
+};
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef __u16 ip_set_id_t;
+#define IPSET_INVALID_ID                65535
+enum ip_set_dim {
+        IPSET_DIM_ZERO = 0,
+        IPSET_DIM_ONE,
+        IPSET_DIM_TWO,
+        IPSET_DIM_THREE,
+        /* Max dimension in elements.
+         * If changed, new revision of iptables match/target is required.
+         */
+        IPSET_DIM_MAX = 6,
+        IPSET_BIT_RETURN_NOMATCH = 7,
+};
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+        IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+        IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+        IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+        IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+        IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
+};
+/* Interface to iptables/ip6tables */
+#define SO_IP_SET               83
+union ip_set_name_index {
+        char name[IPSET_MAXNAMELEN];
+        ip_set_id_t index;
+};
+#define IP_SET_OP_GET_BYNAME    0x00000006      /* Get set index by name */
+struct ip_set_req_get_set {
+        unsigned int op;
+        unsigned int version;
+        union ip_set_name_index set;
+};
+#define IP_SET_OP_GET_BYINDEX   0x00000007      /* Get set name by index */
+/* Uses ip_set_req_get_set */
+#define IP_SET_OP_VERSION       0x00000100      /* Ask kernel version */
+struct ip_set_req_version {
+        unsigned int op;
+        unsigned int version;
+};
+#endif /* _UAPI_IP_SET_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h
new file mode 100644
index 000000000000..6a2c038d1888
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h
@@ -0,0 +1,13 @@
+#ifndef _UAPI__IP_SET_BITMAP_H
+#define _UAPI__IP_SET_BITMAP_H
+/* Bitmap type specific error codes */
+enum {
+        /* The element is out of the range of the set */
+        IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
+        /* The range exceeds the size limit of the set type */
+        IPSET_ERR_BITMAP_RANGE_SIZE,
+};
+#endif /* _UAPI__IP_SET_BITMAP_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_hash.h b/include/uapi/linux/netfilter/ipset/ip_set_hash.h
new file mode 100644
index 000000000000..352eeccdc7f2
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_hash.h
@@ -0,0 +1,21 @@
+#ifndef _UAPI__IP_SET_HASH_H
+#define _UAPI__IP_SET_HASH_H
+/* Hash type specific error codes */
+enum {
+        /* Hash is full */
+        IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
+        /* Null-valued element */
+        IPSET_ERR_HASH_ELEM,
+        /* Invalid protocol */
+        IPSET_ERR_INVALID_PROTO,
+        /* Protocol missing but must be specified */
+        IPSET_ERR_MISSING_PROTO,
+        /* Range not supported */
+        IPSET_ERR_HASH_RANGE_UNSUPPORTED,
+        /* Invalid range */
+        IPSET_ERR_HASH_RANGE,
+};
+#endif /* _UAPI__IP_SET_HASH_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_list.h b/include/uapi/linux/netfilter/ipset/ip_set_list.h
new file mode 100644
index 000000000000..a44efaa98213
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_list.h
@@ -0,0 +1,21 @@
+#ifndef _UAPI__IP_SET_LIST_H
+#define _UAPI__IP_SET_LIST_H
+/* List type specific error codes */
+enum {
+        /* Set name to be added/deleted/tested does not exist. */
+        IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
+        /* list:set type is not permitted to add */
+        IPSET_ERR_LOOP,
+        /* Missing reference set */
+        IPSET_ERR_BEFORE,
+        /* Reference set does not exist */
+        IPSET_ERR_NAMEREF,
+        /* Set is full */
+        IPSET_ERR_LIST_FULL,
+        /* Reference set is not added to the set */
+        IPSET_ERR_REF_EXIST,
+};
+#endif /* _UAPI__IP_SET_LIST_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 000000000000..1644cdd8be91
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,117 @@
+#ifndef _UAPI_NF_CONNTRACK_COMMON_H
+#define _UAPI_NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info {
+        /* Part of an established connection (either direction). */
+        IP_CT_ESTABLISHED,
+        /* Like NEW, but related to an existing connection, or ICMP error
+           (in either direction). */
+        IP_CT_RELATED,
+        /* Started a new connection to track (only
+           IP_CT_DIR_ORIGINAL); may be a retransmission. */
+        IP_CT_NEW,
+        /* >= this indicates reply direction */
+        IP_CT_IS_REPLY,
+        IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+        IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+        IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,   
+        /* Number of distinct IP_CT types (no NEW in reply dirn). */
+        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+        /* It's an expected connection: bit 0 set.  This bit never changed */
+        IPS_EXPECTED_BIT = 0,
+        IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+        /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
+        IPS_SEEN_REPLY_BIT = 1,
+        IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+        /* Conntrack should never be early-expired. */
+        IPS_ASSURED_BIT = 2,
+        IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+        /* Connection is confirmed: originating packet has left box */
+        IPS_CONFIRMED_BIT = 3,
+        IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+        /* Connection needs src nat in orig dir.  This bit never changed. */
+        IPS_SRC_NAT_BIT = 4,
+        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+        /* Connection needs dst nat in orig dir.  This bit never changed. */
+        IPS_DST_NAT_BIT = 5,
+        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+        /* Both together. */
+        IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+        /* Connection needs TCP sequence adjusted. */
+        IPS_SEQ_ADJUST_BIT = 6,
+        IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+        /* NAT initialization bits. */
+        IPS_SRC_NAT_DONE_BIT = 7,
+        IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+        IPS_DST_NAT_DONE_BIT = 8,
+        IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+        /* Both together */
+        IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+        /* Connection is dying (removed from lists), can not be unset. */
+        IPS_DYING_BIT = 9,
+        IPS_DYING = (1 << IPS_DYING_BIT),
+        /* Connection has fixed timeout. */
+        IPS_FIXED_TIMEOUT_BIT = 10,
+        IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+        /* Conntrack is a template */
+        IPS_TEMPLATE_BIT = 11,
+        IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+        /* Conntrack is a fake untracked entry */
+        IPS_UNTRACKED_BIT = 12,
+        IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+        /* Conntrack got a helper explicitly attached via CT target. */
+        IPS_HELPER_BIT = 13,
+        IPS_HELPER = (1 << IPS_HELPER_BIT),
+};
+/* Connection tracking event types */
+enum ip_conntrack_events {
+        IPCT_NEW,               /* new conntrack */
+        IPCT_RELATED,           /* related conntrack */
+        IPCT_DESTROY,           /* destroyed conntrack */
+        IPCT_REPLY,             /* connection has seen two-way traffic */
+        IPCT_ASSURED,           /* connection status has changed to assured */
+        IPCT_PROTOINFO,         /* protocol information has changed */
+        IPCT_HELPER,            /* new helper has been set */
+        IPCT_MARK,              /* new mark has been set */
+        IPCT_NATSEQADJ,         /* NAT is doing sequence adjustment */
+        IPCT_SECMARK,           /* new security mark has been set */
+};
+enum ip_conntrack_expect_events {
+        IPEXP_NEW,              /* new expectation */
+        IPEXP_DESTROY,          /* destroyed expectation */
+};
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT          0x1
+#define NF_CT_EXPECT_INACTIVE           0x2
+#define NF_CT_EXPECT_USERSPACE          0x4
+#endif /* _UAPI_NF_CONNTRACK_COMMON_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644
index 000000000000..1030315a41b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
@@ -0,0 +1,18 @@
+#ifndef _UAPI_NF_CONNTRACK_FTP_H
+#define _UAPI_NF_CONNTRACK_FTP_H
+/* FTP tracking. */
+/* This enum is exposed to userspace */
+enum nf_ct_ftp_type {
+        /* PORT command from client */
+        NF_CT_FTP_PORT,
+        /* PASV response from server */
+        NF_CT_FTP_PASV,
+        /* EPRT command from client */
+        NF_CT_FTP_EPRT,
+        /* EPSV response from server */
+        NF_CT_FTP_EPSV,
+};
+#endif /* _UAPI_NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
index ceeefe6681b5..ceeefe6681b5 100644
--- a/include/linux/netfilter/nf_conntrack_sctp.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 000000000000..9993a421201c
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
@@ -0,0 +1,51 @@
+#ifndef _UAPI_NF_CONNTRACK_TCP_H
+#define _UAPI_NF_CONNTRACK_TCP_H
+/* TCP tracking. */
+#include <linux/types.h>
+/* This is exposed to userspace (ctnetlink) */
+enum tcp_conntrack {
+        TCP_CONNTRACK_NONE,
+        TCP_CONNTRACK_SYN_SENT,
+        TCP_CONNTRACK_SYN_RECV,
+        TCP_CONNTRACK_ESTABLISHED,
+        TCP_CONNTRACK_FIN_WAIT,
+        TCP_CONNTRACK_CLOSE_WAIT,
+        TCP_CONNTRACK_LAST_ACK,
+        TCP_CONNTRACK_TIME_WAIT,
+        TCP_CONNTRACK_CLOSE,
+        TCP_CONNTRACK_LISTEN,   /* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
+        TCP_CONNTRACK_MAX,
+        TCP_CONNTRACK_IGNORE,
+        TCP_CONNTRACK_RETRANS,
+        TCP_CONNTRACK_UNACK,
+        TCP_CONNTRACK_TIMEOUT_MAX
+};
+/* Window scaling is advertised by the sender */
+#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01
+/* SACK is permitted by the sender */
+#define IP_CT_TCP_FLAG_SACK_PERM                0x02
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT               0x04
+/* Be liberal in window checking */
+#define IP_CT_TCP_FLAG_BE_LIBERAL               0x08
+/* Has unacknowledged data */
+#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED      0x10
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET               0x20
+struct nf_ct_tcp_flags {
+        __u8 flags;
+        __u8 mask;
+};
+#endif /* _UAPI_NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
index 2f6bbc5b8125..2f6bbc5b8125 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
diff --git a/include/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
index bf0cc373ffb6..bf0cc373ffb6 100644
--- a/include/linux/netfilter/nf_nat.h
+++ b/include/uapi/linux/netfilter/nf_nat.h
diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
new file mode 100644
index 000000000000..4a4efafad5f4
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -0,0 +1,56 @@
+#ifndef _UAPI_NFNETLINK_H
+#define _UAPI_NFNETLINK_H
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink_compat.h>
+enum nfnetlink_groups {
+        NFNLGRP_NONE,
+#define NFNLGRP_NONE                    NFNLGRP_NONE
+        NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW           NFNLGRP_CONNTRACK_NEW
+        NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE        NFNLGRP_CONNTRACK_UPDATE
+        NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY       NFNLGRP_CONNTRACK_DESTROY
+        NFNLGRP_CONNTRACK_EXP_NEW,
+#define NFNLGRP_CONNTRACK_EXP_NEW       NFNLGRP_CONNTRACK_EXP_NEW
+        NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE    NFNLGRP_CONNTRACK_EXP_UPDATE
+        NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY   NFNLGRP_CONNTRACK_EXP_DESTROY
+        __NFNLGRP_MAX,
+};
+#define NFNLGRP_MAX     (__NFNLGRP_MAX - 1)
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
+        __u8  nfgen_family;             /* AF_xxx */
+        __u8  version;          /* nfnetlink version */
+        __be16    res_id;               /* resource id */
+};
+#define NFNETLINK_V0    0
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+#define NFNL_SUBSYS_ID(x)       ((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x)        (x & 0x00ff)
+/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
+ * won't work anymore */
+#define NFNL_SUBSYS_NONE                0
+#define NFNL_SUBSYS_CTNETLINK           1
+#define NFNL_SUBSYS_CTNETLINK_EXP       2
+#define NFNL_SUBSYS_QUEUE               3
+#define NFNL_SUBSYS_ULOG                4
+#define NFNL_SUBSYS_OSF                 5
+#define NFNL_SUBSYS_IPSET               6
+#define NFNL_SUBSYS_ACCT                7
+#define NFNL_SUBSYS_CTNETLINK_TIMEOUT   8
+#define NFNL_SUBSYS_CTHELPER            9
+#define NFNL_SUBSYS_COUNT               10
+#endif /* _UAPI_NFNETLINK_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h
new file mode 100644
index 000000000000..c7b6269e760b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_acct.h
@@ -0,0 +1,27 @@
+#ifndef _UAPI_NFNL_ACCT_H_
+#define _UAPI_NFNL_ACCT_H_
+#ifndef NFACCT_NAME_MAX
+#define NFACCT_NAME_MAX         32
+#endif
+enum nfnl_acct_msg_types {
+        NFNL_MSG_ACCT_NEW,
+        NFNL_MSG_ACCT_GET,
+        NFNL_MSG_ACCT_GET_CTRZERO,
+        NFNL_MSG_ACCT_DEL,
+        NFNL_MSG_ACCT_MAX
+};
+enum nfnl_acct_type {
+        NFACCT_UNSPEC,
+        NFACCT_NAME,
+        NFACCT_PKTS,
+        NFACCT_BYTES,
+        NFACCT_USE,
+        __NFACCT_MAX
+};
+#define NFACCT_MAX (__NFACCT_MAX - 1)
+#endif /* _UAPI_NFNL_ACCT_H_ */
diff --git a/include/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h
index ffb95036bbd4..ffb95036bbd4 100644
--- a/include/linux/netfilter/nfnetlink_compat.h
+++ b/include/uapi/linux/netfilter/nfnetlink_compat.h
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
index 43bfe3e1685b..43bfe3e1685b 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
index 33659f6fad3e..33659f6fad3e 100644
--- a/include/linux/netfilter/nfnetlink_cthelper.h
+++ b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
index a2810a7c5e30..a2810a7c5e30 100644
--- a/include/linux/netfilter/nfnetlink_cttimeout.h
+++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
diff --git a/include/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
index 90c2c9575bac..90c2c9575bac 100644
--- a/include/linux/netfilter/nfnetlink_log.h
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index 70ec8c2bc11a..70ec8c2bc11a 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h
new file mode 100644
index 000000000000..c36969b91533
--- /dev/null
+++ b/include/uapi/linux/netfilter/x_tables.h
@@ -0,0 +1,187 @@
+#ifndef _UAPI_X_TABLES_H
+#define _UAPI_X_TABLES_H
+#include <linux/kernel.h>
+#include <linux/types.h>
+#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_EXTENSION_MAXNAMELEN 29
+#define XT_TABLE_MAXNAMELEN 32
+struct xt_entry_match {
+        union {
+                struct {
+                        __u16 match_size;
+                        /* Used by userspace */
+                        char name[XT_EXTENSION_MAXNAMELEN];
+                        __u8 revision;
+                } user;
+                struct {
+                        __u16 match_size;
+                        /* Used inside the kernel */
+                        struct xt_match *match;
+                } kernel;
+                /* Total length */
+                __u16 match_size;
+        } u;
+        unsigned char data[0];
+};
+struct xt_entry_target {
+        union {
+                struct {
+                        __u16 target_size;
+                        /* Used by userspace */
+                        char name[XT_EXTENSION_MAXNAMELEN];
+                        __u8 revision;
+                } user;
+                struct {
+                        __u16 target_size;
+                        /* Used inside the kernel */
+                        struct xt_target *target;
+                } kernel;
+                /* Total length */
+                __u16 target_size;
+        } u;
+        unsigned char data[0];
+};
+#define XT_TARGET_INIT(__name, __size)                                         \
+{                                                                              \
+        .target.u.user = {                                                     \
+                .target_size    = XT_ALIGN(__size),                            \
+                .name           = __name,                                      \
+        },                                                                     \
+}
+struct xt_standard_target {
+        struct xt_entry_target target;
+        int verdict;
+};
+struct xt_error_target {
+        struct xt_entry_target target;
+        char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
+ * kernel supports, if >= revision. */
+struct xt_get_revision {
+        char name[XT_EXTENSION_MAXNAMELEN];
+        __u8 revision;
+};
+/* CONTINUE verdict for targets */
+#define XT_CONTINUE 0xFFFFFFFF
+/* For standard target */
+#define XT_RETURN (-NF_REPEAT - 1)
+/* this is a dummy structure to find out the alignment requirement for a struct
+ * containing all the fundamental data types that are used in ipt_entry,
+ * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
+ * personal pleasure to remove it -HW
+ */
+struct _xt_align {
+        __u8 u8;
+        __u16 u16;
+        __u32 u32;
+        __u64 u64;
+};
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
+/* Standard return verdict, or do jump. */
+#define XT_STANDARD_TARGET ""
+/* Error verdict. */
+#define XT_ERROR_TARGET "ERROR"
+#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
+#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
+struct xt_counters {
+        __u64 pcnt, bcnt;                       /* Packet and byte counters */
+};
+/* The argument to IPT_SO_ADD_COUNTERS. */
+struct xt_counters_info {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+        unsigned int num_counters;
+        /* The counters (actually `number' of these). */
+        struct xt_counters counters[0];
+};
+#define XT_INV_PROTO            0x40    /* Invert the sense of PROTO. */
+#ifndef __KERNEL__
+/* fn returns 0 to continue iteration */
+#define XT_MATCH_ITERATE(type, e, fn, args...)                  \
+({                                                              \
+        unsigned int __i;                                       \
+        int __ret = 0;                                          \
+        struct xt_entry_match *__m;                             \
+                                                                \
+        for (__i = sizeof(type);                                \
+             __i < (e)->target_offset;                          \
+             __i += __m->u.match_size) {                        \
+                __m = (void *)e + __i;                          \
+                                                                \
+                __ret = fn(__m , ## args);                      \
+                if (__ret != 0)                                 \
+                        break;                                  \
+        }                                                       \
+        __ret;                                                  \
+})
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
+({                                                              \
+        unsigned int __i, __n;                                  \
+        int __ret = 0;                                          \
+        type *__entry;                                          \
+                                                                \
+        for (__i = 0, __n = 0; __i < (size);                    \
+             __i += __entry->next_offset, __n++) {              \
+                __entry = (void *)(entries) + __i;              \
+                if (__n < n)                                    \
+                        continue;                               \
+                                                                \
+                __ret = fn(__entry , ## args);                  \
+                if (__ret != 0)                                 \
+                        break;                                  \
+        }                                                       \
+        __ret;                                                  \
+})
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
+        XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+#endif /* !__KERNEL__ */
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+        for ((pos) = (typeof(pos))(ehead); \
+             (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+             (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+        for ((pos) = (struct xt_entry_match *)entry->elems; \
+             (pos) < (struct xt_entry_match *)((char *)(entry) + \
+                     (entry)->target_offset); \
+             (pos) = (struct xt_entry_match *)((char *)(pos) + \
+                     (pos)->u.match_size))
+#endif /* _UAPI_X_TABLES_H */
diff --git a/include/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h
index 38751d2ea52b..38751d2ea52b 100644
--- a/include/linux/netfilter/xt_AUDIT.h
+++ b/include/uapi/linux/netfilter/xt_AUDIT.h
diff --git a/include/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h
index 9a2e4661654e..9a2e4661654e 100644
--- a/include/linux/netfilter/xt_CHECKSUM.h
+++ b/include/uapi/linux/netfilter/xt_CHECKSUM.h
diff --git a/include/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h
index a813bf14dd63..a813bf14dd63 100644
--- a/include/linux/netfilter/xt_CLASSIFY.h
+++ b/include/uapi/linux/netfilter/xt_CLASSIFY.h
diff --git a/include/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h
index 2f2e48ec8023..2f2e48ec8023 100644
--- a/include/linux/netfilter/xt_CONNMARK.h
+++ b/include/uapi/linux/netfilter/xt_CONNMARK.h
diff --git a/include/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
index b973ff80fa1e..b973ff80fa1e 100644
--- a/include/linux/netfilter/xt_CONNSECMARK.h
+++ b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
diff --git a/include/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h
index a064b8af360c..a064b8af360c 100644
--- a/include/linux/netfilter/xt_CT.h
+++ b/include/uapi/linux/netfilter/xt_CT.h
diff --git a/include/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h
index 648e0b3bed29..648e0b3bed29 100644
--- a/include/linux/netfilter/xt_DSCP.h
+++ b/include/uapi/linux/netfilter/xt_DSCP.h
diff --git a/include/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h
index 208ae9387331..208ae9387331 100644
--- a/include/linux/netfilter/xt_IDLETIMER.h
+++ b/include/uapi/linux/netfilter/xt_IDLETIMER.h
diff --git a/include/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h
index f5509e7524d3..f5509e7524d3 100644
--- a/include/linux/netfilter/xt_LED.h
+++ b/include/uapi/linux/netfilter/xt_LED.h
diff --git a/include/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h
index cac079095305..cac079095305 100644
--- a/include/linux/netfilter/xt_LOG.h
+++ b/include/uapi/linux/netfilter/xt_LOG.h
diff --git a/include/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h
index 41c456deba22..41c456deba22 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/uapi/linux/netfilter/xt_MARK.h
diff --git a/include/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h
index 87b58311ce6b..87b58311ce6b 100644
--- a/include/linux/netfilter/xt_NFLOG.h
+++ b/include/uapi/linux/netfilter/xt_NFLOG.h
diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h
index 9eafdbbb401c..9eafdbbb401c 100644
--- a/include/linux/netfilter/xt_NFQUEUE.h
+++ b/include/uapi/linux/netfilter/xt_NFQUEUE.h
diff --git a/include/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h
index 6605e20ad8cf..6605e20ad8cf 100644
--- a/include/linux/netfilter/xt_RATEEST.h
+++ b/include/uapi/linux/netfilter/xt_RATEEST.h
diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
index 989092bd6274..989092bd6274 100644
--- a/include/linux/netfilter/xt_SECMARK.h
+++ b/include/uapi/linux/netfilter/xt_SECMARK.h
diff --git a/include/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h
index 9a6960afc134..9a6960afc134 100644
--- a/include/linux/netfilter/xt_TCPMSS.h
+++ b/include/uapi/linux/netfilter/xt_TCPMSS.h
diff --git a/include/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
index 7157318499c2..7157318499c2 100644
--- a/include/linux/netfilter/xt_TCPOPTSTRIP.h
+++ b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
diff --git a/include/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h
index 5c21d5c829af..5c21d5c829af 100644
--- a/include/linux/netfilter/xt_TEE.h
+++ b/include/uapi/linux/netfilter/xt_TEE.h
diff --git a/include/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h
index 902043c2073f..902043c2073f 100644
--- a/include/linux/netfilter/xt_TPROXY.h
+++ b/include/uapi/linux/netfilter/xt_TPROXY.h
diff --git a/include/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h
index b156baa9d55e..b156baa9d55e 100644
--- a/include/linux/netfilter/xt_addrtype.h
+++ b/include/uapi/linux/netfilter/xt_addrtype.h
diff --git a/include/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h
index 9b883c8fbf54..9b883c8fbf54 100644
--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/uapi/linux/netfilter/xt_cluster.h
diff --git a/include/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h
index 0ea5e79f5bd7..0ea5e79f5bd7 100644
--- a/include/linux/netfilter/xt_comment.h
+++ b/include/uapi/linux/netfilter/xt_comment.h
diff --git a/include/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h
index f1d6c15bd9e3..f1d6c15bd9e3 100644
--- a/include/linux/netfilter/xt_connbytes.h
+++ b/include/uapi/linux/netfilter/xt_connbytes.h
diff --git a/include/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h
index f1656096121e..f1656096121e 100644
--- a/include/linux/netfilter/xt_connlimit.h
+++ b/include/uapi/linux/netfilter/xt_connlimit.h
diff --git a/include/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
index efc17a8305fb..efc17a8305fb 100644
--- a/include/linux/netfilter/xt_connmark.h
+++ b/include/uapi/linux/netfilter/xt_connmark.h
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h
index e3c041d54020..e3c041d54020 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/uapi/linux/netfilter/xt_conntrack.h
diff --git a/include/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h
index 93c7f11d8f42..93c7f11d8f42 100644
--- a/include/linux/netfilter/xt_cpu.h
+++ b/include/uapi/linux/netfilter/xt_cpu.h
diff --git a/include/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h
index a579e1b6f040..a579e1b6f040 100644
--- a/include/linux/netfilter/xt_dccp.h
+++ b/include/uapi/linux/netfilter/xt_dccp.h
diff --git a/include/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h
index 1babde0ec900..1babde0ec900 100644
--- a/include/linux/netfilter/xt_devgroup.h
+++ b/include/uapi/linux/netfilter/xt_devgroup.h
diff --git a/include/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h
index 15f8932ad5ce..15f8932ad5ce 100644
--- a/include/linux/netfilter/xt_dscp.h
+++ b/include/uapi/linux/netfilter/xt_dscp.h
diff --git a/include/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h
index 7158fca364f2..7158fca364f2 100644
--- a/include/linux/netfilter/xt_ecn.h
+++ b/include/uapi/linux/netfilter/xt_ecn.h
diff --git a/include/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h
index ee6882408000..ee6882408000 100644
--- a/include/linux/netfilter/xt_esp.h
+++ b/include/uapi/linux/netfilter/xt_esp.h
diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h
new file mode 100644
index 000000000000..cbfc43d1af68
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_hashlimit.h
@@ -0,0 +1,73 @@
+#ifndef _UAPI_XT_HASHLIMIT_H
+#define _UAPI_XT_HASHLIMIT_H
+#include <linux/types.h>
+/* timings are in milliseconds. */
+#define XT_HASHLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+ * seconds, or one packet every 59 hours.
+ */
+/* packet length accounting is done in 16-byte steps */
+#define XT_HASHLIMIT_BYTE_SHIFT 4
+/* details of this structure hidden by the implementation */
+struct xt_hashlimit_htable;
+enum {
+        XT_HASHLIMIT_HASH_DIP = 1 << 0,
+        XT_HASHLIMIT_HASH_DPT = 1 << 1,
+        XT_HASHLIMIT_HASH_SIP = 1 << 2,
+        XT_HASHLIMIT_HASH_SPT = 1 << 3,
+        XT_HASHLIMIT_INVERT   = 1 << 4,
+        XT_HASHLIMIT_BYTES    = 1 << 5,
+};
+struct hashlimit_cfg {
+        __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
+        __u32 avg;    /* Average secs between packets * scale */
+        __u32 burst;  /* Period multiplier for upper limit. */
+        /* user specified */
+        __u32 size;             /* how many buckets */
+        __u32 max;              /* max number of entries */
+        __u32 gc_interval;      /* gc interval */
+        __u32 expire;   /* when do entries expire? */
+};
+struct xt_hashlimit_info {
+        char name [IFNAMSIZ];           /* name */
+        struct hashlimit_cfg cfg;
+        /* Used internally by the kernel */
+        struct xt_hashlimit_htable *hinfo;
+        union {
+                void *ptr;
+                struct xt_hashlimit_info *master;
+        } u;
+};
+struct hashlimit_cfg1 {
+        __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
+        __u32 avg;    /* Average secs between packets * scale */
+        __u32 burst;  /* Period multiplier for upper limit. */
+        /* user specified */
+        __u32 size;             /* how many buckets */
+        __u32 max;              /* max number of entries */
+        __u32 gc_interval;      /* gc interval */
+        __u32 expire;   /* when do entries expire? */
+        __u8 srcmask, dstmask;
+};
+struct xt_hashlimit_mtinfo1 {
+        char name[IFNAMSIZ];
+        struct hashlimit_cfg1 cfg;
+        /* Used internally by the kernel */
+        struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+#endif /* _UAPI_XT_HASHLIMIT_H */
diff --git a/include/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h
index 6b42763f999d..6b42763f999d 100644
--- a/include/linux/netfilter/xt_helper.h
+++ b/include/uapi/linux/netfilter/xt_helper.h
diff --git a/include/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h
index 25fd7cf851f0..25fd7cf851f0 100644
--- a/include/linux/netfilter/xt_iprange.h
+++ b/include/uapi/linux/netfilter/xt_iprange.h
diff --git a/include/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h
index eff34ac18808..eff34ac18808 100644
--- a/include/linux/netfilter/xt_ipvs.h
+++ b/include/uapi/linux/netfilter/xt_ipvs.h
diff --git a/include/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h
index b82ed7c4b1e0..b82ed7c4b1e0 100644
--- a/include/linux/netfilter/xt_length.h
+++ b/include/uapi/linux/netfilter/xt_length.h
diff --git a/include/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h
index bb47fc4d2ade..bb47fc4d2ade 100644
--- a/include/linux/netfilter/xt_limit.h
+++ b/include/uapi/linux/netfilter/xt_limit.h
diff --git a/include/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h
index b892cdc67e06..b892cdc67e06 100644
--- a/include/linux/netfilter/xt_mac.h
+++ b/include/uapi/linux/netfilter/xt_mac.h
diff --git a/include/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h
index ecadc40d5cde..ecadc40d5cde 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/uapi/linux/netfilter/xt_mark.h
diff --git a/include/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h
index 5b7e72dfffc5..5b7e72dfffc5 100644
--- a/include/linux/netfilter/xt_multiport.h
+++ b/include/uapi/linux/netfilter/xt_multiport.h
diff --git a/include/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h
index 3e19c8a86576..3e19c8a86576 100644
--- a/include/linux/netfilter/xt_nfacct.h
+++ b/include/uapi/linux/netfilter/xt_nfacct.h
diff --git a/include/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
index 18afa495f973..18afa495f973 100644
--- a/include/linux/netfilter/xt_osf.h
+++ b/include/uapi/linux/netfilter/xt_osf.h
diff --git a/include/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h
index 2081761714b5..2081761714b5 100644
--- a/include/linux/netfilter/xt_owner.h
+++ b/include/uapi/linux/netfilter/xt_owner.h
diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h
new file mode 100644
index 000000000000..db7a2982e9c0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_physdev.h
@@ -0,0 +1,23 @@
+#ifndef _UAPI_XT_PHYSDEV_H
+#define _UAPI_XT_PHYSDEV_H
+#include <linux/types.h>
+#define XT_PHYSDEV_OP_IN                0x01
+#define XT_PHYSDEV_OP_OUT               0x02
+#define XT_PHYSDEV_OP_BRIDGED           0x04
+#define XT_PHYSDEV_OP_ISIN              0x08
+#define XT_PHYSDEV_OP_ISOUT             0x10
+#define XT_PHYSDEV_OP_MASK              (0x20 - 1)
+struct xt_physdev_info {
+        char physindev[IFNAMSIZ];
+        char in_mask[IFNAMSIZ];
+        char physoutdev[IFNAMSIZ];
+        char out_mask[IFNAMSIZ];
+        __u8 invert;
+        __u8 bitmask;
+};
+#endif /* _UAPI_XT_PHYSDEV_H */
diff --git a/include/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h
index f265cf52faea..f265cf52faea 100644
--- a/include/linux/netfilter/xt_pkttype.h
+++ b/include/uapi/linux/netfilter/xt_pkttype.h
diff --git a/include/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h
index be8ead05c316..be8ead05c316 100644
--- a/include/linux/netfilter/xt_policy.h
+++ b/include/uapi/linux/netfilter/xt_policy.h
diff --git a/include/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h
index 9314723f39ca..9314723f39ca 100644
--- a/include/linux/netfilter/xt_quota.h
+++ b/include/uapi/linux/netfilter/xt_quota.h
diff --git a/include/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h
index d40a6196842a..d40a6196842a 100644
--- a/include/linux/netfilter/xt_rateest.h
+++ b/include/uapi/linux/netfilter/xt_rateest.h
diff --git a/include/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h
index d4a82ee56a02..d4a82ee56a02 100644
--- a/include/linux/netfilter/xt_realm.h
+++ b/include/uapi/linux/netfilter/xt_realm.h
diff --git a/include/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h
index 6ef36c113e89..6ef36c113e89 100644
--- a/include/linux/netfilter/xt_recent.h
+++ b/include/uapi/linux/netfilter/xt_recent.h
diff --git a/include/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
index 29287be696a2..29287be696a2 100644
--- a/include/linux/netfilter/xt_sctp.h
+++ b/include/uapi/linux/netfilter/xt_sctp.h
diff --git a/include/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h
index e3a9978f259f..e3a9978f259f 100644
--- a/include/linux/netfilter/xt_set.h
+++ b/include/uapi/linux/netfilter/xt_set.h
diff --git a/include/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
index 26d7217bd4f1..26d7217bd4f1 100644
--- a/include/linux/netfilter/xt_socket.h
+++ b/include/uapi/linux/netfilter/xt_socket.h
diff --git a/include/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h
index 7b32de886613..7b32de886613 100644
--- a/include/linux/netfilter/xt_state.h
+++ b/include/uapi/linux/netfilter/xt_state.h
diff --git a/include/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h
index 4e983ef0c968..4e983ef0c968 100644
--- a/include/linux/netfilter/xt_statistic.h
+++ b/include/uapi/linux/netfilter/xt_statistic.h
diff --git a/include/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h
index 235347c02eab..235347c02eab 100644
--- a/include/linux/netfilter/xt_string.h
+++ b/include/uapi/linux/netfilter/xt_string.h
diff --git a/include/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h
index fbac56b9e667..fbac56b9e667 100644
--- a/include/linux/netfilter/xt_tcpmss.h
+++ b/include/uapi/linux/netfilter/xt_tcpmss.h
diff --git a/include/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h
index 38aa7b399021..38aa7b399021 100644
--- a/include/linux/netfilter/xt_tcpudp.h
+++ b/include/uapi/linux/netfilter/xt_tcpudp.h
diff --git a/include/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h
index 095886019396..095886019396 100644
--- a/include/linux/netfilter/xt_time.h
+++ b/include/uapi/linux/netfilter/xt_time.h
diff --git a/include/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h
index 04d1bfea03c2..04d1bfea03c2 100644
--- a/include/linux/netfilter/xt_u32.h
+++ b/include/uapi/linux/netfilter/xt_u32.h
diff --git a/include/uapi/linux/netfilter_arp/Kbuild b/include/uapi/linux/netfilter_arp/Kbuild
index aafaa5aa54d4..62d5637cc0ac 100644
--- a/include/uapi/linux/netfilter_arp/Kbuild
+++ b/include/uapi/linux/netfilter_arp/Kbuild
@@ -1 +1,3 @@
 # UAPI Header export list
+header-y += arp_tables.h
+header-y += arpt_mangle.h
diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h
new file mode 100644
index 000000000000..a5a86a4db6b3
--- /dev/null
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -0,0 +1,206 @@
+/*
+ *      Format of an ARP firewall descriptor
+ *
+ *      src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
+ *      network byte order.
+ *      flags are stored in host byte order (of course).
+ */
+#ifndef _UAPI_ARPTABLES_H
+#define _UAPI_ARPTABLES_H
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_arp.h>
+#include <linux/netfilter/x_tables.h>
+#ifndef __KERNEL__
+#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define arpt_entry_target xt_entry_target
+#define arpt_standard_target xt_standard_target
+#define arpt_error_target xt_error_target
+#define ARPT_CONTINUE XT_CONTINUE
+#define ARPT_RETURN XT_RETURN
+#define arpt_counters_info xt_counters_info
+#define arpt_counters xt_counters
+#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
+#define ARPT_ERROR_TARGET XT_ERROR_TARGET
+#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
+#endif
+#define ARPT_DEV_ADDR_LEN_MAX 16
+struct arpt_devaddr_info {
+        char addr[ARPT_DEV_ADDR_LEN_MAX];
+        char mask[ARPT_DEV_ADDR_LEN_MAX];
+};
+/* Yes, Virginia, you have to zero the padding. */
+struct arpt_arp {
+        /* Source and target IP addr */
+        struct in_addr src, tgt;
+        /* Mask for src and target IP addr */
+        struct in_addr smsk, tmsk;
+        /* Device hw address length, src+target device addresses */
+        __u8 arhln, arhln_mask;
+        struct arpt_devaddr_info src_devaddr;
+        struct arpt_devaddr_info tgt_devaddr;
+        /* ARP operation code. */
+        __be16 arpop, arpop_mask;
+        /* ARP hardware address and protocol address format. */
+        __be16 arhrd, arhrd_mask;
+        __be16 arpro, arpro_mask;
+        /* The protocol address length is only accepted if it is 4
+         * so there is no use in offering a way to do filtering on it.
+         */
+        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+        /* Flags word */
+        __u8 flags;
+        /* Inverse flags */
+        __u16 invflags;
+};
+/* Values for "flag" field in struct arpt_ip (general arp structure).
+ * No flags defined yet.
+ */
+#define ARPT_F_MASK             0x00    /* All possible flag bits mask. */
+/* Values for "inv" field in struct arpt_arp. */
+#define ARPT_INV_VIA_IN         0x0001  /* Invert the sense of IN IFACE. */
+#define ARPT_INV_VIA_OUT        0x0002  /* Invert the sense of OUT IFACE */
+#define ARPT_INV_SRCIP          0x0004  /* Invert the sense of SRC IP. */
+#define ARPT_INV_TGTIP          0x0008  /* Invert the sense of TGT IP. */
+#define ARPT_INV_SRCDEVADDR     0x0010  /* Invert the sense of SRC DEV ADDR. */
+#define ARPT_INV_TGTDEVADDR     0x0020  /* Invert the sense of TGT DEV ADDR. */
+#define ARPT_INV_ARPOP          0x0040  /* Invert the sense of ARP OP. */
+#define ARPT_INV_ARPHRD         0x0080  /* Invert the sense of ARP HRD. */
+#define ARPT_INV_ARPPRO         0x0100  /* Invert the sense of ARP PRO. */
+#define ARPT_INV_ARPHLN         0x0200  /* Invert the sense of ARP HLN. */
+#define ARPT_INV_MASK           0x03FF  /* All possible flag bits mask. */
+/* This structure defines each of the firewall rules.  Consists of 3
+   parts which are 1) general ARP header stuff 2) match specific
+   stuff 3) the target to perform if the rule matches */
+struct arpt_entry
+{
+        struct arpt_arp arp;
+        /* Size of arpt_entry + matches */
+        __u16 target_offset;
+        /* Size of arpt_entry + matches + target */
+        __u16 next_offset;
+        /* Back pointer */
+        unsigned int comefrom;
+        /* Packet and byte counters. */
+        struct xt_counters counters;
+        /* The matches (if any), then the target. */
+        unsigned char elems[0];
+};
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in.h before adding new number here.
+ */
+#define ARPT_BASE_CTL           96
+#define ARPT_SO_SET_REPLACE             (ARPT_BASE_CTL)
+#define ARPT_SO_SET_ADD_COUNTERS        (ARPT_BASE_CTL + 1)
+#define ARPT_SO_SET_MAX                 ARPT_SO_SET_ADD_COUNTERS
+#define ARPT_SO_GET_INFO                (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES             (ARPT_BASE_CTL + 1)
+/* #define ARPT_SO_GET_REVISION_MATCH   (APRT_BASE_CTL + 2) */
+#define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
+#define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
+/* The argument to ARPT_SO_GET_INFO */
+struct arpt_getinfo {
+        /* Which table: caller fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Kernel fills these in. */
+        /* Which hook entry points are valid: bitmask */
+        unsigned int valid_hooks;
+        /* Hook entry points: one per netfilter hook. */
+        unsigned int hook_entry[NF_ARP_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_ARP_NUMHOOKS];
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Size of entries. */
+        unsigned int size;
+};
+/* The argument to ARPT_SO_SET_REPLACE. */
+struct arpt_replace {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Which hook entry points are valid: bitmask.  You can't
+           change this. */
+        unsigned int valid_hooks;
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Total size of new entries */
+        unsigned int size;
+        /* Hook entry points. */
+        unsigned int hook_entry[NF_ARP_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_ARP_NUMHOOKS];
+        /* Information about old entries: */
+        /* Number of counters (must be equal to current number of entries). */
+        unsigned int num_counters;
+        /* The old entries' counters. */
+        struct xt_counters __user *counters;
+        /* The entries (hang off end: not really an array). */
+        struct arpt_entry entries[0];
+};
+/* The argument to ARPT_SO_GET_ENTRIES. */
+struct arpt_get_entries {
+        /* Which table: user fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* User fills this in: total entry size. */
+        unsigned int size;
+        /* The entries. */
+        struct arpt_entry entrytable[0];
+};
+/* Helper functions */
+static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
+{
+        return (void *)e + e->target_offset;
+}
+/*
+ *      Main firewall chains definitions and global var's definitions.
+ */
+#endif /* _UAPI_ARPTABLES_H */
diff --git a/include/linux/netfilter_arp/arpt_mangle.h b/include/uapi/linux/netfilter_arp/arpt_mangle.h
index 250f502902bb..250f502902bb 100644
--- a/include/linux/netfilter_arp/arpt_mangle.h
+++ b/include/uapi/linux/netfilter_arp/arpt_mangle.h
diff --git a/include/uapi/linux/netfilter_bridge/Kbuild b/include/uapi/linux/netfilter_bridge/Kbuild
index aafaa5aa54d4..348717c3a22f 100644
--- a/include/uapi/linux/netfilter_bridge/Kbuild
+++ b/include/uapi/linux/netfilter_bridge/Kbuild
@@ -1 +1,19 @@
 # UAPI Header export list
+header-y += ebt_802_3.h
+header-y += ebt_among.h
+header-y += ebt_arp.h
+header-y += ebt_arpreply.h
+header-y += ebt_ip.h
+header-y += ebt_ip6.h
+header-y += ebt_limit.h
+header-y += ebt_log.h
+header-y += ebt_mark_m.h
+header-y += ebt_mark_t.h
+header-y += ebt_nat.h
+header-y += ebt_nflog.h
+header-y += ebt_pkttype.h
+header-y += ebt_redirect.h
+header-y += ebt_stp.h
+header-y += ebt_ulog.h
+header-y += ebt_vlan.h
+header-y += ebtables.h
diff --git a/include/uapi/linux/netfilter_bridge/ebt_802_3.h b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
new file mode 100644
index 000000000000..5bf84912a082
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
@@ -0,0 +1,62 @@
+#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H
+#define _UAPI__LINUX_BRIDGE_EBT_802_3_H
+#include <linux/types.h>
+#define EBT_802_3_SAP 0x01
+#define EBT_802_3_TYPE 0x02
+#define EBT_802_3_MATCH "802_3"
+/*
+ * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
+ * to discover what kind of packet we're carrying. 
+ */
+#define CHECK_TYPE 0xaa
+/*
+ * Control field may be one or two bytes.  If the first byte has
+ * the value 0x03 then the entire length is one byte, otherwise it is two.
+ * One byte controls are used in Unnumbered Information frames.
+ * Two byte controls are used in Numbered Information frames.
+ */
+#define IS_UI 0x03
+#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
+/* ui has one byte ctrl, ni has two */
+struct hdr_ui {
+        __u8 dsap;
+        __u8 ssap;
+        __u8 ctrl;
+        __u8 orig[3];
+        __be16 type;
+};
+struct hdr_ni {
+        __u8 dsap;
+        __u8 ssap;
+        __be16 ctrl;
+        __u8  orig[3];
+        __be16 type;
+};
+struct ebt_802_3_hdr {
+        __u8  daddr[6];
+        __u8  saddr[6];
+        __be16 len;
+        union {
+                struct hdr_ui ui;
+                struct hdr_ni ni;
+        } llc;
+};
+struct ebt_802_3_info {
+        __u8  sap;
+        __be16 type;
+        __u8  bitmask;
+        __u8  invflags;
+};
+#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */
diff --git a/include/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h
index bd4e3ad0b706..bd4e3ad0b706 100644
--- a/include/linux/netfilter_bridge/ebt_among.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_among.h
diff --git a/include/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h
index 522f3e427f49..522f3e427f49 100644
--- a/include/linux/netfilter_bridge/ebt_arp.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h
diff --git a/include/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
index 7e77896e1fbf..7e77896e1fbf 100644
--- a/include/linux/netfilter_bridge/ebt_arpreply.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
diff --git a/include/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h
index c4bbc41b0ea4..c4bbc41b0ea4 100644
--- a/include/linux/netfilter_bridge/ebt_ip.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h
diff --git a/include/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
index 42b889682721..42b889682721 100644
--- a/include/linux/netfilter_bridge/ebt_ip6.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
diff --git a/include/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h
index 66d80b30ba0e..66d80b30ba0e 100644
--- a/include/linux/netfilter_bridge/ebt_limit.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h
diff --git a/include/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h
index 7e7f1d1fe494..7e7f1d1fe494 100644
--- a/include/linux/netfilter_bridge/ebt_log.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_log.h
diff --git a/include/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
index 410f9e5a71d4..410f9e5a71d4 100644
--- a/include/linux/netfilter_bridge/ebt_mark_m.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
diff --git a/include/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
index 7d5a268a4311..7d5a268a4311 100644
--- a/include/linux/netfilter_bridge/ebt_mark_t.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
diff --git a/include/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h
index 5e74e3b03bd6..5e74e3b03bd6 100644
--- a/include/linux/netfilter_bridge/ebt_nat.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h
diff --git a/include/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
index df829fce9125..df829fce9125 100644
--- a/include/linux/netfilter_bridge/ebt_nflog.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
diff --git a/include/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
index c241badcd036..c241badcd036 100644
--- a/include/linux/netfilter_bridge/ebt_pkttype.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
diff --git a/include/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
index dd9622ce8488..dd9622ce8488 100644
--- a/include/linux/netfilter_bridge/ebt_redirect.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
diff --git a/include/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h
index 1025b9f5fb7d..1025b9f5fb7d 100644
--- a/include/linux/netfilter_bridge/ebt_stp.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h
diff --git a/include/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
index 89a6becb5269..89a6becb5269 100644
--- a/include/linux/netfilter_bridge/ebt_ulog.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
diff --git a/include/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
index 967d1d5cf98d..967d1d5cf98d 100644
--- a/include/linux/netfilter_bridge/ebt_vlan.h
+++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h
new file mode 100644
index 000000000000..ba993360dbe9
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -0,0 +1,268 @@
+/*
+ *  ebtables
+ *
+ *      Authors:
+ *      Bart De Schuymer                <bdschuym@pandora.be>
+ *
+ *  ebtables.c,v 2.0, April, 2002
+ *
+ *  This code is stongly inspired on the iptables code which is
+ *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+ */
+#ifndef _UAPI__LINUX_BRIDGE_EFF_H
+#define _UAPI__LINUX_BRIDGE_EFF_H
+#include <linux/if.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/if_ether.h>
+#define EBT_TABLE_MAXNAMELEN 32
+#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+/* verdicts >0 are "branches" */
+#define EBT_ACCEPT   -1
+#define EBT_DROP     -2
+#define EBT_CONTINUE -3
+#define EBT_RETURN   -4
+#define NUM_STANDARD_TARGETS   4
+/* ebtables target modules store the verdict inside an int. We can
+ * reclaim a part of this int for backwards compatible extensions.
+ * The 4 lsb are more than enough to store the verdict. */
+#define EBT_VERDICT_BITS 0x0000000F
+struct xt_match;
+struct xt_target;
+struct ebt_counter {
+        uint64_t pcnt;
+        uint64_t bcnt;
+};
+struct ebt_replace {
+        char name[EBT_TABLE_MAXNAMELEN];
+        unsigned int valid_hooks;
+        /* nr of rules in the table */
+        unsigned int nentries;
+        /* total size of the entries */
+        unsigned int entries_size;
+        /* start of the chains */
+        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
+        /* nr of counters userspace expects back */
+        unsigned int num_counters;
+        /* where the kernel will put the old counters */
+        struct ebt_counter __user *counters;
+        char __user *entries;
+};
+struct ebt_replace_kernel {
+        char name[EBT_TABLE_MAXNAMELEN];
+        unsigned int valid_hooks;
+        /* nr of rules in the table */
+        unsigned int nentries;
+        /* total size of the entries */
+        unsigned int entries_size;
+        /* start of the chains */
+        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
+        /* nr of counters userspace expects back */
+        unsigned int num_counters;
+        /* where the kernel will put the old counters */
+        struct ebt_counter *counters;
+        char *entries;
+};
+struct ebt_entries {
+        /* this field is always set to zero
+         * See EBT_ENTRY_OR_ENTRIES.
+         * Must be same size as ebt_entry.bitmask */
+        unsigned int distinguisher;
+        /* the chain name */
+        char name[EBT_CHAIN_MAXNAMELEN];
+        /* counter offset for this chain */
+        unsigned int counter_offset;
+        /* one standard (accept, drop, return) per hook */
+        int policy;
+        /* nr. of entries */
+        unsigned int nentries;
+        /* entry list */
+        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+/* used for the bitmask of struct ebt_entry */
+/* This is a hack to make a difference between an ebt_entry struct and an
+ * ebt_entries struct when traversing the entries from start to end.
+ * Using this simplifies the code a lot, while still being able to use
+ * ebt_entries.
+ * Contrary, iptables doesn't use something like ebt_entries and therefore uses
+ * different techniques for naming the policy and such. So, iptables doesn't
+ * need a hack like this.
+ */
+#define EBT_ENTRY_OR_ENTRIES 0x01
+/* these are the normal masks */
+#define EBT_NOPROTO 0x02
+#define EBT_802_3 0x04
+#define EBT_SOURCEMAC 0x08
+#define EBT_DESTMAC 0x10
+#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
+   | EBT_ENTRY_OR_ENTRIES)
+#define EBT_IPROTO 0x01
+#define EBT_IIN 0x02
+#define EBT_IOUT 0x04
+#define EBT_ISOURCE 0x8
+#define EBT_IDEST 0x10
+#define EBT_ILOGICALIN 0x20
+#define EBT_ILOGICALOUT 0x40
+#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
+   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
+struct ebt_entry_match {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_match *match;
+        } u;
+        /* size of data */
+        unsigned int match_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+struct ebt_entry_watcher {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_target *watcher;
+        } u;
+        /* size of data */
+        unsigned int watcher_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+struct ebt_entry_target {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_target *target;
+        } u;
+        /* size of data */
+        unsigned int target_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+#define EBT_STANDARD_TARGET "standard"
+struct ebt_standard_target {
+        struct ebt_entry_target target;
+        int verdict;
+};
+/* one entry */
+struct ebt_entry {
+        /* this needs to be the first field */
+        unsigned int bitmask;
+        unsigned int invflags;
+        __be16 ethproto;
+        /* the physical in-dev */
+        char in[IFNAMSIZ];
+        /* the logical in-dev */
+        char logical_in[IFNAMSIZ];
+        /* the physical out-dev */
+        char out[IFNAMSIZ];
+        /* the logical out-dev */
+        char logical_out[IFNAMSIZ];
+        unsigned char sourcemac[ETH_ALEN];
+        unsigned char sourcemsk[ETH_ALEN];
+        unsigned char destmac[ETH_ALEN];
+        unsigned char destmsk[ETH_ALEN];
+        /* sizeof ebt_entry + matches */
+        unsigned int watchers_offset;
+        /* sizeof ebt_entry + matches + watchers */
+        unsigned int target_offset;
+        /* sizeof ebt_entry + matches + watchers + target */
+        unsigned int next_offset;
+        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+/* {g,s}etsockopt numbers */
+#define EBT_BASE_CTL            128
+#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
+#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
+#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
+#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
+#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
+#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
+#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
+#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
+/* blatently stolen from ip_tables.h
+ * fn returns 0 to continue iteration */
+#define EBT_MATCH_ITERATE(e, fn, args...)                   \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry_match *__match;                    \
+                                                            \
+        for (__i = sizeof(struct ebt_entry);                \
+             __i < (e)->watchers_offset;                    \
+             __i += __match->match_size +                   \
+             sizeof(struct ebt_entry_match)) {              \
+                __match = (void *)(e) + __i;                \
+                                                            \
+                __ret = fn(__match , ## args);              \
+                if (__ret != 0)                             \
+                        break;                              \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (e)->watchers_offset)            \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry_watcher *__watcher;                \
+                                                            \
+        for (__i = e->watchers_offset;                      \
+             __i < (e)->target_offset;                      \
+             __i += __watcher->watcher_size +               \
+             sizeof(struct ebt_entry_watcher)) {            \
+                __watcher = (void *)(e) + __i;              \
+                                                            \
+                __ret = fn(__watcher , ## args);            \
+                if (__ret != 0)                             \
+                        break;                              \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (e)->target_offset)              \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry *__entry;                          \
+                                                            \
+        for (__i = 0; __i < (size);) {                      \
+                __entry = (void *)(entries) + __i;          \
+                __ret = fn(__entry , ## args);              \
+                if (__ret != 0)                             \
+                        break;                              \
+                if (__entry->bitmask != 0)                  \
+                        __i += __entry->next_offset;        \
+                else                                        \
+                        __i += sizeof(struct ebt_entries);  \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (size))                          \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
diff --git a/include/uapi/linux/netfilter_ipv4/Kbuild b/include/uapi/linux/netfilter_ipv4/Kbuild
index aafaa5aa54d4..fb008437dde1 100644
--- a/include/uapi/linux/netfilter_ipv4/Kbuild
+++ b/include/uapi/linux/netfilter_ipv4/Kbuild
@@ -1 +1,11 @@
 # UAPI Header export list
+header-y += ip_tables.h
+header-y += ipt_CLUSTERIP.h
+header-y += ipt_ECN.h
+header-y += ipt_LOG.h
+header-y += ipt_REJECT.h
+header-y += ipt_TTL.h
+header-y += ipt_ULOG.h
+header-y += ipt_ah.h
+header-y += ipt_ecn.h
+header-y += ipt_ttl.h
diff --git a/include/uapi/linux/netfilter_ipv4/ip_tables.h b/include/uapi/linux/netfilter_ipv4/ip_tables.h
new file mode 100644
index 000000000000..f1e6ef256034
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ip_tables.h
@@ -0,0 +1,229 @@
+/*
+ * 25-Jul-1998 Major changes to allow for ip chain table
+ *
+ * 3-Jan-2000 Named tables to allow packet selection for different uses.
+ */
+/*
+ *      Format of an IP firewall descriptor
+ *
+ *      src, dst, src_mask, dst_mask are always stored in network byte order.
+ *      flags are stored in host byte order (of course).
+ *      Port numbers are stored in HOST byte order.
+ */
+#ifndef _UAPI_IPTABLES_H
+#define _UAPI_IPTABLES_H
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
+#ifndef __KERNEL__
+#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define ipt_match xt_match
+#define ipt_target xt_target
+#define ipt_table xt_table
+#define ipt_get_revision xt_get_revision
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+#define ipt_error_target xt_error_target
+#define ipt_counters xt_counters
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+/* This group is older than old (iptables < v1.4.0-rc1~89) */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
+#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
+#endif
+/* Yes, Virginia, you have to zero the padding. */
+struct ipt_ip {
+        /* Source and destination IP addr */
+        struct in_addr src, dst;
+        /* Mask for src and dest IP addr */
+        struct in_addr smsk, dmsk;
+        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+        /* Protocol, 0 = ANY */
+        __u16 proto;
+        /* Flags word */
+        __u8 flags;
+        /* Inverse flags */
+        __u8 invflags;
+};
+/* Values for "flag" field in struct ipt_ip (general ip structure). */
+#define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
+#define IPT_F_GOTO              0x02    /* Set if jump is a goto */
+#define IPT_F_MASK              0x03    /* All possible flag bits mask. */
+/* Values for "inv" field in struct ipt_ip. */
+#define IPT_INV_VIA_IN          0x01    /* Invert the sense of IN IFACE. */
+#define IPT_INV_VIA_OUT         0x02    /* Invert the sense of OUT IFACE */
+#define IPT_INV_TOS             0x04    /* Invert the sense of TOS. */
+#define IPT_INV_SRCIP           0x08    /* Invert the sense of SRC IP. */
+#define IPT_INV_DSTIP           0x10    /* Invert the sense of DST OP. */
+#define IPT_INV_FRAG            0x20    /* Invert the sense of FRAG. */
+#define IPT_INV_PROTO           XT_INV_PROTO
+#define IPT_INV_MASK            0x7F    /* All possible flag bits mask. */
+/* This structure defines each of the firewall rules.  Consists of 3
+   parts which are 1) general IP header stuff 2) match specific
+   stuff 3) the target to perform if the rule matches */
+struct ipt_entry {
+        struct ipt_ip ip;
+        /* Mark with fields that we care about. */
+        unsigned int nfcache;
+        /* Size of ipt_entry + matches */
+        __u16 target_offset;
+        /* Size of ipt_entry + matches + target */
+        __u16 next_offset;
+        /* Back pointer */
+        unsigned int comefrom;
+        /* Packet and byte counters. */
+        struct xt_counters counters;
+        /* The matches (if any), then the target. */
+        unsigned char elems[0];
+};
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in.h before adding new number here.
+ */
+#define IPT_BASE_CTL            64
+#define IPT_SO_SET_REPLACE      (IPT_BASE_CTL)
+#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
+#define IPT_SO_SET_MAX          IPT_SO_SET_ADD_COUNTERS
+#define IPT_SO_GET_INFO                 (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES              (IPT_BASE_CTL + 1)
+#define IPT_SO_GET_REVISION_MATCH       (IPT_BASE_CTL + 2)
+#define IPT_SO_GET_REVISION_TARGET      (IPT_BASE_CTL + 3)
+#define IPT_SO_GET_MAX                  IPT_SO_GET_REVISION_TARGET
+/* ICMP matching stuff */
+struct ipt_icmp {
+        __u8 type;                              /* type to match */
+        __u8 code[2];                           /* range of code */
+        __u8 invflags;                          /* Inverse flags */
+};
+/* Values for "inv" field for struct ipt_icmp. */
+#define IPT_ICMP_INV    0x01    /* Invert the sense of type/code test */
+/* The argument to IPT_SO_GET_INFO */
+struct ipt_getinfo {
+        /* Which table: caller fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Kernel fills these in. */
+        /* Which hook entry points are valid: bitmask */
+        unsigned int valid_hooks;
+        /* Hook entry points: one per netfilter hook. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Size of entries. */
+        unsigned int size;
+};
+/* The argument to IPT_SO_SET_REPLACE. */
+struct ipt_replace {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Which hook entry points are valid: bitmask.  You can't
+           change this. */
+        unsigned int valid_hooks;
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Total size of new entries */
+        unsigned int size;
+        /* Hook entry points. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+        /* Information about old entries: */
+        /* Number of counters (must be equal to current number of entries). */
+        unsigned int num_counters;
+        /* The old entries' counters. */
+        struct xt_counters __user *counters;
+        /* The entries (hang off end: not really an array). */
+        struct ipt_entry entries[0];
+};
+/* The argument to IPT_SO_GET_ENTRIES. */
+struct ipt_get_entries {
+        /* Which table: user fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* User fills this in: total entry size. */
+        unsigned int size;
+        /* The entries. */
+        struct ipt_entry entrytable[0];
+};
+/* Helper functions */
+static __inline__ struct xt_entry_target *
+ipt_get_target(struct ipt_entry *e)
+{
+        return (void *)e + e->target_offset;
+}
+/*
+ *      Main firewall chains definitions and global var's definitions.
+ */
+#endif /* _UAPI_IPTABLES_H */
diff --git a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h
index c6a204c97047..c6a204c97047 100644
--- a/include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h
diff --git a/include/linux/netfilter_ipv4/ipt_ECN.h b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h
index bb88d5315a4d..bb88d5315a4d 100644
--- a/include/linux/netfilter_ipv4/ipt_ECN.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h
diff --git a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h
index 5d8152077d71..5d8152077d71 100644
--- a/include/linux/netfilter_ipv4/ipt_LOG.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h
diff --git a/include/linux/netfilter_ipv4/ipt_REJECT.h b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h
index 4293a1ad1b01..4293a1ad1b01 100644
--- a/include/linux/netfilter_ipv4/ipt_REJECT.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h
diff --git a/include/linux/netfilter_ipv4/ipt_TTL.h b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h
index f6ac169d92f9..f6ac169d92f9 100644
--- a/include/linux/netfilter_ipv4/ipt_TTL.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h
diff --git a/include/linux/netfilter_ipv4/ipt_ULOG.h b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h
index 417aad280bcc..417aad280bcc 100644
--- a/include/linux/netfilter_ipv4/ipt_ULOG.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h
diff --git a/include/linux/netfilter_ipv4/ipt_ah.h b/include/uapi/linux/netfilter_ipv4/ipt_ah.h
index 4e02bb0119e3..4e02bb0119e3 100644
--- a/include/linux/netfilter_ipv4/ipt_ah.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ah.h
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h
index 0e0c063dbf60..0e0c063dbf60 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h
diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h
index 37bee4442486..37bee4442486 100644
--- a/include/linux/netfilter_ipv4/ipt_ttl.h
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h
diff --git a/include/uapi/linux/netfilter_ipv6/Kbuild b/include/uapi/linux/netfilter_ipv6/Kbuild
index aafaa5aa54d4..75a668ca2353 100644
--- a/include/uapi/linux/netfilter_ipv6/Kbuild
+++ b/include/uapi/linux/netfilter_ipv6/Kbuild
@@ -1 +1,13 @@
 # UAPI Header export list
+header-y += ip6_tables.h
+header-y += ip6t_HL.h
+header-y += ip6t_LOG.h
+header-y += ip6t_NPT.h
+header-y += ip6t_REJECT.h
+header-y += ip6t_ah.h
+header-y += ip6t_frag.h
+header-y += ip6t_hl.h
+header-y += ip6t_ipv6header.h
+header-y += ip6t_mh.h
+header-y += ip6t_opts.h
+header-y += ip6t_rt.h
diff --git a/include/uapi/linux/netfilter_ipv6/ip6_tables.h b/include/uapi/linux/netfilter_ipv6/ip6_tables.h
new file mode 100644
index 000000000000..bf1ef65cc582
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6_tables.h
@@ -0,0 +1,267 @@
+/*
+ * 25-Jul-1998 Major changes to allow for ip chain table
+ *
+ * 3-Jan-2000 Named tables to allow packet selection for different uses.
+ */
+/*
+ *      Format of an IP6 firewall descriptor
+ *
+ *      src, dst, src_mask, dst_mask are always stored in network byte order.
+ *      flags are stored in host byte order (of course).
+ *      Port numbers are stored in HOST byte order.
+ */
+#ifndef _UAPI_IP6_TABLES_H
+#define _UAPI_IP6_TABLES_H
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_ipv6.h>
+#include <linux/netfilter/x_tables.h>
+#ifndef __KERNEL__
+#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define ip6t_match xt_match
+#define ip6t_target xt_target
+#define ip6t_table xt_table
+#define ip6t_get_revision xt_get_revision
+#define ip6t_entry_match xt_entry_match
+#define ip6t_entry_target xt_entry_target
+#define ip6t_standard_target xt_standard_target
+#define ip6t_error_target xt_error_target
+#define ip6t_counters xt_counters
+#define IP6T_CONTINUE XT_CONTINUE
+#define IP6T_RETURN XT_RETURN
+/* Pre-iptables-1.4.0 */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
+#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
+#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
+#define ip6t_counters_info xt_counters_info
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
+#endif
+/* Yes, Virginia, you have to zero the padding. */
+struct ip6t_ip6 {
+        /* Source and destination IP6 addr */
+        struct in6_addr src, dst;               
+        /* Mask for src and dest IP6 addr */
+        struct in6_addr smsk, dmsk;
+        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+        /* Upper protocol number
+         * - The allowed value is 0 (any) or protocol number of last parsable
+         *   header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
+         *   the non IPv6 extension headers.
+         * - The protocol numbers of IPv6 extension headers except of ESP and
+         *   MH do not match any packets.
+         * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
+         */
+        __u16 proto;
+        /* TOS to match iff flags & IP6T_F_TOS */
+        __u8 tos;
+        /* Flags word */
+        __u8 flags;
+        /* Inverse flags */
+        __u8 invflags;
+};
+/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
+#define IP6T_F_PROTO            0x01    /* Set if rule cares about upper 
+                                           protocols */
+#define IP6T_F_TOS              0x02    /* Match the TOS. */
+#define IP6T_F_GOTO             0x04    /* Set if jump is a goto */
+#define IP6T_F_MASK             0x07    /* All possible flag bits mask. */
+/* Values for "inv" field in struct ip6t_ip6. */
+#define IP6T_INV_VIA_IN         0x01    /* Invert the sense of IN IFACE. */
+#define IP6T_INV_VIA_OUT                0x02    /* Invert the sense of OUT IFACE */
+#define IP6T_INV_TOS            0x04    /* Invert the sense of TOS. */
+#define IP6T_INV_SRCIP          0x08    /* Invert the sense of SRC IP. */
+#define IP6T_INV_DSTIP          0x10    /* Invert the sense of DST OP. */
+#define IP6T_INV_FRAG           0x20    /* Invert the sense of FRAG. */
+#define IP6T_INV_PROTO          XT_INV_PROTO
+#define IP6T_INV_MASK           0x7F    /* All possible flag bits mask. */
+/* This structure defines each of the firewall rules.  Consists of 3
+   parts which are 1) general IP header stuff 2) match specific
+   stuff 3) the target to perform if the rule matches */
+struct ip6t_entry {
+        struct ip6t_ip6 ipv6;
+        /* Mark with fields that we care about. */
+        unsigned int nfcache;
+        /* Size of ipt_entry + matches */
+        __u16 target_offset;
+        /* Size of ipt_entry + matches + target */
+        __u16 next_offset;
+        /* Back pointer */
+        unsigned int comefrom;
+        /* Packet and byte counters. */
+        struct xt_counters counters;
+        /* The matches (if any), then the target. */
+        unsigned char elems[0];
+};
+/* Standard entry */
+struct ip6t_standard {
+        struct ip6t_entry entry;
+        struct xt_standard_target target;
+};
+struct ip6t_error {
+        struct ip6t_entry entry;
+        struct xt_error_target target;
+};
+#define IP6T_ENTRY_INIT(__size)                                                \
+{                                                                              \
+        .target_offset  = sizeof(struct ip6t_entry),                           \
+        .next_offset    = (__size),                                            \
+}
+#define IP6T_STANDARD_INIT(__verdict)                                          \
+{                                                                              \
+        .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
+                                         sizeof(struct xt_standard_target)),   \
+        .target.verdict = -(__verdict) - 1,                                    \
+}
+#define IP6T_ERROR_INIT                                                        \
+{                                                                              \
+        .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),          \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
+        .target.errorname = "ERROR",                                           \
+}
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use
+ * a raw socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in6.h before adding new number here.
+ */
+#define IP6T_BASE_CTL                   64
+#define IP6T_SO_SET_REPLACE             (IP6T_BASE_CTL)
+#define IP6T_SO_SET_ADD_COUNTERS        (IP6T_BASE_CTL + 1)
+#define IP6T_SO_SET_MAX                 IP6T_SO_SET_ADD_COUNTERS
+#define IP6T_SO_GET_INFO                (IP6T_BASE_CTL)
+#define IP6T_SO_GET_ENTRIES             (IP6T_BASE_CTL + 1)
+#define IP6T_SO_GET_REVISION_MATCH      (IP6T_BASE_CTL + 4)
+#define IP6T_SO_GET_REVISION_TARGET     (IP6T_BASE_CTL + 5)
+#define IP6T_SO_GET_MAX                 IP6T_SO_GET_REVISION_TARGET
+/* ICMP matching stuff */
+struct ip6t_icmp {
+        __u8 type;                              /* type to match */
+        __u8 code[2];                           /* range of code */
+        __u8 invflags;                          /* Inverse flags */
+};
+/* Values for "inv" field for struct ipt_icmp. */
+#define IP6T_ICMP_INV   0x01    /* Invert the sense of type/code test */
+/* The argument to IP6T_SO_GET_INFO */
+struct ip6t_getinfo {
+        /* Which table: caller fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Kernel fills these in. */
+        /* Which hook entry points are valid: bitmask */
+        unsigned int valid_hooks;
+        /* Hook entry points: one per netfilter hook. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Size of entries. */
+        unsigned int size;
+};
+/* The argument to IP6T_SO_SET_REPLACE. */
+struct ip6t_replace {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* Which hook entry points are valid: bitmask.  You can't
+           change this. */
+        unsigned int valid_hooks;
+        /* Number of entries */
+        unsigned int num_entries;
+        /* Total size of new entries */
+        unsigned int size;
+        /* Hook entry points. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+        /* Information about old entries: */
+        /* Number of counters (must be equal to current number of entries). */
+        unsigned int num_counters;
+        /* The old entries' counters. */
+        struct xt_counters __user *counters;
+        /* The entries (hang off end: not really an array). */
+        struct ip6t_entry entries[0];
+};
+/* The argument to IP6T_SO_GET_ENTRIES. */
+struct ip6t_get_entries {
+        /* Which table: user fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+        /* User fills this in: total entry size. */
+        unsigned int size;
+        /* The entries. */
+        struct ip6t_entry entrytable[0];
+};
+/* Helper functions */
+static __inline__ struct xt_entry_target *
+ip6t_get_target(struct ip6t_entry *e)
+{
+        return (void *)e + e->target_offset;
+}
+/*
+ *      Main firewall chains definitions and global var's definitions.
+ */
+#endif /* _UAPI_IP6_TABLES_H */
diff --git a/include/linux/netfilter_ipv6/ip6t_HL.h b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h
index ebd8ead1bb63..ebd8ead1bb63 100644
--- a/include/linux/netfilter_ipv6/ip6t_HL.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h
diff --git a/include/linux/netfilter_ipv6/ip6t_LOG.h b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h
index 3dd0bc4e0735..3dd0bc4e0735 100644
--- a/include/linux/netfilter_ipv6/ip6t_LOG.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h
diff --git a/include/linux/netfilter_ipv6/ip6t_NPT.h b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h
index f763355481b5..f763355481b5 100644
--- a/include/linux/netfilter_ipv6/ip6t_NPT.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h
diff --git a/include/linux/netfilter_ipv6/ip6t_REJECT.h b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h
index 205ed62e4605..205ed62e4605 100644
--- a/include/linux/netfilter_ipv6/ip6t_REJECT.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h
diff --git a/include/linux/netfilter_ipv6/ip6t_ah.h b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h
index 5da2b65cb3ad..5da2b65cb3ad 100644
--- a/include/linux/netfilter_ipv6/ip6t_ah.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h
diff --git a/include/linux/netfilter_ipv6/ip6t_frag.h b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h
index b47f61b9e082..b47f61b9e082 100644
--- a/include/linux/netfilter_ipv6/ip6t_frag.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h
diff --git a/include/linux/netfilter_ipv6/ip6t_hl.h b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h
index 6e76dbc6c19a..6e76dbc6c19a 100644
--- a/include/linux/netfilter_ipv6/ip6t_hl.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h
diff --git a/include/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h
index efae3a20c214..efae3a20c214 100644
--- a/include/linux/netfilter_ipv6/ip6t_ipv6header.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h
diff --git a/include/linux/netfilter_ipv6/ip6t_mh.h b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h
index a7729a5025cd..a7729a5025cd 100644
--- a/include/linux/netfilter_ipv6/ip6t_mh.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h
diff --git a/include/linux/netfilter_ipv6/ip6t_opts.h b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h
index 17d419a811fd..17d419a811fd 100644
--- a/include/linux/netfilter_ipv6/ip6t_opts.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h
diff --git a/include/linux/netfilter_ipv6/ip6t_rt.h b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h
index 7605a5ff81cd..7605a5ff81cd 100644
--- a/include/linux/netfilter_ipv6/ip6t_rt.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h
diff --git a/include/uapi/linux/tc_act/Kbuild b/include/uapi/linux/tc_act/Kbuild
index aafaa5aa54d4..0623ec4e728f 100644
--- a/include/uapi/linux/tc_act/Kbuild
+++ b/include/uapi/linux/tc_act/Kbuild
@@ -1 +1,8 @@
 # UAPI Header export list
+header-y += tc_csum.h
+header-y += tc_gact.h
+header-y += tc_ipt.h
+header-y += tc_mirred.h
+header-y += tc_nat.h
+header-y += tc_pedit.h
+header-y += tc_skbedit.h
diff --git a/include/linux/tc_act/tc_csum.h b/include/uapi/linux/tc_act/tc_csum.h
index a047c49a3153..a047c49a3153 100644
--- a/include/linux/tc_act/tc_csum.h
+++ b/include/uapi/linux/tc_act/tc_csum.h
diff --git a/include/linux/tc_act/tc_gact.h b/include/uapi/linux/tc_act/tc_gact.h
index f7bf94eed510..f7bf94eed510 100644
--- a/include/linux/tc_act/tc_gact.h
+++ b/include/uapi/linux/tc_act/tc_gact.h
diff --git a/include/linux/tc_act/tc_ipt.h b/include/uapi/linux/tc_act/tc_ipt.h
index a2335563d21f..a2335563d21f 100644
--- a/include/linux/tc_act/tc_ipt.h
+++ b/include/uapi/linux/tc_act/tc_ipt.h
diff --git a/include/linux/tc_act/tc_mirred.h b/include/uapi/linux/tc_act/tc_mirred.h
index 7561750e8fd6..7561750e8fd6 100644
--- a/include/linux/tc_act/tc_mirred.h
+++ b/include/uapi/linux/tc_act/tc_mirred.h
diff --git a/include/linux/tc_act/tc_nat.h b/include/uapi/linux/tc_act/tc_nat.h
index 6663aeba0b9a..6663aeba0b9a 100644
--- a/include/linux/tc_act/tc_nat.h
+++ b/include/uapi/linux/tc_act/tc_nat.h
diff --git a/include/linux/tc_act/tc_pedit.h b/include/uapi/linux/tc_act/tc_pedit.h
index 716cfabcd5b2..716cfabcd5b2 100644
--- a/include/linux/tc_act/tc_pedit.h
+++ b/include/uapi/linux/tc_act/tc_pedit.h
diff --git a/include/linux/tc_act/tc_skbedit.h b/include/uapi/linux/tc_act/tc_skbedit.h
index 7a2e910a5f08..7a2e910a5f08 100644
--- a/include/linux/tc_act/tc_skbedit.h
+++ b/include/uapi/linux/tc_act/tc_skbedit.h
diff --git a/include/uapi/linux/tc_ematch/Kbuild b/include/uapi/linux/tc_ematch/Kbuild
index aafaa5aa54d4..53fca3925535 100644
--- a/include/uapi/linux/tc_ematch/Kbuild
+++ b/include/uapi/linux/tc_ematch/Kbuild
@@ -1 +1,5 @@
 # UAPI Header export list
+header-y += tc_em_cmp.h
+header-y += tc_em_meta.h
+header-y += tc_em_nbyte.h
+header-y += tc_em_text.h
diff --git a/include/linux/tc_ematch/tc_em_cmp.h b/include/uapi/linux/tc_ematch/tc_em_cmp.h
index f34bb1bae083..f34bb1bae083 100644
--- a/include/linux/tc_ematch/tc_em_cmp.h
+++ b/include/uapi/linux/tc_ematch/tc_em_cmp.h
diff --git a/include/linux/tc_ematch/tc_em_meta.h b/include/uapi/linux/tc_ematch/tc_em_meta.h
index b11f8ce2d3c0..b11f8ce2d3c0 100644
--- a/include/linux/tc_ematch/tc_em_meta.h
+++ b/include/uapi/linux/tc_ematch/tc_em_meta.h
diff --git a/include/linux/tc_ematch/tc_em_nbyte.h b/include/uapi/linux/tc_ematch/tc_em_nbyte.h
index 7172cfb999c1..7172cfb999c1 100644
--- a/include/linux/tc_ematch/tc_em_nbyte.h
+++ b/include/uapi/linux/tc_ematch/tc_em_nbyte.h
diff --git a/include/linux/tc_ematch/tc_em_text.h b/include/uapi/linux/tc_ematch/tc_em_text.h
index 5aac4045ba88..5aac4045ba88 100644
--- a/include/linux/tc_ematch/tc_em_text.h
+++ b/include/uapi/linux/tc_ematch/tc_em_text.h
author	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-09 22:12:54 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-10-09 22:12:54 -0400
commit	aac2b1f5747ea34696d0da5bdc4d8247aa6437af (patch)
tree	8fc8499aad6a28b044c9bdab3f920f64a98460c1 /include
parent	23d5385f382a7c7d8b6bf19b0c2cfb3acbb12d31 (diff)
parent	5175a5e76bbdf20a614fb47ce7a38f0f39e70226 (diff)