Merge branch 'net-next' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables

Pablo Neira Ayuso says: ==================== netfilter updates: nf_tables pull request The following patchset contains the current original nf_tables tree condensed in 17 patches. I have organized them by chronogical order since the original nf_tables code was released in 2009 and by dependencies between the different patches. The patches are: 1) Adapt all existing hooks in the tree to pass hook ops to the hook callback function, required by nf_tables, from Patrick McHardy. 2) Move alloc_null_binding to nf_nat_core, as it is now also needed by nf_tables and ip_tables, original patch from Patrick McHardy but required major changes to adapt it to the current tree that I made. 3) Add nf_tables core, including the netlink API, the packet filtering engine, expressions and built-in tables, from Patrick McHardy. This patch includes accumulated fixes since 2009 and minor enhancements. The patch description contains a list of references to the original patches for the record. For those that are not familiar to the original work, see [1], [2] and [3]. 4) Add netlink set API, this replaces the original set infrastructure to introduce a netlink API to add/delete sets and to add/delete set elements. This includes two set types: the hash and the rb-tree sets (used for interval based matching). The main difference with ipset is that this infrastructure is data type agnostic. Patch from Patrick McHardy. 5) Allow expression operation overload, this API change allows us to provide define expression subtypes depending on the configuration that is received from user-space via Netlink. It is used by follow up patches to provide optimized versions of the payload and cmp expressions and the x_tables compatibility layer, from Patrick McHardy. 6) Add optimized data comparison operation, it requires the previous patch, from Patrick McHardy. 7) Add optimized payload implementation, it requires patch 5, from Patrick McHardy. 8) Convert built-in tables to chain types. Each chain type have special semantics (filter, route and nat) that are used by userspace to configure the chain behaviour. The main chain regarding iptables is that tables become containers of chain, with no specific semantics. However, you may still configure your tables and chains to retain iptables like semantics, patch from me. 9) Add compatibility layer for x_tables. This patch adds support to use all existing x_tables extensions from nf_tables, this is used to provide a userspace utility that accepts iptables syntax but used internally the nf_tables kernel core. This patch includes missing features in the nf_tables core such as the per-chain stats, default chain policy and number of chain references, which are required by the iptables compatibility userspace tool. Patch from me. 10) Fix transport protocol matching, this fix is a side effect of the x_tables compatibility layer, which now provides a pointer to the transport header, from me. 11) Add support for dormant tables, this feature allows you to disable all chains and rules that are contained in one table, from me. 12) Add IPv6 NAT support. At the time nf_tables was made, there was no NAT IPv6 support yet, from Tomasz Bursztyka. 13) Complete net namespace support. This patch register the protocol family per net namespace, so tables (thus, other objects contained in tables such as sets, chains and rules) are only visible from the corresponding net namespace, from me. 14) Add the insert operation to the nf_tables netlink API, this requires adding a new position attribute that allow us to locate where in the ruleset a rule needs to be inserted, from Eric Leblond. 15) Add rule batching support, including atomic rule-set updates by using rule-set generations. This patch includes a change to nfnetlink to include two new control messages to indicate the beginning and the end of a batch. The end message is interpreted as the commit message, if it's missing, then the rule-set updates contained in the batch are aborted, from me. 16) Add trace support to the nf_tables packet filtering core, from me. 17) Add ARP filtering support, original patch from Patrick McHardy, but adapted to fit into the chain type infrastructure. This was recovered to be used by nft userspace tool and our compatibility arptables userspace tool. There is still work to do to fully replace x_tables [4] [5] but that can be done incrementally by extending our netlink API. Moreover, looking at netfilter-devel and the amount of contributions to nf_tables we've been getting, I think it would be good to have it mainstream to avoid accumulating large patchsets skip continuous rebases. I tried to provide a reasonable patchset, we have more than 100 accumulated patches in the original nf_tables tree, so I collapsed many of the small fixes to the main patch we had since 2009 and provide a small batch for review to netdev, while trying to retain part of the history. For those who didn't give a try to nf_tables yet, there's a quick howto available from Eric Leblond that describes how to get things working [6]. Comments/reviews welcome. Thanks! [1] http://lwn.net/Articles/324251/ [2] http://workshop.netfilter.org/2013/wiki/images/e/ee/Nftables-osd-2013-developer.pdf [3] http://lwn.net/Articles/564095/ [4] http://people.netfilter.org/pablo/map-pending-work.txt [4] http://people.netfilter.org/pablo/nftables-todo.txt [5] https://home.regit.org/netfilter-en/nftables-quick-howto/ ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-10-17 15:22:05 -0400
committer: David S. Miller <davem@davemloft.net> 2013-10-17 15:22:05 -0400
commit: da33edccebcc36d387423dcdb557094fbda55994 (patch)
tree: 9f426a52f875169ae24e54a395beedc697c96e02 /net/ipv4
parent: 78dea8cc4942c6adbcccc8f483463906a078f039 (diff)
parent: ed683f138b3dbc8a5e878e24a0bfa0bb61043a09 (diff)
17 files changed, 719 insertions, 39 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1657e39b291f..40d56073cd19 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -36,6 +36,27 @@ config NF_CONNTRACK_PROC_COMPAT
          If unsure, say Y.
+config NF_TABLES_IPV4
+        depends on NF_TABLES
+        tristate "IPv4 nf_tables support"
+config NFT_REJECT_IPV4
+        depends on NF_TABLES_IPV4
+        tristate "nf_tables IPv4 reject support"
+config NFT_CHAIN_ROUTE_IPV4
+        depends on NF_TABLES_IPV4
+        tristate "IPv4 nf_tables route chain support"
+config NFT_CHAIN_NAT_IPV4
+        depends on NF_TABLES_IPV4
+        depends on NF_NAT_IPV4 && NFT_NAT
+        tristate "IPv4 nf_tables nat chain support"
+config NF_TABLES_ARP
+        depends on NF_TABLES
+        tristate "ARP nf_tables support"
 config IP_NF_IPTABLES
        tristate "IP tables support (required for filtering/masq/NAT)"
        default m if NETFILTER_ADVANCED=n
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 3622b248b6dd..19df72b7ba88 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -27,6 +27,12 @@ obj-$(CONFIG_NF_NAT_SNMP_BASIC) += nf_nat_snmp_basic.o
 # NAT protocols (nf_nat)
 obj-$(CONFIG_NF_NAT_PROTO_GRE) += nf_nat_proto_gre.o
+obj-$(CONFIG_NF_TABLES_IPV4) += nf_tables_ipv4.o
+obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
+obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV4) += nft_chain_route_ipv4.o
+obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
+obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o
 # generic IP tables 
 obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index a865f6f94013..802ddecb30b8 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -27,13 +27,14 @@ static const struct xt_table packet_filter = {
 /* The work comes in here from netfilter.c */
 static unsigned int
-arptable_filter_hook(unsigned int hook, struct sk_buff *skb,
+arptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
                     const struct net_device *in, const struct net_device *out,
                     int (*okfn)(struct sk_buff *))
 {
        const struct net *net = dev_net((in != NULL) ? in : out);
-        return arpt_do_table(skb, hook, in, out, net->ipv4.arptable_filter);
+        return arpt_do_table(skb, ops->hooknum, in, out,
+                             net->ipv4.arptable_filter);
 }
 static struct nf_hook_ops *arpfilter_ops __read_mostly;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 0b732efd32e2..a2e2b61cd7da 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -483,7 +483,7 @@ static void arp_print(struct arp_payload *payload)
 #endif
 static unsigned int
-arp_mangle(unsigned int hook,
+arp_mangle(const struct nf_hook_ops *ops,
           struct sk_buff *skb,
           const struct net_device *in,
           const struct net_device *out,
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index b6346bf2fde3..01cffeaa0085 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -297,7 +297,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
        return XT_CONTINUE;
 }
-static unsigned int ipv4_synproxy_hook(unsigned int hooknum,
+static unsigned int ipv4_synproxy_hook(const struct nf_hook_ops *ops,
                                       struct sk_buff *skb,
                                       const struct net_device *in,
                                       const struct net_device *out,
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 50af5b45c050..e08a74a243a8 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -33,20 +33,21 @@ static const struct xt_table packet_filter = {
 };
 static unsigned int
-iptable_filter_hook(unsigned int hook, struct sk_buff *skb,
+iptable_filter_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
                    const struct net_device *in, const struct net_device *out,
                    int (*okfn)(struct sk_buff *))
 {
        const struct net *net;
-        if (hook == NF_INET_LOCAL_OUT &&
+        if (ops->hooknum == NF_INET_LOCAL_OUT &&
            (skb->len < sizeof(struct iphdr) ||
             ip_hdrlen(skb) < sizeof(struct iphdr)))
                /* root is playing with raw sockets. */
                return NF_ACCEPT;
        net = dev_net((in != NULL) ? in : out);
-        return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_filter);
+        return ipt_do_table(skb, ops->hooknum, in, out,
+                            net->ipv4.iptable_filter);
 }
 static struct nf_hook_ops *filter_ops __read_mostly;
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 0d8cd82e0fad..6a5079c34bb3 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -79,19 +79,19 @@ ipt_mangle_out(struct sk_buff *skb, const struct net_device *out)
 /* The work comes in here from netfilter.c. */
 static unsigned int
-iptable_mangle_hook(unsigned int hook,
+iptable_mangle_hook(const struct nf_hook_ops *ops,
                     struct sk_buff *skb,
                     const struct net_device *in,
                     const struct net_device *out,
                     int (*okfn)(struct sk_buff *))
 {
-        if (hook == NF_INET_LOCAL_OUT)
+        if (ops->hooknum == NF_INET_LOCAL_OUT)
                return ipt_mangle_out(skb, out);
-        if (hook == NF_INET_POST_ROUTING)
+        if (ops->hooknum == NF_INET_POST_ROUTING)
-                return ipt_do_table(skb, hook, in, out,
+                return ipt_do_table(skb, ops->hooknum, in, out,
                                    dev_net(out)->ipv4.iptable_mangle);
        /* PREROUTING/INPUT/FORWARD: */
-        return ipt_do_table(skb, hook, in, out,
+        return ipt_do_table(skb, ops->hooknum, in, out,
                            dev_net(in)->ipv4.iptable_mangle);
 }
diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index 683bfaffed65..ee2886126e3d 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -61,7 +61,7 @@ static unsigned int nf_nat_rule_find(struct sk_buff *skb, unsigned int hooknum,
 }
 static unsigned int
-nf_nat_ipv4_fn(unsigned int hooknum,
+nf_nat_ipv4_fn(const struct nf_hook_ops *ops,
               struct sk_buff *skb,
               const struct net_device *in,
               const struct net_device *out,
@@ -71,7 +71,7 @@ nf_nat_ipv4_fn(unsigned int hooknum,
        enum ip_conntrack_info ctinfo;
        struct nf_conn_nat *nat;
        /* maniptype == SRC for postrouting. */
-        enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum);
+        enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
        /* We never see fragments: conntrack defrags on pre-routing
         * and local-out, and nf_nat_out protects post-routing.
@@ -108,7 +108,7 @@ nf_nat_ipv4_fn(unsigned int hooknum,
        case IP_CT_RELATED_REPLY:
                if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
                        if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
-                                                           hooknum))
+                                                           ops->hooknum))
                                return NF_DROP;
                        else
                                return NF_ACCEPT;
@@ -121,14 +121,14 @@ nf_nat_ipv4_fn(unsigned int hooknum,
                if (!nf_nat_initialized(ct, maniptype)) {
                        unsigned int ret;
-                        ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
+                        ret = nf_nat_rule_find(skb, ops->hooknum, in, out, ct);
                        if (ret != NF_ACCEPT)
                                return ret;
                } else {
                        pr_debug("Already setup manip %s for ct %p\n",
                                 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
                                 ct);
-                        if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+                        if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))
                                goto oif_changed;
                }
                break;
@@ -137,11 +137,11 @@ nf_nat_ipv4_fn(unsigned int hooknum,
                /* ESTABLISHED */
                NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
                             ctinfo == IP_CT_ESTABLISHED_REPLY);
-                if (nf_nat_oif_changed(hooknum, ctinfo, nat, out))
+                if (nf_nat_oif_changed(ops->hooknum, ctinfo, nat, out))
                        goto oif_changed;
        }
-        return nf_nat_packet(ct, ctinfo, hooknum, skb);
+        return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
 oif_changed:
        nf_ct_kill_acct(ct, ctinfo, skb);
@@ -149,7 +149,7 @@ oif_changed:
 }
 static unsigned int
-nf_nat_ipv4_in(unsigned int hooknum,
+nf_nat_ipv4_in(const struct nf_hook_ops *ops,
               struct sk_buff *skb,
               const struct net_device *in,
               const struct net_device *out,
@@ -158,7 +158,7 @@ nf_nat_ipv4_in(unsigned int hooknum,
        unsigned int ret;
        __be32 daddr = ip_hdr(skb)->daddr;
-        ret = nf_nat_ipv4_fn(hooknum, skb, in, out, okfn);
+        ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn);
        if (ret != NF_DROP && ret != NF_STOLEN &&
            daddr != ip_hdr(skb)->daddr)
                skb_dst_drop(skb);
@@ -167,7 +167,7 @@ nf_nat_ipv4_in(unsigned int hooknum,
 }
 static unsigned int
-nf_nat_ipv4_out(unsigned int hooknum,
+nf_nat_ipv4_out(const struct nf_hook_ops *ops,
                struct sk_buff *skb,
                const struct net_device *in,
                const struct net_device *out,
@@ -185,7 +185,7 @@ nf_nat_ipv4_out(unsigned int hooknum,
            ip_hdrlen(skb) < sizeof(struct iphdr))
                return NF_ACCEPT;
-        ret = nf_nat_ipv4_fn(hooknum, skb, in, out, okfn);
+        ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn);
 #ifdef CONFIG_XFRM
        if (ret != NF_DROP && ret != NF_STOLEN &&
            !(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&
@@ -207,7 +207,7 @@ nf_nat_ipv4_out(unsigned int hooknum,
 }
 static unsigned int
-nf_nat_ipv4_local_fn(unsigned int hooknum,
+nf_nat_ipv4_local_fn(const struct nf_hook_ops *ops,
                     struct sk_buff *skb,
                     const struct net_device *in,
                     const struct net_device *out,
@@ -223,7 +223,7 @@ nf_nat_ipv4_local_fn(unsigned int hooknum,
            ip_hdrlen(skb) < sizeof(struct iphdr))
                return NF_ACCEPT;
-        ret = nf_nat_ipv4_fn(hooknum, skb, in, out, okfn);
+        ret = nf_nat_ipv4_fn(ops, skb, in, out, okfn);
        if (ret != NF_DROP && ret != NF_STOLEN &&
            (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index 1f82aea11df6..b2f7e8f98316 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -20,20 +20,20 @@ static const struct xt_table packet_raw = {
 /* The work comes in here from netfilter.c. */
 static unsigned int
-iptable_raw_hook(unsigned int hook, struct sk_buff *skb,
+iptable_raw_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
                 const struct net_device *in, const struct net_device *out,
                 int (*okfn)(struct sk_buff *))
 {
        const struct net *net;
-        if (hook == NF_INET_LOCAL_OUT && 
+        if (ops->hooknum == NF_INET_LOCAL_OUT &&
            (skb->len < sizeof(struct iphdr) ||
             ip_hdrlen(skb) < sizeof(struct iphdr)))
                /* root is playing with raw sockets. */
                return NF_ACCEPT;
        net = dev_net((in != NULL) ? in : out);
-        return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_raw);
+        return ipt_do_table(skb, ops->hooknum, in, out, net->ipv4.iptable_raw);
 }
 static struct nf_hook_ops *rawtable_ops __read_mostly;
diff --git a/net/ipv4/netfilter/iptable_security.c b/net/ipv4/netfilter/iptable_security.c
index f867a8d38bf7..c86647ed2078 100644
--- a/net/ipv4/netfilter/iptable_security.c
+++ b/net/ipv4/netfilter/iptable_security.c
@@ -37,21 +37,22 @@ static const struct xt_table security_table = {
 };
 static unsigned int
-iptable_security_hook(unsigned int hook, struct sk_buff *skb,
+iptable_security_hook(const struct nf_hook_ops *ops, struct sk_buff *skb,
                      const struct net_device *in,
                      const struct net_device *out,
                      int (*okfn)(struct sk_buff *))
 {
        const struct net *net;
-        if (hook == NF_INET_LOCAL_OUT &&
+        if (ops->hooknum == NF_INET_LOCAL_OUT &&
            (skb->len < sizeof(struct iphdr) ||
             ip_hdrlen(skb) < sizeof(struct iphdr)))
                /* Somebody is playing with raw sockets. */
                return NF_ACCEPT;
        net = dev_net((in != NULL) ? in : out);
-        return ipt_do_table(skb, hook, in, out, net->ipv4.iptable_security);
+        return ipt_do_table(skb, ops->hooknum, in, out,
+                            net->ipv4.iptable_security);
 }
 static struct nf_hook_ops *sectbl_ops __read_mostly;
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 86f5b34a4ed1..ecd8bec411c9 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -92,7 +92,7 @@ static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
        return NF_ACCEPT;
 }
-static unsigned int ipv4_helper(unsigned int hooknum,
+static unsigned int ipv4_helper(const struct nf_hook_ops *ops,
                                struct sk_buff *skb,
                                const struct net_device *in,
                                const struct net_device *out,
@@ -121,7 +121,7 @@ static unsigned int ipv4_helper(unsigned int hooknum,
                            ct, ctinfo);
 }
-static unsigned int ipv4_confirm(unsigned int hooknum,
+static unsigned int ipv4_confirm(const struct nf_hook_ops *ops,
                                 struct sk_buff *skb,
                                 const struct net_device *in,
                                 const struct net_device *out,
@@ -147,16 +147,16 @@ out:
        return nf_conntrack_confirm(skb);
 }
-static unsigned int ipv4_conntrack_in(unsigned int hooknum,
+static unsigned int ipv4_conntrack_in(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
                                      const struct net_device *in,
                                      const struct net_device *out,
                                      int (*okfn)(struct sk_buff *))
 {
-        return nf_conntrack_in(dev_net(in), PF_INET, hooknum, skb);
+        return nf_conntrack_in(dev_net(in), PF_INET, ops->hooknum, skb);
 }
-static unsigned int ipv4_conntrack_local(unsigned int hooknum,
+static unsigned int ipv4_conntrack_local(const struct nf_hook_ops *ops,
                                         struct sk_buff *skb,
                                         const struct net_device *in,
                                         const struct net_device *out,
@@ -166,7 +166,7 @@ static unsigned int ipv4_conntrack_local(unsigned int hooknum,
        if (skb->len < sizeof(struct iphdr) ||
            ip_hdrlen(skb) < sizeof(struct iphdr))
                return NF_ACCEPT;
-        return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb);
+        return nf_conntrack_in(dev_net(out), PF_INET, ops->hooknum, skb);
 }
 /* Connection tracking may drop packets, but never alters them, so
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index 742815518b0f..12e13bd82b5b 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -60,7 +60,7 @@ static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
                return IP_DEFRAG_CONNTRACK_OUT + zone;
 }
-static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
+static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops,
                                          struct sk_buff *skb,
                                          const struct net_device *in,
                                          const struct net_device *out,
@@ -83,7 +83,9 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 #endif
        /* Gather fragments. */
        if (ip_is_fragment(ip_hdr(skb))) {
-                enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
+                enum ip_defrag_users user =
+                        nf_ct_defrag_user(ops->hooknum, skb);
                if (nf_ct_ipv4_gather_frags(skb, user))
                        return NF_STOLEN;
        }
diff --git a/net/ipv4/netfilter/nf_tables_arp.c b/net/ipv4/netfilter/nf_tables_arp.c
new file mode 100644
index 000000000000..3e67ef1c676f
--- /dev/null
+++ b/net/ipv4/netfilter/nf_tables_arp.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2008-2010 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/netfilter_arp.h>
+#include <net/netfilter/nf_tables.h>
+static struct nft_af_info nft_af_arp __read_mostly = {
+        .family         = NFPROTO_ARP,
+        .nhooks         = NF_ARP_NUMHOOKS,
+        .owner          = THIS_MODULE,
+};
+static int nf_tables_arp_init_net(struct net *net)
+{
+        net->nft.arp = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
+        if (net->nft.arp== NULL)
+                return -ENOMEM;
+        memcpy(net->nft.arp, &nft_af_arp, sizeof(nft_af_arp));
+        if (nft_register_afinfo(net, net->nft.arp) < 0)
+                goto err;
+        return 0;
+err:
+        kfree(net->nft.arp);
+        return -ENOMEM;
+}
+static void nf_tables_arp_exit_net(struct net *net)
+{
+        nft_unregister_afinfo(net->nft.arp);
+        kfree(net->nft.arp);
+}
+static struct pernet_operations nf_tables_arp_net_ops = {
+        .init   = nf_tables_arp_init_net,
+        .exit   = nf_tables_arp_exit_net,
+};
+static unsigned int
+nft_do_chain_arp(const struct nf_hook_ops *ops,
+                  struct sk_buff *skb,
+                  const struct net_device *in,
+                  const struct net_device *out,
+                  int (*okfn)(struct sk_buff *))
+{
+        struct nft_pktinfo pkt;
+        nft_set_pktinfo(&pkt, ops, skb, in, out);
+        return nft_do_chain_pktinfo(&pkt, ops);
+}
+static struct nf_chain_type filter_arp = {
+        .family         = NFPROTO_ARP,
+        .name           = "filter",
+        .type           = NFT_CHAIN_T_DEFAULT,
+        .hook_mask      = (1 << NF_ARP_IN) |
+                          (1 << NF_ARP_OUT) |
+                          (1 << NF_ARP_FORWARD),
+        .fn             = {
+                [NF_ARP_IN]             = nft_do_chain_arp,
+                [NF_ARP_OUT]            = nft_do_chain_arp,
+                [NF_ARP_FORWARD]        = nft_do_chain_arp,
+        },
+};
+static int __init nf_tables_arp_init(void)
+{
+        int ret;
+        nft_register_chain_type(&filter_arp);
+        ret = register_pernet_subsys(&nf_tables_arp_net_ops);
+        if (ret < 0)
+                nft_unregister_chain_type(&filter_arp);
+        return ret;
+}
+static void __exit nf_tables_arp_exit(void)
+{
+        unregister_pernet_subsys(&nf_tables_arp_net_ops);
+        nft_unregister_chain_type(&filter_arp);
+}
+module_init(nf_tables_arp_init);
+module_exit(nf_tables_arp_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_FAMILY(3); /* NFPROTO_ARP */
diff --git a/net/ipv4/netfilter/nf_tables_ipv4.c b/net/ipv4/netfilter/nf_tables_ipv4.c
new file mode 100644
index 000000000000..8f7536be1322
--- /dev/null
+++ b/net/ipv4/netfilter/nf_tables_ipv4.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2012-2013 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/netfilter_ipv4.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/net_namespace.h>
+#include <net/ip.h>
+#include <net/net_namespace.h>
+#include <net/netfilter/nf_tables_ipv4.h>
+static unsigned int nft_ipv4_output(const struct nf_hook_ops *ops,
+                                    struct sk_buff *skb,
+                                    const struct net_device *in,
+                                    const struct net_device *out,
+                                    int (*okfn)(struct sk_buff *))
+{
+        struct nft_pktinfo pkt;
+        if (unlikely(skb->len < sizeof(struct iphdr) ||
+                     ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
+                if (net_ratelimit())
+                        pr_info("nf_tables_ipv4: ignoring short SOCK_RAW "
+                                "packet\n");
+                return NF_ACCEPT;
+        }
+        nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+        return nft_do_chain_pktinfo(&pkt, ops);
+}
+static struct nft_af_info nft_af_ipv4 __read_mostly = {
+        .family         = NFPROTO_IPV4,
+        .nhooks         = NF_INET_NUMHOOKS,
+        .owner          = THIS_MODULE,
+        .hooks          = {
+                [NF_INET_LOCAL_OUT]     = nft_ipv4_output,
+        },
+};
+static int nf_tables_ipv4_init_net(struct net *net)
+{
+        net->nft.ipv4 = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
+        if (net->nft.ipv4 == NULL)
+                return -ENOMEM;
+        memcpy(net->nft.ipv4, &nft_af_ipv4, sizeof(nft_af_ipv4));
+        if (nft_register_afinfo(net, net->nft.ipv4) < 0)
+                goto err;
+        return 0;
+err:
+        kfree(net->nft.ipv4);
+        return -ENOMEM;
+}
+static void nf_tables_ipv4_exit_net(struct net *net)
+{
+        nft_unregister_afinfo(net->nft.ipv4);
+        kfree(net->nft.ipv4);
+}
+static struct pernet_operations nf_tables_ipv4_net_ops = {
+        .init   = nf_tables_ipv4_init_net,
+        .exit   = nf_tables_ipv4_exit_net,
+};
+static unsigned int
+nft_do_chain_ipv4(const struct nf_hook_ops *ops,
+                  struct sk_buff *skb,
+                  const struct net_device *in,
+                  const struct net_device *out,
+                  int (*okfn)(struct sk_buff *))
+{
+        struct nft_pktinfo pkt;
+        nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+        return nft_do_chain_pktinfo(&pkt, ops);
+}
+static struct nf_chain_type filter_ipv4 = {
+        .family         = NFPROTO_IPV4,
+        .name           = "filter",
+        .type           = NFT_CHAIN_T_DEFAULT,
+        .hook_mask      = (1 << NF_INET_LOCAL_IN) |
+                          (1 << NF_INET_LOCAL_OUT) |
+                          (1 << NF_INET_FORWARD) |
+                          (1 << NF_INET_PRE_ROUTING) |
+                          (1 << NF_INET_POST_ROUTING),
+        .fn             = {
+                [NF_INET_LOCAL_IN]      = nft_do_chain_ipv4,
+                [NF_INET_LOCAL_OUT]     = nft_ipv4_output,
+                [NF_INET_FORWARD]       = nft_do_chain_ipv4,
+                [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv4,
+                [NF_INET_POST_ROUTING]  = nft_do_chain_ipv4,
+        },
+};
+static int __init nf_tables_ipv4_init(void)
+{
+        nft_register_chain_type(&filter_ipv4);
+        return register_pernet_subsys(&nf_tables_ipv4_net_ops);
+}
+static void __exit nf_tables_ipv4_exit(void)
+{
+        unregister_pernet_subsys(&nf_tables_ipv4_net_ops);
+        nft_unregister_chain_type(&filter_ipv4);
+}
+module_init(nf_tables_ipv4_init);
+module_exit(nf_tables_ipv4_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_FAMILY(AF_INET);
diff --git a/net/ipv4/netfilter/nft_chain_nat_ipv4.c b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
new file mode 100644
index 000000000000..cf2c792cd971
--- /dev/null
+++ b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
@@ -0,0 +1,205 @@
+/*
+ * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
+ * Copyright (c) 2012 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/list.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_nat.h>
+#include <net/netfilter/nf_nat_core.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables_ipv4.h>
+#include <net/netfilter/nf_nat_l3proto.h>
+#include <net/ip.h>
+/*
+ * NAT chains
+ */
+static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
+                              struct sk_buff *skb,
+                              const struct net_device *in,
+                              const struct net_device *out,
+                              int (*okfn)(struct sk_buff *))
+{
+        enum ip_conntrack_info ctinfo;
+        struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+        struct nf_conn_nat *nat;
+        enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
+        struct nft_pktinfo pkt;
+        unsigned int ret;
+        if (ct == NULL || nf_ct_is_untracked(ct))
+                return NF_ACCEPT;
+        NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
+        nat = nfct_nat(ct);
+        if (nat == NULL) {
+                /* Conntrack module was loaded late, can't add extension. */
+                if (nf_ct_is_confirmed(ct))
+                        return NF_ACCEPT;
+                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
+                if (nat == NULL)
+                        return NF_ACCEPT;
+        }
+        switch (ctinfo) {
+        case IP_CT_RELATED:
+        case IP_CT_RELATED + IP_CT_IS_REPLY:
+                if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
+                        if (!nf_nat_icmp_reply_translation(skb, ct, ctinfo,
+                                                           ops->hooknum))
+                                return NF_DROP;
+                        else
+                                return NF_ACCEPT;
+                }
+                /* Fall through */
+        case IP_CT_NEW:
+                if (nf_nat_initialized(ct, maniptype))
+                        break;
+                nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+                ret = nft_do_chain_pktinfo(&pkt, ops);
+                if (ret != NF_ACCEPT)
+                        return ret;
+                if (!nf_nat_initialized(ct, maniptype)) {
+                        ret = nf_nat_alloc_null_binding(ct, ops->hooknum);
+                        if (ret != NF_ACCEPT)
+                                return ret;
+                }
+        default:
+                break;
+        }
+        return nf_nat_packet(ct, ctinfo, ops->hooknum, skb);
+}
+static unsigned int nf_nat_prerouting(const struct nf_hook_ops *ops,
+                                      struct sk_buff *skb,
+                                      const struct net_device *in,
+                                      const struct net_device *out,
+                                      int (*okfn)(struct sk_buff *))
+{
+        __be32 daddr = ip_hdr(skb)->daddr;
+        unsigned int ret;
+        ret = nf_nat_fn(ops, skb, in, out, okfn);
+        if (ret != NF_DROP && ret != NF_STOLEN &&
+            ip_hdr(skb)->daddr != daddr) {
+                skb_dst_drop(skb);
+        }
+        return ret;
+}
+static unsigned int nf_nat_postrouting(const struct nf_hook_ops *ops,
+                                       struct sk_buff *skb,
+                                       const struct net_device *in,
+                                       const struct net_device *out,
+                                       int (*okfn)(struct sk_buff *))
+{
+        enum ip_conntrack_info ctinfo __maybe_unused;
+        const struct nf_conn *ct __maybe_unused;
+        unsigned int ret;
+        ret = nf_nat_fn(ops, skb, in, out, okfn);
+#ifdef CONFIG_XFRM
+        if (ret != NF_DROP && ret != NF_STOLEN &&
+            (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
+                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+                if (ct->tuplehash[dir].tuple.src.u3.ip !=
+                    ct->tuplehash[!dir].tuple.dst.u3.ip ||
+                    ct->tuplehash[dir].tuple.src.u.all !=
+                    ct->tuplehash[!dir].tuple.dst.u.all)
+                        return nf_xfrm_me_harder(skb, AF_INET) == 0 ?
+                                                                ret : NF_DROP;
+        }
+#endif
+        return ret;
+}
+static unsigned int nf_nat_output(const struct nf_hook_ops *ops,
+                                  struct sk_buff *skb,
+                                  const struct net_device *in,
+                                  const struct net_device *out,
+                                  int (*okfn)(struct sk_buff *))
+{
+        enum ip_conntrack_info ctinfo;
+        const struct nf_conn *ct;
+        unsigned int ret;
+        ret = nf_nat_fn(ops, skb, in, out, okfn);
+        if (ret != NF_DROP && ret != NF_STOLEN &&
+            (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
+                enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
+                if (ct->tuplehash[dir].tuple.dst.u3.ip !=
+                    ct->tuplehash[!dir].tuple.src.u3.ip) {
+                        if (ip_route_me_harder(skb, RTN_UNSPEC))
+                                ret = NF_DROP;
+                }
+#ifdef CONFIG_XFRM
+                else if (ct->tuplehash[dir].tuple.dst.u.all !=
+                         ct->tuplehash[!dir].tuple.src.u.all)
+                        if (nf_xfrm_me_harder(skb, AF_INET))
+                                ret = NF_DROP;
+#endif
+        }
+        return ret;
+}
+static struct nf_chain_type nft_chain_nat_ipv4 = {
+        .family         = NFPROTO_IPV4,
+        .name           = "nat",
+        .type           = NFT_CHAIN_T_NAT,
+        .hook_mask      = (1 << NF_INET_PRE_ROUTING) |
+                          (1 << NF_INET_POST_ROUTING) |
+                          (1 << NF_INET_LOCAL_OUT) |
+                          (1 << NF_INET_LOCAL_IN),
+        .fn             = {
+                [NF_INET_PRE_ROUTING]   = nf_nat_prerouting,
+                [NF_INET_POST_ROUTING]  = nf_nat_postrouting,
+                [NF_INET_LOCAL_OUT]     = nf_nat_output,
+                [NF_INET_LOCAL_IN]      = nf_nat_fn,
+        },
+        .me             = THIS_MODULE,
+};
+static int __init nft_chain_nat_init(void)
+{
+        int err;
+        err = nft_register_chain_type(&nft_chain_nat_ipv4);
+        if (err < 0)
+                return err;
+        return 0;
+}
+static void __exit nft_chain_nat_exit(void)
+{
+        nft_unregister_chain_type(&nft_chain_nat_ipv4);
+}
+module_init(nft_chain_nat_init);
+module_exit(nft_chain_nat_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
diff --git a/net/ipv4/netfilter/nft_chain_route_ipv4.c b/net/ipv4/netfilter/nft_chain_route_ipv4.c
new file mode 100644
index 000000000000..4e6bf9a3d7aa
--- /dev/null
+++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/list.h>
+#include <linux/skbuff.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables_ipv4.h>
+#include <net/route.h>
+#include <net/ip.h>
+static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
+                                        struct sk_buff *skb,
+                                        const struct net_device *in,
+                                        const struct net_device *out,
+                                        int (*okfn)(struct sk_buff *))
+{
+        unsigned int ret;
+        struct nft_pktinfo pkt;
+        u32 mark;
+        __be32 saddr, daddr;
+        u_int8_t tos;
+        const struct iphdr *iph;
+        /* root is playing with raw sockets. */
+        if (skb->len < sizeof(struct iphdr) ||
+            ip_hdrlen(skb) < sizeof(struct iphdr))
+                return NF_ACCEPT;
+        nft_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+        mark = skb->mark;
+        iph = ip_hdr(skb);
+        saddr = iph->saddr;
+        daddr = iph->daddr;
+        tos = iph->tos;
+        ret = nft_do_chain_pktinfo(&pkt, ops);
+        if (ret != NF_DROP && ret != NF_QUEUE) {
+                iph = ip_hdr(skb);
+                if (iph->saddr != saddr ||
+                    iph->daddr != daddr ||
+                    skb->mark != mark ||
+                    iph->tos != tos)
+                        if (ip_route_me_harder(skb, RTN_UNSPEC))
+                                ret = NF_DROP;
+        }
+        return ret;
+}
+static struct nf_chain_type nft_chain_route_ipv4 = {
+        .family         = NFPROTO_IPV4,
+        .name           = "route",
+        .type           = NFT_CHAIN_T_ROUTE,
+        .hook_mask      = (1 << NF_INET_LOCAL_OUT),
+        .fn             = {
+                [NF_INET_LOCAL_OUT]     = nf_route_table_hook,
+        },
+        .me             = THIS_MODULE,
+};
+static int __init nft_chain_route_init(void)
+{
+        return nft_register_chain_type(&nft_chain_route_ipv4);
+}
+static void __exit nft_chain_route_exit(void)
+{
+        nft_unregister_chain_type(&nft_chain_route_ipv4);
+}
+module_init(nft_chain_route_init);
+module_exit(nft_chain_route_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_CHAIN(AF_INET, "route");
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
new file mode 100644
index 000000000000..fff5ba1a33b7
--- /dev/null
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/icmp.h>
+struct nft_reject {
+        enum nft_reject_types   type:8;
+        u8                      icmp_code;
+};
+static void nft_reject_eval(const struct nft_expr *expr,
+                              struct nft_data data[NFT_REG_MAX + 1],
+                              const struct nft_pktinfo *pkt)
+{
+        struct nft_reject *priv = nft_expr_priv(expr);
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                icmp_send(pkt->skb, ICMP_DEST_UNREACH, priv->icmp_code, 0);
+                break;
+        case NFT_REJECT_TCP_RST:
+                break;
+        }
+        data[NFT_REG_VERDICT].verdict = NF_DROP;
+}
+static const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
+        [NFTA_REJECT_TYPE]              = { .type = NLA_U32 },
+        [NFTA_REJECT_ICMP_CODE]         = { .type = NLA_U8 },
+};
+static int nft_reject_init(const struct nft_ctx *ctx,
+                           const struct nft_expr *expr,
+                           const struct nlattr * const tb[])
+{
+        struct nft_reject *priv = nft_expr_priv(expr);
+        if (tb[NFTA_REJECT_TYPE] == NULL)
+                return -EINVAL;
+        priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                if (tb[NFTA_REJECT_ICMP_CODE] == NULL)
+                        return -EINVAL;
+                priv->icmp_code = nla_get_u8(tb[NFTA_REJECT_ICMP_CODE]);
+        case NFT_REJECT_TCP_RST:
+                break;
+        default:
+                return -EINVAL;
+        }
+        return 0;
+}
+static int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr)
+{
+        const struct nft_reject *priv = nft_expr_priv(expr);
+        if (nla_put_be32(skb, NFTA_REJECT_TYPE, priv->type))
+                goto nla_put_failure;
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                if (nla_put_u8(skb, NFTA_REJECT_ICMP_CODE, priv->icmp_code))
+                        goto nla_put_failure;
+                break;
+        }
+        return 0;
+nla_put_failure:
+        return -1;
+}
+static struct nft_expr_type nft_reject_type;
+static const struct nft_expr_ops nft_reject_ops = {
+        .type           = &nft_reject_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+        .eval           = nft_reject_eval,
+        .init           = nft_reject_init,
+        .dump           = nft_reject_dump,
+};
+static struct nft_expr_type nft_reject_type __read_mostly = {
+        .name           = "reject",
+        .ops            = &nft_reject_ops,
+        .policy         = nft_reject_policy,
+        .maxattr        = NFTA_REJECT_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_reject_module_init(void)
+{
+        return nft_register_expr(&nft_reject_type);
+}
+static void __exit nft_reject_module_exit(void)
+{
+        nft_unregister_expr(&nft_reject_type);
+}
+module_init(nft_reject_module_init);
+module_exit(nft_reject_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_EXPR("reject");
author	David S. Miller <davem@davemloft.net>	2013-10-17 15:22:05 -0400
committer	David S. Miller <davem@davemloft.net>	2013-10-17 15:22:05 -0400
commit	da33edccebcc36d387423dcdb557094fbda55994 (patch)
tree	9f426a52f875169ae24e54a395beedc697c96e02 /net/ipv4
parent	78dea8cc4942c6adbcccc8f483463906a078f039 (diff)
parent	ed683f138b3dbc8a5e878e24a0bfa0bb61043a09 (diff)