58 files changed, 426 insertions, 512 deletions
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 864009643675..5750a2b2a0d6 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1007,7 +1007,7 @@ static int inet_sk_reselect_saddr(struct sock *sk)
                               RT_CONN_FLAGS(sk),
                               sk->sk_bound_dev_if,
                               sk->sk_protocol,
-                               inet->sport, inet->dport, sk);
+                               inet->sport, inet->dport, sk, 0);
        if (err)
                return err;
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index 7b068a891953..0072d79f0c2a 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -49,7 +49,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        err = ip_route_connect(&rt, usin->sin_addr.s_addr, saddr,
                               RT_CONN_FLAGS(sk), oif,
                               sk->sk_protocol,
-                               inet->sport, usin->sin_port, sk);
+                               inet->sport, usin->sin_port, sk, 1);
        if (err)
                return err;
        if ((rt->rt_flags & RTCF_BROADCAST) && !sock_flag(sk, SOCK_BROADCAST)) {
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 480ace9819f6..c40203640966 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1140,7 +1140,7 @@ static int inet_fill_ifaddr(struct sk_buff *skb, struct in_ifaddr *ifa,
        nlh = nlmsg_put(skb, pid, seq, event, sizeof(*ifm), flags);
        if (nlh == NULL)
-                return -ENOBUFS;
+                return -EMSGSIZE;
        ifm = nlmsg_data(nlh);
        ifm->ifa_family = AF_INET;
@@ -1167,7 +1167,8 @@ static int inet_fill_ifaddr(struct sk_buff *skb, struct in_ifaddr *ifa,
        return nlmsg_end(skb, nlh);
 nla_put_failure:
-        return nlmsg_cancel(skb, nlh);
+        nlmsg_cancel(skb, nlh);
+        return -EMSGSIZE;
 }
 static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
@@ -1225,9 +1226,12 @@ static void rtmsg_ifa(int event, struct in_ifaddr* ifa, struct nlmsghdr *nlh,
                goto errout;
        err = inet_fill_ifaddr(skb, ifa, pid, seq, event, 0);
-        /* failure implies BUG in inet_nlmsg_size() */
+        if (err < 0) {
-        BUG_ON(err < 0);
+                /* -EMSGSIZE implies BUG in inet_nlmsg_size() */
+                WARN_ON(err == -EMSGSIZE);
+                kfree_skb(skb);
+                goto errout;
+        }
        err = rtnl_notify(skb, pid, RTNLGRP_IPV4_IFADDR, nlh, GFP_KERNEL);
 errout:
        if (err < 0)
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index e63b8a98fb4d..be1028c9933e 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -314,9 +314,12 @@ void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,
        err = fib_dump_info(skb, info->pid, seq, event, tb_id,
                            fa->fa_type, fa->fa_scope, key, dst_len,
                            fa->fa_tos, fa->fa_info, 0);
-        /* failure implies BUG in fib_nlmsg_size() */
+        if (err < 0) {
-        BUG_ON(err < 0);
+                /* -EMSGSIZE implies BUG in fib_nlmsg_size() */
+                WARN_ON(err == -EMSGSIZE);
+                kfree_skb(skb);
+                goto errout;
+        }
        err = rtnl_notify(skb, info->pid, RTNLGRP_IPV4_ROUTE,
                          info->nlh, GFP_KERNEL);
 errout:
@@ -960,7 +963,7 @@ int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
        nlh = nlmsg_put(skb, pid, seq, event, sizeof(*rtm), flags);
        if (nlh == NULL)
-                return -ENOBUFS;
+                return -EMSGSIZE;
        rtm = nlmsg_data(nlh);
        rtm->rtm_family = AF_INET;
@@ -1031,7 +1034,8 @@ int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
        return nlmsg_end(skb, nlh);
 nla_put_failure:
-        return nlmsg_cancel(skb, nlh);
+        nlmsg_cancel(skb, nlh);
+        return -EMSGSIZE;
 }
 /*
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index 0017ccb01d6d..024ae56cab25 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -455,6 +455,8 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
                        skb = add_grhead(skb, pmc, type, &pgr);
                        first = 0;
                }
+                if (!skb)
+                        return NULL;
                psrc = (__be32 *)skb_put(skb, sizeof(__be32));
                *psrc = psf->sf_inaddr;
                scount++; stotal++;
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 77761ac4f7bb..8aa7d51e6881 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -153,7 +153,7 @@ static int inet_csk_diag_fill(struct sock *sk,
 rtattr_failure:
 nlmsg_failure:
        skb_trim(skb, b - skb->data);
-        return -1;
+        return -EMSGSIZE;
 }
 static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
@@ -209,7 +209,7 @@ static int inet_twsk_diag_fill(struct inet_timewait_sock *tw,
        return skb->len;
 nlmsg_failure:
        skb_trim(skb, previous_tail - skb->data);
-        return -1;
+        return -EMSGSIZE;
 }
 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb,
@@ -274,11 +274,14 @@ static int inet_diag_get_exact(struct sk_buff *in_skb,
        if (!rep)
                goto out;
-        if (sk_diag_fill(sk, rep, req->idiag_ext,
+        err = sk_diag_fill(sk, rep, req->idiag_ext,
-                         NETLINK_CB(in_skb).pid,
+                           NETLINK_CB(in_skb).pid,
-                         nlh->nlmsg_seq, 0, nlh) <= 0)
+                           nlh->nlmsg_seq, 0, nlh);
-                BUG();
+        if (err < 0) {
+                WARN_ON(err == -EMSGSIZE);
+                kfree_skb(rep);
+                goto out;
+        }
        err = netlink_unicast(idiagnl, rep, NETLINK_CB(in_skb).pid,
                              MSG_DONTWAIT);
        if (err > 0)
@@ -775,7 +778,7 @@ next_normal:
                        struct inet_timewait_sock *tw;
                        inet_twsk_for_each(tw, node,
-                                    &hashinfo->ehash[i + hashinfo->ehash_size].chain) {
+                                    &head->twchain) {
                                if (num < s_num)
                                        goto next_dying;
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 8c79c8a4ea5c..150ace18dc75 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -212,7 +212,7 @@ static int __inet_check_established(struct inet_timewait_death_row *death_row,
        write_lock(&head->lock);
        /* Check TIME-WAIT sockets first. */
-        sk_for_each(sk2, node, &(head + hinfo->ehash_size)->chain) {
+        sk_for_each(sk2, node, &head->twchain) {
                tw = inet_twsk(sk2);
                if (INET_TW_MATCH(sk2, hash, acookie, saddr, daddr, ports, dif)) {
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 9f414e35c488..a73cf93cee36 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -78,8 +78,8 @@ void __inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk,
        if (__sk_del_node_init(sk))
                sock_prot_dec_use(sk->sk_prot);
-        /* Step 3: Hash TW into TIMEWAIT half of established hash table. */
+        /* Step 3: Hash TW into TIMEWAIT chain. */
-        inet_twsk_add_node(tw, &(ehead + hashinfo->ehash_size)->chain);
+        inet_twsk_add_node(tw, &ehead->twchain);
        atomic_inc(&tw->tw_refcnt);
        write_unlock(&ehead->lock);
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 476cb6084c75..51c83500790f 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -1008,7 +1008,8 @@ ipgre_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
                                goto done;
                        dev = t->dev;
                }
-                err = unregister_netdevice(dev);
+                unregister_netdevice(dev);
+                err = 0;
                break;
        default:
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 9d719d664e5b..da8bbd20c7ed 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -754,7 +754,8 @@ ipip_tunnel_ioctl (struct net_device *dev, struct ifreq *ifr, int cmd)
                                goto done;
                        dev = t->dev;
                }
-                err = unregister_netdevice(dev);
+                unregister_netdevice(dev);
+                err = 0;
                break;
        default:
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 47bd3ad18b71..9b08e7ad71bc 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -361,32 +361,6 @@ config IP_NF_TARGET_ULOG
          To compile it as a module, choose M here.  If unsure, say N.
-config IP_NF_TARGET_TCPMSS
-        tristate "TCPMSS target support"
-        depends on IP_NF_IPTABLES
-        ---help---
-          This option adds a `TCPMSS' target, which allows you to alter the
-          MSS value of TCP SYN packets, to control the maximum size for that
-          connection (usually limiting it to your outgoing interface's MTU
-          minus 40).
-          This is used to overcome criminally braindead ISPs or servers which
-          block ICMP Fragmentation Needed packets.  The symptoms of this
-          problem are that everything works fine from your Linux
-          firewall/router, but machines behind it can never exchange large
-          packets:
-                1) Web browsers connect, then hang with no data received.
-                2) Small mail works fine, but large emails hang.
-                3) ssh works fine, but scp hangs after initial handshaking.
-          Workaround: activate this option and add a rule to your firewall
-          configuration like:
-          iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-                         -j TCPMSS --clamp-mss-to-pmtu
-          To compile it as a module, choose M here.  If unsure, say N.
 # NAT + specific targets: ip_conntrack
 config IP_NF_NAT
        tristate "Full NAT"
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 16d177b71bf8..6625ec68180c 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -103,7 +103,6 @@ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
 obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
-obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
 obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 06e4e8a6dd9f..c34f48fe5478 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -50,12 +50,9 @@ static DEFINE_RWLOCK(tcp_lock);
    If it's non-zero, we mark only out of window RST segments as INVALID. */
 int ip_ct_tcp_be_liberal __read_mostly = 0;
-/* When connection is picked up from the middle, how many packets are required
+/* If it is set to zero, we disable picking up already established
-   to pass in each direction when we assume we are in sync - if any side uses
-   window scaling, we lost the game. 
-   If it is set to zero, we disable picking up already established 
   connections. */
-int ip_ct_tcp_loose __read_mostly = 3;
+int ip_ct_tcp_loose __read_mostly = 1;
 /* Max number of the retransmitted packets without receiving an (acceptable) 
   ACK from the destination. If this number is reached, a shorter timer 
@@ -694,11 +691,10 @@ static int tcp_in_window(struct ip_ct_tcp *state,
                before(sack, receiver->td_end + 1),
                after(ack, receiver->td_end - MAXACKWINDOW(sender)));
        
-        if (sender->loose || receiver->loose ||
+        if (before(seq, sender->td_maxend + 1) &&
-            (before(seq, sender->td_maxend + 1) &&
+            after(end, sender->td_end - receiver->td_maxwin - 1) &&
-             after(end, sender->td_end - receiver->td_maxwin - 1) &&
+            before(sack, receiver->td_end + 1) &&
-             before(sack, receiver->td_end + 1) &&
+            after(ack, receiver->td_end - MAXACKWINDOW(sender))) {
-             after(ack, receiver->td_end - MAXACKWINDOW(sender)))) {
                /*
                 * Take into account window scaling (RFC 1323).
                 */
@@ -743,15 +739,13 @@ static int tcp_in_window(struct ip_ct_tcp *state,
                                state->retrans = 0;
                        }
                }
-                /*
-                 * Close the window of disabled window tracking :-)
-                 */
-                if (sender->loose)
-                        sender->loose--;
-                
                res = 1;
        } else {
-                if (LOG_INVALID(IPPROTO_TCP))
+                res = 0;
+                if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
+                    ip_ct_tcp_be_liberal)
+                        res = 1;
+                if (!res && LOG_INVALID(IPPROTO_TCP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                        "ip_ct_tcp: %s ",
                        before(seq, sender->td_maxend + 1) ?
@@ -762,8 +756,6 @@ static int tcp_in_window(struct ip_ct_tcp *state,
                        : "ACK is over the upper bound (ACKed data not seen yet)"
                        : "SEQ is under the lower bound (already ACKed data retransmitted)"
                        : "SEQ is over the upper bound (over the window of the receiver)");
-                res = ip_ct_tcp_be_liberal;
        }
  
        DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u "
@@ -1105,8 +1097,6 @@ static int tcp_new(struct ip_conntrack *conntrack,
                tcp_options(skb, iph, th, &conntrack->proto.tcp.seen[0]);
                conntrack->proto.tcp.seen[1].flags = 0;
-                conntrack->proto.tcp.seen[0].loose = 
-                conntrack->proto.tcp.seen[1].loose = 0;
        } else if (ip_ct_tcp_loose == 0) {
                /* Don't try to pick up connections. */
                return 0;
@@ -1127,11 +1117,11 @@ static int tcp_new(struct ip_conntrack *conntrack,
                        conntrack->proto.tcp.seen[0].td_maxwin;
                conntrack->proto.tcp.seen[0].td_scale = 0;
-                /* We assume SACK. Should we assume window scaling too? */
+                /* We assume SACK and liberal window checking to handle
+                 * window scaling */
                conntrack->proto.tcp.seen[0].flags =
-                conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM;
+                conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
-                conntrack->proto.tcp.seen[0].loose = 
+                                                     IP_CT_TCP_FLAG_BE_LIBERAL;
-                conntrack->proto.tcp.seen[1].loose = ip_ct_tcp_loose;
        }
    
        conntrack->proto.tcp.seen[1].td_end = 0;
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index 9d1a5175dcd4..5e08c2bf887d 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -246,8 +246,9 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
        if (maniptype == IP_NAT_MANIP_SRC) {
                if (find_appropriate_src(orig_tuple, tuple, range)) {
                        DEBUGP("get_unique_tuple: Found current src map\n");
-                        if (!ip_nat_used_tuple(tuple, conntrack))
+                        if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM))
-                                return;
+                                if (!ip_nat_used_tuple(tuple, conntrack))
+                                        return;
                }
        }
@@ -261,6 +262,13 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
        proto = ip_nat_proto_find_get(orig_tuple->dst.protonum);
+        /* Change protocol info to have some randomization */
+        if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
+                proto->unique_tuple(tuple, range, maniptype, conntrack);
+                ip_nat_proto_put(proto);
+                return;
+        }
        /* Only bother mapping if it's not already in range and unique */
        if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
             || proto->in_range(tuple, maniptype, &range->min, &range->max))
diff --git a/net/ipv4/netfilter/ip_nat_helper.c b/net/ipv4/netfilter/ip_nat_helper.c
index ee80feb4b2a9..2e5c4bc52a60 100644
--- a/net/ipv4/netfilter/ip_nat_helper.c
+++ b/net/ipv4/netfilter/ip_nat_helper.c
@@ -183,7 +183,7 @@ ip_nat_mangle_tcp_packet(struct sk_buff **pskb,
        datalen = (*pskb)->len - iph->ihl*4;
        if ((*pskb)->ip_summed != CHECKSUM_PARTIAL) {
                tcph->check = 0;
-                tcph->check = tcp_v4_check(tcph, datalen,
+                tcph->check = tcp_v4_check(datalen,
                                           iph->saddr, iph->daddr,
                                           csum_partial((char *)tcph,
                                                        datalen, 0));
diff --git a/net/ipv4/netfilter/ip_nat_proto_tcp.c b/net/ipv4/netfilter/ip_nat_proto_tcp.c
index b586d18b3fb3..14ff24f53a7a 100644
--- a/net/ipv4/netfilter/ip_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_tcp.c
@@ -8,6 +8,7 @@
 #include <linux/types.h>
 #include <linux/init.h>
+#include <linux/random.h>
 #include <linux/netfilter.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
@@ -75,6 +76,10 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple,
                range_size = ntohs(range->max.tcp.port) - min + 1;
        }
+        /* Start from random port to avoid prediction */
+        if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
+                port =  net_random();
        for (i = 0; i < range_size; i++, port++) {
                *portptr = htons(min + port % range_size);
                if (!ip_nat_used_tuple(tuple, conntrack)) {
diff --git a/net/ipv4/netfilter/ip_nat_proto_udp.c b/net/ipv4/netfilter/ip_nat_proto_udp.c
index 5ced0877b32f..dfd521672891 100644
--- a/net/ipv4/netfilter/ip_nat_proto_udp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_udp.c
@@ -8,6 +8,7 @@
 #include <linux/types.h>
 #include <linux/init.h>
+#include <linux/random.h>
 #include <linux/netfilter.h>
 #include <linux/ip.h>
 #include <linux/udp.h>
@@ -74,6 +75,10 @@ udp_unique_tuple(struct ip_conntrack_tuple *tuple,
                range_size = ntohs(range->max.udp.port) - min + 1;
        }
+        /* Start from random port to avoid prediction */
+        if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
+                port = net_random();
        for (i = 0; i < range_size; i++, port++) {
                *portptr = htons(min + port % range_size);
                if (!ip_nat_used_tuple(tuple, conntrack))
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index a176aa3031e0..e1c8a05f3dc6 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -86,7 +86,7 @@ static struct
    }
 };
-static struct ipt_table nat_table = {
+static struct xt_table nat_table = {
        .name           = "nat",
        .valid_hooks    = NAT_VALID_HOOKS,
        .lock           = RW_LOCK_UNLOCKED,
@@ -99,7 +99,7 @@ static unsigned int ipt_snat_target(struct sk_buff **pskb,
                                    const struct net_device *in,
                                    const struct net_device *out,
                                    unsigned int hooknum,
-                                    const struct ipt_target *target,
+                                    const struct xt_target *target,
                                    const void *targinfo)
 {
        struct ip_conntrack *ct;
@@ -141,7 +141,7 @@ static unsigned int ipt_dnat_target(struct sk_buff **pskb,
                                    const struct net_device *in,
                                    const struct net_device *out,
                                    unsigned int hooknum,
-                                    const struct ipt_target *target,
+                                    const struct xt_target *target,
                                    const void *targinfo)
 {
        struct ip_conntrack *ct;
@@ -166,7 +166,7 @@ static unsigned int ipt_dnat_target(struct sk_buff **pskb,
 static int ipt_snat_checkentry(const char *tablename,
                               const void *entry,
-                               const struct ipt_target *target,
+                               const struct xt_target *target,
                               void *targinfo,
                               unsigned int hook_mask)
 {
@@ -182,7 +182,7 @@ static int ipt_snat_checkentry(const char *tablename,
 static int ipt_dnat_checkentry(const char *tablename,
                               const void *entry,
-                               const struct ipt_target *target,
+                               const struct xt_target *target,
                               void *targinfo,
                               unsigned int hook_mask)
 {
@@ -193,6 +193,10 @@ static int ipt_dnat_checkentry(const char *tablename,
                printk("DNAT: multiple ranges no longer supported\n");
                return 0;
        }
+        if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM) {
+                printk("DNAT: port randomization not supported\n");
+                return 0;
+        }
        return 1;
 }
@@ -257,8 +261,9 @@ int ip_nat_rule_find(struct sk_buff **pskb,
        return ret;
 }
-static struct ipt_target ipt_snat_reg = {
+static struct xt_target ipt_snat_reg = {
        .name           = "SNAT",
+        .family         = AF_INET,
        .target         = ipt_snat_target,
        .targetsize     = sizeof(struct ip_nat_multi_range_compat),
        .table          = "nat",
@@ -266,8 +271,9 @@ static struct ipt_target ipt_snat_reg = {
        .checkentry     = ipt_snat_checkentry,
 };
-static struct ipt_target ipt_dnat_reg = {
+static struct xt_target ipt_dnat_reg = {
        .name           = "DNAT",
+        .family         = AF_INET,
        .target         = ipt_dnat_target,
        .targetsize     = sizeof(struct ip_nat_multi_range_compat),
        .table          = "nat",
@@ -282,27 +288,27 @@ int __init ip_nat_rule_init(void)
        ret = ipt_register_table(&nat_table, &nat_initial_table.repl);
        if (ret != 0)
                return ret;
-        ret = ipt_register_target(&ipt_snat_reg);
+        ret = xt_register_target(&ipt_snat_reg);
        if (ret != 0)
                goto unregister_table;
-        ret = ipt_register_target(&ipt_dnat_reg);
+        ret = xt_register_target(&ipt_dnat_reg);
        if (ret != 0)
                goto unregister_snat;
        return ret;
 unregister_snat:
-        ipt_unregister_target(&ipt_snat_reg);
+        xt_unregister_target(&ipt_snat_reg);
 unregister_table:
-        ipt_unregister_table(&nat_table);
+        xt_unregister_table(&nat_table);
        return ret;
 }
 void ip_nat_rule_cleanup(void)
 {
-        ipt_unregister_target(&ipt_dnat_reg);
+        xt_unregister_target(&ipt_dnat_reg);
-        ipt_unregister_target(&ipt_snat_reg);
+        xt_unregister_target(&ipt_snat_reg);
        ipt_unregister_table(&nat_table);
 }
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index fc1f153c86ba..5a7b3a341389 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -216,7 +216,7 @@ ipt_do_table(struct sk_buff **pskb,
             unsigned int hook,
             const struct net_device *in,
             const struct net_device *out,
-             struct ipt_table *table)
+             struct xt_table *table)
 {
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
        u_int16_t offset;
@@ -507,7 +507,7 @@ check_entry(struct ipt_entry *e, const char *name)
 static inline int check_match(struct ipt_entry_match *m, const char *name,
                                const struct ipt_ip *ip, unsigned int hookmask)
 {
-        struct ipt_match *match;
+        struct xt_match *match;
        int ret;
        match = m->u.kernel.match;
@@ -531,7 +531,7 @@ find_check_match(struct ipt_entry_match *m,
            unsigned int hookmask,
            unsigned int *i)
 {
-        struct ipt_match *match;
+        struct xt_match *match;
        int ret;
        match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
@@ -557,7 +557,7 @@ err:
 static inline int check_target(struct ipt_entry *e, const char *name)
 {
        struct ipt_entry_target *t;
-        struct ipt_target *target;
+        struct xt_target *target;
        int ret;
        t = ipt_get_target(e);
@@ -580,7 +580,7 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
            unsigned int *i)
 {
        struct ipt_entry_target *t;
-        struct ipt_target *target;
+        struct xt_target *target;
        int ret;
        unsigned int j;
@@ -818,7 +818,7 @@ get_counters(const struct xt_table_info *t,
        }
 }
-static inline struct xt_counters * alloc_counters(struct ipt_table *table)
+static inline struct xt_counters * alloc_counters(struct xt_table *table)
 {
        unsigned int countersize;
        struct xt_counters *counters;
@@ -843,7 +843,7 @@ static inline struct xt_counters * alloc_counters(struct ipt_table *table)
 static int
 copy_entries_to_user(unsigned int total_size,
-                     struct ipt_table *table,
+                     struct xt_table *table,
                     void __user *userptr)
 {
        unsigned int off, num;
@@ -1046,7 +1046,7 @@ static int compat_table_info(struct xt_table_info *info,
 static int get_info(void __user *user, int *len, int compat)
 {
        char name[IPT_TABLE_MAXNAMELEN];
-        struct ipt_table *t;
+        struct xt_table *t;
        int ret;
        if (*len != sizeof(struct ipt_getinfo)) {
@@ -1107,7 +1107,7 @@ get_entries(struct ipt_get_entries __user *uptr, int *len)
 {
        int ret;
        struct ipt_get_entries get;
-        struct ipt_table *t;
+        struct xt_table *t;
        if (*len < sizeof(get)) {
                duprintf("get_entries: %u < %d\n", *len,
@@ -1151,7 +1151,7 @@ __do_replace(const char *name, unsigned int valid_hooks,
                void __user *counters_ptr)
 {
        int ret;
-        struct ipt_table *t;
+        struct xt_table *t;
        struct xt_table_info *oldinfo;
        struct xt_counters *counters;
        void *loc_cpu_old_entry;
@@ -1302,7 +1302,7 @@ do_add_counters(void __user *user, unsigned int len, int compat)
        char *name;
        int size;
        void *ptmp;
-        struct ipt_table *t;
+        struct xt_table *t;
        struct xt_table_info *private;
        int ret = 0;
        void *loc_cpu_entry;
@@ -1437,7 +1437,7 @@ compat_check_calc_match(struct ipt_entry_match *m,
            unsigned int hookmask,
            int *size, int *i)
 {
-        struct ipt_match *match;
+        struct xt_match *match;
        match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
                                                   m->u.user.revision),
@@ -1466,7 +1466,7 @@ check_compat_entry_size_and_hooks(struct ipt_entry *e,
                           const char *name)
 {
        struct ipt_entry_target *t;
-        struct ipt_target *target;
+        struct xt_target *target;
        unsigned int entry_offset;
        int ret, off, h, j;
@@ -1550,7 +1550,7 @@ static int compat_copy_entry_from_user(struct ipt_entry *e, void **dstptr,
        struct xt_table_info *newinfo, unsigned char *base)
 {
        struct ipt_entry_target *t;
-        struct ipt_target *target;
+        struct xt_target *target;
        struct ipt_entry *de;
        unsigned int origsize;
        int ret, h;
@@ -1795,7 +1795,7 @@ struct compat_ipt_get_entries
 };
 static int compat_copy_entries_to_user(unsigned int total_size,
-                     struct ipt_table *table, void __user *userptr)
+                     struct xt_table *table, void __user *userptr)
 {
        unsigned int off, num;
        struct compat_ipt_entry e;
@@ -1869,7 +1869,7 @@ compat_get_entries(struct compat_ipt_get_entries __user *uptr, int *len)
 {
        int ret;
        struct compat_ipt_get_entries get;
-        struct ipt_table *t;
+        struct xt_table *t;
        if (*len < sizeof(get)) {
@@ -2052,7 +2052,7 @@ int ipt_register_table(struct xt_table *table, const struct ipt_replace *repl)
        return 0;
 }
-void ipt_unregister_table(struct ipt_table *table)
+void ipt_unregister_table(struct xt_table *table)
 {
        struct xt_table_info *private;
        void *loc_cpu_entry;
@@ -2124,7 +2124,7 @@ icmp_checkentry(const char *tablename,
 }
 /* The built-in targets: standard (NULL) and error. */
-static struct ipt_target ipt_standard_target = {
+static struct xt_target ipt_standard_target = {
        .name           = IPT_STANDARD_TARGET,
        .targetsize     = sizeof(int),
        .family         = AF_INET,
@@ -2135,7 +2135,7 @@ static struct ipt_target ipt_standard_target = {
 #endif
 };
-static struct ipt_target ipt_error_target = {
+static struct xt_target ipt_error_target = {
        .name           = IPT_ERROR_TARGET,
        .target         = ipt_error,
        .targetsize     = IPT_FUNCTION_MAXNAMELEN,
@@ -2158,7 +2158,7 @@ static struct nf_sockopt_ops ipt_sockopts = {
 #endif
 };
-static struct ipt_match icmp_matchstruct = {
+static struct xt_match icmp_matchstruct = {
        .name           = "icmp",
        .match          = icmp_match,
        .matchsize      = sizeof(struct ipt_icmp),
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index b1c11160b9de..343c2abdc1a0 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -26,6 +26,7 @@
 #include <linux/netfilter_arp.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_CLUSTERIP.h>
 #include <net/netfilter/nf_conntrack_compat.h>
@@ -247,6 +248,7 @@ clusterip_hashfn(struct sk_buff *skb, struct clusterip_config *config)
        switch (iph->protocol) {
        case IPPROTO_TCP:
        case IPPROTO_UDP:
+        case IPPROTO_UDPLITE:
        case IPPROTO_SCTP:
        case IPPROTO_DCCP:
        case IPPROTO_ICMP:
@@ -329,7 +331,7 @@ target(struct sk_buff **pskb,
        if ((*pskb)->nh.iph->protocol == IPPROTO_ICMP
            && (ctinfo == IP_CT_RELATED 
                || ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
-                return IPT_CONTINUE;
+                return XT_CONTINUE;
        /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, 
         * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
@@ -367,7 +369,7 @@ target(struct sk_buff **pskb,
         * actually a unicast IP packet. TCP doesn't like PACKET_MULTICAST */
        (*pskb)->pkt_type = PACKET_HOST;
-        return IPT_CONTINUE;
+        return XT_CONTINUE;
 }
 static int
@@ -470,8 +472,9 @@ static void destroy(const struct xt_target *target, void *targinfo)
        nf_ct_l3proto_module_put(target->family);
 }
-static struct ipt_target clusterip_tgt = {
+static struct xt_target clusterip_tgt = {
        .name           = "CLUSTERIP",
+        .family         = AF_INET,
        .target         = target,
        .targetsize     = sizeof(struct ipt_clusterip_tgt_info),
        .checkentry     = checkentry,
@@ -727,7 +730,7 @@ static int __init ipt_clusterip_init(void)
 {
        int ret;
-        ret = ipt_register_target(&clusterip_tgt);
+        ret = xt_register_target(&clusterip_tgt);
        if (ret < 0)
                return ret;
@@ -753,7 +756,7 @@ cleanup_hook:
        nf_unregister_hook(&cip_arp_ops);
 #endif /* CONFIG_PROC_FS */
 cleanup_target:
-        ipt_unregister_target(&clusterip_tgt);
+        xt_unregister_target(&clusterip_tgt);
        return ret;
 }
@@ -765,7 +768,7 @@ static void __exit ipt_clusterip_fini(void)
        remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
        nf_unregister_hook(&cip_arp_ops);
-        ipt_unregister_target(&clusterip_tgt);
+        xt_unregister_target(&clusterip_tgt);
 }
 module_init(ipt_clusterip_init);
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index b55d670a24df..b5ca5938d1fe 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -9,12 +9,14 @@
 * ipt_ECN.c,v 1.5 2002/08/18 19:36:51 laforge Exp
 */
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
 #include <net/checksum.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ECN.h>
@@ -95,7 +97,7 @@ target(struct sk_buff **pskb,
                if (!set_ect_tcp(pskb, einfo))
                        return NF_DROP;
-        return IPT_CONTINUE;
+        return XT_CONTINUE;
 }
 static int
@@ -119,7 +121,7 @@ checkentry(const char *tablename,
                return 0;
        }
        if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
-            && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & IPT_INV_PROTO))) {
+            && (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
                printk(KERN_WARNING "ECN: cannot use TCP operations on a "
                       "non-tcp rule\n");
                return 0;
@@ -127,8 +129,9 @@ checkentry(const char *tablename,
        return 1;
 }
-static struct ipt_target ipt_ecn_reg = {
+static struct xt_target ipt_ecn_reg = {
        .name           = "ECN",
+        .family         = AF_INET,
        .target         = target,
        .targetsize     = sizeof(struct ipt_ECN_info),
        .table          = "mangle",
@@ -138,12 +141,12 @@ static struct ipt_target ipt_ecn_reg = {
 static int __init ipt_ecn_init(void)
 {
-        return ipt_register_target(&ipt_ecn_reg);
+        return xt_register_target(&ipt_ecn_reg);
 }
 static void __exit ipt_ecn_fini(void)
 {
-        ipt_unregister_target(&ipt_ecn_reg);
+        xt_unregister_target(&ipt_ecn_reg);
 }
 module_init(ipt_ecn_init);
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index c96de16fefae..f68370ffb43f 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -20,7 +20,7 @@
 #include <net/route.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_LOG.h>
 MODULE_LICENSE("GPL");
@@ -432,7 +432,7 @@ ipt_log_target(struct sk_buff **pskb,
        ipt_log_packet(PF_INET, hooknum, *pskb, in, out, &li,
                       loginfo->prefix);
-        return IPT_CONTINUE;
+        return XT_CONTINUE;
 }
 static int ipt_log_checkentry(const char *tablename,
@@ -455,8 +455,9 @@ static int ipt_log_checkentry(const char *tablename,
        return 1;
 }
-static struct ipt_target ipt_log_reg = {
+static struct xt_target ipt_log_reg = {
        .name           = "LOG",
+        .family         = AF_INET,
        .target         = ipt_log_target,
        .targetsize     = sizeof(struct ipt_log_info),
        .checkentry     = ipt_log_checkentry,
@@ -471,8 +472,11 @@ static struct nf_logger ipt_log_logger ={
 static int __init ipt_log_init(void)
 {
-        if (ipt_register_target(&ipt_log_reg))
+        int ret;
-                return -EINVAL;
+        ret = xt_register_target(&ipt_log_reg);
+        if (ret < 0)
+                return ret;
        if (nf_log_register(PF_INET, &ipt_log_logger) < 0) {
                printk(KERN_WARNING "ipt_LOG: not logging via system console "
                       "since somebody else already registered for PF_INET\n");
@@ -486,7 +490,7 @@ static int __init ipt_log_init(void)
 static void __exit ipt_log_fini(void)
 {
        nf_log_unregister_logger(&ipt_log_logger);
-        ipt_unregister_target(&ipt_log_reg);
+        xt_unregister_target(&ipt_log_reg);
 }
 module_init(ipt_log_init);
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index d669685afd04..91c42efcd533 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -25,7 +25,7 @@
 #else
 #include <linux/netfilter_ipv4/ip_nat_rule.h>
 #endif
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
@@ -190,8 +190,9 @@ static struct notifier_block masq_inet_notifier = {
        .notifier_call  = masq_inet_event,
 };
-static struct ipt_target masquerade = {
+static struct xt_target masquerade = {
        .name           = "MASQUERADE",
+        .family         = AF_INET,
        .target         = masquerade_target,
        .targetsize     = sizeof(struct ip_nat_multi_range_compat),
        .table          = "nat",
@@ -204,7 +205,7 @@ static int __init ipt_masquerade_init(void)
 {
        int ret;
-        ret = ipt_register_target(&masquerade);
+        ret = xt_register_target(&masquerade);
        if (ret == 0) {
                /* Register for device down reports */
@@ -218,7 +219,7 @@ static int __init ipt_masquerade_init(void)
 static void __exit ipt_masquerade_fini(void)
 {
-        ipt_unregister_target(&masquerade);
+        xt_unregister_target(&masquerade);
        unregister_netdevice_notifier(&masq_dev_notifier);
        unregister_inetaddr_notifier(&masq_inet_notifier);      
 }
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 9390e90f2b25..b4acc241d898 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -88,8 +89,9 @@ target(struct sk_buff **pskb,
        return ip_nat_setup_info(ct, &newrange, hooknum);
 }
-static struct ipt_target target_module = { 
+static struct xt_target target_module = {
        .name           = MODULENAME,
+        .family         = AF_INET,
        .target         = target, 
        .targetsize     = sizeof(struct ip_nat_multi_range_compat),
        .table          = "nat",
@@ -101,12 +103,12 @@ static struct ipt_target target_module = {
 static int __init ipt_netmap_init(void)
 {
-        return ipt_register_target(&target_module);
+        return xt_register_target(&target_module);
 }
 static void __exit ipt_netmap_fini(void)
 {
-        ipt_unregister_target(&target_module);
+        xt_unregister_target(&target_module);
 }
 module_init(ipt_netmap_init);
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 462eceb3a1b1..54cd021aa5a8 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -18,6 +18,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -104,8 +105,9 @@ redirect_target(struct sk_buff **pskb,
        return ip_nat_setup_info(ct, &newrange, hooknum);
 }
-static struct ipt_target redirect_reg = {
+static struct xt_target redirect_reg = {
        .name           = "REDIRECT",
+        .family         = AF_INET,
        .target         = redirect_target,
        .targetsize     = sizeof(struct ip_nat_multi_range_compat),
        .table          = "nat",
@@ -116,12 +118,12 @@ static struct ipt_target redirect_reg = {
 static int __init ipt_redirect_init(void)
 {
-        return ipt_register_target(&redirect_reg);
+        return xt_register_target(&redirect_reg);
 }
 static void __exit ipt_redirect_fini(void)
 {
-        ipt_unregister_target(&redirect_reg);
+        xt_unregister_target(&redirect_reg);
 }
 module_init(ipt_redirect_init);
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index f0319e5ee437..e4a1ddb386a7 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -22,6 +22,7 @@
 #include <net/tcp.h>
 #include <net/route.h>
 #include <net/dst.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_REJECT.h>
 #ifdef CONFIG_BRIDGE_NETFILTER
@@ -116,7 +117,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
        /* Adjust TCP checksum */
        tcph->check = 0;
-        tcph->check = tcp_v4_check(tcph, sizeof(struct tcphdr),
+        tcph->check = tcp_v4_check(sizeof(struct tcphdr),
                                   nskb->nh.iph->saddr,
                                   nskb->nh.iph->daddr,
                                   csum_partial((char *)tcph,
@@ -230,7 +231,7 @@ static int check(const char *tablename,
        } else if (rejinfo->with == IPT_TCP_RESET) {
                /* Must specify that it's a TCP packet */
                if (e->ip.proto != IPPROTO_TCP
-                    || (e->ip.invflags & IPT_INV_PROTO)) {
+                    || (e->ip.invflags & XT_INV_PROTO)) {
                        DEBUGP("REJECT: TCP_RESET invalid for non-tcp\n");
                        return 0;
                }
@@ -238,8 +239,9 @@ static int check(const char *tablename,
        return 1;
 }
-static struct ipt_target ipt_reject_reg = {
+static struct xt_target ipt_reject_reg = {
        .name           = "REJECT",
+        .family         = AF_INET,
        .target         = reject,
        .targetsize     = sizeof(struct ipt_reject_info),
        .table          = "filter",
@@ -251,12 +253,12 @@ static struct ipt_target ipt_reject_reg = {
 static int __init ipt_reject_init(void)
 {
-        return ipt_register_target(&ipt_reject_reg);
+        return xt_register_target(&ipt_reject_reg);
 }
 static void __exit ipt_reject_fini(void)
 {
-        ipt_unregister_target(&ipt_reject_reg);
+        xt_unregister_target(&ipt_reject_reg);
 }
 module_init(ipt_reject_init);
diff --git a/net/ipv4/netfilter/ipt_SAME.c b/net/ipv4/netfilter/ipt_SAME.c
index 3dcf29411337..a1cdd1262de2 100644
--- a/net/ipv4/netfilter/ipt_SAME.c
+++ b/net/ipv4/netfilter/ipt_SAME.c
@@ -34,6 +34,7 @@
 #include <net/protocol.h>
 #include <net/checksum.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter/x_tables.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_rule.h>
 #else
@@ -186,8 +187,9 @@ same_target(struct sk_buff **pskb,
        return ip_nat_setup_info(ct, &newrange, hooknum);
 }
-static struct ipt_target same_reg = { 
+static struct xt_target same_reg = {
        .name           = "SAME",
+        .family         = AF_INET,
        .target         = same_target,
        .targetsize     = sizeof(struct ipt_same_info),
        .table          = "nat",
@@ -199,12 +201,12 @@ static struct ipt_target same_reg = {
 static int __init ipt_same_init(void)
 {
-        return ipt_register_target(&same_reg);
+        return xt_register_target(&same_reg);
 }
 static void __exit ipt_same_fini(void)
 {
-        ipt_unregister_target(&same_reg);
+        xt_unregister_target(&same_reg);
 }
 module_init(ipt_same_init);
diff --git a/net/ipv4/netfilter/ipt_TCPMSS.c b/net/ipv4/netfilter/ipt_TCPMSS.c
deleted file mode 100644
index 93eb5c3c1884..000000000000
--- a/net/ipv4/netfilter/ipt_TCPMSS.c
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * This is a module which is used for setting the MSS option in TCP packets.
- *
- * Copyright (C) 2000 Marc Boucher <marc@mbsi.ca>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/tcp.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TCPMSS.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("iptables TCP MSS modification module");
-static inline unsigned int
-optlen(const u_int8_t *opt, unsigned int offset)
-{
-        /* Beware zero-length options: make finite progress */
-        if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0)
-                return 1;
-        else
-                return opt[offset+1];
-}
-static unsigned int
-ipt_tcpmss_target(struct sk_buff **pskb,
-                  const struct net_device *in,
-                  const struct net_device *out,
-                  unsigned int hooknum,
-                  const struct xt_target *target,
-                  const void *targinfo)
-{
-        const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
-        struct tcphdr *tcph;
-        struct iphdr *iph;
-        u_int16_t tcplen, newmss;
-        __be16 newtotlen, oldval;
-        unsigned int i;
-        u_int8_t *opt;
-        if (!skb_make_writable(pskb, (*pskb)->len))
-                return NF_DROP;
-        iph = (*pskb)->nh.iph;
-        tcplen = (*pskb)->len - iph->ihl*4;
-        tcph = (void *)iph + iph->ihl*4;
-        /* Since it passed flags test in tcp match, we know it is is
-           not a fragment, and has data >= tcp header length.  SYN
-           packets should not contain data: if they did, then we risk
-           running over MTU, sending Frag Needed and breaking things
-           badly. --RR */
-        if (tcplen != tcph->doff*4) {
-                if (net_ratelimit())
-                        printk(KERN_ERR
-                               "ipt_tcpmss_target: bad length (%d bytes)\n",
-                               (*pskb)->len);
-                return NF_DROP;
-        }
-        if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU) {
-                if (dst_mtu((*pskb)->dst) <= sizeof(struct iphdr) +
-                                             sizeof(struct tcphdr)) {
-                        if (net_ratelimit())
-                                printk(KERN_ERR "ipt_tcpmss_target: "
-                                       "unknown or invalid path-MTU (%d)\n",
-                                       dst_mtu((*pskb)->dst));
-                        return NF_DROP; /* or IPT_CONTINUE ?? */
-                }
-                newmss = dst_mtu((*pskb)->dst) - sizeof(struct iphdr) -
-                                                 sizeof(struct tcphdr);
-        } else
-                newmss = tcpmssinfo->mss;
-        opt = (u_int8_t *)tcph;
-        for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) {
-                if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS &&
-                    opt[i+1] == TCPOLEN_MSS) {
-                        u_int16_t oldmss;
-                        oldmss = (opt[i+2] << 8) | opt[i+3];
-                        if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU &&
-                            oldmss <= newmss)
-                                return IPT_CONTINUE;
-                        opt[i+2] = (newmss & 0xff00) >> 8;
-                        opt[i+3] = (newmss & 0x00ff);
-                        nf_proto_csum_replace2(&tcph->check, *pskb,
-                                                htons(oldmss), htons(newmss), 0);
-                        return IPT_CONTINUE;
-                }
-        }
-        /*
-         * MSS Option not found ?! add it..
-         */
-        if (skb_tailroom((*pskb)) < TCPOLEN_MSS) {
-                struct sk_buff *newskb;
-                newskb = skb_copy_expand(*pskb, skb_headroom(*pskb),
-                                         TCPOLEN_MSS, GFP_ATOMIC);
-                if (!newskb)
-                        return NF_DROP;
-                kfree_skb(*pskb);
-                *pskb = newskb;
-                iph = (*pskb)->nh.iph;
-                tcph = (void *)iph + iph->ihl*4;
-        }
-        skb_put((*pskb), TCPOLEN_MSS);
-        opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
-        memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
-        nf_proto_csum_replace2(&tcph->check, *pskb,
-                                htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1);
-        opt[0] = TCPOPT_MSS;
-        opt[1] = TCPOLEN_MSS;
-        opt[2] = (newmss & 0xff00) >> 8;
-        opt[3] = (newmss & 0x00ff);
-        nf_proto_csum_replace4(&tcph->check, *pskb, 0, *((__be32 *)opt), 0);
-        oldval = ((__be16 *)tcph)[6];
-        tcph->doff += TCPOLEN_MSS/4;
-        nf_proto_csum_replace2(&tcph->check, *pskb,
-                                oldval, ((__be16 *)tcph)[6], 0);
-        newtotlen = htons(ntohs(iph->tot_len) + TCPOLEN_MSS);
-        nf_csum_replace2(&iph->check, iph->tot_len, newtotlen);
-        iph->tot_len = newtotlen;
-        return IPT_CONTINUE;
-}
-#define TH_SYN 0x02
-static inline int find_syn_match(const struct ipt_entry_match *m)
-{
-        const struct ipt_tcp *tcpinfo = (const struct ipt_tcp *)m->data;
-        if (strcmp(m->u.kernel.match->name, "tcp") == 0 &&
-            tcpinfo->flg_cmp & TH_SYN &&
-            !(tcpinfo->invflags & IPT_TCP_INV_FLAGS))
-                return 1;
-        return 0;
-}
-/* Must specify -p tcp --syn/--tcp-flags SYN */
-static int
-ipt_tcpmss_checkentry(const char *tablename,
-                      const void *e_void,
-                      const struct xt_target *target,
-                      void *targinfo,
-                      unsigned int hook_mask)
-{
-        const struct ipt_tcpmss_info *tcpmssinfo = targinfo;
-        const struct ipt_entry *e = e_void;
-        if (tcpmssinfo->mss == IPT_TCPMSS_CLAMP_PMTU &&
-            (hook_mask & ~((1 << NF_IP_FORWARD) |
-                           (1 << NF_IP_LOCAL_OUT) |
-                           (1 << NF_IP_POST_ROUTING))) != 0) {
-                printk("TCPMSS: path-MTU clamping only supported in "
-                       "FORWARD, OUTPUT and POSTROUTING hooks\n");
-                return 0;
-        }
-        if (IPT_MATCH_ITERATE(e, find_syn_match))
-                return 1;
-        printk("TCPMSS: Only works on TCP SYN packets\n");
-        return 0;
-}
-static struct ipt_target ipt_tcpmss_reg = {
-        .name           = "TCPMSS",
-        .target         = ipt_tcpmss_target,
-        .targetsize     = sizeof(struct ipt_tcpmss_info),
-        .proto          = IPPROTO_TCP,
-        .checkentry     = ipt_tcpmss_checkentry,
-        .me             = THIS_MODULE,
-};
-static int __init ipt_tcpmss_init(void)
-{
-        return ipt_register_target(&ipt_tcpmss_reg);
-}
-static void __exit ipt_tcpmss_fini(void)
-{
-        ipt_unregister_target(&ipt_tcpmss_reg);
-}
-module_init(ipt_tcpmss_init);
-module_exit(ipt_tcpmss_fini);
diff --git a/net/ipv4/netfilter/ipt_TOS.c b/net/ipv4/netfilter/ipt_TOS.c
index 18e74ac4d425..29b05a6bd108 100644
--- a/net/ipv4/netfilter/ipt_TOS.c
+++ b/net/ipv4/netfilter/ipt_TOS.c
@@ -13,7 +13,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TOS.h>
 MODULE_LICENSE("GPL");
@@ -40,7 +40,7 @@ target(struct sk_buff **pskb,
                iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
                nf_csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
        }
-        return IPT_CONTINUE;
+        return XT_CONTINUE;
 }
 static int
@@ -63,8 +63,9 @@ checkentry(const char *tablename,
        return 1;
 }
-static struct ipt_target ipt_tos_reg = {
+static struct xt_target ipt_tos_reg = {
        .name           = "TOS",
+        .family         = AF_INET,
        .target         = target,
        .targetsize     = sizeof(struct ipt_tos_target_info),
        .table          = "mangle",
@@ -74,12 +75,12 @@ static struct ipt_target ipt_tos_reg = {
 static int __init ipt_tos_init(void)
 {
-        return ipt_register_target(&ipt_tos_reg);
+        return xt_register_target(&ipt_tos_reg);
 }
 static void __exit ipt_tos_fini(void)
 {
-        ipt_unregister_target(&ipt_tos_reg);
+        xt_unregister_target(&ipt_tos_reg);
 }
 module_init(ipt_tos_init);
diff --git a/net/ipv4/netfilter/ipt_TTL.c b/net/ipv4/netfilter/ipt_TTL.c
index fffe5ca82e91..d2b6fa3f9dcd 100644
--- a/net/ipv4/netfilter/ipt_TTL.c
+++ b/net/ipv4/netfilter/ipt_TTL.c
@@ -12,7 +12,7 @@
 #include <linux/ip.h>
 #include <net/checksum.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_TTL.h>
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -59,7 +59,7 @@ ipt_ttl_target(struct sk_buff **pskb,
                iph->ttl = new_ttl;
        }
-        return IPT_CONTINUE;
+        return XT_CONTINUE;
 }
 static int ipt_ttl_checkentry(const char *tablename,
@@ -80,8 +80,9 @@ static int ipt_ttl_checkentry(const char *tablename,
        return 1;
 }
-static struct ipt_target ipt_TTL = { 
+static struct xt_target ipt_TTL = {
        .name           = "TTL",
+        .family         = AF_INET,
        .target         = ipt_ttl_target, 
        .targetsize     = sizeof(struct ipt_TTL_info),
        .table          = "mangle",
@@ -91,12 +92,12 @@ static struct ipt_target ipt_TTL = {
 static int __init ipt_ttl_init(void)
 {
-        return ipt_register_target(&ipt_TTL);
+        return xt_register_target(&ipt_TTL);
 }
 static void __exit ipt_ttl_fini(void)
 {
-        ipt_unregister_target(&ipt_TTL);
+        xt_unregister_target(&ipt_TTL);
 }
 module_init(ipt_ttl_init);
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index dbd34783a64d..7af57a3a1f36 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -57,7 +57,7 @@
 #include <linux/mm.h>
 #include <linux/moduleparam.h>
 #include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_ULOG.h>
 #include <net/sock.h>
 #include <linux/bitops.h>
@@ -132,7 +132,6 @@ static void ulog_send(unsigned int nlgroupnum)
        ub->qlen = 0;
        ub->skb = NULL;
        ub->lastnlh = NULL;
 }
@@ -314,7 +313,7 @@ static unsigned int ipt_ulog_target(struct sk_buff **pskb,
        ipt_ulog_packet(hooknum, *pskb, in, out, loginfo, NULL);
 
-        return IPT_CONTINUE;
+        return XT_CONTINUE;
 }
 
 static void ipt_logfn(unsigned int pf,
@@ -363,8 +362,9 @@ static int ipt_ulog_checkentry(const char *tablename,
        return 1;
 }
-static struct ipt_target ipt_ulog_reg = {
+static struct xt_target ipt_ulog_reg = {
        .name           = "ULOG",
+        .family         = AF_INET,
        .target         = ipt_ulog_target,
        .targetsize     = sizeof(struct ipt_ulog_info),
        .checkentry     = ipt_ulog_checkentry,
@@ -379,7 +379,7 @@ static struct nf_logger ipt_ulog_logger = {
 static int __init ipt_ulog_init(void)
 {
-        int i;
+        int ret, i;
        DEBUGP("ipt_ULOG: init module\n");
@@ -400,9 +400,10 @@ static int __init ipt_ulog_init(void)
        if (!nflognl)
                return -ENOMEM;
-        if (ipt_register_target(&ipt_ulog_reg) != 0) {
+        ret = xt_register_target(&ipt_ulog_reg);
+        if (ret < 0) {
                sock_release(nflognl->sk_socket);
-                return -EINVAL;
+                return ret;
        }
        if (nflog)
                nf_log_register(PF_INET, &ipt_ulog_logger);
@@ -419,7 +420,7 @@ static void __exit ipt_ulog_fini(void)
        if (nflog)
                nf_log_unregister_logger(&ipt_ulog_logger);
-        ipt_unregister_target(&ipt_ulog_reg);
+        xt_unregister_target(&ipt_ulog_reg);
        sock_release(nflognl->sk_socket);
        /* remove pending timers and free allocated skb's */
@@ -435,7 +436,6 @@ static void __exit ipt_ulog_fini(void)
                        ub->skb = NULL;
                }
        }
 }
 module_init(ipt_ulog_init);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 7b60eb74788b..648f555c4d16 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -16,7 +16,7 @@
 #include <net/route.h>
 #include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -44,8 +44,9 @@ static int match(const struct sk_buff *skb,
        return ret;
 }
-static struct ipt_match addrtype_match = {
+static struct xt_match addrtype_match = {
        .name           = "addrtype",
+        .family         = AF_INET,
        .match          = match,
        .matchsize      = sizeof(struct ipt_addrtype_info),
        .me             = THIS_MODULE
@@ -53,12 +54,12 @@ static struct ipt_match addrtype_match = {
 static int __init ipt_addrtype_init(void)
 {
-        return ipt_register_match(&addrtype_match);
+        return xt_register_match(&addrtype_match);
 }
 static void __exit ipt_addrtype_fini(void)
 {
-        ipt_unregister_match(&addrtype_match);
+        xt_unregister_match(&addrtype_match);
 }
 module_init(ipt_addrtype_init);
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 1798f86bc534..42f41224a43a 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -6,12 +6,13 @@
 * published by the Free Software Foundation.
 */
+#include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
 #include <linux/netfilter_ipv4/ipt_ah.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
@@ -86,8 +87,9 @@ checkentry(const char *tablename,
        return 1;
 }
-static struct ipt_match ah_match = {
+static struct xt_match ah_match = {
        .name           = "ah",
+        .family         = AF_INET,
        .match          = match,
        .matchsize      = sizeof(struct ipt_ah),
        .proto          = IPPROTO_AH,
@@ -97,12 +99,12 @@ static struct ipt_match ah_match = {
 static int __init ipt_ah_init(void)
 {
-        return ipt_register_match(&ah_match);
+        return xt_register_match(&ah_match);
 }
 static void __exit ipt_ah_fini(void)
 {
-        ipt_unregister_match(&ah_match);
+        xt_unregister_match(&ah_match);
 }
 module_init(ipt_ah_init);
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index dafbdec0efc0..37508b2cfea6 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -9,10 +9,13 @@
 * published by the Free Software Foundation.
 */
+#include <linux/in.h>
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/tcp.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
@@ -109,8 +112,9 @@ static int checkentry(const char *tablename, const void *ip_void,
        return 1;
 }
-static struct ipt_match ecn_match = {
+static struct xt_match ecn_match = {
        .name           = "ecn",
+        .family         = AF_INET,
        .match          = match,
        .matchsize      = sizeof(struct ipt_ecn_info),
        .checkentry     = checkentry,
@@ -119,12 +123,12 @@ static struct ipt_match ecn_match = {
 static int __init ipt_ecn_init(void)
 {
-        return ipt_register_match(&ecn_match);
+        return xt_register_match(&ecn_match);
 }
 static void __exit ipt_ecn_fini(void)
 {
-        ipt_unregister_match(&ecn_match);
+        xt_unregister_match(&ecn_match);
 }
 module_init(ipt_ecn_init);
diff --git a/net/ipv4/netfilter/ipt_iprange.c b/net/ipv4/netfilter/ipt_iprange.c
index 5202edd8d333..05de593be94c 100644
--- a/net/ipv4/netfilter/ipt_iprange.c
+++ b/net/ipv4/netfilter/ipt_iprange.c
@@ -10,7 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_iprange.h>
 MODULE_LICENSE("GPL");
@@ -63,22 +63,22 @@ match(const struct sk_buff *skb,
        return 1;
 }
-static struct ipt_match iprange_match = {
+static struct xt_match iprange_match = {
        .name           = "iprange",
+        .family         = AF_INET,
        .match          = match,
        .matchsize      = sizeof(struct ipt_iprange_info),
-        .destroy        = NULL,
        .me             = THIS_MODULE
 };
 static int __init ipt_iprange_init(void)
 {
-        return ipt_register_match(&iprange_match);
+        return xt_register_match(&iprange_match);
 }
 static void __exit ipt_iprange_fini(void)
 {
-        ipt_unregister_match(&iprange_match);
+        xt_unregister_match(&iprange_match);
 }
 module_init(ipt_iprange_init);
diff --git a/net/ipv4/netfilter/ipt_owner.c b/net/ipv4/netfilter/ipt_owner.c
index 78c336f12a9e..9f496ac834b5 100644
--- a/net/ipv4/netfilter/ipt_owner.c
+++ b/net/ipv4/netfilter/ipt_owner.c
@@ -15,7 +15,7 @@
 #include <net/sock.h>
 #include <linux/netfilter_ipv4/ipt_owner.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
@@ -68,8 +68,9 @@ checkentry(const char *tablename,
        return 1;
 }
-static struct ipt_match owner_match = {
+static struct xt_match owner_match = {
        .name           = "owner",
+        .family         = AF_INET,
        .match          = match,
        .matchsize      = sizeof(struct ipt_owner_info),
        .hooks          = (1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_POST_ROUTING),
@@ -79,12 +80,12 @@ static struct ipt_match owner_match = {
 static int __init ipt_owner_init(void)
 {
-        return ipt_register_match(&owner_match);
+        return xt_register_match(&owner_match);
 }
 static void __exit ipt_owner_fini(void)
 {
-        ipt_unregister_match(&owner_match);
+        xt_unregister_match(&owner_match);
 }
 module_init(ipt_owner_init);
diff --git a/net/ipv4/netfilter/ipt_recent.c b/net/ipv4/netfilter/ipt_recent.c
index 4db0e73c56f1..6b97b6796173 100644
--- a/net/ipv4/netfilter/ipt_recent.c
+++ b/net/ipv4/netfilter/ipt_recent.c
@@ -12,6 +12,7 @@
 * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
 */
 #include <linux/init.h>
+#include <linux/ip.h>
 #include <linux/moduleparam.h>
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
@@ -24,7 +25,7 @@
 #include <linux/skbuff.h>
 #include <linux/inet.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ipt_recent.h>
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
@@ -462,8 +463,9 @@ static struct file_operations recent_fops = {
 };
 #endif /* CONFIG_PROC_FS */
-static struct ipt_match recent_match = {
+static struct xt_match recent_match = {
        .name           = "recent",
+        .family         = AF_INET,
        .match          = ipt_recent_match,
        .matchsize      = sizeof(struct ipt_recent_info),
        .checkentry     = ipt_recent_checkentry,
@@ -479,13 +481,13 @@ static int __init ipt_recent_init(void)
                return -EINVAL;
        ip_list_hash_size = 1 << fls(ip_list_tot);
-        err = ipt_register_match(&recent_match);
+        err = xt_register_match(&recent_match);
 #ifdef CONFIG_PROC_FS
        if (err)
                return err;
        proc_dir = proc_mkdir("ipt_recent", proc_net);
        if (proc_dir == NULL) {
-                ipt_unregister_match(&recent_match);
+                xt_unregister_match(&recent_match);
                err = -ENOMEM;
        }
 #endif
@@ -495,7 +497,7 @@ static int __init ipt_recent_init(void)
 static void __exit ipt_recent_exit(void)
 {
        BUG_ON(!list_empty(&tables));
-        ipt_unregister_match(&recent_match);
+        xt_unregister_match(&recent_match);
 #ifdef CONFIG_PROC_FS
        remove_proc_entry("ipt_recent", proc_net);
 #endif
diff --git a/net/ipv4/netfilter/ipt_tos.c b/net/ipv4/netfilter/ipt_tos.c
index 5549c39c7851..5d33b51d49d8 100644
--- a/net/ipv4/netfilter/ipt_tos.c
+++ b/net/ipv4/netfilter/ipt_tos.c
@@ -8,11 +8,12 @@
 * published by the Free Software Foundation.
 */
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter_ipv4/ipt_tos.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("iptables TOS match module");
@@ -32,8 +33,9 @@ match(const struct sk_buff *skb,
        return (skb->nh.iph->tos == info->tos) ^ info->invert;
 }
-static struct ipt_match tos_match = {
+static struct xt_match tos_match = {
        .name           = "tos",
+        .family         = AF_INET,
        .match          = match,
        .matchsize      = sizeof(struct ipt_tos_info),
        .me             = THIS_MODULE,
@@ -41,12 +43,12 @@ static struct ipt_match tos_match = {
 static int __init ipt_multiport_init(void)
 {
-        return ipt_register_match(&tos_match);
+        return xt_register_match(&tos_match);
 }
 static void __exit ipt_multiport_fini(void)
 {
-        ipt_unregister_match(&tos_match);
+        xt_unregister_match(&tos_match);
 }
 module_init(ipt_multiport_init);
diff --git a/net/ipv4/netfilter/ipt_ttl.c b/net/ipv4/netfilter/ipt_ttl.c
index a5243bdb87d7..d5cd984e5ed2 100644
--- a/net/ipv4/netfilter/ipt_ttl.c
+++ b/net/ipv4/netfilter/ipt_ttl.c
@@ -9,11 +9,12 @@
 * published by the Free Software Foundation.
 */
+#include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter_ipv4/ipt_ttl.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter/x_tables.h>
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
 MODULE_DESCRIPTION("IP tables TTL matching module");
@@ -48,8 +49,9 @@ static int match(const struct sk_buff *skb,
        return 0;
 }
-static struct ipt_match ttl_match = {
+static struct xt_match ttl_match = {
        .name           = "ttl",
+        .family         = AF_INET,
        .match          = match,
        .matchsize      = sizeof(struct ipt_ttl_info),
        .me             = THIS_MODULE,
@@ -57,13 +59,12 @@ static struct ipt_match ttl_match = {
 static int __init ipt_ttl_init(void)
 {
-        return ipt_register_match(&ttl_match);
+        return xt_register_match(&ttl_match);
 }
 static void __exit ipt_ttl_fini(void)
 {
-        ipt_unregister_match(&ttl_match);
+        xt_unregister_match(&ttl_match);
 }
 module_init(ipt_ttl_init);
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index e2e7dd8d7903..51053cb42f43 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -74,7 +74,7 @@ static struct
    }
 };
-static struct ipt_table packet_filter = {
+static struct xt_table packet_filter = {
        .name           = "filter",
        .valid_hooks    = FILTER_VALID_HOOKS,
        .lock           = RW_LOCK_UNLOCKED,
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index af2939889444..a532e4d84332 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -103,7 +103,7 @@ static struct
    }
 };
-static struct ipt_table packet_mangler = {
+static struct xt_table packet_mangler = {
        .name           = "mangle",
        .valid_hooks    = MANGLE_VALID_HOOKS,
        .lock           = RW_LOCK_UNLOCKED,
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index bcbeb4aeacd9..5277550fa6b5 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -79,7 +79,7 @@ static struct
        }
 };
-static struct ipt_table packet_raw = { 
+static struct xt_table packet_raw = {
        .name = "raw", 
        .valid_hooks =  RAW_VALID_HOOKS, 
        .lock = RW_LOCK_UNLOCKED, 
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 86a92272b053..998b2557692c 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -254,8 +254,9 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
        if (maniptype == IP_NAT_MANIP_SRC) {
                if (find_appropriate_src(orig_tuple, tuple, range)) {
                        DEBUGP("get_unique_tuple: Found current src map\n");
-                        if (!nf_nat_used_tuple(tuple, ct))
+                        if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM))
-                                return;
+                                if (!nf_nat_used_tuple(tuple, ct))
+                                        return;
                }
        }
@@ -269,6 +270,13 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
        proto = nf_nat_proto_find_get(orig_tuple->dst.protonum);
+        /* Change protocol info to have some randomization */
+        if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
+                proto->unique_tuple(tuple, range, maniptype, ct);
+                nf_nat_proto_put(proto);
+                return;
+        }
        /* Only bother mapping if it's not already in range and unique */
        if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) ||
             proto->in_range(tuple, maniptype, &range->min, &range->max)) &&
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 98fbfc84d183..dc6738bdfab7 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -176,7 +176,7 @@ nf_nat_mangle_tcp_packet(struct sk_buff **pskb,
        datalen = (*pskb)->len - iph->ihl*4;
        if ((*pskb)->ip_summed != CHECKSUM_PARTIAL) {
                tcph->check = 0;
-                tcph->check = tcp_v4_check(tcph, datalen,
+                tcph->check = tcp_v4_check(datalen,
                                           iph->saddr, iph->daddr,
                                           csum_partial((char *)tcph,
                                                        datalen, 0));
diff --git a/net/ipv4/netfilter/nf_nat_proto_tcp.c b/net/ipv4/netfilter/nf_nat_proto_tcp.c
index 7e26a7e9bee1..439164c7a626 100644
--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c
@@ -8,6 +8,7 @@
 #include <linux/types.h>
 #include <linux/init.h>
+#include <linux/random.h>
 #include <linux/ip.h>
 #include <linux/tcp.h>
@@ -75,6 +76,9 @@ tcp_unique_tuple(struct nf_conntrack_tuple *tuple,
                range_size = ntohs(range->max.tcp.port) - min + 1;
        }
+        if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
+                port =  net_random();
        for (i = 0; i < range_size; i++, port++) {
                *portptr = htons(min + port % range_size);
                if (!nf_nat_used_tuple(tuple, ct))
diff --git a/net/ipv4/netfilter/nf_nat_proto_udp.c b/net/ipv4/netfilter/nf_nat_proto_udp.c
index ab0ce4c8699f..8cae6e063bb6 100644
--- a/net/ipv4/netfilter/nf_nat_proto_udp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_udp.c
@@ -8,6 +8,7 @@
 #include <linux/types.h>
 #include <linux/init.h>
+#include <linux/random.h>
 #include <linux/ip.h>
 #include <linux/udp.h>
@@ -73,6 +74,9 @@ udp_unique_tuple(struct nf_conntrack_tuple *tuple,
                range_size = ntohs(range->max.udp.port) - min + 1;
        }
+        if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
+                port = net_random();
        for (i = 0; i < range_size; i++, port++) {
                *portptr = htons(min + port % range_size);
                if (!nf_nat_used_tuple(tuple, ct))
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index b868ee0195d4..7f95b4e2eb31 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -119,7 +119,7 @@ static struct
        }
 };
-static struct ipt_table nat_table = {
+static struct xt_table nat_table = {
        .name           = "nat",
        .valid_hooks    = NAT_VALID_HOOKS,
        .lock           = RW_LOCK_UNLOCKED,
@@ -226,6 +226,10 @@ static int ipt_dnat_checkentry(const char *tablename,
                printk("DNAT: multiple ranges no longer supported\n");
                return 0;
        }
+        if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM) {
+                printk("DNAT: port randomization not supported\n");
+                return 0;
+        }
        return 1;
 }
@@ -290,7 +294,7 @@ int nf_nat_rule_find(struct sk_buff **pskb,
        return ret;
 }
-static struct ipt_target ipt_snat_reg = {
+static struct xt_target ipt_snat_reg = {
        .name           = "SNAT",
        .target         = ipt_snat_target,
        .targetsize     = sizeof(struct nf_nat_multi_range_compat),
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 00d6dea9f7f3..5a964a167c13 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -32,12 +32,6 @@
 #define DEBUGP(format, args...)
 #endif
-#define HOOKNAME(hooknum) ((hooknum) == NF_IP_POST_ROUTING ? "POST_ROUTING"  \
-                           : ((hooknum) == NF_IP_PRE_ROUTING ? "PRE_ROUTING" \
-                              : ((hooknum) == NF_IP_LOCAL_OUT ? "LOCAL_OUT"  \
-                                 : ((hooknum) == NF_IP_LOCAL_IN ? "LOCAL_IN"  \
-                                    : "*ERROR*")))
 #ifdef CONFIG_XFRM
 static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
 {
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index a6c63bbd9ddb..fed6a1e7af9e 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -489,7 +489,7 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                }
                security_sk_classify_flow(sk, &fl);
-                err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT));
+                err = ip_route_output_flow(&rt, &fl, sk, 1);
        }
        if (err)
                goto done;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 2daa0dc19d33..baee304a3cb7 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2635,7 +2635,7 @@ static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
        nlh = nlmsg_put(skb, pid, seq, event, sizeof(*r), flags);
        if (nlh == NULL)
-                return -ENOBUFS;
+                return -EMSGSIZE;
        r = nlmsg_data(nlh);
        r->rtm_family    = AF_INET;
@@ -2718,7 +2718,8 @@ static int rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
        return nlmsg_end(skb, nlh);
 nla_put_failure:
-        return nlmsg_cancel(skb, nlh);
+        nlmsg_cancel(skb, nlh);
+        return -EMSGSIZE;
 }
 int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void *arg)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b67e0dd743be..5bd43d7294fd 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2415,10 +2415,11 @@ void __init tcp_init(void)
                                        &tcp_hashinfo.ehash_size,
                                        NULL,
                                        0);
-        tcp_hashinfo.ehash_size = (1 << tcp_hashinfo.ehash_size) >> 1;
+        tcp_hashinfo.ehash_size = 1 << tcp_hashinfo.ehash_size;
-        for (i = 0; i < (tcp_hashinfo.ehash_size << 1); i++) {
+        for (i = 0; i < tcp_hashinfo.ehash_size; i++) {
                rwlock_init(&tcp_hashinfo.ehash[i].lock);
                INIT_HLIST_HEAD(&tcp_hashinfo.ehash[i].chain);
+                INIT_HLIST_HEAD(&tcp_hashinfo.ehash[i].twchain);
        }
        tcp_hashinfo.bhash =
@@ -2475,7 +2476,7 @@ void __init tcp_init(void)
        printk(KERN_INFO "TCP: Hash tables configured "
               "(established %d bind %d)\n",
-               tcp_hashinfo.ehash_size << 1, tcp_hashinfo.bhash_size);
+               tcp_hashinfo.ehash_size, tcp_hashinfo.bhash_size);
        tcp_register_congestion_control(&tcp_reno);
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c26076fb890e..c6109895bb5e 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -936,28 +936,58 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
        struct tcp_sock *tp = tcp_sk(sk);
        unsigned char *ptr = ack_skb->h.raw + TCP_SKB_CB(ack_skb)->sacked;
        struct tcp_sack_block_wire *sp = (struct tcp_sack_block_wire *)(ptr+2);
+        struct sk_buff *cached_skb;
        int num_sacks = (ptr[1] - TCPOLEN_SACK_BASE)>>3;
        int reord = tp->packets_out;
        int prior_fackets;
        u32 lost_retrans = 0;
        int flag = 0;
        int dup_sack = 0;
+        int cached_fack_count;
        int i;
+        int first_sack_index;
        if (!tp->sacked_out)
                tp->fackets_out = 0;
        prior_fackets = tp->fackets_out;
+        /* Check for D-SACK. */
+        if (before(ntohl(sp[0].start_seq), TCP_SKB_CB(ack_skb)->ack_seq)) {
+                dup_sack = 1;
+                tp->rx_opt.sack_ok |= 4;
+                NET_INC_STATS_BH(LINUX_MIB_TCPDSACKRECV);
+        } else if (num_sacks > 1 &&
+                        !after(ntohl(sp[0].end_seq), ntohl(sp[1].end_seq)) &&
+                        !before(ntohl(sp[0].start_seq), ntohl(sp[1].start_seq))) {
+                dup_sack = 1;
+                tp->rx_opt.sack_ok |= 4;
+                NET_INC_STATS_BH(LINUX_MIB_TCPDSACKOFORECV);
+        }
+        /* D-SACK for already forgotten data...
+         * Do dumb counting. */
+        if (dup_sack &&
+                        !after(ntohl(sp[0].end_seq), prior_snd_una) &&
+                        after(ntohl(sp[0].end_seq), tp->undo_marker))
+                tp->undo_retrans--;
+        /* Eliminate too old ACKs, but take into
+         * account more or less fresh ones, they can
+         * contain valid SACK info.
+         */
+        if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window))
+                return 0;
        /* SACK fastpath:
         * if the only SACK change is the increase of the end_seq of
         * the first block then only apply that SACK block
         * and use retrans queue hinting otherwise slowpath */
        flag = 1;
-        for (i = 0; i< num_sacks; i++) {
+        for (i = 0; i < num_sacks; i++) {
-                __u32 start_seq = ntohl(sp[i].start_seq);
+                __be32 start_seq = sp[i].start_seq;
-                __u32 end_seq =  ntohl(sp[i].end_seq);
+                __be32 end_seq = sp[i].end_seq;
-                if (i == 0){
+                if (i == 0) {
                        if (tp->recv_sack_cache[i].start_seq != start_seq)
                                flag = 0;
                } else {
@@ -967,39 +997,14 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
                }
                tp->recv_sack_cache[i].start_seq = start_seq;
                tp->recv_sack_cache[i].end_seq = end_seq;
+        }
-                /* Check for D-SACK. */
+        /* Clear the rest of the cache sack blocks so they won't match mistakenly. */
-                if (i == 0) {
+        for (; i < ARRAY_SIZE(tp->recv_sack_cache); i++) {
-                        u32 ack = TCP_SKB_CB(ack_skb)->ack_seq;
+                tp->recv_sack_cache[i].start_seq = 0;
+                tp->recv_sack_cache[i].end_seq = 0;
-                        if (before(start_seq, ack)) {
-                                dup_sack = 1;
-                                tp->rx_opt.sack_ok |= 4;
-                                NET_INC_STATS_BH(LINUX_MIB_TCPDSACKRECV);
-                        } else if (num_sacks > 1 &&
-                                   !after(end_seq, ntohl(sp[1].end_seq)) &&
-                                   !before(start_seq, ntohl(sp[1].start_seq))) {
-                                dup_sack = 1;
-                                tp->rx_opt.sack_ok |= 4;
-                                NET_INC_STATS_BH(LINUX_MIB_TCPDSACKOFORECV);
-                        }
-                        /* D-SACK for already forgotten data...
-                         * Do dumb counting. */
-                        if (dup_sack &&
-                            !after(end_seq, prior_snd_una) &&
-                            after(end_seq, tp->undo_marker))
-                                tp->undo_retrans--;
-                        /* Eliminate too old ACKs, but take into
-                         * account more or less fresh ones, they can
-                         * contain valid SACK info.
-                         */
-                        if (before(ack, prior_snd_una - tp->max_window))
-                                return 0;
-                }
        }
+        first_sack_index = 0;
        if (flag)
                num_sacks = 1;
        else {
@@ -1016,6 +1021,10 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
                                        tmp = sp[j];
                                        sp[j] = sp[j+1];
                                        sp[j+1] = tmp;
+                                        /* Track where the first SACK block goes to */
+                                        if (j == first_sack_index)
+                                                first_sack_index = j+1;
                                }
                        }
@@ -1025,20 +1034,22 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
        /* clear flag as used for different purpose in following code */
        flag = 0;
+        /* Use SACK fastpath hint if valid */
+        cached_skb = tp->fastpath_skb_hint;
+        cached_fack_count = tp->fastpath_cnt_hint;
+        if (!cached_skb) {
+                cached_skb = sk->sk_write_queue.next;
+                cached_fack_count = 0;
+        }
        for (i=0; i<num_sacks; i++, sp++) {
                struct sk_buff *skb;
                __u32 start_seq = ntohl(sp->start_seq);
                __u32 end_seq = ntohl(sp->end_seq);
                int fack_count;
-                /* Use SACK fastpath hint if valid */
+                skb = cached_skb;
-                if (tp->fastpath_skb_hint) {
+                fack_count = cached_fack_count;
-                        skb = tp->fastpath_skb_hint;
-                        fack_count = tp->fastpath_cnt_hint;
-                } else {
-                        skb = sk->sk_write_queue.next;
-                        fack_count = 0;
-                }
                /* Event "B" in the comment above. */
                if (after(end_seq, tp->high_seq))
@@ -1048,8 +1059,12 @@ tcp_sacktag_write_queue(struct sock *sk, struct sk_buff *ack_skb, u32 prior_snd_
                        int in_sack, pcount;
                        u8 sacked;
-                        tp->fastpath_skb_hint = skb;
+                        cached_skb = skb;
-                        tp->fastpath_cnt_hint = fack_count;
+                        cached_fack_count = fack_count;
+                        if (i == first_sack_index) {
+                                tp->fastpath_skb_hint = skb;
+                                tp->fastpath_cnt_hint = fack_count;
+                        }
                        /* The retransmission queue is always in order, so
                         * we can short-circuit the walk early.
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 12de90a5047c..f51d6404c61c 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -191,7 +191,7 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        tmp = ip_route_connect(&rt, nexthop, inet->saddr,
                               RT_CONN_FLAGS(sk), sk->sk_bound_dev_if,
                               IPPROTO_TCP,
-                               inet->sport, usin->sin_port, sk);
+                               inet->sport, usin->sin_port, sk, 1);
        if (tmp < 0)
                return tmp;
@@ -502,11 +502,11 @@ void tcp_v4_send_check(struct sock *sk, int len, struct sk_buff *skb)
        struct tcphdr *th = skb->h.th;
        if (skb->ip_summed == CHECKSUM_PARTIAL) {
-                th->check = ~tcp_v4_check(th, len,
+                th->check = ~tcp_v4_check(len, inet->saddr,
-                                          inet->saddr, inet->daddr, 0);
+                                          inet->daddr, 0);
                skb->csum_offset = offsetof(struct tcphdr, check);
        } else {
-                th->check = tcp_v4_check(th, len, inet->saddr, inet->daddr,
+                th->check = tcp_v4_check(len, inet->saddr, inet->daddr,
                                         csum_partial((char *)th,
                                                      th->doff << 2,
                                                      skb->csum));
@@ -525,7 +525,7 @@ int tcp_v4_gso_send_check(struct sk_buff *skb)
        th = skb->h.th;
        th->check = 0;
-        th->check = ~tcp_v4_check(th, skb->len, iph->saddr, iph->daddr, 0);
+        th->check = ~tcp_v4_check(skb->len, iph->saddr, iph->daddr, 0);
        skb->csum_offset = offsetof(struct tcphdr, check);
        skb->ip_summed = CHECKSUM_PARTIAL;
        return 0;
@@ -747,7 +747,7 @@ static int tcp_v4_send_synack(struct sock *sk, struct request_sock *req,
        if (skb) {
                struct tcphdr *th = skb->h.th;
-                th->check = tcp_v4_check(th, skb->len,
+                th->check = tcp_v4_check(skb->len,
                                         ireq->loc_addr,
                                         ireq->rmt_addr,
                                         csum_partial((char *)th, skb->len,
@@ -1514,7 +1514,7 @@ static struct sock *tcp_v4_hnd_req(struct sock *sk, struct sk_buff *skb)
 static __sum16 tcp_v4_checksum_init(struct sk_buff *skb)
 {
        if (skb->ip_summed == CHECKSUM_COMPLETE) {
-                if (!tcp_v4_check(skb->h.th, skb->len, skb->nh.iph->saddr,
+                if (!tcp_v4_check(skb->len, skb->nh.iph->saddr,
                                  skb->nh.iph->daddr, skb->csum)) {
                        skb->ip_summed = CHECKSUM_UNNECESSARY;
                        return 0;
@@ -2051,7 +2051,7 @@ static void *established_get_first(struct seq_file *seq)
                }
                st->state = TCP_SEQ_STATE_TIME_WAIT;
                inet_twsk_for_each(tw, node,
-                                   &tcp_hashinfo.ehash[st->bucket + tcp_hashinfo.ehash_size].chain) {
+                                   &tcp_hashinfo.ehash[st->bucket].twchain) {
                        if (tw->tw_family != st->family) {
                                continue;
                        }
@@ -2107,7 +2107,7 @@ get_tw:
        }
        st->state = TCP_SEQ_STATE_TIME_WAIT;
-        tw = tw_head(&tcp_hashinfo.ehash[st->bucket + tcp_hashinfo.ehash_size].chain);
+        tw = tw_head(&tcp_hashinfo.ehash[st->bucket].twchain);
        goto get_tw;
 found:
        cur = sk;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 975f4472af29..58b7111523f4 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -965,7 +965,8 @@ static inline unsigned int tcp_cwnd_test(struct tcp_sock *tp, struct sk_buff *sk
        u32 in_flight, cwnd;
        /* Don't be strict about the congestion window for the final FIN.  */
-        if (TCP_SKB_CB(skb)->flags & TCPCB_FLAG_FIN)
+        if ((TCP_SKB_CB(skb)->flags & TCPCB_FLAG_FIN) &&
+            tcp_skb_pcount(skb) == 1)
                return 1;
        in_flight = tcp_packets_in_flight(tp);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index cfff930f2baf..8b54c68a0d12 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -629,7 +629,7 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                                               { .sport = inet->sport,
                                                 .dport = dport } } };
                security_sk_classify_flow(sk, &fl);
-                err = ip_route_output_flow(&rt, &fl, sk, !(msg->msg_flags&MSG_DONTWAIT));
+                err = ip_route_output_flow(&rt, &fl, sk, 1);
                if (err)
                        goto out;
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index e23c21d31a53..e54c5494c88f 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -23,6 +23,12 @@ static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
                IP_ECN_set_ce(inner_iph);
 }
+static inline void ipip6_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
+{
+        if (INET_ECN_is_ce(iph->tos))
+                IP6_ECN_set_ce(skb->nh.ipv6h);
+}
 /* Add encapsulation header.
 *
 * The top IP header will be constructed per RFC 2401.  The following fields
@@ -36,6 +42,7 @@ static inline void ipip_ecn_decapsulate(struct sk_buff *skb)
 static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
 {
        struct dst_entry *dst = skb->dst;
+        struct xfrm_dst *xdst = (struct xfrm_dst*)dst;
        struct iphdr *iph, *top_iph;
        int flags;
@@ -48,15 +55,27 @@ static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
        top_iph->ihl = 5;
        top_iph->version = 4;
+        flags = x->props.flags;
        /* DS disclosed */
-        top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
+        if (xdst->route->ops->family == AF_INET) {
+                top_iph->protocol = IPPROTO_IPIP;
+                top_iph->tos = INET_ECN_encapsulate(iph->tos, iph->tos);
+                top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
+                        0 : (iph->frag_off & htons(IP_DF));
+        }
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+        else {
+                struct ipv6hdr *ipv6h = (struct ipv6hdr*)iph;
+                top_iph->protocol = IPPROTO_IPV6;
+                top_iph->tos = INET_ECN_encapsulate(iph->tos, ipv6_get_dsfield(ipv6h));
+                top_iph->frag_off = 0;
+        }
+#endif
-        flags = x->props.flags;
        if (flags & XFRM_STATE_NOECN)
                IP_ECN_clear(top_iph);
-        top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
-                0 : (iph->frag_off & htons(IP_DF));
        if (!top_iph->frag_off)
                __ip_select_ident(top_iph, dst->child, 0);
@@ -64,7 +83,6 @@ static int xfrm4_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
        top_iph->saddr = x->props.saddr.a4;
        top_iph->daddr = x->id.daddr.a4;
-        top_iph->protocol = IPPROTO_IPIP;
        memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
        return 0;
@@ -75,8 +93,16 @@ static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
        struct iphdr *iph = skb->nh.iph;
        int err = -EINVAL;
-        if (iph->protocol != IPPROTO_IPIP)
+        switch(iph->protocol){
-                goto out;
+                case IPPROTO_IPIP:
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+                case IPPROTO_IPV6:
+                        break;
+#endif
+                default:
+                        goto out;
+        }
        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
                goto out;
@@ -84,10 +110,19 @@ static int xfrm4_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
            (err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC)))
                goto out;
-        if (x->props.flags & XFRM_STATE_DECAP_DSCP)
+        if (iph->protocol == IPPROTO_IPIP) {
-                ipv4_copy_dscp(iph, skb->h.ipiph);
+                if (x->props.flags & XFRM_STATE_DECAP_DSCP)
-        if (!(x->props.flags & XFRM_STATE_NOECN))
+                        ipv4_copy_dscp(iph, skb->h.ipiph);
-                ipip_ecn_decapsulate(skb);
+                if (!(x->props.flags & XFRM_STATE_NOECN))
+                        ipip_ecn_decapsulate(skb);
+        }
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+        else {
+                if (!(x->props.flags & XFRM_STATE_NOECN))
+                        ipip6_ecn_decapsulate(iph, skb);
+                skb->protocol = htons(ETH_P_IPV6);
+        }
+#endif
        skb->mac.raw = memmove(skb->data - skb->mac_len,
                               skb->mac.raw, skb->mac_len);
        skb->nh.raw = skb->data;
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index fb9f69c616f5..699f27ce62ad 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -72,13 +72,11 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
        struct dst_entry *dst, *dst_prev;
        struct rtable *rt0 = (struct rtable*)(*dst_p);
        struct rtable *rt = rt0;
-        __be32 remote = fl->fl4_dst;
-        __be32 local  = fl->fl4_src;
        struct flowi fl_tunnel = {
                .nl_u = {
                        .ip4_u = {
-                                .saddr = local,
+                                .saddr = fl->fl4_src,
-                                .daddr = remote,
+                                .daddr = fl->fl4_dst,
                                .tos = fl->fl4_tos
                        }
                }
@@ -94,7 +92,6 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
        for (i = 0; i < nx; i++) {
                struct dst_entry *dst1 = dst_alloc(&xfrm4_dst_ops);
                struct xfrm_dst *xdst;
-                int tunnel = 0;
                if (unlikely(dst1 == NULL)) {
                        err = -ENOBUFS;
@@ -116,19 +113,28 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
                dst1->next = dst_prev;
                dst_prev = dst1;
-                if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
-                        remote = xfrm[i]->id.daddr.a4;
-                        local  = xfrm[i]->props.saddr.a4;
-                        tunnel = 1;
-                }
                header_len += xfrm[i]->props.header_len;
                trailer_len += xfrm[i]->props.trailer_len;
-                if (tunnel) {
+                if (xfrm[i]->props.mode == XFRM_MODE_TUNNEL) {
-                        fl_tunnel.fl4_src = local;
+                        unsigned short encap_family = xfrm[i]->props.family;
-                        fl_tunnel.fl4_dst = remote;
+                        switch(encap_family) {
+                        case AF_INET:
+                                fl_tunnel.fl4_dst = xfrm[i]->id.daddr.a4;
+                                fl_tunnel.fl4_src = xfrm[i]->props.saddr.a4;
+                                break;
+#if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
+                        case AF_INET6:
+                                ipv6_addr_copy(&fl_tunnel.fl6_dst, (struct in6_addr*)&xfrm[i]->id.daddr.a6);
+                                ipv6_addr_copy(&fl_tunnel.fl6_src, (struct in6_addr*)&xfrm[i]->props.saddr.a6);
+                                break;
+#endif
+                        default:
+                                BUG_ON(1);
+                        }
                        err = xfrm_dst_lookup((struct xfrm_dst **)&rt,
-                                              &fl_tunnel, AF_INET);
+                                              &fl_tunnel, encap_family);
                        if (err)
                                goto error;
                } else
@@ -145,6 +151,7 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
        i = 0;
        for (; dst_prev != &rt->u.dst; dst_prev = dst_prev->child) {
                struct xfrm_dst *x = (struct xfrm_dst*)dst_prev;
+                struct xfrm_state_afinfo *afinfo;
                x->u.rt.fl = *fl;
                dst_prev->xfrm = xfrm[i++];
@@ -162,8 +169,18 @@ __xfrm4_bundle_create(struct xfrm_policy *policy, struct xfrm_state **xfrm, int
                /* Copy neighbout for reachability confirmation */
                dst_prev->neighbour     = neigh_clone(rt->u.dst.neighbour);
                dst_prev->input         = rt->u.dst.input;
-                dst_prev->output        = xfrm4_output;
+                /* XXX: When IPv6 module can be unloaded, we should manage reference
-                if (rt->peer)
+                 * to xfrm6_output in afinfo->output. Miyazawa
+                 * */
+                afinfo = xfrm_state_get_afinfo(dst_prev->xfrm->props.family);
+                if (!afinfo) {
+                        dst = *dst_p;
+                        err = -EAFNOSUPPORT;
+                        goto error;
+                }
+                dst_prev->output = afinfo->output;
+                xfrm_state_put_afinfo(afinfo);
+                if (dst_prev->xfrm->props.family == AF_INET && rt->peer)
                        atomic_inc(&rt->peer->refcnt);
                x->u.rt.peer = rt->peer;
                /* Sheit... I remember I did this right. Apparently,
@@ -274,7 +291,7 @@ static void xfrm4_dst_destroy(struct dst_entry *dst)
        if (likely(xdst->u.rt.idev))
                in_dev_put(xdst->u.rt.idev);
-        if (likely(xdst->u.rt.peer))
+        if (dst->xfrm->props.family == AF_INET && likely(xdst->u.rt.peer))
                inet_putpeer(xdst->u.rt.peer);
        xfrm_dst_destroy(xdst);
 }
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 3cc3df0c6ece..93e2c061cdda 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -51,6 +51,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
        .family                 = AF_INET,
        .init_flags             = xfrm4_init_flags,
        .init_tempsel           = __xfrm4_init_tempsel,
+        .output                 = xfrm4_output,
 };
 void __init xfrm4_state_init(void)