144 files changed, 5967 insertions, 0 deletions

diff --git a/include/uapi/linux/caif/Kbuild b/include/uapi/linux/caif/Kbuild
index aafaa5aa54d4..43396612d3a3 100644
--- a/include/uapi/linux/caif/Kbuild
+++ b/include/uapi/linux/caif/Kbuild
@@ -1 +1,3 @@
 # UAPI Header export list
+header-y += caif_socket.h
+header-y += if_caif.h
diff --git a/include/uapi/linux/caif/caif_socket.h b/include/uapi/linux/caif/caif_socket.h
new file mode 100644
index 000000000000..3f3bac6af7bc
--- /dev/null
+++ b/include/uapi/linux/caif/caif_socket.h
@@ -0,0 +1,194 @@
+/* linux/caif_socket.h
+ * CAIF Definitions for CAIF socket and network layer
+ * Copyright (C) ST-Ericsson AB 2010
+ * Author:       Sjur Brendeland/ sjur.brandeland@stericsson.com
+ * License terms: GNU General Public License (GPL) version 2
+ */
+
+#ifndef _LINUX_CAIF_SOCKET_H
+#define _LINUX_CAIF_SOCKET_H
+
+#include <linux/types.h>
+#include <linux/socket.h>
+
+/**
+ * enum caif_link_selector -    Physical Link Selection.
+ * @CAIF_LINK_HIGH_BANDW:       Physical interface for high-bandwidth
+ *                              traffic.
+ * @CAIF_LINK_LOW_LATENCY:      Physical interface for low-latency
+ *                              traffic.
+ *
+ * CAIF Link Layers can register their link properties.
+ * This enum is used for choosing between CAIF Link Layers when
+ * setting up CAIF Channels when multiple CAIF Link Layers exists.
+ */
+enum caif_link_selector {
+        CAIF_LINK_HIGH_BANDW,
+        CAIF_LINK_LOW_LATENCY
+};
+
+/**
+ * enum caif_channel_priority - CAIF channel priorities.
+ *
+ * @CAIF_PRIO_MIN:      Min priority for a channel.
+ * @CAIF_PRIO_LOW:      Low-priority channel.
+ * @CAIF_PRIO_NORMAL:   Normal/default priority level.
+ * @CAIF_PRIO_HIGH:     High priority level
+ * @CAIF_PRIO_MAX:      Max priority for channel
+ *
+ * Priority can be set on CAIF Channels in order to
+ * prioritize between traffic on different CAIF Channels.
+ * These priority levels are recommended, but the priority value
+ * is not restricted to the values defined in this enum, any value
+ * between CAIF_PRIO_MIN and CAIF_PRIO_MAX could be used.
+ */
+enum caif_channel_priority {
+        CAIF_PRIO_MIN    = 0x01,
+        CAIF_PRIO_LOW    = 0x04,
+        CAIF_PRIO_NORMAL = 0x0f,
+        CAIF_PRIO_HIGH   = 0x14,
+        CAIF_PRIO_MAX    = 0x1F
+};
+
+/**
+ * enum caif_protocol_type  -   CAIF Channel type.
+ * @CAIFPROTO_AT:               Classic AT channel.
+ * @CAIFPROTO_DATAGRAM: Datagram channel.
+ * @CAIFPROTO_DATAGRAM_LOOP:    Datagram loopback channel, used for testing.
+ * @CAIFPROTO_UTIL:             Utility (Psock) channel.
+ * @CAIFPROTO_RFM:              Remote File Manager
+ * @CAIFPROTO_DEBUG:            Debug link
+ *
+ * This enum defines the CAIF Channel type to be used. This defines
+ * the service to connect to on the modem.
+ */
+enum caif_protocol_type {
+        CAIFPROTO_AT,
+        CAIFPROTO_DATAGRAM,
+        CAIFPROTO_DATAGRAM_LOOP,
+        CAIFPROTO_UTIL,
+        CAIFPROTO_RFM,
+        CAIFPROTO_DEBUG,
+        _CAIFPROTO_MAX
+};
+#define CAIFPROTO_MAX _CAIFPROTO_MAX
+
+/**
+ * enum caif_at_type - AT Service Endpoint
+ * @CAIF_ATTYPE_PLAIN:       Connects to a plain vanilla AT channel.
+ */
+enum caif_at_type {
+        CAIF_ATTYPE_PLAIN = 2
+};
+ /**
+ * enum caif_debug_type - Content selection for debug connection
+ * @CAIF_DEBUG_TRACE_INTERACTIVE: Connection will contain
+ *                              both trace and interactive debug.
+ * @CAIF_DEBUG_TRACE:           Connection contains trace only.
+ * @CAIF_DEBUG_INTERACTIVE:     Connection to interactive debug.
+ */
+enum caif_debug_type {
+        CAIF_DEBUG_TRACE_INTERACTIVE = 0,
+        CAIF_DEBUG_TRACE,
+        CAIF_DEBUG_INTERACTIVE,
+};
+
+/**
+ * enum caif_debug_service - Debug Service Endpoint
+ * @CAIF_RADIO_DEBUG_SERVICE:   Debug service on the Radio sub-system
+ * @CAIF_APP_DEBUG_SERVICE:     Debug for the applications sub-system
+ */
+enum caif_debug_service {
+        CAIF_RADIO_DEBUG_SERVICE = 1,
+        CAIF_APP_DEBUG_SERVICE
+};
+
+/**
+ * struct sockaddr_caif - the sockaddr structure for CAIF sockets.
+ * @family:                  Address family number, must be AF_CAIF.
+ * @u:                       Union of address data 'switched' by family.
+ * :
+ * @u.at:                    Applies when family = CAIFPROTO_AT.
+ *
+ * @u.at.type:               Type of AT link to set up (enum caif_at_type).
+ *
+ * @u.util:                  Applies when family = CAIFPROTO_UTIL
+ *
+ * @u.util.service:          Utility service name.
+ *
+ * @u.dgm:                   Applies when family = CAIFPROTO_DATAGRAM
+ *
+ * @u.dgm.connection_id:     Datagram connection id.
+ *
+ * @u.dgm.nsapi:             NSAPI of the PDP-Context.
+ *
+ * @u.rfm:                   Applies when family = CAIFPROTO_RFM
+ *
+ * @u.rfm.connection_id:     Connection ID for RFM.
+ *
+ * @u.rfm.volume:            Volume to mount.
+ *
+ * @u.dbg:                    Applies when family = CAIFPROTO_DEBUG.
+ *
+ * @u.dbg.type:                      Type of debug connection to set up
+ *                            (caif_debug_type).
+ *
+ * @u.dbg.service:            Service sub-system to connect (caif_debug_service
+ * Description:
+ * This structure holds the connect parameters used for setting up a
+ * CAIF Channel. It defines the service to connect to on the modem.
+ */
+struct sockaddr_caif {
+        __kernel_sa_family_t  family;
+        union {
+                struct {
+                        __u8  type;             /* type: enum caif_at_type */
+                } at;                           /* CAIFPROTO_AT */
+                struct {
+                        char      service[16];
+                } util;                         /* CAIFPROTO_UTIL */
+                union {
+                        __u32 connection_id;
+                        __u8  nsapi;
+                } dgm;                          /* CAIFPROTO_DATAGRAM(_LOOP)*/
+                struct {
+                        __u32 connection_id;
+                        char      volume[16];
+                } rfm;                          /* CAIFPROTO_RFM */
+                struct {
+                        __u8  type;             /* type:enum caif_debug_type */
+                        __u8  service;          /* service:caif_debug_service */
+                } dbg;                          /* CAIFPROTO_DEBUG */
+        } u;
+};
+
+/**
+ * enum caif_socket_opts - CAIF option values for getsockopt and setsockopt.
+ *
+ * @CAIFSO_LINK_SELECT:         Selector used if multiple CAIF Link layers are
+ *                              available. Either a high bandwidth
+ *                              link can be selected (CAIF_LINK_HIGH_BANDW) or
+ *                              or a low latency link (CAIF_LINK_LOW_LATENCY).
+ *                              This option is of type __u32.
+ *                              Alternatively SO_BINDTODEVICE can be used.
+ *
+ * @CAIFSO_REQ_PARAM:           Used to set the request parameters for a
+ *                              utility channel. (maximum 256 bytes). This
+ *                              option must be set before connecting.
+ *
+ * @CAIFSO_RSP_PARAM:           Gets the response parameters for a utility
+ *                              channel. (maximum 256 bytes). This option
+ *                              is valid after a successful connect.
+ *
+ *
+ * This enum defines the CAIF Socket options to be used on a socket
+ * of type PF_CAIF.
+ *
+ */
+enum caif_socket_opts {
+        CAIFSO_LINK_SELECT      = 127,
+        CAIFSO_REQ_PARAM        = 128,
+        CAIFSO_RSP_PARAM        = 129,
+};
+
+#endif /* _LINUX_CAIF_SOCKET_H */
diff --git a/include/uapi/linux/caif/if_caif.h b/include/uapi/linux/caif/if_caif.h
new file mode 100644
index 000000000000..5e7eed4edf51
--- /dev/null
+++ b/include/uapi/linux/caif/if_caif.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) ST-Ericsson AB 2010
+ * Author:      Sjur Brendeland/ sjur.brandeland@stericsson.com
+ * License terms: GNU General Public License (GPL) version 2
+ */
+
+#ifndef IF_CAIF_H_
+#define IF_CAIF_H_
+#include <linux/sockios.h>
+#include <linux/types.h>
+#include <linux/socket.h>
+
+/**
+ * enum ifla_caif - CAIF NetlinkRT parameters.
+ * @IFLA_CAIF_IPV4_CONNID:  Connection ID for IPv4 PDP Context.
+ *                          The type of attribute is NLA_U32.
+ * @IFLA_CAIF_IPV6_CONNID:  Connection ID for IPv6 PDP Context.
+ *                          The type of attribute is NLA_U32.
+ * @IFLA_CAIF_LOOPBACK:     If different from zero, device is doing loopback
+ *                          The type of attribute is NLA_U8.
+ *
+ * When using RT Netlink to create, destroy or configure a CAIF IP interface,
+ * enum ifla_caif is used to specify the configuration attributes.
+ */
+enum ifla_caif {
+        __IFLA_CAIF_UNSPEC,
+        IFLA_CAIF_IPV4_CONNID,
+        IFLA_CAIF_IPV6_CONNID,
+        IFLA_CAIF_LOOPBACK,
+        __IFLA_CAIF_MAX
+};
+#define IFLA_CAIF_MAX (__IFLA_CAIF_MAX-1)
+
+#endif /*IF_CAIF_H_*/
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 4afbace8e869..08f555fef13f 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -1,2 +1,78 @@
 # UAPI Header export list
 header-y += ipset/
+header-y += nf_conntrack_common.h
+header-y += nf_conntrack_ftp.h
+header-y += nf_conntrack_sctp.h
+header-y += nf_conntrack_tcp.h
+header-y += nf_conntrack_tuple_common.h
+header-y += nf_nat.h
+header-y += nfnetlink.h
+header-y += nfnetlink_acct.h
+header-y += nfnetlink_compat.h
+header-y += nfnetlink_conntrack.h
+header-y += nfnetlink_cthelper.h
+header-y += nfnetlink_cttimeout.h
+header-y += nfnetlink_log.h
+header-y += nfnetlink_queue.h
+header-y += x_tables.h
+header-y += xt_AUDIT.h
+header-y += xt_CHECKSUM.h
+header-y += xt_CLASSIFY.h
+header-y += xt_CONNMARK.h
+header-y += xt_CONNSECMARK.h
+header-y += xt_CT.h
+header-y += xt_DSCP.h
+header-y += xt_IDLETIMER.h
+header-y += xt_LED.h
+header-y += xt_LOG.h
+header-y += xt_MARK.h
+header-y += xt_NFLOG.h
+header-y += xt_NFQUEUE.h
+header-y += xt_RATEEST.h
+header-y += xt_SECMARK.h
+header-y += xt_TCPMSS.h
+header-y += xt_TCPOPTSTRIP.h
+header-y += xt_TEE.h
+header-y += xt_TPROXY.h
+header-y += xt_addrtype.h
+header-y += xt_cluster.h
+header-y += xt_comment.h
+header-y += xt_connbytes.h
+header-y += xt_connlimit.h
+header-y += xt_connmark.h
+header-y += xt_conntrack.h
+header-y += xt_cpu.h
+header-y += xt_dccp.h
+header-y += xt_devgroup.h
+header-y += xt_dscp.h
+header-y += xt_ecn.h
+header-y += xt_esp.h
+header-y += xt_hashlimit.h
+header-y += xt_helper.h
+header-y += xt_iprange.h
+header-y += xt_ipvs.h
+header-y += xt_length.h
+header-y += xt_limit.h
+header-y += xt_mac.h
+header-y += xt_mark.h
+header-y += xt_multiport.h
+header-y += xt_nfacct.h
+header-y += xt_osf.h
+header-y += xt_owner.h
+header-y += xt_physdev.h
+header-y += xt_pkttype.h
+header-y += xt_policy.h
+header-y += xt_quota.h
+header-y += xt_rateest.h
+header-y += xt_realm.h
+header-y += xt_recent.h
+header-y += xt_sctp.h
+header-y += xt_set.h
+header-y += xt_socket.h
+header-y += xt_state.h
+header-y += xt_statistic.h
+header-y += xt_string.h
+header-y += xt_tcpmss.h
+header-y += xt_tcpudp.h
+header-y += xt_time.h
+header-y += xt_u32.h
diff --git a/include/uapi/linux/netfilter/ipset/Kbuild b/include/uapi/linux/netfilter/ipset/Kbuild
index aafaa5aa54d4..d2680423d9ab 100644
--- a/include/uapi/linux/netfilter/ipset/Kbuild
+++ b/include/uapi/linux/netfilter/ipset/Kbuild
@@ -1 +1,5 @@
 # UAPI Header export list
+header-y += ip_set.h
+header-y += ip_set_bitmap.h
+header-y += ip_set_hash.h
+header-y += ip_set_list.h
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
new file mode 100644
index 000000000000..fbee42807a11
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -0,0 +1,231 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef _UAPI_IP_SET_H
+#define _UAPI_IP_SET_H
+
+
+#include <linux/types.h>
+
+/* The protocol version */
+#define IPSET_PROTOCOL          6
+
+/* The max length of strings including NUL: set and type identifiers */
+#define IPSET_MAXNAMELEN        32
+
+/* Message types and commands */
+enum ipset_cmd {
+        IPSET_CMD_NONE,
+        IPSET_CMD_PROTOCOL,     /* 1: Return protocol version */
+        IPSET_CMD_CREATE,       /* 2: Create a new (empty) set */
+        IPSET_CMD_DESTROY,      /* 3: Destroy a (empty) set */
+        IPSET_CMD_FLUSH,        /* 4: Remove all elements from a set */
+        IPSET_CMD_RENAME,       /* 5: Rename a set */
+        IPSET_CMD_SWAP,         /* 6: Swap two sets */
+        IPSET_CMD_LIST,         /* 7: List sets */
+        IPSET_CMD_SAVE,         /* 8: Save sets */
+        IPSET_CMD_ADD,          /* 9: Add an element to a set */
+        IPSET_CMD_DEL,          /* 10: Delete an element from a set */
+        IPSET_CMD_TEST,         /* 11: Test an element in a set */
+        IPSET_CMD_HEADER,       /* 12: Get set header data only */
+        IPSET_CMD_TYPE,         /* 13: Get set type */
+        IPSET_MSG_MAX,          /* Netlink message commands */
+
+        /* Commands in userspace: */
+        IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
+        IPSET_CMD_HELP,         /* 15: Get help */
+        IPSET_CMD_VERSION,      /* 16: Get program version */
+        IPSET_CMD_QUIT,         /* 17: Quit from interactive mode */
+
+        IPSET_CMD_MAX,
+
+        IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
+};
+
+/* Attributes at command level */
+enum {
+        IPSET_ATTR_UNSPEC,
+        IPSET_ATTR_PROTOCOL,    /* 1: Protocol version */
+        IPSET_ATTR_SETNAME,     /* 2: Name of the set */
+        IPSET_ATTR_TYPENAME,    /* 3: Typename */
+        IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
+        IPSET_ATTR_REVISION,    /* 4: Settype revision */
+        IPSET_ATTR_FAMILY,      /* 5: Settype family */
+        IPSET_ATTR_FLAGS,       /* 6: Flags at command level */
+        IPSET_ATTR_DATA,        /* 7: Nested attributes */
+        IPSET_ATTR_ADT,         /* 8: Multiple data containers */
+        IPSET_ATTR_LINENO,      /* 9: Restore lineno */
+        IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
+        IPSET_ATTR_REVISION_MIN = IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
+        __IPSET_ATTR_CMD_MAX,
+};
+#define IPSET_ATTR_CMD_MAX      (__IPSET_ATTR_CMD_MAX - 1)
+
+/* CADT specific attributes */
+enum {
+        IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
+        IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
+        IPSET_ATTR_IP_TO,       /* 2 */
+        IPSET_ATTR_CIDR,        /* 3 */
+        IPSET_ATTR_PORT,        /* 4 */
+        IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
+        IPSET_ATTR_PORT_TO,     /* 5 */
+        IPSET_ATTR_TIMEOUT,     /* 6 */
+        IPSET_ATTR_PROTO,       /* 7 */
+        IPSET_ATTR_CADT_FLAGS,  /* 8 */
+        IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,     /* 9 */
+        /* Reserve empty slots */
+        IPSET_ATTR_CADT_MAX = 16,
+        /* Create-only specific attributes */
+        IPSET_ATTR_GC,
+        IPSET_ATTR_HASHSIZE,
+        IPSET_ATTR_MAXELEM,
+        IPSET_ATTR_NETMASK,
+        IPSET_ATTR_PROBES,
+        IPSET_ATTR_RESIZE,
+        IPSET_ATTR_SIZE,
+        /* Kernel-only */
+        IPSET_ATTR_ELEMENTS,
+        IPSET_ATTR_REFERENCES,
+        IPSET_ATTR_MEMSIZE,
+
+        __IPSET_ATTR_CREATE_MAX,
+};
+#define IPSET_ATTR_CREATE_MAX   (__IPSET_ATTR_CREATE_MAX - 1)
+
+/* ADT specific attributes */
+enum {
+        IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
+        IPSET_ATTR_NAME,
+        IPSET_ATTR_NAMEREF,
+        IPSET_ATTR_IP2,
+        IPSET_ATTR_CIDR2,
+        IPSET_ATTR_IP2_TO,
+        IPSET_ATTR_IFACE,
+        __IPSET_ATTR_ADT_MAX,
+};
+#define IPSET_ATTR_ADT_MAX      (__IPSET_ATTR_ADT_MAX - 1)
+
+/* IP specific attributes */
+enum {
+        IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
+        IPSET_ATTR_IPADDR_IPV6,
+        __IPSET_ATTR_IPADDR_MAX,
+};
+#define IPSET_ATTR_IPADDR_MAX   (__IPSET_ATTR_IPADDR_MAX - 1)
+
+/* Error codes */
+enum ipset_errno {
+        IPSET_ERR_PRIVATE = 4096,
+        IPSET_ERR_PROTOCOL,
+        IPSET_ERR_FIND_TYPE,
+        IPSET_ERR_MAX_SETS,
+        IPSET_ERR_BUSY,
+        IPSET_ERR_EXIST_SETNAME2,
+        IPSET_ERR_TYPE_MISMATCH,
+        IPSET_ERR_EXIST,
+        IPSET_ERR_INVALID_CIDR,
+        IPSET_ERR_INVALID_NETMASK,
+        IPSET_ERR_INVALID_FAMILY,
+        IPSET_ERR_TIMEOUT,
+        IPSET_ERR_REFERENCED,
+        IPSET_ERR_IPADDR_IPV4,
+        IPSET_ERR_IPADDR_IPV6,
+
+        /* Type specific error codes */
+        IPSET_ERR_TYPE_SPECIFIC = 4352,
+};
+
+/* Flags at command level */
+enum ipset_cmd_flags {
+        IPSET_FLAG_BIT_EXIST    = 0,
+        IPSET_FLAG_EXIST        = (1 << IPSET_FLAG_BIT_EXIST),
+        IPSET_FLAG_BIT_LIST_SETNAME = 1,
+        IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME),
+        IPSET_FLAG_BIT_LIST_HEADER = 2,
+        IPSET_FLAG_LIST_HEADER  = (1 << IPSET_FLAG_BIT_LIST_HEADER),
+        IPSET_FLAG_CMD_MAX = 15,        /* Lower half */
+};
+
+/* Flags at CADT attribute level */
+enum ipset_cadt_flags {
+        IPSET_FLAG_BIT_BEFORE   = 0,
+        IPSET_FLAG_BEFORE       = (1 << IPSET_FLAG_BIT_BEFORE),
+        IPSET_FLAG_BIT_PHYSDEV  = 1,
+        IPSET_FLAG_PHYSDEV      = (1 << IPSET_FLAG_BIT_PHYSDEV),
+        IPSET_FLAG_BIT_NOMATCH  = 2,
+        IPSET_FLAG_NOMATCH      = (1 << IPSET_FLAG_BIT_NOMATCH),
+        IPSET_FLAG_CADT_MAX     = 15,   /* Upper half */
+};
+
+/* Commands with settype-specific attributes */
+enum ipset_adt {
+        IPSET_ADD,
+        IPSET_DEL,
+        IPSET_TEST,
+        IPSET_ADT_MAX,
+        IPSET_CREATE = IPSET_ADT_MAX,
+        IPSET_CADT_MAX,
+};
+
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef __u16 ip_set_id_t;
+
+#define IPSET_INVALID_ID                65535
+
+enum ip_set_dim {
+        IPSET_DIM_ZERO = 0,
+        IPSET_DIM_ONE,
+        IPSET_DIM_TWO,
+        IPSET_DIM_THREE,
+        /* Max dimension in elements.
+         * If changed, new revision of iptables match/target is required.
+         */
+        IPSET_DIM_MAX = 6,
+        IPSET_BIT_RETURN_NOMATCH = 7,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+        IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+        IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+        IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+        IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+        IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
+};
+
+
+/* Interface to iptables/ip6tables */
+
+#define SO_IP_SET               83
+
+union ip_set_name_index {
+        char name[IPSET_MAXNAMELEN];
+        ip_set_id_t index;
+};
+
+#define IP_SET_OP_GET_BYNAME    0x00000006      /* Get set index by name */
+struct ip_set_req_get_set {
+        unsigned int op;
+        unsigned int version;
+        union ip_set_name_index set;
+};
+
+#define IP_SET_OP_GET_BYINDEX   0x00000007      /* Get set name by index */
+/* Uses ip_set_req_get_set */
+
+#define IP_SET_OP_VERSION       0x00000100      /* Ask kernel version */
+struct ip_set_req_version {
+        unsigned int op;
+        unsigned int version;
+};
+
+#endif /* _UAPI_IP_SET_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h
new file mode 100644
index 000000000000..6a2c038d1888
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_bitmap.h
@@ -0,0 +1,13 @@
+#ifndef _UAPI__IP_SET_BITMAP_H
+#define _UAPI__IP_SET_BITMAP_H
+
+/* Bitmap type specific error codes */
+enum {
+        /* The element is out of the range of the set */
+        IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
+        /* The range exceeds the size limit of the set type */
+        IPSET_ERR_BITMAP_RANGE_SIZE,
+};
+
+
+#endif /* _UAPI__IP_SET_BITMAP_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_hash.h b/include/uapi/linux/netfilter/ipset/ip_set_hash.h
new file mode 100644
index 000000000000..352eeccdc7f2
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_hash.h
@@ -0,0 +1,21 @@
+#ifndef _UAPI__IP_SET_HASH_H
+#define _UAPI__IP_SET_HASH_H
+
+/* Hash type specific error codes */
+enum {
+        /* Hash is full */
+        IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
+        /* Null-valued element */
+        IPSET_ERR_HASH_ELEM,
+        /* Invalid protocol */
+        IPSET_ERR_INVALID_PROTO,
+        /* Protocol missing but must be specified */
+        IPSET_ERR_MISSING_PROTO,
+        /* Range not supported */
+        IPSET_ERR_HASH_RANGE_UNSUPPORTED,
+        /* Invalid range */
+        IPSET_ERR_HASH_RANGE,
+};
+
+
+#endif /* _UAPI__IP_SET_HASH_H */
diff --git a/include/uapi/linux/netfilter/ipset/ip_set_list.h b/include/uapi/linux/netfilter/ipset/ip_set_list.h
new file mode 100644
index 000000000000..a44efaa98213
--- /dev/null
+++ b/include/uapi/linux/netfilter/ipset/ip_set_list.h
@@ -0,0 +1,21 @@
+#ifndef _UAPI__IP_SET_LIST_H
+#define _UAPI__IP_SET_LIST_H
+
+/* List type specific error codes */
+enum {
+        /* Set name to be added/deleted/tested does not exist. */
+        IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
+        /* list:set type is not permitted to add */
+        IPSET_ERR_LOOP,
+        /* Missing reference set */
+        IPSET_ERR_BEFORE,
+        /* Reference set does not exist */
+        IPSET_ERR_NAMEREF,
+        /* Set is full */
+        IPSET_ERR_LIST_FULL,
+        /* Reference set is not added to the set */
+        IPSET_ERR_REF_EXIST,
+};
+
+
+#endif /* _UAPI__IP_SET_LIST_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 000000000000..1644cdd8be91
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,117 @@
+#ifndef _UAPI_NF_CONNTRACK_COMMON_H
+#define _UAPI_NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info {
+        /* Part of an established connection (either direction). */
+        IP_CT_ESTABLISHED,
+
+        /* Like NEW, but related to an existing connection, or ICMP error
+           (in either direction). */
+        IP_CT_RELATED,
+
+        /* Started a new connection to track (only
+           IP_CT_DIR_ORIGINAL); may be a retransmission. */
+        IP_CT_NEW,
+
+        /* >= this indicates reply direction */
+        IP_CT_IS_REPLY,
+
+        IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+        IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+        IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,   
+        /* Number of distinct IP_CT types (no NEW in reply dirn). */
+        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+        /* It's an expected connection: bit 0 set.  This bit never changed */
+        IPS_EXPECTED_BIT = 0,
+        IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+
+        /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
+        IPS_SEEN_REPLY_BIT = 1,
+        IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+
+        /* Conntrack should never be early-expired. */
+        IPS_ASSURED_BIT = 2,
+        IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+
+        /* Connection is confirmed: originating packet has left box */
+        IPS_CONFIRMED_BIT = 3,
+        IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+
+        /* Connection needs src nat in orig dir.  This bit never changed. */
+        IPS_SRC_NAT_BIT = 4,
+        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+
+        /* Connection needs dst nat in orig dir.  This bit never changed. */
+        IPS_DST_NAT_BIT = 5,
+        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+
+        /* Both together. */
+        IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+
+        /* Connection needs TCP sequence adjusted. */
+        IPS_SEQ_ADJUST_BIT = 6,
+        IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+
+        /* NAT initialization bits. */
+        IPS_SRC_NAT_DONE_BIT = 7,
+        IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+
+        IPS_DST_NAT_DONE_BIT = 8,
+        IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+
+        /* Both together */
+        IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+
+        /* Connection is dying (removed from lists), can not be unset. */
+        IPS_DYING_BIT = 9,
+        IPS_DYING = (1 << IPS_DYING_BIT),
+
+        /* Connection has fixed timeout. */
+        IPS_FIXED_TIMEOUT_BIT = 10,
+        IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
+
+        /* Conntrack is a template */
+        IPS_TEMPLATE_BIT = 11,
+        IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
+
+        /* Conntrack is a fake untracked entry */
+        IPS_UNTRACKED_BIT = 12,
+        IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+
+        /* Conntrack got a helper explicitly attached via CT target. */
+        IPS_HELPER_BIT = 13,
+        IPS_HELPER = (1 << IPS_HELPER_BIT),
+};
+
+/* Connection tracking event types */
+enum ip_conntrack_events {
+        IPCT_NEW,               /* new conntrack */
+        IPCT_RELATED,           /* related conntrack */
+        IPCT_DESTROY,           /* destroyed conntrack */
+        IPCT_REPLY,             /* connection has seen two-way traffic */
+        IPCT_ASSURED,           /* connection status has changed to assured */
+        IPCT_PROTOINFO,         /* protocol information has changed */
+        IPCT_HELPER,            /* new helper has been set */
+        IPCT_MARK,              /* new mark has been set */
+        IPCT_NATSEQADJ,         /* NAT is doing sequence adjustment */
+        IPCT_SECMARK,           /* new security mark has been set */
+};
+
+enum ip_conntrack_expect_events {
+        IPEXP_NEW,              /* new expectation */
+        IPEXP_DESTROY,          /* destroyed expectation */
+};
+
+/* expectation flags */
+#define NF_CT_EXPECT_PERMANENT          0x1
+#define NF_CT_EXPECT_INACTIVE           0x2
+#define NF_CT_EXPECT_USERSPACE          0x4
+
+
+#endif /* _UAPI_NF_CONNTRACK_COMMON_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_ftp.h b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644
index 000000000000..1030315a41b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_ftp.h
@@ -0,0 +1,18 @@
+#ifndef _UAPI_NF_CONNTRACK_FTP_H
+#define _UAPI_NF_CONNTRACK_FTP_H
+/* FTP tracking. */
+
+/* This enum is exposed to userspace */
+enum nf_ct_ftp_type {
+        /* PORT command from client */
+        NF_CT_FTP_PORT,
+        /* PASV response from server */
+        NF_CT_FTP_PASV,
+        /* EPRT command from client */
+        NF_CT_FTP_EPRT,
+        /* EPSV response from server */
+        NF_CT_FTP_EPSV,
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_FTP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_sctp.h b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
new file mode 100644
index 000000000000..ceeefe6681b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_sctp.h
@@ -0,0 +1,25 @@
+#ifndef _NF_CONNTRACK_SCTP_H
+#define _NF_CONNTRACK_SCTP_H
+/* SCTP tracking. */
+
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+enum sctp_conntrack {
+        SCTP_CONNTRACK_NONE,
+        SCTP_CONNTRACK_CLOSED,
+        SCTP_CONNTRACK_COOKIE_WAIT,
+        SCTP_CONNTRACK_COOKIE_ECHOED,
+        SCTP_CONNTRACK_ESTABLISHED,
+        SCTP_CONNTRACK_SHUTDOWN_SENT,
+        SCTP_CONNTRACK_SHUTDOWN_RECD,
+        SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
+        SCTP_CONNTRACK_MAX
+};
+
+struct ip_ct_sctp {
+        enum sctp_conntrack state;
+
+        __be32 vtag[IP_CT_DIR_MAX];
+};
+
+#endif /* _NF_CONNTRACK_SCTP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tcp.h b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 000000000000..9993a421201c
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tcp.h
@@ -0,0 +1,51 @@
+#ifndef _UAPI_NF_CONNTRACK_TCP_H
+#define _UAPI_NF_CONNTRACK_TCP_H
+/* TCP tracking. */
+
+#include <linux/types.h>
+
+/* This is exposed to userspace (ctnetlink) */
+enum tcp_conntrack {
+        TCP_CONNTRACK_NONE,
+        TCP_CONNTRACK_SYN_SENT,
+        TCP_CONNTRACK_SYN_RECV,
+        TCP_CONNTRACK_ESTABLISHED,
+        TCP_CONNTRACK_FIN_WAIT,
+        TCP_CONNTRACK_CLOSE_WAIT,
+        TCP_CONNTRACK_LAST_ACK,
+        TCP_CONNTRACK_TIME_WAIT,
+        TCP_CONNTRACK_CLOSE,
+        TCP_CONNTRACK_LISTEN,   /* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
+        TCP_CONNTRACK_MAX,
+        TCP_CONNTRACK_IGNORE,
+        TCP_CONNTRACK_RETRANS,
+        TCP_CONNTRACK_UNACK,
+        TCP_CONNTRACK_TIMEOUT_MAX
+};
+
+/* Window scaling is advertised by the sender */
+#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01
+
+/* SACK is permitted by the sender */
+#define IP_CT_TCP_FLAG_SACK_PERM                0x02
+
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT               0x04
+
+/* Be liberal in window checking */
+#define IP_CT_TCP_FLAG_BE_LIBERAL               0x08
+
+/* Has unacknowledged data */
+#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED      0x10
+
+/* The field td_maxack has been set */
+#define IP_CT_TCP_FLAG_MAXACK_SET               0x20
+
+struct nf_ct_tcp_flags {
+        __u8 flags;
+        __u8 mask;
+};
+
+
+#endif /* _UAPI_NF_CONNTRACK_TCP_H */
diff --git a/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644
index 000000000000..2f6bbc5b8125
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_conntrack_tuple_common.h
@@ -0,0 +1,39 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+
+enum ip_conntrack_dir {
+        IP_CT_DIR_ORIGINAL,
+        IP_CT_DIR_REPLY,
+        IP_CT_DIR_MAX
+};
+
+/* The protocol-specific manipulable parts of the tuple: always in
+ * network order
+ */
+union nf_conntrack_man_proto {
+        /* Add other protocols here. */
+        __be16 all;
+
+        struct {
+                __be16 port;
+        } tcp;
+        struct {
+                __be16 port;
+        } udp;
+        struct {
+                __be16 id;
+        } icmp;
+        struct {
+                __be16 port;
+        } dccp;
+        struct {
+                __be16 port;
+        } sctp;
+        struct {
+                __be16 key;     /* GRE key is 32bit, PPtP only uses 16bit */
+        } gre;
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
new file mode 100644
index 000000000000..bf0cc373ffb6
--- /dev/null
+++ b/include/uapi/linux/netfilter/nf_nat.h
@@ -0,0 +1,33 @@
+#ifndef _NETFILTER_NF_NAT_H
+#define _NETFILTER_NF_NAT_H
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define NF_NAT_RANGE_MAP_IPS            1
+#define NF_NAT_RANGE_PROTO_SPECIFIED    2
+#define NF_NAT_RANGE_PROTO_RANDOM       4
+#define NF_NAT_RANGE_PERSISTENT         8
+
+struct nf_nat_ipv4_range {
+        unsigned int                    flags;
+        __be32                          min_ip;
+        __be32                          max_ip;
+        union nf_conntrack_man_proto    min;
+        union nf_conntrack_man_proto    max;
+};
+
+struct nf_nat_ipv4_multi_range_compat {
+        unsigned int                    rangesize;
+        struct nf_nat_ipv4_range        range[1];
+};
+
+struct nf_nat_range {
+        unsigned int                    flags;
+        union nf_inet_addr              min_addr;
+        union nf_inet_addr              max_addr;
+        union nf_conntrack_man_proto    min_proto;
+        union nf_conntrack_man_proto    max_proto;
+};
+
+#endif /* _NETFILTER_NF_NAT_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink.h b/include/uapi/linux/netfilter/nfnetlink.h
new file mode 100644
index 000000000000..4a4efafad5f4
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink.h
@@ -0,0 +1,56 @@
+#ifndef _UAPI_NFNETLINK_H
+#define _UAPI_NFNETLINK_H
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink_compat.h>
+
+enum nfnetlink_groups {
+        NFNLGRP_NONE,
+#define NFNLGRP_NONE                    NFNLGRP_NONE
+        NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW           NFNLGRP_CONNTRACK_NEW
+        NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE        NFNLGRP_CONNTRACK_UPDATE
+        NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY       NFNLGRP_CONNTRACK_DESTROY
+        NFNLGRP_CONNTRACK_EXP_NEW,
+#define NFNLGRP_CONNTRACK_EXP_NEW       NFNLGRP_CONNTRACK_EXP_NEW
+        NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE    NFNLGRP_CONNTRACK_EXP_UPDATE
+        NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY   NFNLGRP_CONNTRACK_EXP_DESTROY
+        __NFNLGRP_MAX,
+};
+#define NFNLGRP_MAX     (__NFNLGRP_MAX - 1)
+
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
+        __u8  nfgen_family;             /* AF_xxx */
+        __u8  version;          /* nfnetlink version */
+        __be16    res_id;               /* resource id */
+};
+
+#define NFNETLINK_V0    0
+
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+
+#define NFNL_SUBSYS_ID(x)       ((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x)        (x & 0x00ff)
+
+/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
+ * won't work anymore */
+#define NFNL_SUBSYS_NONE                0
+#define NFNL_SUBSYS_CTNETLINK           1
+#define NFNL_SUBSYS_CTNETLINK_EXP       2
+#define NFNL_SUBSYS_QUEUE               3
+#define NFNL_SUBSYS_ULOG                4
+#define NFNL_SUBSYS_OSF                 5
+#define NFNL_SUBSYS_IPSET               6
+#define NFNL_SUBSYS_ACCT                7
+#define NFNL_SUBSYS_CTNETLINK_TIMEOUT   8
+#define NFNL_SUBSYS_CTHELPER            9
+#define NFNL_SUBSYS_COUNT               10
+
+#endif /* _UAPI_NFNETLINK_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h
new file mode 100644
index 000000000000..c7b6269e760b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_acct.h
@@ -0,0 +1,27 @@
+#ifndef _UAPI_NFNL_ACCT_H_
+#define _UAPI_NFNL_ACCT_H_
+
+#ifndef NFACCT_NAME_MAX
+#define NFACCT_NAME_MAX         32
+#endif
+
+enum nfnl_acct_msg_types {
+        NFNL_MSG_ACCT_NEW,
+        NFNL_MSG_ACCT_GET,
+        NFNL_MSG_ACCT_GET_CTRZERO,
+        NFNL_MSG_ACCT_DEL,
+        NFNL_MSG_ACCT_MAX
+};
+
+enum nfnl_acct_type {
+        NFACCT_UNSPEC,
+        NFACCT_NAME,
+        NFACCT_PKTS,
+        NFACCT_BYTES,
+        NFACCT_USE,
+        __NFACCT_MAX
+};
+#define NFACCT_MAX (__NFACCT_MAX - 1)
+
+
+#endif /* _UAPI_NFNL_ACCT_H_ */
diff --git a/include/uapi/linux/netfilter/nfnetlink_compat.h b/include/uapi/linux/netfilter/nfnetlink_compat.h
new file mode 100644
index 000000000000..ffb95036bbd4
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_compat.h
@@ -0,0 +1,63 @@
+#ifndef _NFNETLINK_COMPAT_H
+#define _NFNETLINK_COMPAT_H
+
+#include <linux/types.h>
+
+#ifndef __KERNEL__
+/* Old nfnetlink macros for userspace */
+
+/* nfnetlink groups: Up to 32 maximum */
+#define NF_NETLINK_CONNTRACK_NEW                0x00000001
+#define NF_NETLINK_CONNTRACK_UPDATE             0x00000002
+#define NF_NETLINK_CONNTRACK_DESTROY            0x00000004
+#define NF_NETLINK_CONNTRACK_EXP_NEW            0x00000008
+#define NF_NETLINK_CONNTRACK_EXP_UPDATE         0x00000010
+#define NF_NETLINK_CONNTRACK_EXP_DESTROY        0x00000020
+
+/* Generic structure for encapsulation optional netfilter information.
+ * It is reminiscent of sockaddr, but with sa_family replaced
+ * with attribute type.
+ * ! This should someday be put somewhere generic as now rtnetlink and
+ * ! nfnetlink use the same attributes methods. - J. Schulist.
+ */
+
+struct nfattr {
+        __u16 nfa_len;
+        __u16 nfa_type; /* we use 15 bits for the type, and the highest
+                                 * bit to indicate whether the payload is nested */
+};
+
+/* FIXME: Apart from NFNL_NFA_NESTED shamelessly copy and pasted from
+ * rtnetlink.h, it's time to put this in a generic file */
+
+#define NFNL_NFA_NEST   0x8000
+#define NFA_TYPE(attr)  ((attr)->nfa_type & 0x7fff)
+
+#define NFA_ALIGNTO     4
+#define NFA_ALIGN(len)  (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
+#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
+        && (nfa)->nfa_len <= (len))
+#define NFA_NEXT(nfa,attrlen)   ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
+        (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
+#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
+#define NFA_SPACE(len)  NFA_ALIGN(NFA_LENGTH(len))
+#define NFA_DATA(nfa)   ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
+#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
+#define NFA_NEST(skb, type) \
+({      struct nfattr *__start = (struct nfattr *)skb_tail_pointer(skb); \
+        NFA_PUT(skb, (NFNL_NFA_NEST | type), 0, NULL); \
+        __start;  })
+#define NFA_NEST_END(skb, start) \
+({      (start)->nfa_len = skb_tail_pointer(skb) - (unsigned char *)(start); \
+        (skb)->len; })
+#define NFA_NEST_CANCEL(skb, start) \
+({      if (start) \
+                skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
+        -1; })
+
+#define NFM_NFA(n)      ((struct nfattr *)(((char *)(n)) \
+        + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
+#define NFM_PAYLOAD(n)  NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
+
+#endif /* ! __KERNEL__ */
+#endif /* _NFNETLINK_COMPAT_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
new file mode 100644
index 000000000000..43bfe3e1685b
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
@@ -0,0 +1,248 @@
+#ifndef _IPCONNTRACK_NETLINK_H
+#define _IPCONNTRACK_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum cntl_msg_types {
+        IPCTNL_MSG_CT_NEW,
+        IPCTNL_MSG_CT_GET,
+        IPCTNL_MSG_CT_DELETE,
+        IPCTNL_MSG_CT_GET_CTRZERO,
+        IPCTNL_MSG_CT_GET_STATS_CPU,
+        IPCTNL_MSG_CT_GET_STATS,
+
+        IPCTNL_MSG_MAX
+};
+
+enum ctnl_exp_msg_types {
+        IPCTNL_MSG_EXP_NEW,
+        IPCTNL_MSG_EXP_GET,
+        IPCTNL_MSG_EXP_DELETE,
+        IPCTNL_MSG_EXP_GET_STATS_CPU,
+
+        IPCTNL_MSG_EXP_MAX
+};
+
+
+enum ctattr_type {
+        CTA_UNSPEC,
+        CTA_TUPLE_ORIG,
+        CTA_TUPLE_REPLY,
+        CTA_STATUS,
+        CTA_PROTOINFO,
+        CTA_HELP,
+        CTA_NAT_SRC,
+#define CTA_NAT CTA_NAT_SRC     /* backwards compatibility */
+        CTA_TIMEOUT,
+        CTA_MARK,
+        CTA_COUNTERS_ORIG,
+        CTA_COUNTERS_REPLY,
+        CTA_USE,
+        CTA_ID,
+        CTA_NAT_DST,
+        CTA_TUPLE_MASTER,
+        CTA_NAT_SEQ_ADJ_ORIG,
+        CTA_NAT_SEQ_ADJ_REPLY,
+        CTA_SECMARK,            /* obsolete */
+        CTA_ZONE,
+        CTA_SECCTX,
+        CTA_TIMESTAMP,
+        CTA_MARK_MASK,
+        __CTA_MAX
+};
+#define CTA_MAX (__CTA_MAX - 1)
+
+enum ctattr_tuple {
+        CTA_TUPLE_UNSPEC,
+        CTA_TUPLE_IP,
+        CTA_TUPLE_PROTO,
+        __CTA_TUPLE_MAX
+};
+#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
+
+enum ctattr_ip {
+        CTA_IP_UNSPEC,
+        CTA_IP_V4_SRC,
+        CTA_IP_V4_DST,
+        CTA_IP_V6_SRC,
+        CTA_IP_V6_DST,
+        __CTA_IP_MAX
+};
+#define CTA_IP_MAX (__CTA_IP_MAX - 1)
+
+enum ctattr_l4proto {
+        CTA_PROTO_UNSPEC,
+        CTA_PROTO_NUM,
+        CTA_PROTO_SRC_PORT,
+        CTA_PROTO_DST_PORT,
+        CTA_PROTO_ICMP_ID,
+        CTA_PROTO_ICMP_TYPE,
+        CTA_PROTO_ICMP_CODE,
+        CTA_PROTO_ICMPV6_ID,
+        CTA_PROTO_ICMPV6_TYPE,
+        CTA_PROTO_ICMPV6_CODE,
+        __CTA_PROTO_MAX
+};
+#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
+
+enum ctattr_protoinfo {
+        CTA_PROTOINFO_UNSPEC,
+        CTA_PROTOINFO_TCP,
+        CTA_PROTOINFO_DCCP,
+        CTA_PROTOINFO_SCTP,
+        __CTA_PROTOINFO_MAX
+};
+#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
+
+enum ctattr_protoinfo_tcp {
+        CTA_PROTOINFO_TCP_UNSPEC,
+        CTA_PROTOINFO_TCP_STATE,
+        CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
+        CTA_PROTOINFO_TCP_WSCALE_REPLY,
+        CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
+        CTA_PROTOINFO_TCP_FLAGS_REPLY,
+        __CTA_PROTOINFO_TCP_MAX
+};
+#define CTA_PROTOINFO_TCP_MAX (__CTA_PROTOINFO_TCP_MAX - 1)
+
+enum ctattr_protoinfo_dccp {
+        CTA_PROTOINFO_DCCP_UNSPEC,
+        CTA_PROTOINFO_DCCP_STATE,
+        CTA_PROTOINFO_DCCP_ROLE,
+        CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
+        __CTA_PROTOINFO_DCCP_MAX,
+};
+#define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
+
+enum ctattr_protoinfo_sctp {
+        CTA_PROTOINFO_SCTP_UNSPEC,
+        CTA_PROTOINFO_SCTP_STATE,
+        CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
+        CTA_PROTOINFO_SCTP_VTAG_REPLY,
+        __CTA_PROTOINFO_SCTP_MAX
+};
+#define CTA_PROTOINFO_SCTP_MAX (__CTA_PROTOINFO_SCTP_MAX - 1)
+
+enum ctattr_counters {
+        CTA_COUNTERS_UNSPEC,
+        CTA_COUNTERS_PACKETS,           /* 64bit counters */
+        CTA_COUNTERS_BYTES,             /* 64bit counters */
+        CTA_COUNTERS32_PACKETS,         /* old 32bit counters, unused */
+        CTA_COUNTERS32_BYTES,           /* old 32bit counters, unused */
+        __CTA_COUNTERS_MAX
+};
+#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
+
+enum ctattr_tstamp {
+        CTA_TIMESTAMP_UNSPEC,
+        CTA_TIMESTAMP_START,
+        CTA_TIMESTAMP_STOP,
+        __CTA_TIMESTAMP_MAX
+};
+#define CTA_TIMESTAMP_MAX (__CTA_TIMESTAMP_MAX - 1)
+
+enum ctattr_nat {
+        CTA_NAT_UNSPEC,
+        CTA_NAT_V4_MINIP,
+#define CTA_NAT_MINIP CTA_NAT_V4_MINIP
+        CTA_NAT_V4_MAXIP,
+#define CTA_NAT_MAXIP CTA_NAT_V4_MAXIP
+        CTA_NAT_PROTO,
+        CTA_NAT_V6_MINIP,
+        CTA_NAT_V6_MAXIP,
+        __CTA_NAT_MAX
+};
+#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
+
+enum ctattr_protonat {
+        CTA_PROTONAT_UNSPEC,
+        CTA_PROTONAT_PORT_MIN,
+        CTA_PROTONAT_PORT_MAX,
+        __CTA_PROTONAT_MAX
+};
+#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
+
+enum ctattr_natseq {
+        CTA_NAT_SEQ_UNSPEC,
+        CTA_NAT_SEQ_CORRECTION_POS,
+        CTA_NAT_SEQ_OFFSET_BEFORE,
+        CTA_NAT_SEQ_OFFSET_AFTER,
+        __CTA_NAT_SEQ_MAX
+};
+#define CTA_NAT_SEQ_MAX (__CTA_NAT_SEQ_MAX - 1)
+
+enum ctattr_expect {
+        CTA_EXPECT_UNSPEC,
+        CTA_EXPECT_MASTER,
+        CTA_EXPECT_TUPLE,
+        CTA_EXPECT_MASK,
+        CTA_EXPECT_TIMEOUT,
+        CTA_EXPECT_ID,
+        CTA_EXPECT_HELP_NAME,
+        CTA_EXPECT_ZONE,
+        CTA_EXPECT_FLAGS,
+        CTA_EXPECT_CLASS,
+        CTA_EXPECT_NAT,
+        CTA_EXPECT_FN,
+        __CTA_EXPECT_MAX
+};
+#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+
+enum ctattr_expect_nat {
+        CTA_EXPECT_NAT_UNSPEC,
+        CTA_EXPECT_NAT_DIR,
+        CTA_EXPECT_NAT_TUPLE,
+        __CTA_EXPECT_NAT_MAX
+};
+#define CTA_EXPECT_NAT_MAX (__CTA_EXPECT_NAT_MAX - 1)
+
+enum ctattr_help {
+        CTA_HELP_UNSPEC,
+        CTA_HELP_NAME,
+        CTA_HELP_INFO,
+        __CTA_HELP_MAX
+};
+#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
+
+enum ctattr_secctx {
+        CTA_SECCTX_UNSPEC,
+        CTA_SECCTX_NAME,
+        __CTA_SECCTX_MAX
+};
+#define CTA_SECCTX_MAX (__CTA_SECCTX_MAX - 1)
+
+enum ctattr_stats_cpu {
+        CTA_STATS_UNSPEC,
+        CTA_STATS_SEARCHED,
+        CTA_STATS_FOUND,
+        CTA_STATS_NEW,
+        CTA_STATS_INVALID,
+        CTA_STATS_IGNORE,
+        CTA_STATS_DELETE,
+        CTA_STATS_DELETE_LIST,
+        CTA_STATS_INSERT,
+        CTA_STATS_INSERT_FAILED,
+        CTA_STATS_DROP,
+        CTA_STATS_EARLY_DROP,
+        CTA_STATS_ERROR,
+        CTA_STATS_SEARCH_RESTART,
+        __CTA_STATS_MAX,
+};
+#define CTA_STATS_MAX (__CTA_STATS_MAX - 1)
+
+enum ctattr_stats_global {
+        CTA_STATS_GLOBAL_UNSPEC,
+        CTA_STATS_GLOBAL_ENTRIES,
+        __CTA_STATS_GLOBAL_MAX,
+};
+#define CTA_STATS_GLOBAL_MAX (__CTA_STATS_GLOBAL_MAX - 1)
+
+enum ctattr_expect_stats {
+        CTA_STATS_EXP_UNSPEC,
+        CTA_STATS_EXP_NEW,
+        CTA_STATS_EXP_CREATE,
+        CTA_STATS_EXP_DELETE,
+        __CTA_STATS_EXP_MAX,
+};
+#define CTA_STATS_EXP_MAX (__CTA_STATS_EXP_MAX - 1)
+
+#endif /* _IPCONNTRACK_NETLINK_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_cthelper.h b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
new file mode 100644
index 000000000000..33659f6fad3e
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_cthelper.h
@@ -0,0 +1,55 @@
+#ifndef _NFNL_CTHELPER_H_
+#define _NFNL_CTHELPER_H_
+
+#define NFCT_HELPER_STATUS_DISABLED     0
+#define NFCT_HELPER_STATUS_ENABLED      1
+
+enum nfnl_acct_msg_types {
+        NFNL_MSG_CTHELPER_NEW,
+        NFNL_MSG_CTHELPER_GET,
+        NFNL_MSG_CTHELPER_DEL,
+        NFNL_MSG_CTHELPER_MAX
+};
+
+enum nfnl_cthelper_type {
+        NFCTH_UNSPEC,
+        NFCTH_NAME,
+        NFCTH_TUPLE,
+        NFCTH_QUEUE_NUM,
+        NFCTH_POLICY,
+        NFCTH_PRIV_DATA_LEN,
+        NFCTH_STATUS,
+        __NFCTH_MAX
+};
+#define NFCTH_MAX (__NFCTH_MAX - 1)
+
+enum nfnl_cthelper_policy_type {
+        NFCTH_POLICY_SET_UNSPEC,
+        NFCTH_POLICY_SET_NUM,
+        NFCTH_POLICY_SET,
+        NFCTH_POLICY_SET1       = NFCTH_POLICY_SET,
+        NFCTH_POLICY_SET2,
+        NFCTH_POLICY_SET3,
+        NFCTH_POLICY_SET4,
+        __NFCTH_POLICY_SET_MAX
+};
+#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
+
+enum nfnl_cthelper_pol_type {
+        NFCTH_POLICY_UNSPEC,
+        NFCTH_POLICY_NAME,
+        NFCTH_POLICY_EXPECT_MAX,
+        NFCTH_POLICY_EXPECT_TIMEOUT,
+        __NFCTH_POLICY_MAX
+};
+#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
+
+enum nfnl_cthelper_tuple_type {
+        NFCTH_TUPLE_UNSPEC,
+        NFCTH_TUPLE_L3PROTONUM,
+        NFCTH_TUPLE_L4PROTONUM,
+        __NFCTH_TUPLE_MAX,
+};
+#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
+
+#endif /* _NFNL_CTHELPER_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_cttimeout.h b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
new file mode 100644
index 000000000000..a2810a7c5e30
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_cttimeout.h
@@ -0,0 +1,114 @@
+#ifndef _CTTIMEOUT_NETLINK_H
+#define _CTTIMEOUT_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum ctnl_timeout_msg_types {
+        IPCTNL_MSG_TIMEOUT_NEW,
+        IPCTNL_MSG_TIMEOUT_GET,
+        IPCTNL_MSG_TIMEOUT_DELETE,
+
+        IPCTNL_MSG_TIMEOUT_MAX
+};
+
+enum ctattr_timeout {
+        CTA_TIMEOUT_UNSPEC,
+        CTA_TIMEOUT_NAME,
+        CTA_TIMEOUT_L3PROTO,
+        CTA_TIMEOUT_L4PROTO,
+        CTA_TIMEOUT_DATA,
+        CTA_TIMEOUT_USE,
+        __CTA_TIMEOUT_MAX
+};
+#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
+
+enum ctattr_timeout_generic {
+        CTA_TIMEOUT_GENERIC_UNSPEC,
+        CTA_TIMEOUT_GENERIC_TIMEOUT,
+        __CTA_TIMEOUT_GENERIC_MAX
+};
+#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
+
+enum ctattr_timeout_tcp {
+        CTA_TIMEOUT_TCP_UNSPEC,
+        CTA_TIMEOUT_TCP_SYN_SENT,
+        CTA_TIMEOUT_TCP_SYN_RECV,
+        CTA_TIMEOUT_TCP_ESTABLISHED,
+        CTA_TIMEOUT_TCP_FIN_WAIT,
+        CTA_TIMEOUT_TCP_CLOSE_WAIT,
+        CTA_TIMEOUT_TCP_LAST_ACK,
+        CTA_TIMEOUT_TCP_TIME_WAIT,
+        CTA_TIMEOUT_TCP_CLOSE,
+        CTA_TIMEOUT_TCP_SYN_SENT2,
+        CTA_TIMEOUT_TCP_RETRANS,
+        CTA_TIMEOUT_TCP_UNACK,
+        __CTA_TIMEOUT_TCP_MAX
+};
+#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
+
+enum ctattr_timeout_udp {
+        CTA_TIMEOUT_UDP_UNSPEC,
+        CTA_TIMEOUT_UDP_UNREPLIED,
+        CTA_TIMEOUT_UDP_REPLIED,
+        __CTA_TIMEOUT_UDP_MAX
+};
+#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
+
+enum ctattr_timeout_udplite {
+        CTA_TIMEOUT_UDPLITE_UNSPEC,
+        CTA_TIMEOUT_UDPLITE_UNREPLIED,
+        CTA_TIMEOUT_UDPLITE_REPLIED,
+        __CTA_TIMEOUT_UDPLITE_MAX
+};
+#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
+
+enum ctattr_timeout_icmp {
+        CTA_TIMEOUT_ICMP_UNSPEC,
+        CTA_TIMEOUT_ICMP_TIMEOUT,
+        __CTA_TIMEOUT_ICMP_MAX
+};
+#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
+
+enum ctattr_timeout_dccp {
+        CTA_TIMEOUT_DCCP_UNSPEC,
+        CTA_TIMEOUT_DCCP_REQUEST,
+        CTA_TIMEOUT_DCCP_RESPOND,
+        CTA_TIMEOUT_DCCP_PARTOPEN,
+        CTA_TIMEOUT_DCCP_OPEN,
+        CTA_TIMEOUT_DCCP_CLOSEREQ,
+        CTA_TIMEOUT_DCCP_CLOSING,
+        CTA_TIMEOUT_DCCP_TIMEWAIT,
+        __CTA_TIMEOUT_DCCP_MAX
+};
+#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
+
+enum ctattr_timeout_sctp {
+        CTA_TIMEOUT_SCTP_UNSPEC,
+        CTA_TIMEOUT_SCTP_CLOSED,
+        CTA_TIMEOUT_SCTP_COOKIE_WAIT,
+        CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
+        CTA_TIMEOUT_SCTP_ESTABLISHED,
+        CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
+        CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
+        CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
+        __CTA_TIMEOUT_SCTP_MAX
+};
+#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
+
+enum ctattr_timeout_icmpv6 {
+        CTA_TIMEOUT_ICMPV6_UNSPEC,
+        CTA_TIMEOUT_ICMPV6_TIMEOUT,
+        __CTA_TIMEOUT_ICMPV6_MAX
+};
+#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
+
+enum ctattr_timeout_gre {
+        CTA_TIMEOUT_GRE_UNSPEC,
+        CTA_TIMEOUT_GRE_UNREPLIED,
+        CTA_TIMEOUT_GRE_REPLIED,
+        __CTA_TIMEOUT_GRE_MAX
+};
+#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
+
+#define CTNL_TIMEOUT_NAME_MAX   32
+
+#endif
diff --git a/include/uapi/linux/netfilter/nfnetlink_log.h b/include/uapi/linux/netfilter/nfnetlink_log.h
new file mode 100644
index 000000000000..90c2c9575bac
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_log.h
@@ -0,0 +1,97 @@
+#ifndef _NFNETLINK_LOG_H
+#define _NFNETLINK_LOG_H
+
+/* This file describes the netlink messages (i.e. 'protocol packets'),
+ * and not any kind of function definitions.  It is shared between kernel and
+ * userspace.  Don't put kernel specific stuff in here */
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nfulnl_msg_types {
+        NFULNL_MSG_PACKET,              /* packet from kernel to userspace */
+        NFULNL_MSG_CONFIG,              /* connect to a particular queue */
+
+        NFULNL_MSG_MAX
+};
+
+struct nfulnl_msg_packet_hdr {
+        __be16          hw_protocol;    /* hw protocol (network order) */
+        __u8    hook;           /* netfilter hook */
+        __u8    _pad;
+};
+
+struct nfulnl_msg_packet_hw {
+        __be16          hw_addrlen;
+        __u16   _pad;
+        __u8    hw_addr[8];
+};
+
+struct nfulnl_msg_packet_timestamp {
+        __aligned_be64  sec;
+        __aligned_be64  usec;
+};
+
+enum nfulnl_attr_type {
+        NFULA_UNSPEC,
+        NFULA_PACKET_HDR,
+        NFULA_MARK,                     /* __u32 nfmark */
+        NFULA_TIMESTAMP,                /* nfulnl_msg_packet_timestamp */
+        NFULA_IFINDEX_INDEV,            /* __u32 ifindex */
+        NFULA_IFINDEX_OUTDEV,           /* __u32 ifindex */
+        NFULA_IFINDEX_PHYSINDEV,        /* __u32 ifindex */
+        NFULA_IFINDEX_PHYSOUTDEV,       /* __u32 ifindex */
+        NFULA_HWADDR,                   /* nfulnl_msg_packet_hw */
+        NFULA_PAYLOAD,                  /* opaque data payload */
+        NFULA_PREFIX,                   /* string prefix */
+        NFULA_UID,                      /* user id of socket */
+        NFULA_SEQ,                      /* instance-local sequence number */
+        NFULA_SEQ_GLOBAL,               /* global sequence number */
+        NFULA_GID,                      /* group id of socket */
+        NFULA_HWTYPE,                   /* hardware type */
+        NFULA_HWHEADER,                 /* hardware header */
+        NFULA_HWLEN,                    /* hardware header length */
+
+        __NFULA_MAX
+};
+#define NFULA_MAX (__NFULA_MAX - 1)
+
+enum nfulnl_msg_config_cmds {
+        NFULNL_CFG_CMD_NONE,
+        NFULNL_CFG_CMD_BIND,
+        NFULNL_CFG_CMD_UNBIND,
+        NFULNL_CFG_CMD_PF_BIND,
+        NFULNL_CFG_CMD_PF_UNBIND,
+};
+
+struct nfulnl_msg_config_cmd {
+        __u8    command;        /* nfulnl_msg_config_cmds */
+} __attribute__ ((packed));
+
+struct nfulnl_msg_config_mode {
+        __be32          copy_range;
+        __u8    copy_mode;
+        __u8    _pad;
+} __attribute__ ((packed));
+
+enum nfulnl_attr_config {
+        NFULA_CFG_UNSPEC,
+        NFULA_CFG_CMD,                  /* nfulnl_msg_config_cmd */
+        NFULA_CFG_MODE,                 /* nfulnl_msg_config_mode */
+        NFULA_CFG_NLBUFSIZ,             /* __u32 buffer size */
+        NFULA_CFG_TIMEOUT,              /* __u32 in 1/100 s */
+        NFULA_CFG_QTHRESH,              /* __u32 */
+        NFULA_CFG_FLAGS,                /* __u16 */
+        __NFULA_CFG_MAX
+};
+#define NFULA_CFG_MAX (__NFULA_CFG_MAX -1)
+
+#define NFULNL_COPY_NONE        0x00
+#define NFULNL_COPY_META        0x01
+#define NFULNL_COPY_PACKET      0x02
+/* 0xff is reserved, don't use it for new copy modes. */
+
+#define NFULNL_CFG_F_SEQ        0x0001
+#define NFULNL_CFG_F_SEQ_GLOBAL 0x0002
+
+#endif /* _NFNETLINK_LOG_H */
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
new file mode 100644
index 000000000000..70ec8c2bc11a
--- /dev/null
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -0,0 +1,101 @@
+#ifndef _NFNETLINK_QUEUE_H
+#define _NFNETLINK_QUEUE_H
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nfqnl_msg_types {
+        NFQNL_MSG_PACKET,               /* packet from kernel to userspace */
+        NFQNL_MSG_VERDICT,              /* verdict from userspace to kernel */
+        NFQNL_MSG_CONFIG,               /* connect to a particular queue */
+        NFQNL_MSG_VERDICT_BATCH,        /* batchv from userspace to kernel */
+
+        NFQNL_MSG_MAX
+};
+
+struct nfqnl_msg_packet_hdr {
+        __be32          packet_id;      /* unique ID of packet in queue */
+        __be16          hw_protocol;    /* hw protocol (network order) */
+        __u8    hook;           /* netfilter hook */
+} __attribute__ ((packed));
+
+struct nfqnl_msg_packet_hw {
+        __be16          hw_addrlen;
+        __u16   _pad;
+        __u8    hw_addr[8];
+};
+
+struct nfqnl_msg_packet_timestamp {
+        __aligned_be64  sec;
+        __aligned_be64  usec;
+};
+
+enum nfqnl_attr_type {
+        NFQA_UNSPEC,
+        NFQA_PACKET_HDR,
+        NFQA_VERDICT_HDR,               /* nfqnl_msg_verdict_hrd */
+        NFQA_MARK,                      /* __u32 nfmark */
+        NFQA_TIMESTAMP,                 /* nfqnl_msg_packet_timestamp */
+        NFQA_IFINDEX_INDEV,             /* __u32 ifindex */
+        NFQA_IFINDEX_OUTDEV,            /* __u32 ifindex */
+        NFQA_IFINDEX_PHYSINDEV,         /* __u32 ifindex */
+        NFQA_IFINDEX_PHYSOUTDEV,        /* __u32 ifindex */
+        NFQA_HWADDR,                    /* nfqnl_msg_packet_hw */
+        NFQA_PAYLOAD,                   /* opaque data payload */
+        NFQA_CT,                        /* nf_conntrack_netlink.h */
+        NFQA_CT_INFO,                   /* enum ip_conntrack_info */
+        NFQA_CAP_LEN,                   /* __u32 length of captured packet */
+
+        __NFQA_MAX
+};
+#define NFQA_MAX (__NFQA_MAX - 1)
+
+struct nfqnl_msg_verdict_hdr {
+        __be32 verdict;
+        __be32 id;
+};
+
+
+enum nfqnl_msg_config_cmds {
+        NFQNL_CFG_CMD_NONE,
+        NFQNL_CFG_CMD_BIND,
+        NFQNL_CFG_CMD_UNBIND,
+        NFQNL_CFG_CMD_PF_BIND,
+        NFQNL_CFG_CMD_PF_UNBIND,
+};
+
+struct nfqnl_msg_config_cmd {
+        __u8    command;        /* nfqnl_msg_config_cmds */
+        __u8    _pad;
+        __be16          pf;             /* AF_xxx for PF_[UN]BIND */
+};
+
+enum nfqnl_config_mode {
+        NFQNL_COPY_NONE,
+        NFQNL_COPY_META,
+        NFQNL_COPY_PACKET,
+};
+
+struct nfqnl_msg_config_params {
+        __be32          copy_range;
+        __u8    copy_mode;      /* enum nfqnl_config_mode */
+} __attribute__ ((packed));
+
+
+enum nfqnl_attr_config {
+        NFQA_CFG_UNSPEC,
+        NFQA_CFG_CMD,                   /* nfqnl_msg_config_cmd */
+        NFQA_CFG_PARAMS,                /* nfqnl_msg_config_params */
+        NFQA_CFG_QUEUE_MAXLEN,          /* __u32 */
+        NFQA_CFG_MASK,                  /* identify which flags to change */
+        NFQA_CFG_FLAGS,                 /* value of these flags (__u32) */
+        __NFQA_CFG_MAX
+};
+#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
+
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN                    (1 << 0)
+#define NFQA_CFG_F_CONNTRACK                    (1 << 1)
+#define NFQA_CFG_F_MAX                          (1 << 2)
+
+#endif /* _NFNETLINK_QUEUE_H */
diff --git a/include/uapi/linux/netfilter/x_tables.h b/include/uapi/linux/netfilter/x_tables.h
new file mode 100644
index 000000000000..c36969b91533
--- /dev/null
+++ b/include/uapi/linux/netfilter/x_tables.h
@@ -0,0 +1,187 @@
+#ifndef _UAPI_X_TABLES_H
+#define _UAPI_X_TABLES_H
+#include <linux/kernel.h>
+#include <linux/types.h>
+
+#define XT_FUNCTION_MAXNAMELEN 30
+#define XT_EXTENSION_MAXNAMELEN 29
+#define XT_TABLE_MAXNAMELEN 32
+
+struct xt_entry_match {
+        union {
+                struct {
+                        __u16 match_size;
+
+                        /* Used by userspace */
+                        char name[XT_EXTENSION_MAXNAMELEN];
+                        __u8 revision;
+                } user;
+                struct {
+                        __u16 match_size;
+
+                        /* Used inside the kernel */
+                        struct xt_match *match;
+                } kernel;
+
+                /* Total length */
+                __u16 match_size;
+        } u;
+
+        unsigned char data[0];
+};
+
+struct xt_entry_target {
+        union {
+                struct {
+                        __u16 target_size;
+
+                        /* Used by userspace */
+                        char name[XT_EXTENSION_MAXNAMELEN];
+                        __u8 revision;
+                } user;
+                struct {
+                        __u16 target_size;
+
+                        /* Used inside the kernel */
+                        struct xt_target *target;
+                } kernel;
+
+                /* Total length */
+                __u16 target_size;
+        } u;
+
+        unsigned char data[0];
+};
+
+#define XT_TARGET_INIT(__name, __size)                                         \
+{                                                                              \
+        .target.u.user = {                                                     \
+                .target_size    = XT_ALIGN(__size),                            \
+                .name           = __name,                                      \
+        },                                                                     \
+}
+
+struct xt_standard_target {
+        struct xt_entry_target target;
+        int verdict;
+};
+
+struct xt_error_target {
+        struct xt_entry_target target;
+        char errorname[XT_FUNCTION_MAXNAMELEN];
+};
+
+/* The argument to IPT_SO_GET_REVISION_*.  Returns highest revision
+ * kernel supports, if >= revision. */
+struct xt_get_revision {
+        char name[XT_EXTENSION_MAXNAMELEN];
+        __u8 revision;
+};
+
+/* CONTINUE verdict for targets */
+#define XT_CONTINUE 0xFFFFFFFF
+
+/* For standard target */
+#define XT_RETURN (-NF_REPEAT - 1)
+
+/* this is a dummy structure to find out the alignment requirement for a struct
+ * containing all the fundamental data types that are used in ipt_entry,
+ * ip6t_entry and arpt_entry.  This sucks, and it is a hack.  It will be my
+ * personal pleasure to remove it -HW
+ */
+struct _xt_align {
+        __u8 u8;
+        __u16 u16;
+        __u32 u32;
+        __u64 u64;
+};
+
+#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
+
+/* Standard return verdict, or do jump. */
+#define XT_STANDARD_TARGET ""
+/* Error verdict. */
+#define XT_ERROR_TARGET "ERROR"
+
+#define SET_COUNTER(c,b,p) do { (c).bcnt = (b); (c).pcnt = (p); } while(0)
+#define ADD_COUNTER(c,b,p) do { (c).bcnt += (b); (c).pcnt += (p); } while(0)
+
+struct xt_counters {
+        __u64 pcnt, bcnt;                       /* Packet and byte counters */
+};
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+struct xt_counters_info {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        unsigned int num_counters;
+
+        /* The counters (actually `number' of these). */
+        struct xt_counters counters[0];
+};
+
+#define XT_INV_PROTO            0x40    /* Invert the sense of PROTO. */
+
+#ifndef __KERNEL__
+/* fn returns 0 to continue iteration */
+#define XT_MATCH_ITERATE(type, e, fn, args...)                  \
+({                                                              \
+        unsigned int __i;                                       \
+        int __ret = 0;                                          \
+        struct xt_entry_match *__m;                             \
+                                                                \
+        for (__i = sizeof(type);                                \
+             __i < (e)->target_offset;                          \
+             __i += __m->u.match_size) {                        \
+                __m = (void *)e + __i;                          \
+                                                                \
+                __ret = fn(__m , ## args);                      \
+                if (__ret != 0)                                 \
+                        break;                                  \
+        }                                                       \
+        __ret;                                                  \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE_CONTINUE(type, entries, size, n, fn, args...) \
+({                                                              \
+        unsigned int __i, __n;                                  \
+        int __ret = 0;                                          \
+        type *__entry;                                          \
+                                                                \
+        for (__i = 0, __n = 0; __i < (size);                    \
+             __i += __entry->next_offset, __n++) {              \
+                __entry = (void *)(entries) + __i;              \
+                if (__n < n)                                    \
+                        continue;                               \
+                                                                \
+                __ret = fn(__entry , ## args);                  \
+                if (__ret != 0)                                 \
+                        break;                                  \
+        }                                                       \
+        __ret;                                                  \
+})
+
+/* fn returns 0 to continue iteration */
+#define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
+        XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+
+#endif /* !__KERNEL__ */
+
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+        for ((pos) = (typeof(pos))(ehead); \
+             (pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+             (pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+        for ((pos) = (struct xt_entry_match *)entry->elems; \
+             (pos) < (struct xt_entry_match *)((char *)(entry) + \
+                     (entry)->target_offset); \
+             (pos) = (struct xt_entry_match *)((char *)(pos) + \
+                     (pos)->u.match_size))
+
+
+#endif /* _UAPI_X_TABLES_H */
diff --git a/include/uapi/linux/netfilter/xt_AUDIT.h b/include/uapi/linux/netfilter/xt_AUDIT.h
new file mode 100644
index 000000000000..38751d2ea52b
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_AUDIT.h
@@ -0,0 +1,30 @@
+/*
+ * Header file for iptables xt_AUDIT target
+ *
+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
+ * (C) 2010-2011 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#ifndef _XT_AUDIT_TARGET_H
+#define _XT_AUDIT_TARGET_H
+
+#include <linux/types.h>
+
+enum {
+        XT_AUDIT_TYPE_ACCEPT = 0,
+        XT_AUDIT_TYPE_DROP,
+        XT_AUDIT_TYPE_REJECT,
+        __XT_AUDIT_TYPE_MAX,
+};
+
+#define XT_AUDIT_TYPE_MAX (__XT_AUDIT_TYPE_MAX - 1)
+
+struct xt_audit_info {
+        __u8 type; /* XT_AUDIT_TYPE_* */
+};
+
+#endif /* _XT_AUDIT_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_CHECKSUM.h b/include/uapi/linux/netfilter/xt_CHECKSUM.h
new file mode 100644
index 000000000000..9a2e4661654e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CHECKSUM.h
@@ -0,0 +1,20 @@
+/* Header file for iptables ipt_CHECKSUM target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2010 Red Hat Inc
+ * Author: Michael S. Tsirkin <mst@redhat.com>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+*/
+#ifndef _XT_CHECKSUM_TARGET_H
+#define _XT_CHECKSUM_TARGET_H
+
+#include <linux/types.h>
+
+#define XT_CHECKSUM_OP_FILL     0x01    /* fill in checksum in IP header */
+
+struct xt_CHECKSUM_info {
+        __u8 operation; /* bitset of operations */
+};
+
+#endif /* _XT_CHECKSUM_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_CLASSIFY.h b/include/uapi/linux/netfilter/xt_CLASSIFY.h
new file mode 100644
index 000000000000..a813bf14dd63
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CLASSIFY.h
@@ -0,0 +1,10 @@
+#ifndef _XT_CLASSIFY_H
+#define _XT_CLASSIFY_H
+
+#include <linux/types.h>
+
+struct xt_classify_target_info {
+        __u32 priority;
+};
+
+#endif /*_XT_CLASSIFY_H */
diff --git a/include/uapi/linux/netfilter/xt_CONNMARK.h b/include/uapi/linux/netfilter/xt_CONNMARK.h
new file mode 100644
index 000000000000..2f2e48ec8023
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CONNMARK.h
@@ -0,0 +1,6 @@
+#ifndef _XT_CONNMARK_H_target
+#define _XT_CONNMARK_H_target
+
+#include <linux/netfilter/xt_connmark.h>
+
+#endif /*_XT_CONNMARK_H_target*/
diff --git a/include/uapi/linux/netfilter/xt_CONNSECMARK.h b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
new file mode 100644
index 000000000000..b973ff80fa1e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CONNSECMARK.h
@@ -0,0 +1,15 @@
+#ifndef _XT_CONNSECMARK_H_target
+#define _XT_CONNSECMARK_H_target
+
+#include <linux/types.h>
+
+enum {
+        CONNSECMARK_SAVE = 1,
+        CONNSECMARK_RESTORE,
+};
+
+struct xt_connsecmark_target_info {
+        __u8 mode;
+};
+
+#endif /*_XT_CONNSECMARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_CT.h b/include/uapi/linux/netfilter/xt_CT.h
new file mode 100644
index 000000000000..a064b8af360c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_CT.h
@@ -0,0 +1,31 @@
+#ifndef _XT_CT_H
+#define _XT_CT_H
+
+#include <linux/types.h>
+
+#define XT_CT_NOTRACK   0x1
+
+struct xt_ct_target_info {
+        __u16 flags;
+        __u16 zone;
+        __u32 ct_events;
+        __u32 exp_events;
+        char helper[16];
+
+        /* Used internally by the kernel */
+        struct nf_conn  *ct __attribute__((aligned(8)));
+};
+
+struct xt_ct_target_info_v1 {
+        __u16 flags;
+        __u16 zone;
+        __u32 ct_events;
+        __u32 exp_events;
+        char helper[16];
+        char timeout[32];
+
+        /* Used internally by the kernel */
+        struct nf_conn  *ct __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CT_H */
diff --git a/include/uapi/linux/netfilter/xt_DSCP.h b/include/uapi/linux/netfilter/xt_DSCP.h
new file mode 100644
index 000000000000..648e0b3bed29
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_DSCP.h
@@ -0,0 +1,26 @@
+/* x_tables module for setting the IPv4/IPv6 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * xt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
+*/
+#ifndef _XT_DSCP_TARGET_H
+#define _XT_DSCP_TARGET_H
+#include <linux/netfilter/xt_dscp.h>
+#include <linux/types.h>
+
+/* target info */
+struct xt_DSCP_info {
+        __u8 dscp;
+};
+
+struct xt_tos_target_info {
+        __u8 tos_value;
+        __u8 tos_mask;
+};
+
+#endif /* _XT_DSCP_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_IDLETIMER.h b/include/uapi/linux/netfilter/xt_IDLETIMER.h
new file mode 100644
index 000000000000..208ae9387331
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_IDLETIMER.h
@@ -0,0 +1,45 @@
+/*
+ * linux/include/linux/netfilter/xt_IDLETIMER.h
+ *
+ * Header file for Xtables timer target module.
+ *
+ * Copyright (C) 2004, 2010 Nokia Corporation
+ * Written by Timo Teras <ext-timo.teras@nokia.com>
+ *
+ * Converted to x_tables and forward-ported to 2.6.34
+ * by Luciano Coelho <luciano.coelho@nokia.com>
+ *
+ * Contact: Luciano Coelho <luciano.coelho@nokia.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA
+ */
+
+#ifndef _XT_IDLETIMER_H
+#define _XT_IDLETIMER_H
+
+#include <linux/types.h>
+
+#define MAX_IDLETIMER_LABEL_SIZE 28
+
+struct idletimer_tg_info {
+        __u32 timeout;
+
+        char label[MAX_IDLETIMER_LABEL_SIZE];
+
+        /* for kernel module internal use only */
+        struct idletimer_tg *timer __attribute__((aligned(8)));
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter/xt_LED.h b/include/uapi/linux/netfilter/xt_LED.h
new file mode 100644
index 000000000000..f5509e7524d3
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_LED.h
@@ -0,0 +1,15 @@
+#ifndef _XT_LED_H
+#define _XT_LED_H
+
+#include <linux/types.h>
+
+struct xt_led_info {
+        char id[27];        /* Unique ID for this trigger in the LED class */
+        __u8 always_blink;  /* Blink even if the LED is already on */
+        __u32 delay;        /* Delay until LED is switched off after trigger */
+
+        /* Kernel data used in the module */
+        void *internal_data __attribute__((aligned(8)));
+};
+
+#endif /* _XT_LED_H */
diff --git a/include/uapi/linux/netfilter/xt_LOG.h b/include/uapi/linux/netfilter/xt_LOG.h
new file mode 100644
index 000000000000..cac079095305
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_LOG.h
@@ -0,0 +1,19 @@
+#ifndef _XT_LOG_H
+#define _XT_LOG_H
+
+/* make sure not to change this without changing nf_log.h:NF_LOG_* (!) */
+#define XT_LOG_TCPSEQ           0x01    /* Log TCP sequence numbers */
+#define XT_LOG_TCPOPT           0x02    /* Log TCP options */
+#define XT_LOG_IPOPT            0x04    /* Log IP options */
+#define XT_LOG_UID              0x08    /* Log UID owning local socket */
+#define XT_LOG_NFLOG            0x10    /* Unsupported, don't reuse */
+#define XT_LOG_MACDECODE        0x20    /* Decode MAC header */
+#define XT_LOG_MASK             0x2f
+
+struct xt_log_info {
+        unsigned char level;
+        unsigned char logflags;
+        char prefix[30];
+};
+
+#endif /* _XT_LOG_H */
diff --git a/include/uapi/linux/netfilter/xt_MARK.h b/include/uapi/linux/netfilter/xt_MARK.h
new file mode 100644
index 000000000000..41c456deba22
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_MARK.h
@@ -0,0 +1,6 @@
+#ifndef _XT_MARK_H_target
+#define _XT_MARK_H_target
+
+#include <linux/netfilter/xt_mark.h>
+
+#endif /*_XT_MARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_NFLOG.h b/include/uapi/linux/netfilter/xt_NFLOG.h
new file mode 100644
index 000000000000..87b58311ce6b
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_NFLOG.h
@@ -0,0 +1,20 @@
+#ifndef _XT_NFLOG_TARGET
+#define _XT_NFLOG_TARGET
+
+#include <linux/types.h>
+
+#define XT_NFLOG_DEFAULT_GROUP          0x1
+#define XT_NFLOG_DEFAULT_THRESHOLD      0
+
+#define XT_NFLOG_MASK                   0x0
+
+struct xt_nflog_info {
+        __u32   len;
+        __u16   group;
+        __u16   threshold;
+        __u16   flags;
+        __u16   pad;
+        char            prefix[64];
+};
+
+#endif /* _XT_NFLOG_TARGET */
diff --git a/include/uapi/linux/netfilter/xt_NFQUEUE.h b/include/uapi/linux/netfilter/xt_NFQUEUE.h
new file mode 100644
index 000000000000..9eafdbbb401c
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_NFQUEUE.h
@@ -0,0 +1,29 @@
+/* iptables module for using NFQUEUE mechanism
+ *
+ * (C) 2005 Harald Welte <laforge@netfilter.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+*/
+#ifndef _XT_NFQ_TARGET_H
+#define _XT_NFQ_TARGET_H
+
+#include <linux/types.h>
+
+/* target info */
+struct xt_NFQ_info {
+        __u16 queuenum;
+};
+
+struct xt_NFQ_info_v1 {
+        __u16 queuenum;
+        __u16 queues_total;
+};
+
+struct xt_NFQ_info_v2 {
+        __u16 queuenum;
+        __u16 queues_total;
+        __u16 bypass;
+};
+
+#endif /* _XT_NFQ_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_RATEEST.h b/include/uapi/linux/netfilter/xt_RATEEST.h
new file mode 100644
index 000000000000..6605e20ad8cf
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_RATEEST.h
@@ -0,0 +1,15 @@
+#ifndef _XT_RATEEST_TARGET_H
+#define _XT_RATEEST_TARGET_H
+
+#include <linux/types.h>
+
+struct xt_rateest_target_info {
+        char                    name[IFNAMSIZ];
+        __s8                    interval;
+        __u8            ewma_log;
+
+        /* Used internally by the kernel */
+        struct xt_rateest       *est __attribute__((aligned(8)));
+};
+
+#endif /* _XT_RATEEST_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
new file mode 100644
index 000000000000..989092bd6274
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_SECMARK.h
@@ -0,0 +1,22 @@
+#ifndef _XT_SECMARK_H_target
+#define _XT_SECMARK_H_target
+
+#include <linux/types.h>
+
+/*
+ * This is intended for use by various security subsystems (but not
+ * at the same time).
+ *
+ * 'mode' refers to the specific security subsystem which the
+ * packets are being marked for.
+ */
+#define SECMARK_MODE_SEL        0x01            /* SELinux */
+#define SECMARK_SECCTX_MAX      256
+
+struct xt_secmark_target_info {
+        __u8 mode;
+        __u32 secid;
+        char secctx[SECMARK_SECCTX_MAX];
+};
+
+#endif /*_XT_SECMARK_H_target */
diff --git a/include/uapi/linux/netfilter/xt_TCPMSS.h b/include/uapi/linux/netfilter/xt_TCPMSS.h
new file mode 100644
index 000000000000..9a6960afc134
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TCPMSS.h
@@ -0,0 +1,12 @@
+#ifndef _XT_TCPMSS_H
+#define _XT_TCPMSS_H
+
+#include <linux/types.h>
+
+struct xt_tcpmss_info {
+        __u16 mss;
+};
+
+#define XT_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /* _XT_TCPMSS_H */
diff --git a/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
new file mode 100644
index 000000000000..7157318499c2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TCPOPTSTRIP.h
@@ -0,0 +1,15 @@
+#ifndef _XT_TCPOPTSTRIP_H
+#define _XT_TCPOPTSTRIP_H
+
+#include <linux/types.h>
+
+#define tcpoptstrip_set_bit(bmap, idx) \
+        (bmap[(idx) >> 5] |= 1U << (idx & 31))
+#define tcpoptstrip_test_bit(bmap, idx) \
+        (((1U << (idx & 31)) & bmap[(idx) >> 5]) != 0)
+
+struct xt_tcpoptstrip_target_info {
+        __u32 strip_bmap[8];
+};
+
+#endif /* _XT_TCPOPTSTRIP_H */
diff --git a/include/uapi/linux/netfilter/xt_TEE.h b/include/uapi/linux/netfilter/xt_TEE.h
new file mode 100644
index 000000000000..5c21d5c829af
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TEE.h
@@ -0,0 +1,12 @@
+#ifndef _XT_TEE_TARGET_H
+#define _XT_TEE_TARGET_H
+
+struct xt_tee_tginfo {
+        union nf_inet_addr gw;
+        char oif[16];
+
+        /* used internally by the kernel */
+        struct xt_tee_priv *priv __attribute__((aligned(8)));
+};
+
+#endif /* _XT_TEE_TARGET_H */
diff --git a/include/uapi/linux/netfilter/xt_TPROXY.h b/include/uapi/linux/netfilter/xt_TPROXY.h
new file mode 100644
index 000000000000..902043c2073f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,23 @@
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
+
+#include <linux/types.h>
+
+/* TPROXY target is capable of marking the packet to perform
+ * redirection. We can get rid of that whenever we get support for
+ * mutliple targets in the same rule. */
+struct xt_tproxy_target_info {
+        __u32 mark_mask;
+        __u32 mark_value;
+        __be32 laddr;
+        __be16 lport;
+};
+
+struct xt_tproxy_target_info_v1 {
+        __u32 mark_mask;
+        __u32 mark_value;
+        union nf_inet_addr laddr;
+        __be16 lport;
+};
+
+#endif /* _XT_TPROXY_H */
diff --git a/include/uapi/linux/netfilter/xt_addrtype.h b/include/uapi/linux/netfilter/xt_addrtype.h
new file mode 100644
index 000000000000..b156baa9d55e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_addrtype.h
@@ -0,0 +1,44 @@
+#ifndef _XT_ADDRTYPE_H
+#define _XT_ADDRTYPE_H
+
+#include <linux/types.h>
+
+enum {
+        XT_ADDRTYPE_INVERT_SOURCE       = 0x0001,
+        XT_ADDRTYPE_INVERT_DEST         = 0x0002,
+        XT_ADDRTYPE_LIMIT_IFACE_IN      = 0x0004,
+        XT_ADDRTYPE_LIMIT_IFACE_OUT     = 0x0008,
+};
+
+
+/* rtn_type enum values from rtnetlink.h, but shifted */
+enum {
+        XT_ADDRTYPE_UNSPEC = 1 << 0,
+        XT_ADDRTYPE_UNICAST = 1 << 1,   /* 1 << RTN_UNICAST */
+        XT_ADDRTYPE_LOCAL  = 1 << 2,    /* 1 << RTN_LOCAL, etc */
+        XT_ADDRTYPE_BROADCAST = 1 << 3,
+        XT_ADDRTYPE_ANYCAST = 1 << 4,
+        XT_ADDRTYPE_MULTICAST = 1 << 5,
+        XT_ADDRTYPE_BLACKHOLE = 1 << 6,
+        XT_ADDRTYPE_UNREACHABLE = 1 << 7,
+        XT_ADDRTYPE_PROHIBIT = 1 << 8,
+        XT_ADDRTYPE_THROW = 1 << 9,
+        XT_ADDRTYPE_NAT = 1 << 10,
+        XT_ADDRTYPE_XRESOLVE = 1 << 11,
+};
+
+struct xt_addrtype_info_v1 {
+        __u16   source;         /* source-type mask */
+        __u16   dest;           /* dest-type mask */
+        __u32   flags;
+};
+
+/* revision 0 */
+struct xt_addrtype_info {
+        __u16   source;         /* source-type mask */
+        __u16   dest;           /* dest-type mask */
+        __u32   invert_source;
+        __u32   invert_dest;
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter/xt_cluster.h b/include/uapi/linux/netfilter/xt_cluster.h
new file mode 100644
index 000000000000..9b883c8fbf54
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cluster.h
@@ -0,0 +1,19 @@
+#ifndef _XT_CLUSTER_MATCH_H
+#define _XT_CLUSTER_MATCH_H
+
+#include <linux/types.h>
+
+enum xt_cluster_flags {
+        XT_CLUSTER_F_INV        = (1 << 0)
+};
+
+struct xt_cluster_match_info {
+        __u32 total_nodes;
+        __u32 node_mask;
+        __u32 hash_seed;
+        __u32 flags;
+};
+
+#define XT_CLUSTER_NODES_MAX    32
+
+#endif /* _XT_CLUSTER_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_comment.h b/include/uapi/linux/netfilter/xt_comment.h
new file mode 100644
index 000000000000..0ea5e79f5bd7
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_comment.h
@@ -0,0 +1,10 @@
+#ifndef _XT_COMMENT_H
+#define _XT_COMMENT_H
+
+#define XT_MAX_COMMENT_LEN 256
+
+struct xt_comment_info {
+        char comment[XT_MAX_COMMENT_LEN];
+};
+
+#endif /* XT_COMMENT_H */
diff --git a/include/uapi/linux/netfilter/xt_connbytes.h b/include/uapi/linux/netfilter/xt_connbytes.h
new file mode 100644
index 000000000000..f1d6c15bd9e3
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connbytes.h
@@ -0,0 +1,26 @@
+#ifndef _XT_CONNBYTES_H
+#define _XT_CONNBYTES_H
+
+#include <linux/types.h>
+
+enum xt_connbytes_what {
+        XT_CONNBYTES_PKTS,
+        XT_CONNBYTES_BYTES,
+        XT_CONNBYTES_AVGPKT,
+};
+
+enum xt_connbytes_direction {
+        XT_CONNBYTES_DIR_ORIGINAL,
+        XT_CONNBYTES_DIR_REPLY,
+        XT_CONNBYTES_DIR_BOTH,
+};
+
+struct xt_connbytes_info {
+        struct {
+                __aligned_u64 from;     /* count to be matched */
+                __aligned_u64 to;       /* count to be matched */
+        } count;
+        __u8 what;              /* ipt_connbytes_what */
+        __u8 direction; /* ipt_connbytes_direction */
+};
+#endif
diff --git a/include/uapi/linux/netfilter/xt_connlimit.h b/include/uapi/linux/netfilter/xt_connlimit.h
new file mode 100644
index 000000000000..f1656096121e
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connlimit.h
@@ -0,0 +1,32 @@
+#ifndef _XT_CONNLIMIT_H
+#define _XT_CONNLIMIT_H
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+
+struct xt_connlimit_data;
+
+enum {
+        XT_CONNLIMIT_INVERT = 1 << 0,
+        XT_CONNLIMIT_DADDR  = 1 << 1,
+};
+
+struct xt_connlimit_info {
+        union {
+                union nf_inet_addr mask;
+#ifndef __KERNEL__
+                union {
+                        __be32 v4_mask;
+                        __be32 v6_mask[4];
+                };
+#endif
+        };
+        unsigned int limit;
+        /* revision 1 */
+        __u32 flags;
+
+        /* Used internally by the kernel */
+        struct xt_connlimit_data *data __attribute__((aligned(8)));
+};
+
+#endif /* _XT_CONNLIMIT_H */
diff --git a/include/uapi/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
new file mode 100644
index 000000000000..efc17a8305fb
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connmark.h
@@ -0,0 +1,31 @@
+#ifndef _XT_CONNMARK_H
+#define _XT_CONNMARK_H
+
+#include <linux/types.h>
+
+/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
+ * by Henrik Nordstrom <hno@marasystems.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+enum {
+        XT_CONNMARK_SET = 0,
+        XT_CONNMARK_SAVE,
+        XT_CONNMARK_RESTORE
+};
+
+struct xt_connmark_tginfo1 {
+        __u32 ctmark, ctmask, nfmask;
+        __u8 mode;
+};
+
+struct xt_connmark_mtinfo1 {
+        __u32 mark, mask;
+        __u8 invert;
+};
+
+#endif /*_XT_CONNMARK_H*/
diff --git a/include/uapi/linux/netfilter/xt_conntrack.h b/include/uapi/linux/netfilter/xt_conntrack.h
new file mode 100644
index 000000000000..e3c041d54020
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_conntrack.h
@@ -0,0 +1,77 @@
+/* Header file for kernel module to match connection tracking information.
+ * GPL (C) 2001  Marc Boucher (marc@mbsi.ca).
+ */
+
+#ifndef _XT_CONNTRACK_H
+#define _XT_CONNTRACK_H
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_CONNTRACK_STATE_INVALID (1 << 0)
+
+#define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
+#define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
+#define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
+
+/* flags, invflags: */
+enum {
+        XT_CONNTRACK_STATE        = 1 << 0,
+        XT_CONNTRACK_PROTO        = 1 << 1,
+        XT_CONNTRACK_ORIGSRC      = 1 << 2,
+        XT_CONNTRACK_ORIGDST      = 1 << 3,
+        XT_CONNTRACK_REPLSRC      = 1 << 4,
+        XT_CONNTRACK_REPLDST      = 1 << 5,
+        XT_CONNTRACK_STATUS       = 1 << 6,
+        XT_CONNTRACK_EXPIRES      = 1 << 7,
+        XT_CONNTRACK_ORIGSRC_PORT = 1 << 8,
+        XT_CONNTRACK_ORIGDST_PORT = 1 << 9,
+        XT_CONNTRACK_REPLSRC_PORT = 1 << 10,
+        XT_CONNTRACK_REPLDST_PORT = 1 << 11,
+        XT_CONNTRACK_DIRECTION    = 1 << 12,
+};
+
+struct xt_conntrack_mtinfo1 {
+        union nf_inet_addr origsrc_addr, origsrc_mask;
+        union nf_inet_addr origdst_addr, origdst_mask;
+        union nf_inet_addr replsrc_addr, replsrc_mask;
+        union nf_inet_addr repldst_addr, repldst_mask;
+        __u32 expires_min, expires_max;
+        __u16 l4proto;
+        __be16 origsrc_port, origdst_port;
+        __be16 replsrc_port, repldst_port;
+        __u16 match_flags, invert_flags;
+        __u8 state_mask, status_mask;
+};
+
+struct xt_conntrack_mtinfo2 {
+        union nf_inet_addr origsrc_addr, origsrc_mask;
+        union nf_inet_addr origdst_addr, origdst_mask;
+        union nf_inet_addr replsrc_addr, replsrc_mask;
+        union nf_inet_addr repldst_addr, repldst_mask;
+        __u32 expires_min, expires_max;
+        __u16 l4proto;
+        __be16 origsrc_port, origdst_port;
+        __be16 replsrc_port, repldst_port;
+        __u16 match_flags, invert_flags;
+        __u16 state_mask, status_mask;
+};
+
+struct xt_conntrack_mtinfo3 {
+        union nf_inet_addr origsrc_addr, origsrc_mask;
+        union nf_inet_addr origdst_addr, origdst_mask;
+        union nf_inet_addr replsrc_addr, replsrc_mask;
+        union nf_inet_addr repldst_addr, repldst_mask;
+        __u32 expires_min, expires_max;
+        __u16 l4proto;
+        __u16 origsrc_port, origdst_port;
+        __u16 replsrc_port, repldst_port;
+        __u16 match_flags, invert_flags;
+        __u16 state_mask, status_mask;
+        __u16 origsrc_port_high, origdst_port_high;
+        __u16 replsrc_port_high, repldst_port_high;
+};
+
+#endif /*_XT_CONNTRACK_H*/
diff --git a/include/uapi/linux/netfilter/xt_cpu.h b/include/uapi/linux/netfilter/xt_cpu.h
new file mode 100644
index 000000000000..93c7f11d8f42
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cpu.h
@@ -0,0 +1,11 @@
+#ifndef _XT_CPU_H
+#define _XT_CPU_H
+
+#include <linux/types.h>
+
+struct xt_cpu_info {
+        __u32   cpu;
+        __u32   invert;
+};
+
+#endif /*_XT_CPU_H*/
diff --git a/include/uapi/linux/netfilter/xt_dccp.h b/include/uapi/linux/netfilter/xt_dccp.h
new file mode 100644
index 000000000000..a579e1b6f040
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_dccp.h
@@ -0,0 +1,25 @@
+#ifndef _XT_DCCP_H_
+#define _XT_DCCP_H_
+
+#include <linux/types.h>
+
+#define XT_DCCP_SRC_PORTS               0x01
+#define XT_DCCP_DEST_PORTS              0x02
+#define XT_DCCP_TYPE                    0x04
+#define XT_DCCP_OPTION                  0x08
+
+#define XT_DCCP_VALID_FLAGS             0x0f
+
+struct xt_dccp_info {
+        __u16 dpts[2];  /* Min, Max */
+        __u16 spts[2];  /* Min, Max */
+
+        __u16 flags;
+        __u16 invflags;
+
+        __u16 typemask;
+        __u8 option;
+};
+
+#endif /* _XT_DCCP_H_ */
+
diff --git a/include/uapi/linux/netfilter/xt_devgroup.h b/include/uapi/linux/netfilter/xt_devgroup.h
new file mode 100644
index 000000000000..1babde0ec900
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_devgroup.h
@@ -0,0 +1,21 @@
+#ifndef _XT_DEVGROUP_H
+#define _XT_DEVGROUP_H
+
+#include <linux/types.h>
+
+enum xt_devgroup_flags {
+        XT_DEVGROUP_MATCH_SRC   = 0x1,
+        XT_DEVGROUP_INVERT_SRC  = 0x2,
+        XT_DEVGROUP_MATCH_DST   = 0x4,
+        XT_DEVGROUP_INVERT_DST  = 0x8,
+};
+
+struct xt_devgroup_info {
+        __u32   flags;
+        __u32   src_group;
+        __u32   src_mask;
+        __u32   dst_group;
+        __u32   dst_mask;
+};
+
+#endif /* _XT_DEVGROUP_H */
diff --git a/include/uapi/linux/netfilter/xt_dscp.h b/include/uapi/linux/netfilter/xt_dscp.h
new file mode 100644
index 000000000000..15f8932ad5ce
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_dscp.h
@@ -0,0 +1,31 @@
+/* x_tables module for matching the IPv4/IPv6 DSCP field
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ * This software is distributed under GNU GPL v2, 1991
+ *
+ * See RFC2474 for a description of the DSCP field within the IP Header.
+ *
+ * xt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
+*/
+#ifndef _XT_DSCP_H
+#define _XT_DSCP_H
+
+#include <linux/types.h>
+
+#define XT_DSCP_MASK    0xfc    /* 11111100 */
+#define XT_DSCP_SHIFT   2
+#define XT_DSCP_MAX     0x3f    /* 00111111 */
+
+/* match info */
+struct xt_dscp_info {
+        __u8 dscp;
+        __u8 invert;
+};
+
+struct xt_tos_match_info {
+        __u8 tos_mask;
+        __u8 tos_value;
+        __u8 invert;
+};
+
+#endif /* _XT_DSCP_H */
diff --git a/include/uapi/linux/netfilter/xt_ecn.h b/include/uapi/linux/netfilter/xt_ecn.h
new file mode 100644
index 000000000000..7158fca364f2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_ecn.h
@@ -0,0 +1,35 @@
+/* iptables module for matching the ECN header in IPv4 and TCP header
+ *
+ * (C) 2002 Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+ * ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
+*/
+#ifndef _XT_ECN_H
+#define _XT_ECN_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_dscp.h>
+
+#define XT_ECN_IP_MASK  (~XT_DSCP_MASK)
+
+#define XT_ECN_OP_MATCH_IP      0x01
+#define XT_ECN_OP_MATCH_ECE     0x10
+#define XT_ECN_OP_MATCH_CWR     0x20
+
+#define XT_ECN_OP_MATCH_MASK    0xce
+
+/* match info */
+struct xt_ecn_info {
+        __u8 operation;
+        __u8 invert;
+        __u8 ip_ect;
+        union {
+                struct {
+                        __u8 ect;
+                } tcp;
+        } proto;
+};
+
+#endif /* _XT_ECN_H */
diff --git a/include/uapi/linux/netfilter/xt_esp.h b/include/uapi/linux/netfilter/xt_esp.h
new file mode 100644
index 000000000000..ee6882408000
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_esp.h
@@ -0,0 +1,15 @@
+#ifndef _XT_ESP_H
+#define _XT_ESP_H
+
+#include <linux/types.h>
+
+struct xt_esp {
+        __u32 spis[2];  /* Security Parameter Index */
+        __u8  invflags; /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct xt_esp. */
+#define XT_ESP_INV_SPI  0x01    /* Invert the sense of spi. */
+#define XT_ESP_INV_MASK 0x01    /* All possible flags. */
+
+#endif /*_XT_ESP_H*/
diff --git a/include/uapi/linux/netfilter/xt_hashlimit.h b/include/uapi/linux/netfilter/xt_hashlimit.h
new file mode 100644
index 000000000000..cbfc43d1af68
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_hashlimit.h
@@ -0,0 +1,73 @@
+#ifndef _UAPI_XT_HASHLIMIT_H
+#define _UAPI_XT_HASHLIMIT_H
+
+#include <linux/types.h>
+
+/* timings are in milliseconds. */
+#define XT_HASHLIMIT_SCALE 10000
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+ * seconds, or one packet every 59 hours.
+ */
+
+/* packet length accounting is done in 16-byte steps */
+#define XT_HASHLIMIT_BYTE_SHIFT 4
+
+/* details of this structure hidden by the implementation */
+struct xt_hashlimit_htable;
+
+enum {
+        XT_HASHLIMIT_HASH_DIP = 1 << 0,
+        XT_HASHLIMIT_HASH_DPT = 1 << 1,
+        XT_HASHLIMIT_HASH_SIP = 1 << 2,
+        XT_HASHLIMIT_HASH_SPT = 1 << 3,
+        XT_HASHLIMIT_INVERT   = 1 << 4,
+        XT_HASHLIMIT_BYTES    = 1 << 5,
+};
+
+struct hashlimit_cfg {
+        __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
+        __u32 avg;    /* Average secs between packets * scale */
+        __u32 burst;  /* Period multiplier for upper limit. */
+
+        /* user specified */
+        __u32 size;             /* how many buckets */
+        __u32 max;              /* max number of entries */
+        __u32 gc_interval;      /* gc interval */
+        __u32 expire;   /* when do entries expire? */
+};
+
+struct xt_hashlimit_info {
+        char name [IFNAMSIZ];           /* name */
+        struct hashlimit_cfg cfg;
+
+        /* Used internally by the kernel */
+        struct xt_hashlimit_htable *hinfo;
+        union {
+                void *ptr;
+                struct xt_hashlimit_info *master;
+        } u;
+};
+
+struct hashlimit_cfg1 {
+        __u32 mode;       /* bitmask of XT_HASHLIMIT_HASH_* */
+        __u32 avg;    /* Average secs between packets * scale */
+        __u32 burst;  /* Period multiplier for upper limit. */
+
+        /* user specified */
+        __u32 size;             /* how many buckets */
+        __u32 max;              /* max number of entries */
+        __u32 gc_interval;      /* gc interval */
+        __u32 expire;   /* when do entries expire? */
+
+        __u8 srcmask, dstmask;
+};
+
+struct xt_hashlimit_mtinfo1 {
+        char name[IFNAMSIZ];
+        struct hashlimit_cfg1 cfg;
+
+        /* Used internally by the kernel */
+        struct xt_hashlimit_htable *hinfo __attribute__((aligned(8)));
+};
+
+#endif /* _UAPI_XT_HASHLIMIT_H */
diff --git a/include/uapi/linux/netfilter/xt_helper.h b/include/uapi/linux/netfilter/xt_helper.h
new file mode 100644
index 000000000000..6b42763f999d
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_helper.h
@@ -0,0 +1,8 @@
+#ifndef _XT_HELPER_H
+#define _XT_HELPER_H
+
+struct xt_helper_info {
+        int invert;
+        char name[30];
+};
+#endif /* _XT_HELPER_H */
diff --git a/include/uapi/linux/netfilter/xt_iprange.h b/include/uapi/linux/netfilter/xt_iprange.h
new file mode 100644
index 000000000000..25fd7cf851f0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_iprange.h
@@ -0,0 +1,20 @@
+#ifndef _LINUX_NETFILTER_XT_IPRANGE_H
+#define _LINUX_NETFILTER_XT_IPRANGE_H 1
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+
+enum {
+        IPRANGE_SRC     = 1 << 0,       /* match source IP address */
+        IPRANGE_DST     = 1 << 1,       /* match destination IP address */
+        IPRANGE_SRC_INV = 1 << 4,       /* negate the condition */
+        IPRANGE_DST_INV = 1 << 5,       /* -"- */
+};
+
+struct xt_iprange_mtinfo {
+        union nf_inet_addr src_min, src_max;
+        union nf_inet_addr dst_min, dst_max;
+        __u8 flags;
+};
+
+#endif /* _LINUX_NETFILTER_XT_IPRANGE_H */
diff --git a/include/uapi/linux/netfilter/xt_ipvs.h b/include/uapi/linux/netfilter/xt_ipvs.h
new file mode 100644
index 000000000000..eff34ac18808
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_ipvs.h
@@ -0,0 +1,29 @@
+#ifndef _XT_IPVS_H
+#define _XT_IPVS_H
+
+#include <linux/types.h>
+
+enum {
+        XT_IPVS_IPVS_PROPERTY = 1 << 0, /* all other options imply this one */
+        XT_IPVS_PROTO =         1 << 1,
+        XT_IPVS_VADDR =         1 << 2,
+        XT_IPVS_VPORT =         1 << 3,
+        XT_IPVS_DIR =           1 << 4,
+        XT_IPVS_METHOD =        1 << 5,
+        XT_IPVS_VPORTCTL =      1 << 6,
+        XT_IPVS_MASK =          (1 << 7) - 1,
+        XT_IPVS_ONCE_MASK =     XT_IPVS_MASK & ~XT_IPVS_IPVS_PROPERTY
+};
+
+struct xt_ipvs_mtinfo {
+        union nf_inet_addr      vaddr, vmask;
+        __be16                  vport;
+        __u8                    l4proto;
+        __u8                    fwd_method;
+        __be16                  vportctl;
+
+        __u8                    invert;
+        __u8                    bitmask;
+};
+
+#endif /* _XT_IPVS_H */
diff --git a/include/uapi/linux/netfilter/xt_length.h b/include/uapi/linux/netfilter/xt_length.h
new file mode 100644
index 000000000000..b82ed7c4b1e0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_length.h
@@ -0,0 +1,11 @@
+#ifndef _XT_LENGTH_H
+#define _XT_LENGTH_H
+
+#include <linux/types.h>
+
+struct xt_length_info {
+    __u16       min, max;
+    __u8        invert;
+};
+
+#endif /*_XT_LENGTH_H*/
diff --git a/include/uapi/linux/netfilter/xt_limit.h b/include/uapi/linux/netfilter/xt_limit.h
new file mode 100644
index 000000000000..bb47fc4d2ade
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_limit.h
@@ -0,0 +1,24 @@
+#ifndef _XT_RATE_H
+#define _XT_RATE_H
+
+#include <linux/types.h>
+
+/* timings are in milliseconds. */
+#define XT_LIMIT_SCALE 10000
+
+struct xt_limit_priv;
+
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+struct xt_rateinfo {
+        __u32 avg;    /* Average secs between packets * scale */
+        __u32 burst;  /* Period multiplier for upper limit. */
+
+        /* Used internally by the kernel */
+        unsigned long prev; /* moved to xt_limit_priv */
+        __u32 credit; /* moved to xt_limit_priv */
+        __u32 credit_cap, cost;
+
+        struct xt_limit_priv *master;
+};
+#endif /*_XT_RATE_H*/
diff --git a/include/uapi/linux/netfilter/xt_mac.h b/include/uapi/linux/netfilter/xt_mac.h
new file mode 100644
index 000000000000..b892cdc67e06
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_mac.h
@@ -0,0 +1,8 @@
+#ifndef _XT_MAC_H
+#define _XT_MAC_H
+
+struct xt_mac_info {
+    unsigned char srcaddr[ETH_ALEN];
+    int invert;
+};
+#endif /*_XT_MAC_H*/
diff --git a/include/uapi/linux/netfilter/xt_mark.h b/include/uapi/linux/netfilter/xt_mark.h
new file mode 100644
index 000000000000..ecadc40d5cde
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_mark.h
@@ -0,0 +1,15 @@
+#ifndef _XT_MARK_H
+#define _XT_MARK_H
+
+#include <linux/types.h>
+
+struct xt_mark_tginfo2 {
+        __u32 mark, mask;
+};
+
+struct xt_mark_mtinfo1 {
+        __u32 mark, mask;
+        __u8 invert;
+};
+
+#endif /*_XT_MARK_H*/
diff --git a/include/uapi/linux/netfilter/xt_multiport.h b/include/uapi/linux/netfilter/xt_multiport.h
new file mode 100644
index 000000000000..5b7e72dfffc5
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_multiport.h
@@ -0,0 +1,29 @@
+#ifndef _XT_MULTIPORT_H
+#define _XT_MULTIPORT_H
+
+#include <linux/types.h>
+
+enum xt_multiport_flags {
+        XT_MULTIPORT_SOURCE,
+        XT_MULTIPORT_DESTINATION,
+        XT_MULTIPORT_EITHER
+};
+
+#define XT_MULTI_PORTS  15
+
+/* Must fit inside union xt_matchinfo: 16 bytes */
+struct xt_multiport {
+        __u8 flags;                             /* Type of comparison */
+        __u8 count;                             /* Number of ports */
+        __u16 ports[XT_MULTI_PORTS];    /* Ports */
+};
+
+struct xt_multiport_v1 {
+        __u8 flags;                             /* Type of comparison */
+        __u8 count;                             /* Number of ports */
+        __u16 ports[XT_MULTI_PORTS];    /* Ports */
+        __u8 pflags[XT_MULTI_PORTS];    /* Port flags */
+        __u8 invert;                    /* Invert flag */
+};
+
+#endif /*_XT_MULTIPORT_H*/
diff --git a/include/uapi/linux/netfilter/xt_nfacct.h b/include/uapi/linux/netfilter/xt_nfacct.h
new file mode 100644
index 000000000000..3e19c8a86576
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_nfacct.h
@@ -0,0 +1,13 @@
+#ifndef _XT_NFACCT_MATCH_H
+#define _XT_NFACCT_MATCH_H
+
+#include <linux/netfilter/nfnetlink_acct.h>
+
+struct nf_acct;
+
+struct xt_nfacct_match_info {
+        char            name[NFACCT_NAME_MAX];
+        struct nf_acct  *nfacct;
+};
+
+#endif /* _XT_NFACCT_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
new file mode 100644
index 000000000000..18afa495f973
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_osf.h
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _XT_OSF_H
+#define _XT_OSF_H
+
+#include <linux/types.h>
+
+#define MAXGENRELEN             32
+
+#define XT_OSF_GENRE            (1<<0)
+#define XT_OSF_TTL              (1<<1)
+#define XT_OSF_LOG              (1<<2)
+#define XT_OSF_INVERT           (1<<3)
+
+#define XT_OSF_LOGLEVEL_ALL     0       /* log all matched fingerprints */
+#define XT_OSF_LOGLEVEL_FIRST   1       /* log only the first matced fingerprint */
+#define XT_OSF_LOGLEVEL_ALL_KNOWN       2 /* do not log unknown packets */
+
+#define XT_OSF_TTL_TRUE         0       /* True ip and fingerprint TTL comparison */
+#define XT_OSF_TTL_LESS         1       /* Check if ip TTL is less than fingerprint one */
+#define XT_OSF_TTL_NOCHECK      2       /* Do not compare ip and fingerprint TTL at all */
+
+struct xt_osf_info {
+        char                    genre[MAXGENRELEN];
+        __u32                   len;
+        __u32                   flags;
+        __u32                   loglevel;
+        __u32                   ttl;
+};
+
+/*
+ * Wildcard MSS (kind of).
+ * It is used to implement a state machine for the different wildcard values
+ * of the MSS and window sizes.
+ */
+struct xt_osf_wc {
+        __u32                   wc;
+        __u32                   val;
+};
+
+/*
+ * This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct xt_osf_opt {
+        __u16                   kind, length;
+        struct xt_osf_wc        wc;
+};
+
+struct xt_osf_user_finger {
+        struct xt_osf_wc        wss;
+
+        __u8                    ttl, df;
+        __u16                   ss, mss;
+        __u16                   opt_num;
+
+        char                    genre[MAXGENRELEN];
+        char                    version[MAXGENRELEN];
+        char                    subtype[MAXGENRELEN];
+
+        /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
+        struct xt_osf_opt       opt[MAX_IPOPTLEN];
+};
+
+struct xt_osf_nlmsg {
+        struct xt_osf_user_finger       f;
+        struct iphdr            ip;
+        struct tcphdr           tcp;
+};
+
+/* Defines for IANA option kinds */
+
+enum iana_options {
+        OSFOPT_EOL = 0,         /* End of options */
+        OSFOPT_NOP,             /* NOP */
+        OSFOPT_MSS,             /* Maximum segment size */
+        OSFOPT_WSO,             /* Window scale option */
+        OSFOPT_SACKP,           /* SACK permitted */
+        OSFOPT_SACK,            /* SACK */
+        OSFOPT_ECHO,
+        OSFOPT_ECHOREPLY,
+        OSFOPT_TS,              /* Timestamp option */
+        OSFOPT_POCP,            /* Partial Order Connection Permitted */
+        OSFOPT_POSP,            /* Partial Order Service Profile */
+
+        /* Others are not used in the current OSF */
+        OSFOPT_EMPTY = 255,
+};
+
+/*
+ * Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum xt_osf_window_size_options {
+        OSF_WSS_PLAIN   = 0,
+        OSF_WSS_MSS,
+        OSF_WSS_MTU,
+        OSF_WSS_MODULO,
+        OSF_WSS_MAX,
+};
+
+/*
+ * Add/remove fingerprint from the kernel.
+ */
+enum xt_osf_msg_types {
+        OSF_MSG_ADD,
+        OSF_MSG_REMOVE,
+        OSF_MSG_MAX,
+};
+
+enum xt_osf_attr_type {
+        OSF_ATTR_UNSPEC,
+        OSF_ATTR_FINGER,
+        OSF_ATTR_MAX,
+};
+
+#endif                          /* _XT_OSF_H */
diff --git a/include/uapi/linux/netfilter/xt_owner.h b/include/uapi/linux/netfilter/xt_owner.h
new file mode 100644
index 000000000000..2081761714b5
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_owner.h
@@ -0,0 +1,18 @@
+#ifndef _XT_OWNER_MATCH_H
+#define _XT_OWNER_MATCH_H
+
+#include <linux/types.h>
+
+enum {
+        XT_OWNER_UID    = 1 << 0,
+        XT_OWNER_GID    = 1 << 1,
+        XT_OWNER_SOCKET = 1 << 2,
+};
+
+struct xt_owner_match_info {
+        __u32 uid_min, uid_max;
+        __u32 gid_min, gid_max;
+        __u8 match, invert;
+};
+
+#endif /* _XT_OWNER_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_physdev.h b/include/uapi/linux/netfilter/xt_physdev.h
new file mode 100644
index 000000000000..db7a2982e9c0
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_physdev.h
@@ -0,0 +1,23 @@
+#ifndef _UAPI_XT_PHYSDEV_H
+#define _UAPI_XT_PHYSDEV_H
+
+#include <linux/types.h>
+
+
+#define XT_PHYSDEV_OP_IN                0x01
+#define XT_PHYSDEV_OP_OUT               0x02
+#define XT_PHYSDEV_OP_BRIDGED           0x04
+#define XT_PHYSDEV_OP_ISIN              0x08
+#define XT_PHYSDEV_OP_ISOUT             0x10
+#define XT_PHYSDEV_OP_MASK              (0x20 - 1)
+
+struct xt_physdev_info {
+        char physindev[IFNAMSIZ];
+        char in_mask[IFNAMSIZ];
+        char physoutdev[IFNAMSIZ];
+        char out_mask[IFNAMSIZ];
+        __u8 invert;
+        __u8 bitmask;
+};
+
+#endif /* _UAPI_XT_PHYSDEV_H */
diff --git a/include/uapi/linux/netfilter/xt_pkttype.h b/include/uapi/linux/netfilter/xt_pkttype.h
new file mode 100644
index 000000000000..f265cf52faea
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_pkttype.h
@@ -0,0 +1,8 @@
+#ifndef _XT_PKTTYPE_H
+#define _XT_PKTTYPE_H
+
+struct xt_pkttype_info {
+        int     pkttype;
+        int     invert;
+};
+#endif /*_XT_PKTTYPE_H*/
diff --git a/include/uapi/linux/netfilter/xt_policy.h b/include/uapi/linux/netfilter/xt_policy.h
new file mode 100644
index 000000000000..be8ead05c316
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_policy.h
@@ -0,0 +1,69 @@
+#ifndef _XT_POLICY_H
+#define _XT_POLICY_H
+
+#include <linux/types.h>
+
+#define XT_POLICY_MAX_ELEM      4
+
+enum xt_policy_flags {
+        XT_POLICY_MATCH_IN      = 0x1,
+        XT_POLICY_MATCH_OUT     = 0x2,
+        XT_POLICY_MATCH_NONE    = 0x4,
+        XT_POLICY_MATCH_STRICT  = 0x8,
+};
+
+enum xt_policy_modes {
+        XT_POLICY_MODE_TRANSPORT,
+        XT_POLICY_MODE_TUNNEL
+};
+
+struct xt_policy_spec {
+        __u8    saddr:1,
+                        daddr:1,
+                        proto:1,
+                        mode:1,
+                        spi:1,
+                        reqid:1;
+};
+
+#ifndef __KERNEL__
+union xt_policy_addr {
+        struct in_addr  a4;
+        struct in6_addr a6;
+};
+#endif
+
+struct xt_policy_elem {
+        union {
+#ifdef __KERNEL__
+                struct {
+                        union nf_inet_addr saddr;
+                        union nf_inet_addr smask;
+                        union nf_inet_addr daddr;
+                        union nf_inet_addr dmask;
+                };
+#else
+                struct {
+                        union xt_policy_addr saddr;
+                        union xt_policy_addr smask;
+                        union xt_policy_addr daddr;
+                        union xt_policy_addr dmask;
+                };
+#endif
+        };
+        __be32                  spi;
+        __u32           reqid;
+        __u8            proto;
+        __u8            mode;
+
+        struct xt_policy_spec   match;
+        struct xt_policy_spec   invert;
+};
+
+struct xt_policy_info {
+        struct xt_policy_elem pol[XT_POLICY_MAX_ELEM];
+        __u16 flags;
+        __u16 len;
+};
+
+#endif /* _XT_POLICY_H */
diff --git a/include/uapi/linux/netfilter/xt_quota.h b/include/uapi/linux/netfilter/xt_quota.h
new file mode 100644
index 000000000000..9314723f39ca
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_quota.h
@@ -0,0 +1,22 @@
+#ifndef _XT_QUOTA_H
+#define _XT_QUOTA_H
+
+#include <linux/types.h>
+
+enum xt_quota_flags {
+        XT_QUOTA_INVERT         = 0x1,
+};
+#define XT_QUOTA_MASK           0x1
+
+struct xt_quota_priv;
+
+struct xt_quota_info {
+        __u32 flags;
+        __u32 pad;
+        __aligned_u64 quota;
+
+        /* Used internally by the kernel */
+        struct xt_quota_priv    *master;
+};
+
+#endif /* _XT_QUOTA_H */
diff --git a/include/uapi/linux/netfilter/xt_rateest.h b/include/uapi/linux/netfilter/xt_rateest.h
new file mode 100644
index 000000000000..d40a6196842a
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_rateest.h
@@ -0,0 +1,37 @@
+#ifndef _XT_RATEEST_MATCH_H
+#define _XT_RATEEST_MATCH_H
+
+#include <linux/types.h>
+
+enum xt_rateest_match_flags {
+        XT_RATEEST_MATCH_INVERT = 1<<0,
+        XT_RATEEST_MATCH_ABS    = 1<<1,
+        XT_RATEEST_MATCH_REL    = 1<<2,
+        XT_RATEEST_MATCH_DELTA  = 1<<3,
+        XT_RATEEST_MATCH_BPS    = 1<<4,
+        XT_RATEEST_MATCH_PPS    = 1<<5,
+};
+
+enum xt_rateest_match_mode {
+        XT_RATEEST_MATCH_NONE,
+        XT_RATEEST_MATCH_EQ,
+        XT_RATEEST_MATCH_LT,
+        XT_RATEEST_MATCH_GT,
+};
+
+struct xt_rateest_match_info {
+        char                    name1[IFNAMSIZ];
+        char                    name2[IFNAMSIZ];
+        __u16           flags;
+        __u16           mode;
+        __u32           bps1;
+        __u32           pps1;
+        __u32           bps2;
+        __u32           pps2;
+
+        /* Used internally by the kernel */
+        struct xt_rateest       *est1 __attribute__((aligned(8)));
+        struct xt_rateest       *est2 __attribute__((aligned(8)));
+};
+
+#endif /* _XT_RATEEST_MATCH_H */
diff --git a/include/uapi/linux/netfilter/xt_realm.h b/include/uapi/linux/netfilter/xt_realm.h
new file mode 100644
index 000000000000..d4a82ee56a02
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_realm.h
@@ -0,0 +1,12 @@
+#ifndef _XT_REALM_H
+#define _XT_REALM_H
+
+#include <linux/types.h>
+
+struct xt_realm_info {
+        __u32 id;
+        __u32 mask;
+        __u8 invert;
+};
+
+#endif /* _XT_REALM_H */
diff --git a/include/uapi/linux/netfilter/xt_recent.h b/include/uapi/linux/netfilter/xt_recent.h
new file mode 100644
index 000000000000..6ef36c113e89
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_recent.h
@@ -0,0 +1,45 @@
+#ifndef _LINUX_NETFILTER_XT_RECENT_H
+#define _LINUX_NETFILTER_XT_RECENT_H 1
+
+#include <linux/types.h>
+
+enum {
+        XT_RECENT_CHECK    = 1 << 0,
+        XT_RECENT_SET      = 1 << 1,
+        XT_RECENT_UPDATE   = 1 << 2,
+        XT_RECENT_REMOVE   = 1 << 3,
+        XT_RECENT_TTL      = 1 << 4,
+        XT_RECENT_REAP     = 1 << 5,
+
+        XT_RECENT_SOURCE   = 0,
+        XT_RECENT_DEST     = 1,
+
+        XT_RECENT_NAME_LEN = 200,
+};
+
+/* Only allowed with --rcheck and --update */
+#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
+
+#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
+                               XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
+
+struct xt_recent_mtinfo {
+        __u32 seconds;
+        __u32 hit_count;
+        __u8 check_set;
+        __u8 invert;
+        char name[XT_RECENT_NAME_LEN];
+        __u8 side;
+};
+
+struct xt_recent_mtinfo_v1 {
+        __u32 seconds;
+        __u32 hit_count;
+        __u8 check_set;
+        __u8 invert;
+        char name[XT_RECENT_NAME_LEN];
+        __u8 side;
+        union nf_inet_addr mask;
+};
+
+#endif /* _LINUX_NETFILTER_XT_RECENT_H */
diff --git a/include/uapi/linux/netfilter/xt_sctp.h b/include/uapi/linux/netfilter/xt_sctp.h
new file mode 100644
index 000000000000..29287be696a2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_sctp.h
@@ -0,0 +1,92 @@
+#ifndef _XT_SCTP_H_
+#define _XT_SCTP_H_
+
+#include <linux/types.h>
+
+#define XT_SCTP_SRC_PORTS               0x01
+#define XT_SCTP_DEST_PORTS              0x02
+#define XT_SCTP_CHUNK_TYPES             0x04
+
+#define XT_SCTP_VALID_FLAGS             0x07
+
+struct xt_sctp_flag_info {
+        __u8 chunktype;
+        __u8 flag;
+        __u8 flag_mask;
+};
+
+#define XT_NUM_SCTP_FLAGS       4
+
+struct xt_sctp_info {
+        __u16 dpts[2];  /* Min, Max */
+        __u16 spts[2];  /* Min, Max */
+
+        __u32 chunkmap[256 / sizeof (__u32)];  /* Bit mask of chunks to be matched according to RFC 2960 */
+
+#define SCTP_CHUNK_MATCH_ANY   0x01  /* Match if any of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ALL   0x02  /* Match if all of the chunk types are present */
+#define SCTP_CHUNK_MATCH_ONLY  0x04  /* Match if these are the only chunk types present */
+
+        __u32 chunk_match_type;
+        struct xt_sctp_flag_info flag_info[XT_NUM_SCTP_FLAGS];
+        int flag_count;
+
+        __u32 flags;
+        __u32 invflags;
+};
+
+#define bytes(type) (sizeof(type) * 8)
+
+#define SCTP_CHUNKMAP_SET(chunkmap, type)               \
+        do {                                            \
+                (chunkmap)[type / bytes(__u32)] |=      \
+                        1 << (type % bytes(__u32));     \
+        } while (0)
+
+#define SCTP_CHUNKMAP_CLEAR(chunkmap, type)                     \
+        do {                                                    \
+                (chunkmap)[type / bytes(__u32)] &=              \
+                        ~(1 << (type % bytes(__u32)));  \
+        } while (0)
+
+#define SCTP_CHUNKMAP_IS_SET(chunkmap, type)                    \
+({                                                              \
+        ((chunkmap)[type / bytes (__u32)] &             \
+                (1 << (type % bytes (__u32)))) ? 1: 0;  \
+})
+
+#define SCTP_CHUNKMAP_RESET(chunkmap) \
+        memset((chunkmap), 0, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
+        memset((chunkmap), ~0U, sizeof(chunkmap))
+
+#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
+        memcpy((destmap), (srcmap), sizeof(srcmap))
+
+#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
+        __sctp_chunkmap_is_clear((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_clear(const __u32 *chunkmap, unsigned int n)
+{
+        unsigned int i;
+        for (i = 0; i < n; ++i)
+                if (chunkmap[i])
+                        return false;
+        return true;
+}
+
+#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
+        __sctp_chunkmap_is_all_set((chunkmap), ARRAY_SIZE(chunkmap))
+static inline bool
+__sctp_chunkmap_is_all_set(const __u32 *chunkmap, unsigned int n)
+{
+        unsigned int i;
+        for (i = 0; i < n; ++i)
+                if (chunkmap[i] != ~0U)
+                        return false;
+        return true;
+}
+
+#endif /* _XT_SCTP_H_ */
+
diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h
new file mode 100644
index 000000000000..e3a9978f259f
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_set.h
@@ -0,0 +1,65 @@
+#ifndef _XT_SET_H
+#define _XT_SET_H
+
+#include <linux/types.h>
+#include <linux/netfilter/ipset/ip_set.h>
+
+/* Revision 0 interface: backward compatible with netfilter/iptables */
+
+/*
+ * Option flags for kernel operations (xt_set_info_v0)
+ */
+#define IPSET_SRC               0x01    /* Source match/add */
+#define IPSET_DST               0x02    /* Destination match/add */
+#define IPSET_MATCH_INV         0x04    /* Inverse matching */
+
+struct xt_set_info_v0 {
+        ip_set_id_t index;
+        union {
+                __u32 flags[IPSET_DIM_MAX + 1];
+                struct {
+                        __u32 __flags[IPSET_DIM_MAX];
+                        __u8 dim;
+                        __u8 flags;
+                } compat;
+        } u;
+};
+
+/* match and target infos */
+struct xt_set_info_match_v0 {
+        struct xt_set_info_v0 match_set;
+};
+
+struct xt_set_info_target_v0 {
+        struct xt_set_info_v0 add_set;
+        struct xt_set_info_v0 del_set;
+};
+
+/* Revision 1  match and target */
+
+struct xt_set_info {
+        ip_set_id_t index;
+        __u8 dim;
+        __u8 flags;
+};
+
+/* match and target infos */
+struct xt_set_info_match_v1 {
+        struct xt_set_info match_set;
+};
+
+struct xt_set_info_target_v1 {
+        struct xt_set_info add_set;
+        struct xt_set_info del_set;
+};
+
+/* Revision 2 target */
+
+struct xt_set_info_target_v2 {
+        struct xt_set_info add_set;
+        struct xt_set_info del_set;
+        __u32 flags;
+        __u32 timeout;
+};
+
+#endif /*_XT_SET_H*/
diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
new file mode 100644
index 000000000000..26d7217bd4f1
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_socket.h
@@ -0,0 +1,14 @@
+#ifndef _XT_SOCKET_H
+#define _XT_SOCKET_H
+
+#include <linux/types.h>
+
+enum {
+        XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+        __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H */
diff --git a/include/uapi/linux/netfilter/xt_state.h b/include/uapi/linux/netfilter/xt_state.h
new file mode 100644
index 000000000000..7b32de886613
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_state.h
@@ -0,0 +1,12 @@
+#ifndef _XT_STATE_H
+#define _XT_STATE_H
+
+#define XT_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
+#define XT_STATE_INVALID (1 << 0)
+
+#define XT_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 1))
+
+struct xt_state_info {
+        unsigned int statemask;
+};
+#endif /*_XT_STATE_H*/
diff --git a/include/uapi/linux/netfilter/xt_statistic.h b/include/uapi/linux/netfilter/xt_statistic.h
new file mode 100644
index 000000000000..4e983ef0c968
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_statistic.h
@@ -0,0 +1,36 @@
+#ifndef _XT_STATISTIC_H
+#define _XT_STATISTIC_H
+
+#include <linux/types.h>
+
+enum xt_statistic_mode {
+        XT_STATISTIC_MODE_RANDOM,
+        XT_STATISTIC_MODE_NTH,
+        __XT_STATISTIC_MODE_MAX
+};
+#define XT_STATISTIC_MODE_MAX (__XT_STATISTIC_MODE_MAX - 1)
+
+enum xt_statistic_flags {
+        XT_STATISTIC_INVERT             = 0x1,
+};
+#define XT_STATISTIC_MASK               0x1
+
+struct xt_statistic_priv;
+
+struct xt_statistic_info {
+        __u16                   mode;
+        __u16                   flags;
+        union {
+                struct {
+                        __u32   probability;
+                } random;
+                struct {
+                        __u32   every;
+                        __u32   packet;
+                        __u32   count; /* unused */
+                } nth;
+        } u;
+        struct xt_statistic_priv *master __attribute__((aligned(8)));
+};
+
+#endif /* _XT_STATISTIC_H */
diff --git a/include/uapi/linux/netfilter/xt_string.h b/include/uapi/linux/netfilter/xt_string.h
new file mode 100644
index 000000000000..235347c02eab
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_string.h
@@ -0,0 +1,34 @@
+#ifndef _XT_STRING_H
+#define _XT_STRING_H
+
+#include <linux/types.h>
+
+#define XT_STRING_MAX_PATTERN_SIZE 128
+#define XT_STRING_MAX_ALGO_NAME_SIZE 16
+
+enum {
+        XT_STRING_FLAG_INVERT           = 0x01,
+        XT_STRING_FLAG_IGNORECASE       = 0x02
+};
+
+struct xt_string_info {
+        __u16 from_offset;
+        __u16 to_offset;
+        char      algo[XT_STRING_MAX_ALGO_NAME_SIZE];
+        char      pattern[XT_STRING_MAX_PATTERN_SIZE];
+        __u8  patlen;
+        union {
+                struct {
+                        __u8  invert;
+                } v0;
+
+                struct {
+                        __u8  flags;
+                } v1;
+        } u;
+
+        /* Used internally by the kernel */
+        struct ts_config __attribute__((aligned(8))) *config;
+};
+
+#endif /*_XT_STRING_H*/
diff --git a/include/uapi/linux/netfilter/xt_tcpmss.h b/include/uapi/linux/netfilter/xt_tcpmss.h
new file mode 100644
index 000000000000..fbac56b9e667
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_tcpmss.h
@@ -0,0 +1,11 @@
+#ifndef _XT_TCPMSS_MATCH_H
+#define _XT_TCPMSS_MATCH_H
+
+#include <linux/types.h>
+
+struct xt_tcpmss_match_info {
+    __u16 mss_min, mss_max;
+    __u8 invert;
+};
+
+#endif /*_XT_TCPMSS_MATCH_H*/
diff --git a/include/uapi/linux/netfilter/xt_tcpudp.h b/include/uapi/linux/netfilter/xt_tcpudp.h
new file mode 100644
index 000000000000..38aa7b399021
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_tcpudp.h
@@ -0,0 +1,36 @@
+#ifndef _XT_TCPUDP_H
+#define _XT_TCPUDP_H
+
+#include <linux/types.h>
+
+/* TCP matching stuff */
+struct xt_tcp {
+        __u16 spts[2];                  /* Source port range. */
+        __u16 dpts[2];                  /* Destination port range. */
+        __u8 option;                    /* TCP Option iff non-zero*/
+        __u8 flg_mask;                  /* TCP flags mask byte */
+        __u8 flg_cmp;                   /* TCP flags compare byte */
+        __u8 invflags;                  /* Inverse flags */
+};
+
+/* Values for "inv" field in struct ipt_tcp. */
+#define XT_TCP_INV_SRCPT        0x01    /* Invert the sense of source ports. */
+#define XT_TCP_INV_DSTPT        0x02    /* Invert the sense of dest ports. */
+#define XT_TCP_INV_FLAGS        0x04    /* Invert the sense of TCP flags. */
+#define XT_TCP_INV_OPTION       0x08    /* Invert the sense of option test. */
+#define XT_TCP_INV_MASK         0x0F    /* All possible flags. */
+
+/* UDP matching stuff */
+struct xt_udp {
+        __u16 spts[2];                  /* Source port range. */
+        __u16 dpts[2];                  /* Destination port range. */
+        __u8 invflags;                  /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct ipt_udp. */
+#define XT_UDP_INV_SRCPT        0x01    /* Invert the sense of source ports. */
+#define XT_UDP_INV_DSTPT        0x02    /* Invert the sense of dest ports. */
+#define XT_UDP_INV_MASK 0x03    /* All possible flags. */
+
+
+#endif
diff --git a/include/uapi/linux/netfilter/xt_time.h b/include/uapi/linux/netfilter/xt_time.h
new file mode 100644
index 000000000000..095886019396
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_time.h
@@ -0,0 +1,32 @@
+#ifndef _XT_TIME_H
+#define _XT_TIME_H 1
+
+#include <linux/types.h>
+
+struct xt_time_info {
+        __u32 date_start;
+        __u32 date_stop;
+        __u32 daytime_start;
+        __u32 daytime_stop;
+        __u32 monthdays_match;
+        __u8 weekdays_match;
+        __u8 flags;
+};
+
+enum {
+        /* Match against local time (instead of UTC) */
+        XT_TIME_LOCAL_TZ = 1 << 0,
+
+        /* treat timestart > timestop (e.g. 23:00-01:00) as single period */
+        XT_TIME_CONTIGUOUS = 1 << 1,
+
+        /* Shortcuts */
+        XT_TIME_ALL_MONTHDAYS = 0xFFFFFFFE,
+        XT_TIME_ALL_WEEKDAYS  = 0xFE,
+        XT_TIME_MIN_DAYTIME   = 0,
+        XT_TIME_MAX_DAYTIME   = 24 * 60 * 60 - 1,
+};
+
+#define XT_TIME_ALL_FLAGS (XT_TIME_LOCAL_TZ|XT_TIME_CONTIGUOUS)
+
+#endif /* _XT_TIME_H */
diff --git a/include/uapi/linux/netfilter/xt_u32.h b/include/uapi/linux/netfilter/xt_u32.h
new file mode 100644
index 000000000000..04d1bfea03c2
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_u32.h
@@ -0,0 +1,42 @@
+#ifndef _XT_U32_H
+#define _XT_U32_H 1
+
+#include <linux/types.h>
+
+enum xt_u32_ops {
+        XT_U32_AND,
+        XT_U32_LEFTSH,
+        XT_U32_RIGHTSH,
+        XT_U32_AT,
+};
+
+struct xt_u32_location_element {
+        __u32 number;
+        __u8 nextop;
+};
+
+struct xt_u32_value_element {
+        __u32 min;
+        __u32 max;
+};
+
+/*
+ * Any way to allow for an arbitrary number of elements?
+ * For now, I settle with a limit of 10 each.
+ */
+#define XT_U32_MAXSIZE 10
+
+struct xt_u32_test {
+        struct xt_u32_location_element location[XT_U32_MAXSIZE+1];
+        struct xt_u32_value_element value[XT_U32_MAXSIZE+1];
+        __u8 nnums;
+        __u8 nvalues;
+};
+
+struct xt_u32 {
+        struct xt_u32_test tests[XT_U32_MAXSIZE+1];
+        __u8 ntests;
+        __u8 invert;
+};
+
+#endif /* _XT_U32_H */
diff --git a/include/uapi/linux/netfilter_arp/Kbuild b/include/uapi/linux/netfilter_arp/Kbuild
index aafaa5aa54d4..62d5637cc0ac 100644
--- a/include/uapi/linux/netfilter_arp/Kbuild
+++ b/include/uapi/linux/netfilter_arp/Kbuild
@@ -1 +1,3 @@
 # UAPI Header export list
+header-y += arp_tables.h
+header-y += arpt_mangle.h
diff --git a/include/uapi/linux/netfilter_arp/arp_tables.h b/include/uapi/linux/netfilter_arp/arp_tables.h
new file mode 100644
index 000000000000..a5a86a4db6b3
--- /dev/null
+++ b/include/uapi/linux/netfilter_arp/arp_tables.h
@@ -0,0 +1,206 @@
+/*
+ *      Format of an ARP firewall descriptor
+ *
+ *      src, tgt, src_mask, tgt_mask, arpop, arpop_mask are always stored in
+ *      network byte order.
+ *      flags are stored in host byte order (of course).
+ */
+
+#ifndef _UAPI_ARPTABLES_H
+#define _UAPI_ARPTABLES_H
+
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_arp.h>
+
+#include <linux/netfilter/x_tables.h>
+
+#ifndef __KERNEL__
+#define ARPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define ARPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define arpt_entry_target xt_entry_target
+#define arpt_standard_target xt_standard_target
+#define arpt_error_target xt_error_target
+#define ARPT_CONTINUE XT_CONTINUE
+#define ARPT_RETURN XT_RETURN
+#define arpt_counters_info xt_counters_info
+#define arpt_counters xt_counters
+#define ARPT_STANDARD_TARGET XT_STANDARD_TARGET
+#define ARPT_ERROR_TARGET XT_ERROR_TARGET
+#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
+#endif
+
+#define ARPT_DEV_ADDR_LEN_MAX 16
+
+struct arpt_devaddr_info {
+        char addr[ARPT_DEV_ADDR_LEN_MAX];
+        char mask[ARPT_DEV_ADDR_LEN_MAX];
+};
+
+/* Yes, Virginia, you have to zero the padding. */
+struct arpt_arp {
+        /* Source and target IP addr */
+        struct in_addr src, tgt;
+        /* Mask for src and target IP addr */
+        struct in_addr smsk, tmsk;
+
+        /* Device hw address length, src+target device addresses */
+        __u8 arhln, arhln_mask;
+        struct arpt_devaddr_info src_devaddr;
+        struct arpt_devaddr_info tgt_devaddr;
+
+        /* ARP operation code. */
+        __be16 arpop, arpop_mask;
+
+        /* ARP hardware address and protocol address format. */
+        __be16 arhrd, arhrd_mask;
+        __be16 arpro, arpro_mask;
+
+        /* The protocol address length is only accepted if it is 4
+         * so there is no use in offering a way to do filtering on it.
+         */
+
+        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+
+        /* Flags word */
+        __u8 flags;
+        /* Inverse flags */
+        __u16 invflags;
+};
+
+/* Values for "flag" field in struct arpt_ip (general arp structure).
+ * No flags defined yet.
+ */
+#define ARPT_F_MASK             0x00    /* All possible flag bits mask. */
+
+/* Values for "inv" field in struct arpt_arp. */
+#define ARPT_INV_VIA_IN         0x0001  /* Invert the sense of IN IFACE. */
+#define ARPT_INV_VIA_OUT        0x0002  /* Invert the sense of OUT IFACE */
+#define ARPT_INV_SRCIP          0x0004  /* Invert the sense of SRC IP. */
+#define ARPT_INV_TGTIP          0x0008  /* Invert the sense of TGT IP. */
+#define ARPT_INV_SRCDEVADDR     0x0010  /* Invert the sense of SRC DEV ADDR. */
+#define ARPT_INV_TGTDEVADDR     0x0020  /* Invert the sense of TGT DEV ADDR. */
+#define ARPT_INV_ARPOP          0x0040  /* Invert the sense of ARP OP. */
+#define ARPT_INV_ARPHRD         0x0080  /* Invert the sense of ARP HRD. */
+#define ARPT_INV_ARPPRO         0x0100  /* Invert the sense of ARP PRO. */
+#define ARPT_INV_ARPHLN         0x0200  /* Invert the sense of ARP HLN. */
+#define ARPT_INV_MASK           0x03FF  /* All possible flag bits mask. */
+
+/* This structure defines each of the firewall rules.  Consists of 3
+   parts which are 1) general ARP header stuff 2) match specific
+   stuff 3) the target to perform if the rule matches */
+struct arpt_entry
+{
+        struct arpt_arp arp;
+
+        /* Size of arpt_entry + matches */
+        __u16 target_offset;
+        /* Size of arpt_entry + matches + target */
+        __u16 next_offset;
+
+        /* Back pointer */
+        unsigned int comefrom;
+
+        /* Packet and byte counters. */
+        struct xt_counters counters;
+
+        /* The matches (if any), then the target. */
+        unsigned char elems[0];
+};
+
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in.h before adding new number here.
+ */
+#define ARPT_BASE_CTL           96
+
+#define ARPT_SO_SET_REPLACE             (ARPT_BASE_CTL)
+#define ARPT_SO_SET_ADD_COUNTERS        (ARPT_BASE_CTL + 1)
+#define ARPT_SO_SET_MAX                 ARPT_SO_SET_ADD_COUNTERS
+
+#define ARPT_SO_GET_INFO                (ARPT_BASE_CTL)
+#define ARPT_SO_GET_ENTRIES             (ARPT_BASE_CTL + 1)
+/* #define ARPT_SO_GET_REVISION_MATCH   (APRT_BASE_CTL + 2) */
+#define ARPT_SO_GET_REVISION_TARGET     (ARPT_BASE_CTL + 3)
+#define ARPT_SO_GET_MAX                 (ARPT_SO_GET_REVISION_TARGET)
+
+/* The argument to ARPT_SO_GET_INFO */
+struct arpt_getinfo {
+        /* Which table: caller fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* Kernel fills these in. */
+        /* Which hook entry points are valid: bitmask */
+        unsigned int valid_hooks;
+
+        /* Hook entry points: one per netfilter hook. */
+        unsigned int hook_entry[NF_ARP_NUMHOOKS];
+
+        /* Underflow points. */
+        unsigned int underflow[NF_ARP_NUMHOOKS];
+
+        /* Number of entries */
+        unsigned int num_entries;
+
+        /* Size of entries. */
+        unsigned int size;
+};
+
+/* The argument to ARPT_SO_SET_REPLACE. */
+struct arpt_replace {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* Which hook entry points are valid: bitmask.  You can't
+           change this. */
+        unsigned int valid_hooks;
+
+        /* Number of entries */
+        unsigned int num_entries;
+
+        /* Total size of new entries */
+        unsigned int size;
+
+        /* Hook entry points. */
+        unsigned int hook_entry[NF_ARP_NUMHOOKS];
+
+        /* Underflow points. */
+        unsigned int underflow[NF_ARP_NUMHOOKS];
+
+        /* Information about old entries: */
+        /* Number of counters (must be equal to current number of entries). */
+        unsigned int num_counters;
+        /* The old entries' counters. */
+        struct xt_counters __user *counters;
+
+        /* The entries (hang off end: not really an array). */
+        struct arpt_entry entries[0];
+};
+
+/* The argument to ARPT_SO_GET_ENTRIES. */
+struct arpt_get_entries {
+        /* Which table: user fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* User fills this in: total entry size. */
+        unsigned int size;
+
+        /* The entries. */
+        struct arpt_entry entrytable[0];
+};
+
+/* Helper functions */
+static __inline__ struct xt_entry_target *arpt_get_target(struct arpt_entry *e)
+{
+        return (void *)e + e->target_offset;
+}
+
+/*
+ *      Main firewall chains definitions and global var's definitions.
+ */
+#endif /* _UAPI_ARPTABLES_H */
diff --git a/include/uapi/linux/netfilter_arp/arpt_mangle.h b/include/uapi/linux/netfilter_arp/arpt_mangle.h
new file mode 100644
index 000000000000..250f502902bb
--- /dev/null
+++ b/include/uapi/linux/netfilter_arp/arpt_mangle.h
@@ -0,0 +1,26 @@
+#ifndef _ARPT_MANGLE_H
+#define _ARPT_MANGLE_H
+#include <linux/netfilter_arp/arp_tables.h>
+
+#define ARPT_MANGLE_ADDR_LEN_MAX sizeof(struct in_addr)
+struct arpt_mangle
+{
+        char src_devaddr[ARPT_DEV_ADDR_LEN_MAX];
+        char tgt_devaddr[ARPT_DEV_ADDR_LEN_MAX];
+        union {
+                struct in_addr src_ip;
+        } u_s;
+        union {
+                struct in_addr tgt_ip;
+        } u_t;
+        u_int8_t flags;
+        int target;
+};
+
+#define ARPT_MANGLE_SDEV 0x01
+#define ARPT_MANGLE_TDEV 0x02
+#define ARPT_MANGLE_SIP 0x04
+#define ARPT_MANGLE_TIP 0x08
+#define ARPT_MANGLE_MASK 0x0f
+
+#endif /* _ARPT_MANGLE_H */
diff --git a/include/uapi/linux/netfilter_bridge/Kbuild b/include/uapi/linux/netfilter_bridge/Kbuild
index aafaa5aa54d4..348717c3a22f 100644
--- a/include/uapi/linux/netfilter_bridge/Kbuild
+++ b/include/uapi/linux/netfilter_bridge/Kbuild
@@ -1 +1,19 @@
 # UAPI Header export list
+header-y += ebt_802_3.h
+header-y += ebt_among.h
+header-y += ebt_arp.h
+header-y += ebt_arpreply.h
+header-y += ebt_ip.h
+header-y += ebt_ip6.h
+header-y += ebt_limit.h
+header-y += ebt_log.h
+header-y += ebt_mark_m.h
+header-y += ebt_mark_t.h
+header-y += ebt_nat.h
+header-y += ebt_nflog.h
+header-y += ebt_pkttype.h
+header-y += ebt_redirect.h
+header-y += ebt_stp.h
+header-y += ebt_ulog.h
+header-y += ebt_vlan.h
+header-y += ebtables.h
diff --git a/include/uapi/linux/netfilter_bridge/ebt_802_3.h b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
new file mode 100644
index 000000000000..5bf84912a082
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_802_3.h
@@ -0,0 +1,62 @@
+#ifndef _UAPI__LINUX_BRIDGE_EBT_802_3_H
+#define _UAPI__LINUX_BRIDGE_EBT_802_3_H
+
+#include <linux/types.h>
+
+#define EBT_802_3_SAP 0x01
+#define EBT_802_3_TYPE 0x02
+
+#define EBT_802_3_MATCH "802_3"
+
+/*
+ * If frame has DSAP/SSAP value 0xaa you must check the SNAP type
+ * to discover what kind of packet we're carrying. 
+ */
+#define CHECK_TYPE 0xaa
+
+/*
+ * Control field may be one or two bytes.  If the first byte has
+ * the value 0x03 then the entire length is one byte, otherwise it is two.
+ * One byte controls are used in Unnumbered Information frames.
+ * Two byte controls are used in Numbered Information frames.
+ */
+#define IS_UI 0x03
+
+#define EBT_802_3_MASK (EBT_802_3_SAP | EBT_802_3_TYPE | EBT_802_3)
+
+/* ui has one byte ctrl, ni has two */
+struct hdr_ui {
+        __u8 dsap;
+        __u8 ssap;
+        __u8 ctrl;
+        __u8 orig[3];
+        __be16 type;
+};
+
+struct hdr_ni {
+        __u8 dsap;
+        __u8 ssap;
+        __be16 ctrl;
+        __u8  orig[3];
+        __be16 type;
+};
+
+struct ebt_802_3_hdr {
+        __u8  daddr[6];
+        __u8  saddr[6];
+        __be16 len;
+        union {
+                struct hdr_ui ui;
+                struct hdr_ni ni;
+        } llc;
+};
+
+
+struct ebt_802_3_info {
+        __u8  sap;
+        __be16 type;
+        __u8  bitmask;
+        __u8  invflags;
+};
+
+#endif /* _UAPI__LINUX_BRIDGE_EBT_802_3_H */
diff --git a/include/uapi/linux/netfilter_bridge/ebt_among.h b/include/uapi/linux/netfilter_bridge/ebt_among.h
new file mode 100644
index 000000000000..bd4e3ad0b706
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_among.h
@@ -0,0 +1,64 @@
+#ifndef __LINUX_BRIDGE_EBT_AMONG_H
+#define __LINUX_BRIDGE_EBT_AMONG_H
+
+#include <linux/types.h>
+
+#define EBT_AMONG_DST 0x01
+#define EBT_AMONG_SRC 0x02
+
+/* Grzegorz Borowiak <grzes@gnu.univ.gda.pl> 2003
+ * 
+ * Write-once-read-many hash table, used for checking if a given
+ * MAC address belongs to a set or not and possibly for checking
+ * if it is related with a given IPv4 address.
+ *
+ * The hash value of an address is its last byte.
+ * 
+ * In real-world ethernet addresses, values of the last byte are
+ * evenly distributed and there is no need to consider other bytes.
+ * It would only slow the routines down.
+ *
+ * For MAC address comparison speedup reasons, we introduce a trick.
+ * MAC address is mapped onto an array of two 32-bit integers.
+ * This pair of integers is compared with MAC addresses in the
+ * hash table, which are stored also in form of pairs of integers
+ * (in `cmp' array). This is quick as it requires only two elementary
+ * number comparisons in worst case. Further, we take advantage of
+ * fact that entropy of 3 last bytes of address is larger than entropy
+ * of 3 first bytes. So first we compare 4 last bytes of addresses and
+ * if they are the same we compare 2 first.
+ *
+ * Yes, it is a memory overhead, but in 2003 AD, who cares?
+ */
+
+struct ebt_mac_wormhash_tuple {
+        __u32 cmp[2];
+        __be32 ip;
+};
+
+struct ebt_mac_wormhash {
+        int table[257];
+        int poolsize;
+        struct ebt_mac_wormhash_tuple pool[0];
+};
+
+#define ebt_mac_wormhash_size(x) ((x) ? sizeof(struct ebt_mac_wormhash) \
+                + (x)->poolsize * sizeof(struct ebt_mac_wormhash_tuple) : 0)
+
+struct ebt_among_info {
+        int wh_dst_ofs;
+        int wh_src_ofs;
+        int bitmask;
+};
+
+#define EBT_AMONG_DST_NEG 0x1
+#define EBT_AMONG_SRC_NEG 0x2
+
+#define ebt_among_wh_dst(x) ((x)->wh_dst_ofs ? \
+        (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_dst_ofs) : NULL)
+#define ebt_among_wh_src(x) ((x)->wh_src_ofs ? \
+        (struct ebt_mac_wormhash*)((char*)(x) + (x)->wh_src_ofs) : NULL)
+
+#define EBT_AMONG_MATCH "among"
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_arp.h b/include/uapi/linux/netfilter_bridge/ebt_arp.h
new file mode 100644
index 000000000000..522f3e427f49
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_arp.h
@@ -0,0 +1,36 @@
+#ifndef __LINUX_BRIDGE_EBT_ARP_H
+#define __LINUX_BRIDGE_EBT_ARP_H
+
+#include <linux/types.h>
+
+#define EBT_ARP_OPCODE 0x01
+#define EBT_ARP_HTYPE 0x02
+#define EBT_ARP_PTYPE 0x04
+#define EBT_ARP_SRC_IP 0x08
+#define EBT_ARP_DST_IP 0x10
+#define EBT_ARP_SRC_MAC 0x20
+#define EBT_ARP_DST_MAC 0x40
+#define EBT_ARP_GRAT 0x80
+#define EBT_ARP_MASK (EBT_ARP_OPCODE | EBT_ARP_HTYPE | EBT_ARP_PTYPE | \
+   EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC | \
+   EBT_ARP_GRAT)
+#define EBT_ARP_MATCH "arp"
+
+struct ebt_arp_info
+{
+        __be16 htype;
+        __be16 ptype;
+        __be16 opcode;
+        __be32 saddr;
+        __be32 smsk;
+        __be32 daddr;
+        __be32 dmsk;
+        unsigned char smaddr[ETH_ALEN];
+        unsigned char smmsk[ETH_ALEN];
+        unsigned char dmaddr[ETH_ALEN];
+        unsigned char dmmsk[ETH_ALEN];
+        __u8  bitmask;
+        __u8  invflags;
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_arpreply.h b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
new file mode 100644
index 000000000000..7e77896e1fbf
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_arpreply.h
@@ -0,0 +1,10 @@
+#ifndef __LINUX_BRIDGE_EBT_ARPREPLY_H
+#define __LINUX_BRIDGE_EBT_ARPREPLY_H
+
+struct ebt_arpreply_info {
+        unsigned char mac[ETH_ALEN];
+        int target;
+};
+#define EBT_ARPREPLY_TARGET "arpreply"
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_ip.h b/include/uapi/linux/netfilter_bridge/ebt_ip.h
new file mode 100644
index 000000000000..c4bbc41b0ea4
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip.h
@@ -0,0 +1,44 @@
+/*
+ *  ebt_ip
+ *
+ *      Authors:
+ *      Bart De Schuymer <bart.de.schuymer@pandora.be>
+ *
+ *  April, 2002
+ *
+ *  Changes:
+ *    added ip-sport and ip-dport
+ *    Innominate Security Technologies AG <mhopf@innominate.com>
+ *    September, 2002
+ */
+
+#ifndef __LINUX_BRIDGE_EBT_IP_H
+#define __LINUX_BRIDGE_EBT_IP_H
+
+#include <linux/types.h>
+
+#define EBT_IP_SOURCE 0x01
+#define EBT_IP_DEST 0x02
+#define EBT_IP_TOS 0x04
+#define EBT_IP_PROTO 0x08
+#define EBT_IP_SPORT 0x10
+#define EBT_IP_DPORT 0x20
+#define EBT_IP_MASK (EBT_IP_SOURCE | EBT_IP_DEST | EBT_IP_TOS | EBT_IP_PROTO |\
+ EBT_IP_SPORT | EBT_IP_DPORT )
+#define EBT_IP_MATCH "ip"
+
+/* the same values are used for the invflags */
+struct ebt_ip_info {
+        __be32 saddr;
+        __be32 daddr;
+        __be32 smsk;
+        __be32 dmsk;
+        __u8  tos;
+        __u8  protocol;
+        __u8  bitmask;
+        __u8  invflags;
+        __u16 sport[2];
+        __u16 dport[2];
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_ip6.h b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
new file mode 100644
index 000000000000..42b889682721
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_ip6.h
@@ -0,0 +1,50 @@
+/*
+ *  ebt_ip6
+ *
+ *      Authors:
+ * Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
+ * Manohar Castelino <manohar.r.castelino@intel.com>
+ *
+ *  Jan 11, 2008
+ *
+ */
+
+#ifndef __LINUX_BRIDGE_EBT_IP6_H
+#define __LINUX_BRIDGE_EBT_IP6_H
+
+#include <linux/types.h>
+
+#define EBT_IP6_SOURCE 0x01
+#define EBT_IP6_DEST 0x02
+#define EBT_IP6_TCLASS 0x04
+#define EBT_IP6_PROTO 0x08
+#define EBT_IP6_SPORT 0x10
+#define EBT_IP6_DPORT 0x20
+#define EBT_IP6_ICMP6 0x40
+
+#define EBT_IP6_MASK (EBT_IP6_SOURCE | EBT_IP6_DEST | EBT_IP6_TCLASS |\
+                      EBT_IP6_PROTO | EBT_IP6_SPORT | EBT_IP6_DPORT | \
+                      EBT_IP6_ICMP6)
+#define EBT_IP6_MATCH "ip6"
+
+/* the same values are used for the invflags */
+struct ebt_ip6_info {
+        struct in6_addr saddr;
+        struct in6_addr daddr;
+        struct in6_addr smsk;
+        struct in6_addr dmsk;
+        __u8  tclass;
+        __u8  protocol;
+        __u8  bitmask;
+        __u8  invflags;
+        union {
+                __u16 sport[2];
+                __u8 icmpv6_type[2];
+        };
+        union {
+                __u16 dport[2];
+                __u8 icmpv6_code[2];
+        };
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_limit.h b/include/uapi/linux/netfilter_bridge/ebt_limit.h
new file mode 100644
index 000000000000..66d80b30ba0e
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_limit.h
@@ -0,0 +1,24 @@
+#ifndef __LINUX_BRIDGE_EBT_LIMIT_H
+#define __LINUX_BRIDGE_EBT_LIMIT_H
+
+#include <linux/types.h>
+
+#define EBT_LIMIT_MATCH "limit"
+
+/* timings are in milliseconds. */
+#define EBT_LIMIT_SCALE 10000
+
+/* 1/10,000 sec period => max of 10,000/sec.  Min rate is then 429490
+   seconds, or one every 59 hours. */
+
+struct ebt_limit_info {
+        __u32 avg;    /* Average secs between packets * scale */
+        __u32 burst;  /* Period multiplier for upper limit. */
+
+        /* Used internally by the kernel */
+        unsigned long prev;
+        __u32 credit;
+        __u32 credit_cap, cost;
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_log.h b/include/uapi/linux/netfilter_bridge/ebt_log.h
new file mode 100644
index 000000000000..7e7f1d1fe494
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_log.h
@@ -0,0 +1,20 @@
+#ifndef __LINUX_BRIDGE_EBT_LOG_H
+#define __LINUX_BRIDGE_EBT_LOG_H
+
+#include <linux/types.h>
+
+#define EBT_LOG_IP 0x01 /* if the frame is made by ip, log the ip information */
+#define EBT_LOG_ARP 0x02
+#define EBT_LOG_NFLOG 0x04
+#define EBT_LOG_IP6 0x08
+#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_IP6)
+#define EBT_LOG_PREFIX_SIZE 30
+#define EBT_LOG_WATCHER "log"
+
+struct ebt_log_info {
+        __u8 loglevel;
+        __u8 prefix[EBT_LOG_PREFIX_SIZE];
+        __u32 bitmask;
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_mark_m.h b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
new file mode 100644
index 000000000000..410f9e5a71d4
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_m.h
@@ -0,0 +1,16 @@
+#ifndef __LINUX_BRIDGE_EBT_MARK_M_H
+#define __LINUX_BRIDGE_EBT_MARK_M_H
+
+#include <linux/types.h>
+
+#define EBT_MARK_AND 0x01
+#define EBT_MARK_OR 0x02
+#define EBT_MARK_MASK (EBT_MARK_AND | EBT_MARK_OR)
+struct ebt_mark_m_info {
+        unsigned long mark, mask;
+        __u8 invert;
+        __u8 bitmask;
+};
+#define EBT_MARK_MATCH "mark_m"
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_mark_t.h b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
new file mode 100644
index 000000000000..7d5a268a4311
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_mark_t.h
@@ -0,0 +1,23 @@
+#ifndef __LINUX_BRIDGE_EBT_MARK_T_H
+#define __LINUX_BRIDGE_EBT_MARK_T_H
+
+/* The target member is reused for adding new actions, the
+ * value of the real target is -1 to -NUM_STANDARD_TARGETS.
+ * For backward compatibility, the 4 lsb (2 would be enough,
+ * but let's play it safe) are kept to designate this target.
+ * The remaining bits designate the action. By making the set
+ * action 0xfffffff0, the result will look ok for older
+ * versions. [September 2006] */
+#define MARK_SET_VALUE (0xfffffff0)
+#define MARK_OR_VALUE  (0xffffffe0)
+#define MARK_AND_VALUE (0xffffffd0)
+#define MARK_XOR_VALUE (0xffffffc0)
+
+struct ebt_mark_t_info {
+        unsigned long mark;
+        /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */
+        int target;
+};
+#define EBT_MARK_TARGET "mark"
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_nat.h b/include/uapi/linux/netfilter_bridge/ebt_nat.h
new file mode 100644
index 000000000000..5e74e3b03bd6
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_nat.h
@@ -0,0 +1,13 @@
+#ifndef __LINUX_BRIDGE_EBT_NAT_H
+#define __LINUX_BRIDGE_EBT_NAT_H
+
+#define NAT_ARP_BIT  (0x00000010)
+struct ebt_nat_info {
+        unsigned char mac[ETH_ALEN];
+        /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */
+        int target;
+};
+#define EBT_SNAT_TARGET "snat"
+#define EBT_DNAT_TARGET "dnat"
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_nflog.h b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
new file mode 100644
index 000000000000..df829fce9125
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_nflog.h
@@ -0,0 +1,23 @@
+#ifndef __LINUX_BRIDGE_EBT_NFLOG_H
+#define __LINUX_BRIDGE_EBT_NFLOG_H
+
+#include <linux/types.h>
+
+#define EBT_NFLOG_MASK 0x0
+
+#define EBT_NFLOG_PREFIX_SIZE 64
+#define EBT_NFLOG_WATCHER "nflog"
+
+#define EBT_NFLOG_DEFAULT_GROUP         0x1
+#define EBT_NFLOG_DEFAULT_THRESHOLD     1
+
+struct ebt_nflog_info {
+        __u32 len;
+        __u16 group;
+        __u16 threshold;
+        __u16 flags;
+        __u16 pad;
+        char prefix[EBT_NFLOG_PREFIX_SIZE];
+};
+
+#endif                          /* __LINUX_BRIDGE_EBT_NFLOG_H */
diff --git a/include/uapi/linux/netfilter_bridge/ebt_pkttype.h b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
new file mode 100644
index 000000000000..c241badcd036
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_pkttype.h
@@ -0,0 +1,12 @@
+#ifndef __LINUX_BRIDGE_EBT_PKTTYPE_H
+#define __LINUX_BRIDGE_EBT_PKTTYPE_H
+
+#include <linux/types.h>
+
+struct ebt_pkttype_info {
+        __u8 pkt_type;
+        __u8 invert;
+};
+#define EBT_PKTTYPE_MATCH "pkttype"
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_redirect.h b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
new file mode 100644
index 000000000000..dd9622ce8488
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_redirect.h
@@ -0,0 +1,10 @@
+#ifndef __LINUX_BRIDGE_EBT_REDIRECT_H
+#define __LINUX_BRIDGE_EBT_REDIRECT_H
+
+struct ebt_redirect_info {
+        /* EBT_ACCEPT, EBT_DROP, EBT_CONTINUE or EBT_RETURN */
+        int target;
+};
+#define EBT_REDIRECT_TARGET "redirect"
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_stp.h b/include/uapi/linux/netfilter_bridge/ebt_stp.h
new file mode 100644
index 000000000000..1025b9f5fb7d
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_stp.h
@@ -0,0 +1,46 @@
+#ifndef __LINUX_BRIDGE_EBT_STP_H
+#define __LINUX_BRIDGE_EBT_STP_H
+
+#include <linux/types.h>
+
+#define EBT_STP_TYPE            0x0001
+
+#define EBT_STP_FLAGS           0x0002
+#define EBT_STP_ROOTPRIO        0x0004
+#define EBT_STP_ROOTADDR        0x0008
+#define EBT_STP_ROOTCOST        0x0010
+#define EBT_STP_SENDERPRIO      0x0020
+#define EBT_STP_SENDERADDR      0x0040
+#define EBT_STP_PORT            0x0080
+#define EBT_STP_MSGAGE          0x0100
+#define EBT_STP_MAXAGE          0x0200
+#define EBT_STP_HELLOTIME       0x0400
+#define EBT_STP_FWDD            0x0800
+
+#define EBT_STP_MASK            0x0fff
+#define EBT_STP_CONFIG_MASK     0x0ffe
+
+#define EBT_STP_MATCH "stp"
+
+struct ebt_stp_config_info {
+        __u8 flags;
+        __u16 root_priol, root_priou;
+        char root_addr[6], root_addrmsk[6];
+        __u32 root_costl, root_costu;
+        __u16 sender_priol, sender_priou;
+        char sender_addr[6], sender_addrmsk[6];
+        __u16 portl, portu;
+        __u16 msg_agel, msg_ageu;
+        __u16 max_agel, max_ageu;
+        __u16 hello_timel, hello_timeu;
+        __u16 forward_delayl, forward_delayu;
+};
+
+struct ebt_stp_info {
+        __u8 type;
+        struct ebt_stp_config_info config;
+        __u16 bitmask;
+        __u16 invflags;
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebt_ulog.h b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
new file mode 100644
index 000000000000..89a6becb5269
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_ulog.h
@@ -0,0 +1,38 @@
+#ifndef _EBT_ULOG_H
+#define _EBT_ULOG_H
+
+#include <linux/types.h>
+
+#define EBT_ULOG_DEFAULT_NLGROUP 0
+#define EBT_ULOG_DEFAULT_QTHRESHOLD 1
+#define EBT_ULOG_MAXNLGROUPS 32 /* hardcoded netlink max */
+#define EBT_ULOG_PREFIX_LEN 32
+#define EBT_ULOG_MAX_QLEN 50
+#define EBT_ULOG_WATCHER "ulog"
+#define EBT_ULOG_VERSION 1
+
+struct ebt_ulog_info {
+        __u32 nlgroup;
+        unsigned int cprange;
+        unsigned int qthreshold;
+        char prefix[EBT_ULOG_PREFIX_LEN];
+};
+
+typedef struct ebt_ulog_packet_msg {
+        int version;
+        char indev[IFNAMSIZ];
+        char outdev[IFNAMSIZ];
+        char physindev[IFNAMSIZ];
+        char physoutdev[IFNAMSIZ];
+        char prefix[EBT_ULOG_PREFIX_LEN];
+        struct timeval stamp;
+        unsigned long mark;
+        unsigned int hook;
+        size_t data_len;
+        /* The complete packet, including Ethernet header and perhaps
+         * the VLAN header is appended */
+        unsigned char data[0] __attribute__
+                              ((aligned (__alignof__(struct ebt_ulog_info))));
+} ebt_ulog_packet_msg_t;
+
+#endif /* _EBT_ULOG_H */
diff --git a/include/uapi/linux/netfilter_bridge/ebt_vlan.h b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
new file mode 100644
index 000000000000..967d1d5cf98d
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebt_vlan.h
@@ -0,0 +1,22 @@
+#ifndef __LINUX_BRIDGE_EBT_VLAN_H
+#define __LINUX_BRIDGE_EBT_VLAN_H
+
+#include <linux/types.h>
+
+#define EBT_VLAN_ID     0x01
+#define EBT_VLAN_PRIO   0x02
+#define EBT_VLAN_ENCAP  0x04
+#define EBT_VLAN_MASK (EBT_VLAN_ID | EBT_VLAN_PRIO | EBT_VLAN_ENCAP)
+#define EBT_VLAN_MATCH "vlan"
+
+struct ebt_vlan_info {
+        __u16 id;               /* VLAN ID {1-4095} */
+        __u8 prio;              /* VLAN User Priority {0-7} */
+        __be16 encap;           /* VLAN Encapsulated frame code {0-65535} */
+        __u8 bitmask;           /* Args bitmask bit 1=1 - ID arg,
+                                   bit 2=1 User-Priority arg, bit 3=1 encap*/
+        __u8 invflags;          /* Inverse bitmask  bit 1=1 - inversed ID arg, 
+                                   bit 2=1 - inversed Pirority arg */
+};
+
+#endif
diff --git a/include/uapi/linux/netfilter_bridge/ebtables.h b/include/uapi/linux/netfilter_bridge/ebtables.h
new file mode 100644
index 000000000000..ba993360dbe9
--- /dev/null
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -0,0 +1,268 @@
+/*
+ *  ebtables
+ *
+ *      Authors:
+ *      Bart De Schuymer                <bdschuym@pandora.be>
+ *
+ *  ebtables.c,v 2.0, April, 2002
+ *
+ *  This code is stongly inspired on the iptables code which is
+ *  Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
+ */
+
+#ifndef _UAPI__LINUX_BRIDGE_EFF_H
+#define _UAPI__LINUX_BRIDGE_EFF_H
+#include <linux/if.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/if_ether.h>
+
+#define EBT_TABLE_MAXNAMELEN 32
+#define EBT_CHAIN_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+#define EBT_FUNCTION_MAXNAMELEN EBT_TABLE_MAXNAMELEN
+
+/* verdicts >0 are "branches" */
+#define EBT_ACCEPT   -1
+#define EBT_DROP     -2
+#define EBT_CONTINUE -3
+#define EBT_RETURN   -4
+#define NUM_STANDARD_TARGETS   4
+/* ebtables target modules store the verdict inside an int. We can
+ * reclaim a part of this int for backwards compatible extensions.
+ * The 4 lsb are more than enough to store the verdict. */
+#define EBT_VERDICT_BITS 0x0000000F
+
+struct xt_match;
+struct xt_target;
+
+struct ebt_counter {
+        uint64_t pcnt;
+        uint64_t bcnt;
+};
+
+struct ebt_replace {
+        char name[EBT_TABLE_MAXNAMELEN];
+        unsigned int valid_hooks;
+        /* nr of rules in the table */
+        unsigned int nentries;
+        /* total size of the entries */
+        unsigned int entries_size;
+        /* start of the chains */
+        struct ebt_entries __user *hook_entry[NF_BR_NUMHOOKS];
+        /* nr of counters userspace expects back */
+        unsigned int num_counters;
+        /* where the kernel will put the old counters */
+        struct ebt_counter __user *counters;
+        char __user *entries;
+};
+
+struct ebt_replace_kernel {
+        char name[EBT_TABLE_MAXNAMELEN];
+        unsigned int valid_hooks;
+        /* nr of rules in the table */
+        unsigned int nentries;
+        /* total size of the entries */
+        unsigned int entries_size;
+        /* start of the chains */
+        struct ebt_entries *hook_entry[NF_BR_NUMHOOKS];
+        /* nr of counters userspace expects back */
+        unsigned int num_counters;
+        /* where the kernel will put the old counters */
+        struct ebt_counter *counters;
+        char *entries;
+};
+
+struct ebt_entries {
+        /* this field is always set to zero
+         * See EBT_ENTRY_OR_ENTRIES.
+         * Must be same size as ebt_entry.bitmask */
+        unsigned int distinguisher;
+        /* the chain name */
+        char name[EBT_CHAIN_MAXNAMELEN];
+        /* counter offset for this chain */
+        unsigned int counter_offset;
+        /* one standard (accept, drop, return) per hook */
+        int policy;
+        /* nr. of entries */
+        unsigned int nentries;
+        /* entry list */
+        char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+/* used for the bitmask of struct ebt_entry */
+
+/* This is a hack to make a difference between an ebt_entry struct and an
+ * ebt_entries struct when traversing the entries from start to end.
+ * Using this simplifies the code a lot, while still being able to use
+ * ebt_entries.
+ * Contrary, iptables doesn't use something like ebt_entries and therefore uses
+ * different techniques for naming the policy and such. So, iptables doesn't
+ * need a hack like this.
+ */
+#define EBT_ENTRY_OR_ENTRIES 0x01
+/* these are the normal masks */
+#define EBT_NOPROTO 0x02
+#define EBT_802_3 0x04
+#define EBT_SOURCEMAC 0x08
+#define EBT_DESTMAC 0x10
+#define EBT_F_MASK (EBT_NOPROTO | EBT_802_3 | EBT_SOURCEMAC | EBT_DESTMAC \
+   | EBT_ENTRY_OR_ENTRIES)
+
+#define EBT_IPROTO 0x01
+#define EBT_IIN 0x02
+#define EBT_IOUT 0x04
+#define EBT_ISOURCE 0x8
+#define EBT_IDEST 0x10
+#define EBT_ILOGICALIN 0x20
+#define EBT_ILOGICALOUT 0x40
+#define EBT_INV_MASK (EBT_IPROTO | EBT_IIN | EBT_IOUT | EBT_ILOGICALIN \
+   | EBT_ILOGICALOUT | EBT_ISOURCE | EBT_IDEST)
+
+struct ebt_entry_match {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_match *match;
+        } u;
+        /* size of data */
+        unsigned int match_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+struct ebt_entry_watcher {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_target *watcher;
+        } u;
+        /* size of data */
+        unsigned int watcher_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+struct ebt_entry_target {
+        union {
+                char name[EBT_FUNCTION_MAXNAMELEN];
+                struct xt_target *target;
+        } u;
+        /* size of data */
+        unsigned int target_size;
+        unsigned char data[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+#define EBT_STANDARD_TARGET "standard"
+struct ebt_standard_target {
+        struct ebt_entry_target target;
+        int verdict;
+};
+
+/* one entry */
+struct ebt_entry {
+        /* this needs to be the first field */
+        unsigned int bitmask;
+        unsigned int invflags;
+        __be16 ethproto;
+        /* the physical in-dev */
+        char in[IFNAMSIZ];
+        /* the logical in-dev */
+        char logical_in[IFNAMSIZ];
+        /* the physical out-dev */
+        char out[IFNAMSIZ];
+        /* the logical out-dev */
+        char logical_out[IFNAMSIZ];
+        unsigned char sourcemac[ETH_ALEN];
+        unsigned char sourcemsk[ETH_ALEN];
+        unsigned char destmac[ETH_ALEN];
+        unsigned char destmsk[ETH_ALEN];
+        /* sizeof ebt_entry + matches */
+        unsigned int watchers_offset;
+        /* sizeof ebt_entry + matches + watchers */
+        unsigned int target_offset;
+        /* sizeof ebt_entry + matches + watchers + target */
+        unsigned int next_offset;
+        unsigned char elems[0] __attribute__ ((aligned (__alignof__(struct ebt_replace))));
+};
+
+/* {g,s}etsockopt numbers */
+#define EBT_BASE_CTL            128
+
+#define EBT_SO_SET_ENTRIES      (EBT_BASE_CTL)
+#define EBT_SO_SET_COUNTERS     (EBT_SO_SET_ENTRIES+1)
+#define EBT_SO_SET_MAX          (EBT_SO_SET_COUNTERS+1)
+
+#define EBT_SO_GET_INFO         (EBT_BASE_CTL)
+#define EBT_SO_GET_ENTRIES      (EBT_SO_GET_INFO+1)
+#define EBT_SO_GET_INIT_INFO    (EBT_SO_GET_ENTRIES+1)
+#define EBT_SO_GET_INIT_ENTRIES (EBT_SO_GET_INIT_INFO+1)
+#define EBT_SO_GET_MAX          (EBT_SO_GET_INIT_ENTRIES+1)
+
+
+/* blatently stolen from ip_tables.h
+ * fn returns 0 to continue iteration */
+#define EBT_MATCH_ITERATE(e, fn, args...)                   \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry_match *__match;                    \
+                                                            \
+        for (__i = sizeof(struct ebt_entry);                \
+             __i < (e)->watchers_offset;                    \
+             __i += __match->match_size +                   \
+             sizeof(struct ebt_entry_match)) {              \
+                __match = (void *)(e) + __i;                \
+                                                            \
+                __ret = fn(__match , ## args);              \
+                if (__ret != 0)                             \
+                        break;                              \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (e)->watchers_offset)            \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+
+#define EBT_WATCHER_ITERATE(e, fn, args...)                 \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry_watcher *__watcher;                \
+                                                            \
+        for (__i = e->watchers_offset;                      \
+             __i < (e)->target_offset;                      \
+             __i += __watcher->watcher_size +               \
+             sizeof(struct ebt_entry_watcher)) {            \
+                __watcher = (void *)(e) + __i;              \
+                                                            \
+                __ret = fn(__watcher , ## args);            \
+                if (__ret != 0)                             \
+                        break;                              \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (e)->target_offset)              \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+
+#define EBT_ENTRY_ITERATE(entries, size, fn, args...)       \
+({                                                          \
+        unsigned int __i;                                   \
+        int __ret = 0;                                      \
+        struct ebt_entry *__entry;                          \
+                                                            \
+        for (__i = 0; __i < (size);) {                      \
+                __entry = (void *)(entries) + __i;          \
+                __ret = fn(__entry , ## args);              \
+                if (__ret != 0)                             \
+                        break;                              \
+                if (__entry->bitmask != 0)                  \
+                        __i += __entry->next_offset;        \
+                else                                        \
+                        __i += sizeof(struct ebt_entries);  \
+        }                                                   \
+        if (__ret == 0) {                                   \
+                if (__i != (size))                          \
+                        __ret = -EINVAL;                    \
+        }                                                   \
+        __ret;                                              \
+})
+
+#endif /* _UAPI__LINUX_BRIDGE_EFF_H */
diff --git a/include/uapi/linux/netfilter_ipv4/Kbuild b/include/uapi/linux/netfilter_ipv4/Kbuild
index aafaa5aa54d4..fb008437dde1 100644
--- a/include/uapi/linux/netfilter_ipv4/Kbuild
+++ b/include/uapi/linux/netfilter_ipv4/Kbuild
@@ -1 +1,11 @@
 # UAPI Header export list
+header-y += ip_tables.h
+header-y += ipt_CLUSTERIP.h
+header-y += ipt_ECN.h
+header-y += ipt_LOG.h
+header-y += ipt_REJECT.h
+header-y += ipt_TTL.h
+header-y += ipt_ULOG.h
+header-y += ipt_ah.h
+header-y += ipt_ecn.h
+header-y += ipt_ttl.h
diff --git a/include/uapi/linux/netfilter_ipv4/ip_tables.h b/include/uapi/linux/netfilter_ipv4/ip_tables.h
new file mode 100644
index 000000000000..f1e6ef256034
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ip_tables.h
@@ -0,0 +1,229 @@
+/*
+ * 25-Jul-1998 Major changes to allow for ip chain table
+ *
+ * 3-Jan-2000 Named tables to allow packet selection for different uses.
+ */
+
+/*
+ *      Format of an IP firewall descriptor
+ *
+ *      src, dst, src_mask, dst_mask are always stored in network byte order.
+ *      flags are stored in host byte order (of course).
+ *      Port numbers are stored in HOST byte order.
+ */
+
+#ifndef _UAPI_IPTABLES_H
+#define _UAPI_IPTABLES_H
+
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_ipv4.h>
+
+#include <linux/netfilter/x_tables.h>
+
+#ifndef __KERNEL__
+#define IPT_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IPT_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define ipt_match xt_match
+#define ipt_target xt_target
+#define ipt_table xt_table
+#define ipt_get_revision xt_get_revision
+#define ipt_entry_match xt_entry_match
+#define ipt_entry_target xt_entry_target
+#define ipt_standard_target xt_standard_target
+#define ipt_error_target xt_error_target
+#define ipt_counters xt_counters
+#define IPT_CONTINUE XT_CONTINUE
+#define IPT_RETURN XT_RETURN
+
+/* This group is older than old (iptables < v1.4.0-rc1~89) */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ipt_udp xt_udp
+#define ipt_tcp xt_tcp
+#define IPT_TCP_INV_SRCPT       XT_TCP_INV_SRCPT
+#define IPT_TCP_INV_DSTPT       XT_TCP_INV_DSTPT
+#define IPT_TCP_INV_FLAGS       XT_TCP_INV_FLAGS
+#define IPT_TCP_INV_OPTION      XT_TCP_INV_OPTION
+#define IPT_TCP_INV_MASK        XT_TCP_INV_MASK
+#define IPT_UDP_INV_SRCPT       XT_UDP_INV_SRCPT
+#define IPT_UDP_INV_DSTPT       XT_UDP_INV_DSTPT
+#define IPT_UDP_INV_MASK        XT_UDP_INV_MASK
+
+/* The argument to IPT_SO_ADD_COUNTERS. */
+#define ipt_counters_info xt_counters_info
+/* Standard return verdict, or do jump. */
+#define IPT_STANDARD_TARGET XT_STANDARD_TARGET
+/* Error verdict. */
+#define IPT_ERROR_TARGET XT_ERROR_TARGET
+
+/* fn returns 0 to continue iteration */
+#define IPT_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
+
+/* fn returns 0 to continue iteration */
+#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
+#endif
+
+/* Yes, Virginia, you have to zero the padding. */
+struct ipt_ip {
+        /* Source and destination IP addr */
+        struct in_addr src, dst;
+        /* Mask for src and dest IP addr */
+        struct in_addr smsk, dmsk;
+        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+
+        /* Protocol, 0 = ANY */
+        __u16 proto;
+
+        /* Flags word */
+        __u8 flags;
+        /* Inverse flags */
+        __u8 invflags;
+};
+
+/* Values for "flag" field in struct ipt_ip (general ip structure). */
+#define IPT_F_FRAG              0x01    /* Set if rule is a fragment rule */
+#define IPT_F_GOTO              0x02    /* Set if jump is a goto */
+#define IPT_F_MASK              0x03    /* All possible flag bits mask. */
+
+/* Values for "inv" field in struct ipt_ip. */
+#define IPT_INV_VIA_IN          0x01    /* Invert the sense of IN IFACE. */
+#define IPT_INV_VIA_OUT         0x02    /* Invert the sense of OUT IFACE */
+#define IPT_INV_TOS             0x04    /* Invert the sense of TOS. */
+#define IPT_INV_SRCIP           0x08    /* Invert the sense of SRC IP. */
+#define IPT_INV_DSTIP           0x10    /* Invert the sense of DST OP. */
+#define IPT_INV_FRAG            0x20    /* Invert the sense of FRAG. */
+#define IPT_INV_PROTO           XT_INV_PROTO
+#define IPT_INV_MASK            0x7F    /* All possible flag bits mask. */
+
+/* This structure defines each of the firewall rules.  Consists of 3
+   parts which are 1) general IP header stuff 2) match specific
+   stuff 3) the target to perform if the rule matches */
+struct ipt_entry {
+        struct ipt_ip ip;
+
+        /* Mark with fields that we care about. */
+        unsigned int nfcache;
+
+        /* Size of ipt_entry + matches */
+        __u16 target_offset;
+        /* Size of ipt_entry + matches + target */
+        __u16 next_offset;
+
+        /* Back pointer */
+        unsigned int comefrom;
+
+        /* Packet and byte counters. */
+        struct xt_counters counters;
+
+        /* The matches (if any), then the target. */
+        unsigned char elems[0];
+};
+
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use a raw
+ * socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in.h before adding new number here.
+ */
+#define IPT_BASE_CTL            64
+
+#define IPT_SO_SET_REPLACE      (IPT_BASE_CTL)
+#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
+#define IPT_SO_SET_MAX          IPT_SO_SET_ADD_COUNTERS
+
+#define IPT_SO_GET_INFO                 (IPT_BASE_CTL)
+#define IPT_SO_GET_ENTRIES              (IPT_BASE_CTL + 1)
+#define IPT_SO_GET_REVISION_MATCH       (IPT_BASE_CTL + 2)
+#define IPT_SO_GET_REVISION_TARGET      (IPT_BASE_CTL + 3)
+#define IPT_SO_GET_MAX                  IPT_SO_GET_REVISION_TARGET
+
+/* ICMP matching stuff */
+struct ipt_icmp {
+        __u8 type;                              /* type to match */
+        __u8 code[2];                           /* range of code */
+        __u8 invflags;                          /* Inverse flags */
+};
+
+/* Values for "inv" field for struct ipt_icmp. */
+#define IPT_ICMP_INV    0x01    /* Invert the sense of type/code test */
+
+/* The argument to IPT_SO_GET_INFO */
+struct ipt_getinfo {
+        /* Which table: caller fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* Kernel fills these in. */
+        /* Which hook entry points are valid: bitmask */
+        unsigned int valid_hooks;
+
+        /* Hook entry points: one per netfilter hook. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+
+        /* Number of entries */
+        unsigned int num_entries;
+
+        /* Size of entries. */
+        unsigned int size;
+};
+
+/* The argument to IPT_SO_SET_REPLACE. */
+struct ipt_replace {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* Which hook entry points are valid: bitmask.  You can't
+           change this. */
+        unsigned int valid_hooks;
+
+        /* Number of entries */
+        unsigned int num_entries;
+
+        /* Total size of new entries */
+        unsigned int size;
+
+        /* Hook entry points. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+
+        /* Information about old entries: */
+        /* Number of counters (must be equal to current number of entries). */
+        unsigned int num_counters;
+        /* The old entries' counters. */
+        struct xt_counters __user *counters;
+
+        /* The entries (hang off end: not really an array). */
+        struct ipt_entry entries[0];
+};
+
+/* The argument to IPT_SO_GET_ENTRIES. */
+struct ipt_get_entries {
+        /* Which table: user fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* User fills this in: total entry size. */
+        unsigned int size;
+
+        /* The entries. */
+        struct ipt_entry entrytable[0];
+};
+
+/* Helper functions */
+static __inline__ struct xt_entry_target *
+ipt_get_target(struct ipt_entry *e)
+{
+        return (void *)e + e->target_offset;
+}
+
+/*
+ *      Main firewall chains definitions and global var's definitions.
+ */
+#endif /* _UAPI_IPTABLES_H */
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h
new file mode 100644
index 000000000000..c6a204c97047
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_CLUSTERIP.h
@@ -0,0 +1,36 @@
+#ifndef _IPT_CLUSTERIP_H_target
+#define _IPT_CLUSTERIP_H_target
+
+#include <linux/types.h>
+
+enum clusterip_hashmode {
+    CLUSTERIP_HASHMODE_SIP = 0,
+    CLUSTERIP_HASHMODE_SIP_SPT,
+    CLUSTERIP_HASHMODE_SIP_SPT_DPT,
+};
+
+#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
+
+#define CLUSTERIP_MAX_NODES 16
+
+#define CLUSTERIP_FLAG_NEW 0x00000001
+
+struct clusterip_config;
+
+struct ipt_clusterip_tgt_info {
+
+        __u32 flags;
+
+        /* only relevant for new ones */
+        __u8 clustermac[6];
+        __u16 num_total_nodes;
+        __u16 num_local_nodes;
+        __u16 local_nodes[CLUSTERIP_MAX_NODES];
+        __u32 hash_mode;
+        __u32 hash_initval;
+
+        /* Used internally by the kernel */
+        struct clusterip_config *config;
+};
+
+#endif /*_IPT_CLUSTERIP_H_target*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ECN.h b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h
new file mode 100644
index 000000000000..bb88d5315a4d
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ECN.h
@@ -0,0 +1,33 @@
+/* Header file for iptables ipt_ECN target
+ *
+ * (C) 2002 by Harald Welte <laforge@gnumonks.org>
+ *
+ * This software is distributed under GNU GPL v2, 1991
+ * 
+ * ipt_ECN.h,v 1.3 2002/05/29 12:17:40 laforge Exp
+*/
+#ifndef _IPT_ECN_TARGET_H
+#define _IPT_ECN_TARGET_H
+
+#include <linux/types.h>
+#include <linux/netfilter/xt_DSCP.h>
+
+#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
+
+#define IPT_ECN_OP_SET_IP       0x01    /* set ECN bits of IPv4 header */
+#define IPT_ECN_OP_SET_ECE      0x10    /* set ECE bit of TCP header */
+#define IPT_ECN_OP_SET_CWR      0x20    /* set CWR bit of TCP header */
+
+#define IPT_ECN_OP_MASK         0xce
+
+struct ipt_ECN_info {
+        __u8 operation; /* bitset of operations */
+        __u8 ip_ect;    /* ECT codepoint of IPv4 header, pre-shifted */
+        union {
+                struct {
+                        __u8 ece:1, cwr:1; /* TCP ECT bits */
+                } tcp;
+        } proto;
+};
+
+#endif /* _IPT_ECN_TARGET_H */
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_LOG.h b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h
new file mode 100644
index 000000000000..5d8152077d71
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_LOG.h
@@ -0,0 +1,21 @@
+#ifndef _IPT_LOG_H
+#define _IPT_LOG_H
+
+#warning "Please update iptables, this file will be removed soon!"
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IPT_LOG_TCPSEQ          0x01    /* Log TCP sequence numbers */
+#define IPT_LOG_TCPOPT          0x02    /* Log TCP options */
+#define IPT_LOG_IPOPT           0x04    /* Log IP options */
+#define IPT_LOG_UID             0x08    /* Log UID owning local socket */
+#define IPT_LOG_NFLOG           0x10    /* Unsupported, don't reuse */
+#define IPT_LOG_MACDECODE       0x20    /* Decode MAC header */
+#define IPT_LOG_MASK            0x2f
+
+struct ipt_log_info {
+        unsigned char level;
+        unsigned char logflags;
+        char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h
new file mode 100644
index 000000000000..4293a1ad1b01
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_REJECT.h
@@ -0,0 +1,20 @@
+#ifndef _IPT_REJECT_H
+#define _IPT_REJECT_H
+
+enum ipt_reject_with {
+        IPT_ICMP_NET_UNREACHABLE,
+        IPT_ICMP_HOST_UNREACHABLE,
+        IPT_ICMP_PROT_UNREACHABLE,
+        IPT_ICMP_PORT_UNREACHABLE,
+        IPT_ICMP_ECHOREPLY,
+        IPT_ICMP_NET_PROHIBITED,
+        IPT_ICMP_HOST_PROHIBITED,
+        IPT_TCP_RESET,
+        IPT_ICMP_ADMIN_PROHIBITED
+};
+
+struct ipt_reject_info {
+        enum ipt_reject_with with;      /* reject type */
+};
+
+#endif /*_IPT_REJECT_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_TTL.h b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h
new file mode 100644
index 000000000000..f6ac169d92f9
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_TTL.h
@@ -0,0 +1,23 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@netfilter.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+#include <linux/types.h>
+
+enum {
+        IPT_TTL_SET = 0,
+        IPT_TTL_INC,
+        IPT_TTL_DEC
+};
+
+#define IPT_TTL_MAXMODE IPT_TTL_DEC
+
+struct ipt_TTL_info {
+        __u8    mode;
+        __u8    ttl;
+};
+
+
+#endif
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h
new file mode 100644
index 000000000000..417aad280bcc
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ULOG.h
@@ -0,0 +1,49 @@
+/* Header file for IP tables userspace logging, Version 1.8
+ *
+ * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
+ * 
+ * Distributed under the terms of GNU GPL */
+
+#ifndef _IPT_ULOG_H
+#define _IPT_ULOG_H
+
+#ifndef NETLINK_NFLOG
+#define NETLINK_NFLOG   5
+#endif
+
+#define ULOG_DEFAULT_NLGROUP    1
+#define ULOG_DEFAULT_QTHRESHOLD 1
+
+#define ULOG_MAC_LEN    80
+#define ULOG_PREFIX_LEN 32
+
+#define ULOG_MAX_QLEN   50
+/* Why 50? Well... there is a limit imposed by the slab cache 131000
+ * bytes. So the multipart netlink-message has to be < 131000 bytes.
+ * Assuming a standard ethernet-mtu of 1500, we could define this up
+ * to 80... but even 50 seems to be big enough. */
+
+/* private data structure for each rule with a ULOG target */
+struct ipt_ulog_info {
+        unsigned int nl_group;
+        size_t copy_range;
+        size_t qthreshold;
+        char prefix[ULOG_PREFIX_LEN];
+};
+
+/* Format of the ULOG packets passed through netlink */
+typedef struct ulog_packet_msg {
+        unsigned long mark;
+        long timestamp_sec;
+        long timestamp_usec;
+        unsigned int hook;
+        char indev_name[IFNAMSIZ];
+        char outdev_name[IFNAMSIZ];
+        size_t data_len;
+        char prefix[ULOG_PREFIX_LEN];
+        unsigned char mac_len;
+        unsigned char mac[ULOG_MAC_LEN];
+        unsigned char payload[0];
+} ulog_packet_msg_t;
+
+#endif /*_IPT_ULOG_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ah.h b/include/uapi/linux/netfilter_ipv4/ipt_ah.h
new file mode 100644
index 000000000000..4e02bb0119e3
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ah.h
@@ -0,0 +1,17 @@
+#ifndef _IPT_AH_H
+#define _IPT_AH_H
+
+#include <linux/types.h>
+
+struct ipt_ah {
+        __u32 spis[2];                  /* Security Parameter Index */
+        __u8  invflags;                 /* Inverse flags */
+};
+
+
+
+/* Values for "invflags" field in struct ipt_ah. */
+#define IPT_AH_INV_SPI          0x01    /* Invert the sense of spi. */
+#define IPT_AH_INV_MASK 0x01    /* All possible flags. */
+
+#endif /*_IPT_AH_H*/
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ecn.h b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h
new file mode 100644
index 000000000000..0e0c063dbf60
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ecn.h
@@ -0,0 +1,15 @@
+#ifndef _IPT_ECN_H
+#define _IPT_ECN_H
+
+#include <linux/netfilter/xt_ecn.h>
+#define ipt_ecn_info xt_ecn_info
+
+enum {
+        IPT_ECN_IP_MASK       = XT_ECN_IP_MASK,
+        IPT_ECN_OP_MATCH_IP   = XT_ECN_OP_MATCH_IP,
+        IPT_ECN_OP_MATCH_ECE  = XT_ECN_OP_MATCH_ECE,
+        IPT_ECN_OP_MATCH_CWR  = XT_ECN_OP_MATCH_CWR,
+        IPT_ECN_OP_MATCH_MASK = XT_ECN_OP_MATCH_MASK,
+};
+
+#endif /* IPT_ECN_H */
diff --git a/include/uapi/linux/netfilter_ipv4/ipt_ttl.h b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h
new file mode 100644
index 000000000000..37bee4442486
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv4/ipt_ttl.h
@@ -0,0 +1,23 @@
+/* IP tables module for matching the value of the TTL
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+
+#ifndef _IPT_TTL_H
+#define _IPT_TTL_H
+
+#include <linux/types.h>
+
+enum {
+        IPT_TTL_EQ = 0,         /* equals */
+        IPT_TTL_NE,             /* not equals */
+        IPT_TTL_LT,             /* less than */
+        IPT_TTL_GT,             /* greater than */
+};
+
+
+struct ipt_ttl_info {
+        __u8    mode;
+        __u8    ttl;
+};
+
+
+#endif
diff --git a/include/uapi/linux/netfilter_ipv6/Kbuild b/include/uapi/linux/netfilter_ipv6/Kbuild
index aafaa5aa54d4..75a668ca2353 100644
--- a/include/uapi/linux/netfilter_ipv6/Kbuild
+++ b/include/uapi/linux/netfilter_ipv6/Kbuild
@@ -1 +1,13 @@
 # UAPI Header export list
+header-y += ip6_tables.h
+header-y += ip6t_HL.h
+header-y += ip6t_LOG.h
+header-y += ip6t_NPT.h
+header-y += ip6t_REJECT.h
+header-y += ip6t_ah.h
+header-y += ip6t_frag.h
+header-y += ip6t_hl.h
+header-y += ip6t_ipv6header.h
+header-y += ip6t_mh.h
+header-y += ip6t_opts.h
+header-y += ip6t_rt.h
diff --git a/include/uapi/linux/netfilter_ipv6/ip6_tables.h b/include/uapi/linux/netfilter_ipv6/ip6_tables.h
new file mode 100644
index 000000000000..bf1ef65cc582
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6_tables.h
@@ -0,0 +1,267 @@
+/*
+ * 25-Jul-1998 Major changes to allow for ip chain table
+ *
+ * 3-Jan-2000 Named tables to allow packet selection for different uses.
+ */
+
+/*
+ *      Format of an IP6 firewall descriptor
+ *
+ *      src, dst, src_mask, dst_mask are always stored in network byte order.
+ *      flags are stored in host byte order (of course).
+ *      Port numbers are stored in HOST byte order.
+ */
+
+#ifndef _UAPI_IP6_TABLES_H
+#define _UAPI_IP6_TABLES_H
+
+#include <linux/types.h>
+#include <linux/compiler.h>
+#include <linux/netfilter_ipv6.h>
+
+#include <linux/netfilter/x_tables.h>
+
+#ifndef __KERNEL__
+#define IP6T_FUNCTION_MAXNAMELEN XT_FUNCTION_MAXNAMELEN
+#define IP6T_TABLE_MAXNAMELEN XT_TABLE_MAXNAMELEN
+#define ip6t_match xt_match
+#define ip6t_target xt_target
+#define ip6t_table xt_table
+#define ip6t_get_revision xt_get_revision
+#define ip6t_entry_match xt_entry_match
+#define ip6t_entry_target xt_entry_target
+#define ip6t_standard_target xt_standard_target
+#define ip6t_error_target xt_error_target
+#define ip6t_counters xt_counters
+#define IP6T_CONTINUE XT_CONTINUE
+#define IP6T_RETURN XT_RETURN
+
+/* Pre-iptables-1.4.0 */
+#include <linux/netfilter/xt_tcpudp.h>
+#define ip6t_tcp xt_tcp
+#define ip6t_udp xt_udp
+#define IP6T_TCP_INV_SRCPT      XT_TCP_INV_SRCPT
+#define IP6T_TCP_INV_DSTPT      XT_TCP_INV_DSTPT
+#define IP6T_TCP_INV_FLAGS      XT_TCP_INV_FLAGS
+#define IP6T_TCP_INV_OPTION     XT_TCP_INV_OPTION
+#define IP6T_TCP_INV_MASK       XT_TCP_INV_MASK
+#define IP6T_UDP_INV_SRCPT      XT_UDP_INV_SRCPT
+#define IP6T_UDP_INV_DSTPT      XT_UDP_INV_DSTPT
+#define IP6T_UDP_INV_MASK       XT_UDP_INV_MASK
+
+#define ip6t_counters_info xt_counters_info
+#define IP6T_STANDARD_TARGET XT_STANDARD_TARGET
+#define IP6T_ERROR_TARGET XT_ERROR_TARGET
+#define IP6T_MATCH_ITERATE(e, fn, args...) \
+        XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
+#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
+        XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
+#endif
+
+/* Yes, Virginia, you have to zero the padding. */
+struct ip6t_ip6 {
+        /* Source and destination IP6 addr */
+        struct in6_addr src, dst;               
+        /* Mask for src and dest IP6 addr */
+        struct in6_addr smsk, dmsk;
+        char iniface[IFNAMSIZ], outiface[IFNAMSIZ];
+        unsigned char iniface_mask[IFNAMSIZ], outiface_mask[IFNAMSIZ];
+
+        /* Upper protocol number
+         * - The allowed value is 0 (any) or protocol number of last parsable
+         *   header, which is 50 (ESP), 59 (No Next Header), 135 (MH), or
+         *   the non IPv6 extension headers.
+         * - The protocol numbers of IPv6 extension headers except of ESP and
+         *   MH do not match any packets.
+         * - You also need to set IP6T_FLAGS_PROTO to "flags" to check protocol.
+         */
+        __u16 proto;
+        /* TOS to match iff flags & IP6T_F_TOS */
+        __u8 tos;
+
+        /* Flags word */
+        __u8 flags;
+        /* Inverse flags */
+        __u8 invflags;
+};
+
+/* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
+#define IP6T_F_PROTO            0x01    /* Set if rule cares about upper 
+                                           protocols */
+#define IP6T_F_TOS              0x02    /* Match the TOS. */
+#define IP6T_F_GOTO             0x04    /* Set if jump is a goto */
+#define IP6T_F_MASK             0x07    /* All possible flag bits mask. */
+
+/* Values for "inv" field in struct ip6t_ip6. */
+#define IP6T_INV_VIA_IN         0x01    /* Invert the sense of IN IFACE. */
+#define IP6T_INV_VIA_OUT                0x02    /* Invert the sense of OUT IFACE */
+#define IP6T_INV_TOS            0x04    /* Invert the sense of TOS. */
+#define IP6T_INV_SRCIP          0x08    /* Invert the sense of SRC IP. */
+#define IP6T_INV_DSTIP          0x10    /* Invert the sense of DST OP. */
+#define IP6T_INV_FRAG           0x20    /* Invert the sense of FRAG. */
+#define IP6T_INV_PROTO          XT_INV_PROTO
+#define IP6T_INV_MASK           0x7F    /* All possible flag bits mask. */
+
+/* This structure defines each of the firewall rules.  Consists of 3
+   parts which are 1) general IP header stuff 2) match specific
+   stuff 3) the target to perform if the rule matches */
+struct ip6t_entry {
+        struct ip6t_ip6 ipv6;
+
+        /* Mark with fields that we care about. */
+        unsigned int nfcache;
+
+        /* Size of ipt_entry + matches */
+        __u16 target_offset;
+        /* Size of ipt_entry + matches + target */
+        __u16 next_offset;
+
+        /* Back pointer */
+        unsigned int comefrom;
+
+        /* Packet and byte counters. */
+        struct xt_counters counters;
+
+        /* The matches (if any), then the target. */
+        unsigned char elems[0];
+};
+
+/* Standard entry */
+struct ip6t_standard {
+        struct ip6t_entry entry;
+        struct xt_standard_target target;
+};
+
+struct ip6t_error {
+        struct ip6t_entry entry;
+        struct xt_error_target target;
+};
+
+#define IP6T_ENTRY_INIT(__size)                                                \
+{                                                                              \
+        .target_offset  = sizeof(struct ip6t_entry),                           \
+        .next_offset    = (__size),                                            \
+}
+
+#define IP6T_STANDARD_INIT(__verdict)                                          \
+{                                                                              \
+        .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_standard)),       \
+        .target         = XT_TARGET_INIT(XT_STANDARD_TARGET,                   \
+                                         sizeof(struct xt_standard_target)),   \
+        .target.verdict = -(__verdict) - 1,                                    \
+}
+
+#define IP6T_ERROR_INIT                                                        \
+{                                                                              \
+        .entry          = IP6T_ENTRY_INIT(sizeof(struct ip6t_error)),          \
+        .target         = XT_TARGET_INIT(XT_ERROR_TARGET,                      \
+                                         sizeof(struct xt_error_target)),      \
+        .target.errorname = "ERROR",                                           \
+}
+
+/*
+ * New IP firewall options for [gs]etsockopt at the RAW IP level.
+ * Unlike BSD Linux inherits IP options so you don't have to use
+ * a raw socket for this. Instead we check rights in the calls.
+ *
+ * ATTENTION: check linux/in6.h before adding new number here.
+ */
+#define IP6T_BASE_CTL                   64
+
+#define IP6T_SO_SET_REPLACE             (IP6T_BASE_CTL)
+#define IP6T_SO_SET_ADD_COUNTERS        (IP6T_BASE_CTL + 1)
+#define IP6T_SO_SET_MAX                 IP6T_SO_SET_ADD_COUNTERS
+
+#define IP6T_SO_GET_INFO                (IP6T_BASE_CTL)
+#define IP6T_SO_GET_ENTRIES             (IP6T_BASE_CTL + 1)
+#define IP6T_SO_GET_REVISION_MATCH      (IP6T_BASE_CTL + 4)
+#define IP6T_SO_GET_REVISION_TARGET     (IP6T_BASE_CTL + 5)
+#define IP6T_SO_GET_MAX                 IP6T_SO_GET_REVISION_TARGET
+
+/* ICMP matching stuff */
+struct ip6t_icmp {
+        __u8 type;                              /* type to match */
+        __u8 code[2];                           /* range of code */
+        __u8 invflags;                          /* Inverse flags */
+};
+
+/* Values for "inv" field for struct ipt_icmp. */
+#define IP6T_ICMP_INV   0x01    /* Invert the sense of type/code test */
+
+/* The argument to IP6T_SO_GET_INFO */
+struct ip6t_getinfo {
+        /* Which table: caller fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* Kernel fills these in. */
+        /* Which hook entry points are valid: bitmask */
+        unsigned int valid_hooks;
+
+        /* Hook entry points: one per netfilter hook. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+
+        /* Number of entries */
+        unsigned int num_entries;
+
+        /* Size of entries. */
+        unsigned int size;
+};
+
+/* The argument to IP6T_SO_SET_REPLACE. */
+struct ip6t_replace {
+        /* Which table. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* Which hook entry points are valid: bitmask.  You can't
+           change this. */
+        unsigned int valid_hooks;
+
+        /* Number of entries */
+        unsigned int num_entries;
+
+        /* Total size of new entries */
+        unsigned int size;
+
+        /* Hook entry points. */
+        unsigned int hook_entry[NF_INET_NUMHOOKS];
+
+        /* Underflow points. */
+        unsigned int underflow[NF_INET_NUMHOOKS];
+
+        /* Information about old entries: */
+        /* Number of counters (must be equal to current number of entries). */
+        unsigned int num_counters;
+        /* The old entries' counters. */
+        struct xt_counters __user *counters;
+
+        /* The entries (hang off end: not really an array). */
+        struct ip6t_entry entries[0];
+};
+
+/* The argument to IP6T_SO_GET_ENTRIES. */
+struct ip6t_get_entries {
+        /* Which table: user fills this in. */
+        char name[XT_TABLE_MAXNAMELEN];
+
+        /* User fills this in: total entry size. */
+        unsigned int size;
+
+        /* The entries. */
+        struct ip6t_entry entrytable[0];
+};
+
+/* Helper functions */
+static __inline__ struct xt_entry_target *
+ip6t_get_target(struct ip6t_entry *e)
+{
+        return (void *)e + e->target_offset;
+}
+
+/*
+ *      Main firewall chains definitions and global var's definitions.
+ */
+
+#endif /* _UAPI_IP6_TABLES_H */
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_HL.h b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h
new file mode 100644
index 000000000000..ebd8ead1bb63
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_HL.h
@@ -0,0 +1,24 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's TTL module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+#include <linux/types.h>
+
+enum {
+        IP6T_HL_SET = 0,
+        IP6T_HL_INC,
+        IP6T_HL_DEC
+};
+
+#define IP6T_HL_MAXMODE IP6T_HL_DEC
+
+struct ip6t_HL_info {
+        __u8    mode;
+        __u8    hop_limit;
+};
+
+
+#endif
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h
new file mode 100644
index 000000000000..3dd0bc4e0735
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_LOG.h
@@ -0,0 +1,21 @@
+#ifndef _IP6T_LOG_H
+#define _IP6T_LOG_H
+
+#warning "Please update iptables, this file will be removed soon!"
+
+/* make sure not to change this without changing netfilter.h:NF_LOG_* (!) */
+#define IP6T_LOG_TCPSEQ         0x01    /* Log TCP sequence numbers */
+#define IP6T_LOG_TCPOPT         0x02    /* Log TCP options */
+#define IP6T_LOG_IPOPT          0x04    /* Log IP options */
+#define IP6T_LOG_UID            0x08    /* Log UID owning local socket */
+#define IP6T_LOG_NFLOG          0x10    /* Unsupported, don't use */
+#define IP6T_LOG_MACDECODE      0x20    /* Decode MAC header */
+#define IP6T_LOG_MASK           0x2f
+
+struct ip6t_log_info {
+        unsigned char level;
+        unsigned char logflags;
+        char prefix[30];
+};
+
+#endif /*_IPT_LOG_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h
new file mode 100644
index 000000000000..f763355481b5
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_NPT.h
@@ -0,0 +1,16 @@
+#ifndef __NETFILTER_IP6T_NPT
+#define __NETFILTER_IP6T_NPT
+
+#include <linux/types.h>
+#include <linux/netfilter.h>
+
+struct ip6t_npt_tginfo {
+        union nf_inet_addr      src_pfx;
+        union nf_inet_addr      dst_pfx;
+        __u8                    src_pfx_len;
+        __u8                    dst_pfx_len;
+        /* Used internally by the kernel */
+        __sum16                 adjustment;
+};
+
+#endif /* __NETFILTER_IP6T_NPT */
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h
new file mode 100644
index 000000000000..205ed62e4605
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h
@@ -0,0 +1,20 @@
+#ifndef _IP6T_REJECT_H
+#define _IP6T_REJECT_H
+
+#include <linux/types.h>
+
+enum ip6t_reject_with {
+        IP6T_ICMP6_NO_ROUTE,
+        IP6T_ICMP6_ADM_PROHIBITED,
+        IP6T_ICMP6_NOT_NEIGHBOUR,
+        IP6T_ICMP6_ADDR_UNREACH,
+        IP6T_ICMP6_PORT_UNREACH,
+        IP6T_ICMP6_ECHOREPLY,
+        IP6T_TCP_RESET
+};
+
+struct ip6t_reject_info {
+        __u32   with;   /* reject type */
+};
+
+#endif /*_IP6T_REJECT_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_ah.h b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h
new file mode 100644
index 000000000000..5da2b65cb3ad
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_ah.h
@@ -0,0 +1,22 @@
+#ifndef _IP6T_AH_H
+#define _IP6T_AH_H
+
+#include <linux/types.h>
+
+struct ip6t_ah {
+        __u32 spis[2];                  /* Security Parameter Index */
+        __u32 hdrlen;                   /* Header Length */
+        __u8  hdrres;                   /* Test of the Reserved Filed */
+        __u8  invflags;                 /* Inverse flags */
+};
+
+#define IP6T_AH_SPI 0x01
+#define IP6T_AH_LEN 0x02
+#define IP6T_AH_RES 0x04
+
+/* Values for "invflags" field in struct ip6t_ah. */
+#define IP6T_AH_INV_SPI         0x01    /* Invert the sense of spi. */
+#define IP6T_AH_INV_LEN         0x02    /* Invert the sense of length. */
+#define IP6T_AH_INV_MASK        0x03    /* All possible flags. */
+
+#endif /*_IP6T_AH_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_frag.h b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h
new file mode 100644
index 000000000000..b47f61b9e082
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_frag.h
@@ -0,0 +1,25 @@
+#ifndef _IP6T_FRAG_H
+#define _IP6T_FRAG_H
+
+#include <linux/types.h>
+
+struct ip6t_frag {
+        __u32 ids[2];                   /* Security Parameter Index */
+        __u32 hdrlen;                   /* Header Length */
+        __u8  flags;                    /*  */
+        __u8  invflags;                 /* Inverse flags */
+};
+
+#define IP6T_FRAG_IDS           0x01
+#define IP6T_FRAG_LEN           0x02
+#define IP6T_FRAG_RES           0x04
+#define IP6T_FRAG_FST           0x08
+#define IP6T_FRAG_MF            0x10
+#define IP6T_FRAG_NMF           0x20
+
+/* Values for "invflags" field in struct ip6t_frag. */
+#define IP6T_FRAG_INV_IDS       0x01    /* Invert the sense of ids. */
+#define IP6T_FRAG_INV_LEN       0x02    /* Invert the sense of length. */
+#define IP6T_FRAG_INV_MASK      0x03    /* All possible flags. */
+
+#endif /*_IP6T_FRAG_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_hl.h b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h
new file mode 100644
index 000000000000..6e76dbc6c19a
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_hl.h
@@ -0,0 +1,24 @@
+/* ip6tables module for matching the Hop Limit value
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+ * Based on HW's ttl module */
+
+#ifndef _IP6T_HL_H
+#define _IP6T_HL_H
+
+#include <linux/types.h>
+
+enum {
+        IP6T_HL_EQ = 0,         /* equals */
+        IP6T_HL_NE,             /* not equals */
+        IP6T_HL_LT,             /* less than */
+        IP6T_HL_GT,             /* greater than */
+};
+
+
+struct ip6t_hl_info {
+        __u8    mode;
+        __u8    hop_limit;
+};
+
+
+#endif
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h
new file mode 100644
index 000000000000..efae3a20c214
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_ipv6header.h
@@ -0,0 +1,28 @@
+/* ipv6header match - matches IPv6 packets based
+on whether they contain certain headers */
+
+/* Original idea: Brad Chapman 
+ * Rewritten by: Andras Kis-Szabo <kisza@sch.bme.hu> */
+
+
+#ifndef __IPV6HEADER_H
+#define __IPV6HEADER_H
+
+#include <linux/types.h>
+
+struct ip6t_ipv6header_info {
+        __u8 matchflags;
+        __u8 invflags;
+        __u8 modeflag;
+};
+
+#define MASK_HOPOPTS    128
+#define MASK_DSTOPTS    64
+#define MASK_ROUTING    32
+#define MASK_FRAGMENT   16
+#define MASK_AH         8
+#define MASK_ESP        4
+#define MASK_NONE       2
+#define MASK_PROTO      1
+
+#endif /* __IPV6HEADER_H */
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_mh.h b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h
new file mode 100644
index 000000000000..a7729a5025cd
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_mh.h
@@ -0,0 +1,16 @@
+#ifndef _IP6T_MH_H
+#define _IP6T_MH_H
+
+#include <linux/types.h>
+
+/* MH matching stuff */
+struct ip6t_mh {
+        __u8 types[2];  /* MH type range */
+        __u8 invflags;  /* Inverse flags */
+};
+
+/* Values for "invflags" field in struct ip6t_mh. */
+#define IP6T_MH_INV_TYPE        0x01    /* Invert the sense of type. */
+#define IP6T_MH_INV_MASK        0x01    /* All possible flags. */
+
+#endif /*_IP6T_MH_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_opts.h b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h
new file mode 100644
index 000000000000..17d419a811fd
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_opts.h
@@ -0,0 +1,24 @@
+#ifndef _IP6T_OPTS_H
+#define _IP6T_OPTS_H
+
+#include <linux/types.h>
+
+#define IP6T_OPTS_OPTSNR 16
+
+struct ip6t_opts {
+        __u32 hdrlen;                   /* Header Length */
+        __u8 flags;                             /*  */
+        __u8 invflags;                  /* Inverse flags */
+        __u16 opts[IP6T_OPTS_OPTSNR];   /* opts */
+        __u8 optsnr;                    /* Nr of OPts */
+};
+
+#define IP6T_OPTS_LEN           0x01
+#define IP6T_OPTS_OPTS          0x02
+#define IP6T_OPTS_NSTRICT       0x04
+
+/* Values for "invflags" field in struct ip6t_rt. */
+#define IP6T_OPTS_INV_LEN       0x01    /* Invert the sense of length. */
+#define IP6T_OPTS_INV_MASK      0x01    /* All possible flags. */
+
+#endif /*_IP6T_OPTS_H*/
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_rt.h b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h
new file mode 100644
index 000000000000..7605a5ff81cd
--- /dev/null
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_rt.h
@@ -0,0 +1,33 @@
+#ifndef _IP6T_RT_H
+#define _IP6T_RT_H
+
+#include <linux/types.h>
+/*#include <linux/in6.h>*/
+
+#define IP6T_RT_HOPS 16
+
+struct ip6t_rt {
+        __u32 rt_type;                  /* Routing Type */
+        __u32 segsleft[2];                      /* Segments Left */
+        __u32 hdrlen;                   /* Header Length */
+        __u8  flags;                    /*  */
+        __u8  invflags;                 /* Inverse flags */
+        struct in6_addr addrs[IP6T_RT_HOPS];    /* Hops */
+        __u8 addrnr;                    /* Nr of Addresses */
+};
+
+#define IP6T_RT_TYP             0x01
+#define IP6T_RT_SGS             0x02
+#define IP6T_RT_LEN             0x04
+#define IP6T_RT_RES             0x08
+#define IP6T_RT_FST_MASK        0x30
+#define IP6T_RT_FST             0x10
+#define IP6T_RT_FST_NSTRICT     0x20
+
+/* Values for "invflags" field in struct ip6t_rt. */
+#define IP6T_RT_INV_TYP         0x01    /* Invert the sense of type. */
+#define IP6T_RT_INV_SGS         0x02    /* Invert the sense of Segments. */
+#define IP6T_RT_INV_LEN         0x04    /* Invert the sense of length. */
+#define IP6T_RT_INV_MASK        0x07    /* All possible flags. */
+
+#endif /*_IP6T_RT_H*/
diff --git a/include/uapi/linux/tc_act/Kbuild b/include/uapi/linux/tc_act/Kbuild
index aafaa5aa54d4..0623ec4e728f 100644
--- a/include/uapi/linux/tc_act/Kbuild
+++ b/include/uapi/linux/tc_act/Kbuild
@@ -1 +1,8 @@
 # UAPI Header export list
+header-y += tc_csum.h
+header-y += tc_gact.h
+header-y += tc_ipt.h
+header-y += tc_mirred.h
+header-y += tc_nat.h
+header-y += tc_pedit.h
+header-y += tc_skbedit.h
diff --git a/include/uapi/linux/tc_act/tc_csum.h b/include/uapi/linux/tc_act/tc_csum.h
new file mode 100644
index 000000000000..a047c49a3153
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_csum.h
@@ -0,0 +1,32 @@
+#ifndef __LINUX_TC_CSUM_H
+#define __LINUX_TC_CSUM_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+#define TCA_ACT_CSUM 16
+
+enum {
+        TCA_CSUM_UNSPEC,
+        TCA_CSUM_PARMS,
+        TCA_CSUM_TM,
+        __TCA_CSUM_MAX
+};
+#define TCA_CSUM_MAX (__TCA_CSUM_MAX - 1)
+
+enum {
+        TCA_CSUM_UPDATE_FLAG_IPV4HDR = 1,
+        TCA_CSUM_UPDATE_FLAG_ICMP    = 2,
+        TCA_CSUM_UPDATE_FLAG_IGMP    = 4,
+        TCA_CSUM_UPDATE_FLAG_TCP     = 8,
+        TCA_CSUM_UPDATE_FLAG_UDP     = 16,
+        TCA_CSUM_UPDATE_FLAG_UDPLITE = 32
+};
+
+struct tc_csum {
+        tc_gen;
+
+        __u32 update_flags;
+};
+
+#endif /* __LINUX_TC_CSUM_H */
diff --git a/include/uapi/linux/tc_act/tc_gact.h b/include/uapi/linux/tc_act/tc_gact.h
new file mode 100644
index 000000000000..f7bf94eed510
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_gact.h
@@ -0,0 +1,32 @@
+#ifndef __LINUX_TC_GACT_H
+#define __LINUX_TC_GACT_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+#define TCA_ACT_GACT 5
+struct tc_gact {
+        tc_gen;
+
+};
+
+struct tc_gact_p {
+#define PGACT_NONE              0
+#define PGACT_NETRAND           1
+#define PGACT_DETERM            2
+#define MAX_RAND                (PGACT_DETERM + 1 )
+        __u16                 ptype;
+        __u16                 pval;
+        int                   paction;
+};
+ 
+enum {
+        TCA_GACT_UNSPEC,
+        TCA_GACT_TM,
+        TCA_GACT_PARMS,
+        TCA_GACT_PROB,
+        __TCA_GACT_MAX
+};
+#define TCA_GACT_MAX (__TCA_GACT_MAX - 1)
+ 
+#endif
diff --git a/include/uapi/linux/tc_act/tc_ipt.h b/include/uapi/linux/tc_act/tc_ipt.h
new file mode 100644
index 000000000000..a2335563d21f
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_ipt.h
@@ -0,0 +1,20 @@
+#ifndef __LINUX_TC_IPT_H
+#define __LINUX_TC_IPT_H
+
+#include <linux/pkt_cls.h>
+
+#define TCA_ACT_IPT 6
+
+enum {
+        TCA_IPT_UNSPEC,
+        TCA_IPT_TABLE,
+        TCA_IPT_HOOK,
+        TCA_IPT_INDEX,
+        TCA_IPT_CNT,
+        TCA_IPT_TM,
+        TCA_IPT_TARG,
+        __TCA_IPT_MAX
+};
+#define TCA_IPT_MAX (__TCA_IPT_MAX - 1)
+                                                                                
+#endif
diff --git a/include/uapi/linux/tc_act/tc_mirred.h b/include/uapi/linux/tc_act/tc_mirred.h
new file mode 100644
index 000000000000..7561750e8fd6
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_mirred.h
@@ -0,0 +1,27 @@
+#ifndef __LINUX_TC_MIR_H
+#define __LINUX_TC_MIR_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+#define TCA_ACT_MIRRED 8
+#define TCA_EGRESS_REDIR 1  /* packet redirect to EGRESS*/
+#define TCA_EGRESS_MIRROR 2 /* mirror packet to EGRESS */
+#define TCA_INGRESS_REDIR 3  /* packet redirect to INGRESS*/
+#define TCA_INGRESS_MIRROR 4 /* mirror packet to INGRESS */
+                                                                                
+struct tc_mirred {
+        tc_gen;
+        int                     eaction;   /* one of IN/EGRESS_MIRROR/REDIR */
+        __u32                   ifindex;  /* ifindex of egress port */
+};
+                                                                                
+enum {
+        TCA_MIRRED_UNSPEC,
+        TCA_MIRRED_TM,
+        TCA_MIRRED_PARMS,
+        __TCA_MIRRED_MAX
+};
+#define TCA_MIRRED_MAX (__TCA_MIRRED_MAX - 1)
+                                                                                
+#endif
diff --git a/include/uapi/linux/tc_act/tc_nat.h b/include/uapi/linux/tc_act/tc_nat.h
new file mode 100644
index 000000000000..6663aeba0b9a
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_nat.h
@@ -0,0 +1,27 @@
+#ifndef __LINUX_TC_NAT_H
+#define __LINUX_TC_NAT_H
+
+#include <linux/pkt_cls.h>
+#include <linux/types.h>
+
+#define TCA_ACT_NAT 9
+
+enum {
+        TCA_NAT_UNSPEC,
+        TCA_NAT_PARMS,
+        TCA_NAT_TM,
+        __TCA_NAT_MAX
+};
+#define TCA_NAT_MAX (__TCA_NAT_MAX - 1)
+
+#define TCA_NAT_FLAG_EGRESS 1
+
+struct tc_nat {
+        tc_gen;
+        __be32 old_addr;
+        __be32 new_addr;
+        __be32 mask;
+        __u32 flags;
+};
+
+#endif
diff --git a/include/uapi/linux/tc_act/tc_pedit.h b/include/uapi/linux/tc_act/tc_pedit.h
new file mode 100644
index 000000000000..716cfabcd5b2
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_pedit.h
@@ -0,0 +1,34 @@
+#ifndef __LINUX_TC_PED_H
+#define __LINUX_TC_PED_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+#define TCA_ACT_PEDIT 7
+
+enum {
+        TCA_PEDIT_UNSPEC,
+        TCA_PEDIT_TM,
+        TCA_PEDIT_PARMS,
+        __TCA_PEDIT_MAX
+};
+#define TCA_PEDIT_MAX (__TCA_PEDIT_MAX - 1)
+                                                                                
+struct tc_pedit_key {
+        __u32           mask;  /* AND */
+        __u32           val;   /*XOR */
+        __u32           off;  /*offset */
+        __u32           at;
+        __u32           offmask;
+        __u32           shift;
+};
+                                                                                
+struct tc_pedit_sel {
+        tc_gen;
+        unsigned char           nkeys;
+        unsigned char           flags;
+        struct tc_pedit_key     keys[0];
+};
+#define tc_pedit tc_pedit_sel
+
+#endif
diff --git a/include/uapi/linux/tc_act/tc_skbedit.h b/include/uapi/linux/tc_act/tc_skbedit.h
new file mode 100644
index 000000000000..7a2e910a5f08
--- /dev/null
+++ b/include/uapi/linux/tc_act/tc_skbedit.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2008, Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 59 Temple
+ * Place - Suite 330, Boston, MA 02111-1307 USA.
+ *
+ * Author: Alexander Duyck <alexander.h.duyck@intel.com>
+ */
+
+#ifndef __LINUX_TC_SKBEDIT_H
+#define __LINUX_TC_SKBEDIT_H
+
+#include <linux/pkt_cls.h>
+
+#define TCA_ACT_SKBEDIT 11
+
+#define SKBEDIT_F_PRIORITY              0x1
+#define SKBEDIT_F_QUEUE_MAPPING         0x2
+#define SKBEDIT_F_MARK                  0x4
+
+struct tc_skbedit {
+        tc_gen;
+};
+
+enum {
+        TCA_SKBEDIT_UNSPEC,
+        TCA_SKBEDIT_TM,
+        TCA_SKBEDIT_PARMS,
+        TCA_SKBEDIT_PRIORITY,
+        TCA_SKBEDIT_QUEUE_MAPPING,
+        TCA_SKBEDIT_MARK,
+        __TCA_SKBEDIT_MAX
+};
+#define TCA_SKBEDIT_MAX (__TCA_SKBEDIT_MAX - 1)
+
+#endif
diff --git a/include/uapi/linux/tc_ematch/Kbuild b/include/uapi/linux/tc_ematch/Kbuild
index aafaa5aa54d4..53fca3925535 100644
--- a/include/uapi/linux/tc_ematch/Kbuild
+++ b/include/uapi/linux/tc_ematch/Kbuild
@@ -1 +1,5 @@
 # UAPI Header export list
+header-y += tc_em_cmp.h
+header-y += tc_em_meta.h
+header-y += tc_em_nbyte.h
+header-y += tc_em_text.h
diff --git a/include/uapi/linux/tc_ematch/tc_em_cmp.h b/include/uapi/linux/tc_ematch/tc_em_cmp.h
new file mode 100644
index 000000000000..f34bb1bae083
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_cmp.h
@@ -0,0 +1,25 @@
+#ifndef __LINUX_TC_EM_CMP_H
+#define __LINUX_TC_EM_CMP_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+struct tcf_em_cmp {
+        __u32           val;
+        __u32           mask;
+        __u16           off;
+        __u8            align:4;
+        __u8            flags:4;
+        __u8            layer:4;
+        __u8            opnd:4;
+};
+
+enum {
+        TCF_EM_ALIGN_U8  = 1,
+        TCF_EM_ALIGN_U16 = 2,
+        TCF_EM_ALIGN_U32 = 4
+};
+
+#define TCF_EM_CMP_TRANS        1
+
+#endif
diff --git a/include/uapi/linux/tc_ematch/tc_em_meta.h b/include/uapi/linux/tc_ematch/tc_em_meta.h
new file mode 100644
index 000000000000..b11f8ce2d3c0
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_meta.h
@@ -0,0 +1,92 @@
+#ifndef __LINUX_TC_EM_META_H
+#define __LINUX_TC_EM_META_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+enum {
+        TCA_EM_META_UNSPEC,
+        TCA_EM_META_HDR,
+        TCA_EM_META_LVALUE,
+        TCA_EM_META_RVALUE,
+        __TCA_EM_META_MAX
+};
+#define TCA_EM_META_MAX (__TCA_EM_META_MAX - 1)
+
+struct tcf_meta_val {
+        __u16                   kind;
+        __u8                    shift;
+        __u8                    op;
+};
+
+#define TCF_META_TYPE_MASK      (0xf << 12)
+#define TCF_META_TYPE(kind)     (((kind) & TCF_META_TYPE_MASK) >> 12)
+#define TCF_META_ID_MASK        0x7ff
+#define TCF_META_ID(kind)       ((kind) & TCF_META_ID_MASK)
+
+enum {
+        TCF_META_TYPE_VAR,
+        TCF_META_TYPE_INT,
+        __TCF_META_TYPE_MAX
+};
+#define TCF_META_TYPE_MAX (__TCF_META_TYPE_MAX - 1)
+
+enum {
+        TCF_META_ID_VALUE,
+        TCF_META_ID_RANDOM,
+        TCF_META_ID_LOADAVG_0,
+        TCF_META_ID_LOADAVG_1,
+        TCF_META_ID_LOADAVG_2,
+        TCF_META_ID_DEV,
+        TCF_META_ID_PRIORITY,
+        TCF_META_ID_PROTOCOL,
+        TCF_META_ID_PKTTYPE,
+        TCF_META_ID_PKTLEN,
+        TCF_META_ID_DATALEN,
+        TCF_META_ID_MACLEN,
+        TCF_META_ID_NFMARK,
+        TCF_META_ID_TCINDEX,
+        TCF_META_ID_RTCLASSID,
+        TCF_META_ID_RTIIF,
+        TCF_META_ID_SK_FAMILY,
+        TCF_META_ID_SK_STATE,
+        TCF_META_ID_SK_REUSE,
+        TCF_META_ID_SK_BOUND_IF,
+        TCF_META_ID_SK_REFCNT,
+        TCF_META_ID_SK_SHUTDOWN,
+        TCF_META_ID_SK_PROTO,
+        TCF_META_ID_SK_TYPE,
+        TCF_META_ID_SK_RCVBUF,
+        TCF_META_ID_SK_RMEM_ALLOC,
+        TCF_META_ID_SK_WMEM_ALLOC,
+        TCF_META_ID_SK_OMEM_ALLOC,
+        TCF_META_ID_SK_WMEM_QUEUED,
+        TCF_META_ID_SK_RCV_QLEN,
+        TCF_META_ID_SK_SND_QLEN,
+        TCF_META_ID_SK_ERR_QLEN,
+        TCF_META_ID_SK_FORWARD_ALLOCS,
+        TCF_META_ID_SK_SNDBUF,
+        TCF_META_ID_SK_ALLOCS,
+        __TCF_META_ID_SK_ROUTE_CAPS,    /* unimplemented but in ABI already */
+        TCF_META_ID_SK_HASH,
+        TCF_META_ID_SK_LINGERTIME,
+        TCF_META_ID_SK_ACK_BACKLOG,
+        TCF_META_ID_SK_MAX_ACK_BACKLOG,
+        TCF_META_ID_SK_PRIO,
+        TCF_META_ID_SK_RCVLOWAT,
+        TCF_META_ID_SK_RCVTIMEO,
+        TCF_META_ID_SK_SNDTIMEO,
+        TCF_META_ID_SK_SENDMSG_OFF,
+        TCF_META_ID_SK_WRITE_PENDING,
+        TCF_META_ID_VLAN_TAG,
+        TCF_META_ID_RXHASH,
+        __TCF_META_ID_MAX
+};
+#define TCF_META_ID_MAX (__TCF_META_ID_MAX - 1)
+
+struct tcf_meta_hdr {
+        struct tcf_meta_val     left;
+        struct tcf_meta_val     right;
+};
+
+#endif
diff --git a/include/uapi/linux/tc_ematch/tc_em_nbyte.h b/include/uapi/linux/tc_ematch/tc_em_nbyte.h
new file mode 100644
index 000000000000..7172cfb999c1
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_nbyte.h
@@ -0,0 +1,13 @@
+#ifndef __LINUX_TC_EM_NBYTE_H
+#define __LINUX_TC_EM_NBYTE_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+struct tcf_em_nbyte {
+        __u16           off;
+        __u16           len:12;
+        __u8            layer:4;
+};
+
+#endif
diff --git a/include/uapi/linux/tc_ematch/tc_em_text.h b/include/uapi/linux/tc_ematch/tc_em_text.h
new file mode 100644
index 000000000000..5aac4045ba88
--- /dev/null
+++ b/include/uapi/linux/tc_ematch/tc_em_text.h
@@ -0,0 +1,19 @@
+#ifndef __LINUX_TC_EM_TEXT_H
+#define __LINUX_TC_EM_TEXT_H
+
+#include <linux/types.h>
+#include <linux/pkt_cls.h>
+
+#define TC_EM_TEXT_ALGOSIZ      16
+
+struct tcf_em_text {
+        char            algo[TC_EM_TEXT_ALGOSIZ];
+        __u16           from_offset;
+        __u16           to_offset;
+        __u16           pattern_len;
+        __u8            from_layer:4;
+        __u8            to_layer:4;
+        __u8            pad;
+};
+
+#endif