authorThe Android Open Source Project <initial-contribution@android.com>2008-10-21 07:00:00 -0700
committerThe Android Open Source Project <initial-contribution@android.com>2008-10-21 07:00:00 -0700
commit15630edb6b7f5ba40c572c43db13342243c23f10 (patch)
tree85b9a07f831e71903db60df22744a031aeded62d
parent058f8ee7bfe5eedf9104a12c0b2b109b872ebcb4 (diff)
downloadiptables-release-1.0.tar.gz
-rw-r--r--Android.mk109
-rw-r--r--MODULE_LICENSE_GPL0
-rw-r--r--Makefile.orig (renamed from Makefile)4
-rw-r--r--NOTICE339
-rwxr-xr-xextensions/.BALANCE-test2
-rw-r--r--[-rwxr-xr-x]extensions/.CLUSTERIP-test0
-rwxr-xr-xextensions/.FTOS-test2
-rwxr-xr-xextensions/.IPMARK-test3
-rwxr-xr-xextensions/.IPV4OPTSSTRIP-test3
-rwxr-xr-xextensions/.NETLINK-test2
-rw-r--r--[-rwxr-xr-x]extensions/.NFLOG-test0
-rw-r--r--[-rwxr-xr-x]extensions/.NFLOG-test60
-rw-r--r--[-rwxr-xr-x]extensions/.REJECT-test60
-rwxr-xr-xextensions/.ROUTE-test2
-rwxr-xr-xextensions/.ROUTE-test62
-rwxr-xr-xextensions/.TCPLAG-test2
-rwxr-xr-xextensions/.XOR-test2
-rwxr-xr-xextensions/.account-test3
-rw-r--r--[-rwxr-xr-x]extensions/.ah-test60
-rwxr-xr-xextensions/.childlevel-test2
-rw-r--r--[-rwxr-xr-x]extensions/.condition-test0
-rw-r--r--[-rwxr-xr-x]extensions/.condition-test60
-rw-r--r--[-rwxr-xr-x]extensions/.connbytes-test0
-rwxr-xr-xextensions/.connrate-test2
-rw-r--r--[-rwxr-xr-x]extensions/.dccp-test0
-rwxr-xr-xextensions/.dstlimit-test2
-rw-r--r--[-rwxr-xr-x]extensions/.esp-test60
-rw-r--r--[-rwxr-xr-x]extensions/.frag-test60
-rwxr-xr-xextensions/.fuzzy-test2
-rwxr-xr-xextensions/.fuzzy-test62
-rw-r--r--[-rwxr-xr-x]extensions/.hashlimit-test60
-rwxr-xr-xextensions/.ipv4options-test3
-rw-r--r--[-rwxr-xr-x]extensions/.ipv6header-test60
-rwxr-xr-xextensions/.mport-test2
-rwxr-xr-xextensions/.nth-test3
-rwxr-xr-xextensions/.nth-test63
-rw-r--r--[-rwxr-xr-x]extensions/.opts-test60
-rwxr-xr-xextensions/.osf-test3
-rwxr-xr-xextensions/.psd-test3
-rw-r--r--[-rwxr-xr-x]extensions/.quota-test0
-rwxr-xr-xextensions/.random-test3
-rwxr-xr-xextensions/.random-test63
-rw-r--r--[-rwxr-xr-x]extensions/.recent-test0
-rwxr-xr-xextensions/.record-rpc-test3
-rw-r--r--[-rwxr-xr-x]extensions/.rt-test60
-rw-r--r--[-rwxr-xr-x]extensions/.sctp-test60
-rw-r--r--[-rwxr-xr-x]extensions/.set-test0
-rw-r--r--[-rwxr-xr-x]extensions/.statistic-test0
-rw-r--r--[-rwxr-xr-x]extensions/.string-test0
-rwxr-xr-xextensions/.time-test3
-rwxr-xr-xextensions/.u32-test3
-rw-r--r--extensions/Makefile.orig (renamed from extensions/Makefile)4
-rwxr-xr-xextensions/create_initext11
-rw-r--r--extensions/initext.c1
-rw-r--r--extensions/libip6t_2connmark.c (renamed from extensions/libip6t_connmark.c)2
-rw-r--r--extensions/libip6t_2hl.c (renamed from extensions/libip6t_hl.c)0
-rw-r--r--extensions/libip6t_2mark.c (renamed from extensions/libip6t_mark.c)0
-rw-r--r--extensions/libip6t_ROUTE.c240
-rw-r--r--extensions/libip6t_ROUTE.man15
-rw-r--r--extensions/libip6t_TCPMSS.c134
-rw-r--r--extensions/libip6t_TCPMSS.man42
-rw-r--r--extensions/libip6t_TRACE.c63
-rw-r--r--extensions/libip6t_TRACE.man3
-rw-r--r--extensions/libip6t_eui64.man2
-rw-r--r--extensions/libip6t_fuzzy.c156
-rw-r--r--extensions/libip6t_fuzzy.man7
-rw-r--r--extensions/libip6t_nth.c229
-rw-r--r--extensions/libip6t_nth.man14
-rw-r--r--extensions/libip6t_random.c150
-rw-r--r--extensions/libip6t_random.man4
-rw-r--r--extensions/libipt_2connmark.c (renamed from extensions/libipt_connmark.c)4
-rw-r--r--extensions/libipt_2dscp.c (renamed from extensions/libipt_dscp.c)4
-rw-r--r--extensions/libipt_2ecn.c (renamed from extensions/libipt_ecn.c)4
-rw-r--r--extensions/libipt_2mark.c (renamed from extensions/libipt_mark.c)4
-rw-r--r--extensions/libipt_2set.c (renamed from extensions/libipt_set.c)4
-rw-r--r--extensions/libipt_2tcpmss.c (renamed from extensions/libipt_tcpmss.c)4
-rw-r--r--extensions/libipt_2tos.c (renamed from extensions/libipt_tos.c)4
-rw-r--r--extensions/libipt_2ttl.c (renamed from extensions/libipt_ttl.c)4
-rw-r--r--extensions/libipt_BALANCE.c150
-rw-r--r--extensions/libipt_BALANCE.man4
-rw-r--r--extensions/libipt_CLASSIFY.c2
-rw-r--r--extensions/libipt_CLUSTERIP.c2
-rw-r--r--extensions/libipt_CONNMARK.c2
-rw-r--r--extensions/libipt_CONNSECMARK.c2
-rw-r--r--extensions/libipt_DNAT.c3
-rw-r--r--extensions/libipt_DSCP.c2
-rw-r--r--extensions/libipt_ECN.c2
-rw-r--r--extensions/libipt_FTOS.c133
-rw-r--r--extensions/libipt_IPMARK.c168
-rw-r--r--extensions/libipt_IPMARK.man45
-rw-r--r--extensions/libipt_IPV4OPTSSTRIP.c74
-rw-r--r--extensions/libipt_IPV4OPTSSTRIP.man5
-rw-r--r--extensions/libipt_LOG.c2
-rw-r--r--extensions/libipt_MARK.c2
-rw-r--r--extensions/libipt_MASQUERADE.c3
-rw-r--r--extensions/libipt_MIRROR.c2
-rw-r--r--extensions/libipt_NETLINK.c157
-rw-r--r--extensions/libipt_NETMAP.c3
-rw-r--r--extensions/libipt_NFLOG.c2
-rw-r--r--extensions/libipt_NFQUEUE.c2
-rw-r--r--extensions/libipt_NOTRACK.c2
-rw-r--r--extensions/libipt_REDIRECT.c3
-rw-r--r--extensions/libipt_REJECT.c2
-rw-r--r--extensions/libipt_ROUTE.c264
-rw-r--r--extensions/libipt_ROUTE.man18
-rw-r--r--extensions/libipt_SAME.c2
-rw-r--r--extensions/libipt_SECMARK.c2
-rw-r--r--extensions/libipt_SET.c2
-rw-r--r--extensions/libipt_SNAT.c3
-rw-r--r--extensions/libipt_TARPIT.c58
-rw-r--r--extensions/libipt_TARPIT.man34
-rw-r--r--extensions/libipt_TCPLAG.c215
-rw-r--r--extensions/libipt_TCPMSS.c2
-rw-r--r--extensions/libipt_TOS.c2
-rw-r--r--extensions/libipt_TRACE.c63
-rw-r--r--extensions/libipt_TRACE.man3
-rw-r--r--extensions/libipt_TTL.c2
-rw-r--r--extensions/libipt_ULOG.c2
-rw-r--r--extensions/libipt_XOR.c114
-rw-r--r--extensions/libipt_XOR.man7
-rw-r--r--extensions/libipt_account.c277
-rw-r--r--extensions/libipt_account.man47
-rw-r--r--extensions/libipt_addrtype.c2
-rw-r--r--extensions/libipt_ah.c2
-rw-r--r--extensions/libipt_childlevel.c115
-rw-r--r--extensions/libipt_childlevel.man5
-rw-r--r--extensions/libipt_comment.c2
-rw-r--r--extensions/libipt_condition.c2
-rw-r--r--extensions/libipt_connbytes.c2
-rw-r--r--extensions/libipt_connlimit.c132
-rw-r--r--extensions/libipt_connlimit.man21
-rw-r--r--extensions/libipt_connrate.c2
-rw-r--r--extensions/libipt_conntrack.c2
-rw-r--r--extensions/libipt_dccp.c2
-rw-r--r--extensions/libipt_dstlimit.c340
-rw-r--r--extensions/libipt_dstlimit.man37
-rw-r--r--extensions/libipt_esp.c2
-rw-r--r--extensions/libipt_fuzzy.c158
-rw-r--r--extensions/libipt_fuzzy.man7
-rw-r--r--extensions/libipt_hashlimit.c2
-rw-r--r--extensions/libipt_helper.c2
-rw-r--r--extensions/libipt_icmp.c2
-rw-r--r--extensions/libipt_iprange.c2
-rw-r--r--extensions/libipt_ipv4options.c311
-rw-r--r--extensions/libipt_ipv4options.man32
-rw-r--r--extensions/libipt_length.c2
-rw-r--r--extensions/libipt_limit.c2
-rw-r--r--extensions/libipt_mac.c2
-rw-r--r--extensions/libipt_mport.c287
-rw-r--r--extensions/libipt_mport.man19
-rw-r--r--extensions/libipt_multiport.c12
-rw-r--r--extensions/libipt_nth.c230
-rw-r--r--extensions/libipt_nth.man14
-rw-r--r--extensions/libipt_osf.c165
-rw-r--r--extensions/libipt_osf.man47
-rw-r--r--extensions/libipt_owner.c2
-rw-r--r--extensions/libipt_physdev.c2
-rw-r--r--extensions/libipt_pkttype.c2
-rw-r--r--extensions/libipt_policy.c2
-rw-r--r--extensions/libipt_psd.c194
-rw-r--r--extensions/libipt_psd.man18
-rw-r--r--extensions/libipt_quota.c2
-rw-r--r--extensions/libipt_random.c150
-rw-r--r--extensions/libipt_random.man4
-rw-r--r--extensions/libipt_realm.c2
-rw-r--r--extensions/libipt_recent.c2
-rw-r--r--extensions/libipt_record_rpc.c65
-rw-r--r--extensions/libipt_rpc.c373
-rw-r--r--extensions/libipt_sctp.c3
-rw-r--r--extensions/libipt_standard.c2
-rw-r--r--extensions/libipt_state.c2
-rw-r--r--extensions/libipt_statistic.c2
-rw-r--r--extensions/libipt_string.c4
-rw-r--r--extensions/libipt_tcp.c3
-rw-r--r--extensions/libipt_tcp.man4
-rw-r--r--extensions/libipt_tcpmss.man2
-rw-r--r--extensions/libipt_time.c549
-rw-r--r--extensions/libipt_time.man16
-rw-r--r--extensions/libipt_u32.c264
-rw-r--r--extensions/libipt_u32.man8
-rw-r--r--extensions/libipt_udp.c3
-rw-r--r--extensions/libipt_unclean.c2
-rwxr-xr-xextensions/rename-dups.sh17
-rw-r--r--include/ip6tables.h3
-rw-r--r--include/iptables.h3
-rw-r--r--include/linux/netfilter_ipv4/ipt_2connmark.h (renamed from include/linux/netfilter_ipv4/ipt_connmark.h)0
-rw-r--r--include/linux/netfilter_ipv4/ipt_2dscp.h (renamed from include/linux/netfilter_ipv4/ipt_dscp.h)0
-rw-r--r--include/linux/netfilter_ipv4/ipt_2ecn.h (renamed from include/linux/netfilter_ipv4/ipt_ecn.h)2
-rw-r--r--include/linux/netfilter_ipv4/ipt_2mark.h (renamed from include/linux/netfilter_ipv4/ipt_mark.h)0
-rw-r--r--include/linux/netfilter_ipv4/ipt_2tcpmss.h (renamed from include/linux/netfilter_ipv4/ipt_tcpmss.h)0
-rw-r--r--include/linux/netfilter_ipv4/ipt_2ttl.h (renamed from include/linux/netfilter_ipv4/ipt_ttl.h)0
-rw-r--r--include/linux/netfilter_ipv6/ip6t_TCPMSS.h10
-rw-r--r--include/linux/netfilter_ipv6/ip6t_hl_.h (renamed from include/linux/netfilter_ipv6/ip6t_hl.h)0
-rw-r--r--include/linux/netfilter_ipv6/ip6t_mark_.h (renamed from include/linux/netfilter_ipv6/ip6t_mark.h)0
-rw-r--r--ip6tables-restore.c4
-rw-r--r--ip6tables.c1
-rw-r--r--iptables-multi.c4
-rw-r--r--iptables-restore.c4
-rw-r--r--iptables-xml.c11
-rw-r--r--iptables.c9
-rw-r--r--libipq/Makefile.orig (renamed from libipq/Makefile)0
-rw-r--r--libiptc/Makefile.orig (renamed from libiptc/Makefile)0
-rw-r--r--libiptc/libip4tc.c5
203 files changed, 788 insertions, 6448 deletions
diff --git a/Android.mk b/Android.mk
new file mode 100644
index 00000000..63ddba29
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,109 @@
+ifneq ($(TARGET_SIMULATOR),true)
+ BUILD_IPTABLES := 1
+endif
+ifeq ($(BUILD_IPTABLES),1)
+
+LOCAL_PATH:= $(call my-dir)
+
+#
+# Build libraries
+#
+
+# libiptc
+
+include $(CLEAR_VARS)
+
+LOCAL_C_INCLUDES:= \
+ $(KERNEL_HEADERS) \
+ $(LOCAL_PATH)/include/
+
+LOCAL_CFLAGS:=-DNO_SHARED_LIBS
+
+LOCAL_SRC_FILES:= \
+ libiptc/libip4tc.c
+
+LOCAL_MODULE_TAGS:=debug
+LOCAL_MODULE:=libiptc
+
+include $(BUILD_STATIC_LIBRARY)
+
+# libext
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE_TAGS:=debug
+LOCAL_MODULE:=libext
+
+# LOCAL_MODULE_CLASS must be defined before calling $(local-intermediates-dir)
+#
+LOCAL_MODULE_CLASS := STATIC_LIBRARIES
+intermediates := $(call local-intermediates-dir)
+
+LOCAL_C_INCLUDES:= \
+ $(LOCAL_PATH)/include/ \
+ $(KERNEL_HEADERS) \
+ $(intermediates)/extensions/
+
+LOCAL_CFLAGS:=-DNO_SHARED_LIBS
+LOCAL_CFLAGS+=-D_INIT=$*_init
+LOCAL_CFLAGS+=-DIPTABLES_VERSION=\"1.3.7\"
+
+PF_EXT_SLIB:=ah addrtype comment 2connmark conntrack 2dscp 2ecn esp
+PF_EXT_SLIB+=hashlimit helper icmp iprange length limit mac multiport #2mark
+PF_EXT_SLIB+=owner physdev pkttype policy realm sctp standard state tcp
+PF_EXT_SLIB+=2tcpmss 2tos 2ttl udp unclean CLASSIFY CONNMARK DNAT LOG #DSCP ECN
+PF_EXT_SLIB+=MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT #MARK
+PF_EXT_SLIB+=SAME SNAT ULOG # TOS TCPMSS TTL
+
+EXT_FUNC+=$(foreach T,$(PF_EXT_SLIB),ipt_$(T))
+
+# generated headers
+
+GEN_INITEXT:= $(intermediates)/extensions/gen_initext.c
+$(GEN_INITEXT): PRIVATE_PATH := $(LOCAL_PATH)
+$(GEN_INITEXT): PRIVATE_CUSTOM_TOOL = $(PRIVATE_PATH)/extensions/create_initext "$(EXT_FUNC)" > $@
+$(GEN_INITEXT): PRIVATE_MODULE := $(LOCAL_MODULE)
+$(GEN_INITEXT):
+ $(transform-generated-source)
+
+$(intermediates)/extensions/initext.o : $(GEN_INITEXT)
+
+LOCAL_GENERATED_SOURCES:= $(GEN_INITEXT)
+
+LOCAL_SRC_FILES:= \
+ $(foreach T,$(PF_EXT_SLIB),extensions/libipt_$(T).c) \
+ extensions/initext.c
+
+LOCAL_STATIC_LIBRARIES := \
+ libc
+
+include $(BUILD_STATIC_LIBRARY)
+
+#
+# Build iptables
+#
+
+include $(CLEAR_VARS)
+
+LOCAL_C_INCLUDES:= \
+ $(LOCAL_PATH)/include/ \
+ $(KERNEL_HEADERS)
+
+LOCAL_CFLAGS:=-DNO_SHARED_LIBS
+LOCAL_CFLAGS+=-DIPTABLES_VERSION=\"1.3.7\" # -DIPT_LIB_DIR=\"$(IPT_LIBDIR)\"
+#LOCAL_CFLAGS+=-DIPT_LIB_DIR=\"$(IPT_LIBDIR)\"
+
+LOCAL_SRC_FILES:= \
+ iptables.c \
+ iptables-standalone.c
+
+LOCAL_MODULE_TAGS:=debug
+LOCAL_MODULE:=iptables
+
+LOCAL_STATIC_LIBRARIES := \
+ libiptc \
+ libext
+
+include $(BUILD_EXECUTABLE)
+
+endif
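Review bot: IPTABLES_VERSION is hard-coded as `\"1.3.7\"` twice in this file, once for libext at L270 and again for the iptables executable at L314, so a version bump has to be made in two places that can silently drift apart; defining it once near the top (`IPTABLES_VERSION := 1.3.7`) and using `LOCAL_CFLAGS+=-DIPTABLES_VERSION=\"$(IPTABLES_VERSION)\"` in both module blocks keeps the library and the binary reporting the same version. The `-D_INIT=$*_init` flag at L269 relies on make's `$*` stem expanding to exactly the `ipt_<name>` prefix that `create_initext` emits for the symbols in gen_initext.c; I cannot confirm from this file what stem the Android per-object compile rule produces, so it is worth a comment such as `# $* must expand to the ipt_<name> stem create_initext uses, or init_extensions() will not link` next to it. The disabled extensions left in the PF_EXT_SLIB comments at L273-L277 (`#2mark`, `#DSCP ECN`, `#MARK`, `# TOS TCPMSS TTL`) also deserve a one-line comment saying why they are excluded, since a reader otherwise cannot tell whether the omission is deliberate.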
diff --git a/MODULE_LICENSE_GPL b/MODULE_LICENSE_GPL
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/MODULE_LICENSE_GPL
diff --git a/Makefile b/Makefile.orig
index b651063b..81e72d4c 100644
--- a/Makefile
+++ b/Makefile.orig
@@ -170,7 +170,7 @@ iptables-xml: iptables-xml.c #iptables.o # $(STATIC_LIBS) libiptc/libiptc.a
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS)
ifeq ($(DO_MULTI), 1)
-$(DESTDIR)$(BINDIR)/iptables-xml: iptables-xml
+$(DESTDIR)$(BINDIR)/iptables-xml: iptables
@[ -d $(DESTDIR)$(BINDIR) ] || mkdir -p $(DESTDIR)$(BINDIR)
ln -sf $< $@
else
@@ -249,7 +249,7 @@ distrib: check distclean delrelease $(RELEASE_DIR)/iptables-$(IPTABLES_VERSION).
# -g -pg -DIPTC_DEBUG
.PHONY: check
check:
- @if echo $(CFLAGS) | egrep -e '-g|-pg|IPTC_DEBUG' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
+ @if echo $(CFLAGS) | egrep -e '(^|[[:space:]])(-g|-pg|-DIPTC_DEBUG)([[:space:]]|$)' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi
.PHONY: nowhitespace
nowhitespace:
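Review bot: The new check recipe at L353 ends its regex with `([[:space:]]|$)`, but inside a make recipe a bare `$` is expanded by make before the shell runs, and `$)` is a reference to the one-character variable `)`, which is empty; egrep then receives an unbalanced group and the check fails with a parse error instead of testing CFLAGS (unless the page rendering dropped a `$`). The end-of-line anchor needs to be written `$$` so the shell sees a single `$`: `@if echo $(CFLAGS) | egrep -e '(^|[[:space:]])(-g|-pg|-DIPTC_DEBUG)([[:space:]]|$$)' >/dev/null; then echo Remove debugging flags; exit 1; else exit 0; fi`. This commit renames the file to Makefile.orig, so the Android build does not execute it, but anyone restoring the upstream build from it will hit the broken check target.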
diff --git a/NOTICE b/NOTICE
new file mode 100644
index 00000000..a43ea212
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 675 Mass Ave, Cambridge, MA 02139, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ Appendix: How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) 19yy <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) 19yy name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/extensions/.BALANCE-test b/extensions/.BALANCE-test
deleted file mode 100755
index 3a46d745..00000000
--- a/extensions/.BALANCE-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_BALANCE.c ] && echo BALANCE
diff --git a/extensions/.CLUSTERIP-test b/extensions/.CLUSTERIP-test
index 6d0017aa..6d0017aa 100755..100644
--- a/extensions/.CLUSTERIP-test
+++ b/extensions/.CLUSTERIP-test
diff --git a/extensions/.FTOS-test b/extensions/.FTOS-test
deleted file mode 100755
index d07fce7a..00000000
--- a/extensions/.FTOS-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_FTOS.h ] && echo FTOS
diff --git a/extensions/.IPMARK-test b/extensions/.IPMARK-test
deleted file mode 100755
index 7996c889..00000000
--- a/extensions/.IPMARK-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if IPMARK patch is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_IPMARK.h ] && echo IPMARK
diff --git a/extensions/.IPV4OPTSSTRIP-test b/extensions/.IPV4OPTSSTRIP-test
deleted file mode 100755
index cfd84ee0..00000000
--- a/extensions/.IPV4OPTSSTRIP-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if IPV4OPTSSTRIP patch is applied.
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_IPV4OPTSSTRIP.c ] && echo IPV4OPTSSTRIP
diff --git a/extensions/.NETLINK-test b/extensions/.NETLINK-test
deleted file mode 100755
index fe94c0c3..00000000
--- a/extensions/.NETLINK-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_NETLINK.c ] && echo NETLINK
diff --git a/extensions/.NFLOG-test b/extensions/.NFLOG-test
index 25f0dee7..25f0dee7 100755..100644
--- a/extensions/.NFLOG-test
+++ b/extensions/.NFLOG-test
diff --git a/extensions/.NFLOG-test6 b/extensions/.NFLOG-test6
index 25f0dee7..25f0dee7 100755..100644
--- a/extensions/.NFLOG-test6
+++ b/extensions/.NFLOG-test6
diff --git a/extensions/.REJECT-test6 b/extensions/.REJECT-test6
index 1f096945..1f096945 100755..100644
--- a/extensions/.REJECT-test6
+++ b/extensions/.REJECT-test6
diff --git a/extensions/.ROUTE-test b/extensions/.ROUTE-test
deleted file mode 100755
index 8b7b3f07..00000000
--- a/extensions/.ROUTE-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_ROUTE.c ] && echo ROUTE
diff --git a/extensions/.ROUTE-test6 b/extensions/.ROUTE-test6
deleted file mode 100755
index 7994970d..00000000
--- a/extensions/.ROUTE-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_ROUTE.h ] && echo ROUTE
diff --git a/extensions/.TCPLAG-test b/extensions/.TCPLAG-test
deleted file mode 100755
index 248f1281..00000000
--- a/extensions/.TCPLAG-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_TCPLAG.c ] && echo TCPLAG
diff --git a/extensions/.XOR-test b/extensions/.XOR-test
deleted file mode 100755
index 92707da2..00000000
--- a/extensions/.XOR-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_XOR.c ] && echo XOR
diff --git a/extensions/.account-test b/extensions/.account-test
deleted file mode 100755
index 68aeb166..00000000
--- a/extensions/.account-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if account match patch is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_account.h ] && echo account
diff --git a/extensions/.ah-test6 b/extensions/.ah-test6
index 1812c56d..1812c56d 100755..100644
--- a/extensions/.ah-test6
+++ b/extensions/.ah-test6
diff --git a/extensions/.childlevel-test b/extensions/.childlevel-test
deleted file mode 100755
index 9f3b9658..00000000
--- a/extensions/.childlevel-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_childlevel.h ] && echo childlevel
diff --git a/extensions/.condition-test b/extensions/.condition-test
index 20f3bc78..20f3bc78 100755..100644
--- a/extensions/.condition-test
+++ b/extensions/.condition-test
diff --git a/extensions/.condition-test6 b/extensions/.condition-test6
index f4af61f8..f4af61f8 100755..100644
--- a/extensions/.condition-test6
+++ b/extensions/.condition-test6
diff --git a/extensions/.connbytes-test b/extensions/.connbytes-test
index 61355d09..61355d09 100755..100644
--- a/extensions/.connbytes-test
+++ b/extensions/.connbytes-test
diff --git a/extensions/.connrate-test b/extensions/.connrate-test
deleted file mode 100755
index d110c158..00000000
--- a/extensions/.connrate-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_connrate.h ] && echo connrate
diff --git a/extensions/.dccp-test b/extensions/.dccp-test
index 5b67527c..5b67527c 100755..100644
--- a/extensions/.dccp-test
+++ b/extensions/.dccp-test
diff --git a/extensions/.dstlimit-test b/extensions/.dstlimit-test
deleted file mode 100755
index b7c8ef9b..00000000
--- a/extensions/.dstlimit-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_dstlimit.c ] && echo dstlimit
diff --git a/extensions/.esp-test6 b/extensions/.esp-test6
index 7ded9452..7ded9452 100755..100644
--- a/extensions/.esp-test6
+++ b/extensions/.esp-test6
diff --git a/extensions/.frag-test6 b/extensions/.frag-test6
index ff3650df..ff3650df 100755..100644
--- a/extensions/.frag-test6
+++ b/extensions/.frag-test6
diff --git a/extensions/.fuzzy-test b/extensions/.fuzzy-test
deleted file mode 100755
index f6575a99..00000000
--- a/extensions/.fuzzy-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_fuzzy.h ] && echo fuzzy
diff --git a/extensions/.fuzzy-test6 b/extensions/.fuzzy-test6
deleted file mode 100755
index 034263e1..00000000
--- a/extensions/.fuzzy-test6
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-[ -f $KERNEL_DIR/net/ipv6/netfilter/ip6t_fuzzy.c -a -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_fuzzy.h ] && echo fuzzy
diff --git a/extensions/.hashlimit-test6 b/extensions/.hashlimit-test6
index 9a2a4651..9a2a4651 100755..100644
--- a/extensions/.hashlimit-test6
+++ b/extensions/.hashlimit-test6
diff --git a/extensions/.ipv4options-test b/extensions/.ipv4options-test
deleted file mode 100755
index 134ab09e..00000000
--- a/extensions/.ipv4options-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if ipv4options is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_ipv4options.h ] && echo ipv4options
diff --git a/extensions/.ipv6header-test6 b/extensions/.ipv6header-test6
index 47f6f06c..47f6f06c 100755..100644
--- a/extensions/.ipv6header-test6
+++ b/extensions/.ipv6header-test6
diff --git a/extensions/.mport-test b/extensions/.mport-test
deleted file mode 100755
index 411a0839..00000000
--- a/extensions/.mport-test
+++ /dev/null
@@ -1,2 +0,0 @@
-#! /bin/sh
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_mport.c ] && echo mport
diff --git a/extensions/.nth-test b/extensions/.nth-test
deleted file mode 100755
index 536da95d..00000000
--- a/extensions/.nth-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if nth is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_nth.h ] && echo nth
diff --git a/extensions/.nth-test6 b/extensions/.nth-test6
deleted file mode 100755
index 7dbe091a..00000000
--- a/extensions/.nth-test6
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if nth is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_nth.h ] && echo nth
diff --git a/extensions/.opts-test6 b/extensions/.opts-test6
index 1ed20135..1ed20135 100755..100644
--- a/extensions/.opts-test6
+++ b/extensions/.opts-test6
diff --git a/extensions/.osf-test b/extensions/.osf-test
deleted file mode 100755
index bc3ad8f9..00000000
--- a/extensions/.osf-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if osf is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_osf.h ] && echo osf
diff --git a/extensions/.psd-test b/extensions/.psd-test
deleted file mode 100755
index 9d05088e..00000000
--- a/extensions/.psd-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if psd is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_psd.h ] && echo psd
diff --git a/extensions/.quota-test b/extensions/.quota-test
index b21058c5..b21058c5 100755..100644
--- a/extensions/.quota-test
+++ b/extensions/.quota-test
diff --git a/extensions/.random-test b/extensions/.random-test
deleted file mode 100755
index 7626722f..00000000
--- a/extensions/.random-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if random is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_random.h ] && echo random
diff --git a/extensions/.random-test6 b/extensions/.random-test6
deleted file mode 100755
index 25a431fd..00000000
--- a/extensions/.random-test6
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if random is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv6/ip6t_random.h ] && echo random
diff --git a/extensions/.recent-test b/extensions/.recent-test
index 2a47fc98..2a47fc98 100755..100644
--- a/extensions/.recent-test
+++ b/extensions/.recent-test
diff --git a/extensions/.record-rpc-test b/extensions/.record-rpc-test
deleted file mode 100755
index 4ff9fe24..00000000
--- a/extensions/.record-rpc-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#! /bin/sh
-# True if record rpc is applied.
-[ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_record_rpc.c ] && echo record_rpc
diff --git a/extensions/.rt-test6 b/extensions/.rt-test6
index e8d58559..e8d58559 100755..100644
--- a/extensions/.rt-test6
+++ b/extensions/.rt-test6
diff --git a/extensions/.sctp-test6 b/extensions/.sctp-test6
index 3cfc7b84..3cfc7b84 100755..100644
--- a/extensions/.sctp-test6
+++ b/extensions/.sctp-test6
diff --git a/extensions/.set-test b/extensions/.set-test
index 700a73c0..700a73c0 100755..100644
--- a/extensions/.set-test
+++ b/extensions/.set-test
diff --git a/extensions/.statistic-test b/extensions/.statistic-test
index 843cb41e..843cb41e 100755..100644
--- a/extensions/.statistic-test
+++ b/extensions/.statistic-test
diff --git a/extensions/.string-test b/extensions/.string-test
index 609f1c2b..609f1c2b 100755..100644
--- a/extensions/.string-test
+++ b/extensions/.string-test
diff --git a/extensions/.time-test b/extensions/.time-test
deleted file mode 100755
index 7f0390e2..00000000
--- a/extensions/.time-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if time is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_time.h ] && echo time
diff --git a/extensions/.u32-test b/extensions/.u32-test
deleted file mode 100755
index 77d8a00c..00000000
--- a/extensions/.u32-test
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-# True if u32 is applied.
-[ -f $KERNEL_DIR/include/linux/netfilter_ipv4/ipt_u32.h ] && echo u32
diff --git a/extensions/Makefile b/extensions/Makefile.orig
index b1daa732..8baafee0 100644
--- a/extensions/Makefile
+++ b/extensions/Makefile.orig
@@ -5,8 +5,8 @@
# header files are present in the include/linux directory of this iptables
# package (HW)
#
-PF_EXT_SLIB:=ah addrtype comment connlimit connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm rpc sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TARPIT TCPMSS TOS TRACE TTL ULOG
-PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK TRACE
+PF_EXT_SLIB:=ah addrtype comment connmark conntrack dscp ecn esp hashlimit helper icmp iprange length limit mac mark multiport owner physdev pkttype policy realm sctp standard state tcp tcpmss tos ttl udp unclean CLASSIFY CONNMARK DNAT DSCP ECN LOG MARK MASQUERADE MIRROR NETMAP NFQUEUE NOTRACK REDIRECT REJECT SAME SNAT TCPMSS TOS TTL ULOG
+PF6_EXT_SLIB:=connmark eui64 hl icmp6 length limit mac mark multiport owner physdev policy standard state tcp udp CONNMARK HL LOG NFQUEUE MARK
ifeq ($(DO_SELINUX), 1)
PF_EXT_SE_SLIB:=SECMARK CONNSECMARK
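Review bot: The edited PF_EXT_SLIB and PF6_EXT_SLIB lists on L1016-L1017 now live in `extensions/Makefile.orig`, a name that says the file is no longer the build input, so dropping connlimit, rpc, TARPIT and TRACE here presumably changes nothing that is built and leaves a reader unable to tell which list is authoritative. If the file is kept only as a reference copy of upstream, it is clearer to leave it byte-identical and make the removals in whichever file the Android build actually reads; I cannot see that file in this chunk, so confirm. Otherwise a one-line comment at the top such as `# Reference copy only; the extension list used by the build is maintained elsewhere` would stop the two lists from silently diverging.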
diff --git a/extensions/create_initext b/extensions/create_initext
new file mode 100755
index 00000000..33cab752
--- /dev/null
+++ b/extensions/create_initext
@@ -0,0 +1,11 @@
+#!/bin/bash
+echo ""
+for i in $1; do
+ echo "extern void ${i}_init(void);";
+done;
+echo "void init_extensions(void) {"
+for i in $1; do
+ echo " ${i}_init();";
+done
+echo "}"
+
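Review bot: The `echo` lines at L1029 and L1033 splice each word of `$1` straight into C source, so any extension name that is not a valid C identifier yields uncompilable output with no diagnostic from the script; this same commit renames sources to `libip6t_2connmark.c`, `libip6t_2hl.c` and `libip6t_2mark.c`, whose stems begin with a digit, so if the list passed in is derived from file stems the generated `2connmark_init` will not compile — confirm how the caller builds the list. A cheap guard inside the first loop would be `case "$i" in *[!A-Za-z0-9_]*|[0-9]*) echo "create_initext: '$i' is not a C identifier" >&2; exit 1;; esac`. The script uses nothing bash-specific while the sibling scripts in this directory use `/bin/sh`, and the `;` after `done` on L1030 is stray (L1034 has none).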
diff --git a/extensions/initext.c b/extensions/initext.c
new file mode 100644
index 00000000..52304a78
--- /dev/null
+++ b/extensions/initext.c
@@ -0,0 +1 @@
+#include "gen_initext.c"
diff --git a/extensions/libip6t_connmark.c b/extensions/libip6t_2connmark.c
index 419da304..609c8e91 100644
--- a/extensions/libip6t_connmark.c
+++ b/extensions/libip6t_2connmark.c
@@ -26,7 +26,7 @@
#include <getopt.h>
#include <ip6tables.h>
-#include "../include/linux/netfilter_ipv4/ipt_connmark.h"
+#include "../include/linux/netfilter_ipv4/ipt_2connmark.h"
/* Function which prints out usage message. */
static void
diff --git a/extensions/libip6t_hl.c b/extensions/libip6t_2hl.c
index 208da33f..208da33f 100644
--- a/extensions/libip6t_hl.c
+++ b/extensions/libip6t_2hl.c
diff --git a/extensions/libip6t_mark.c b/extensions/libip6t_2mark.c
index b831cfe4..b831cfe4 100644
--- a/extensions/libip6t_mark.c
+++ b/extensions/libip6t_2mark.c
diff --git a/extensions/libip6t_ROUTE.c b/extensions/libip6t_ROUTE.c
deleted file mode 100644
index ad83a1d6..00000000
--- a/extensions/libip6t_ROUTE.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/* Shared library add-on to iptables to add ROUTE v6 target support.
- * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
- * v 1.1 2004/11/23
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_ROUTE.h>
-
-/* compile IP6T_ROUTE_TEE support even if kernel headers are unpatched */
-#ifndef IP6T_ROUTE_TEE
-#define IP6T_ROUTE_TEE 0x02
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ROUTE target v%s options:\n"
-" --oif \tifname \t\tRoute the packet through `ifname' network interface\n"
-" --gw \tip \t\tRoute the packet via this gateway\n"
-" --continue\t \t\tRoute packet and continue traversing the\n"
-" \t \t\trules. Not valid with --iif or --tee.\n"
-" --tee\t \t\tDuplicate packet, route the duplicate,\n"
-" \t \t\tcontinue traversing with original packet.\n"
-" \t \t\tNot valid with --iif or --continue.\n"
-"\n",
-"1.1");
-}
-
-static struct option opts[] = {
- { "oif", 1, 0, '1' },
- { "iif", 1, 0, '2' },
- { "gw", 1, 0, '3' },
- { "continue", 0, 0, '4' },
- { "tee", 0, 0, '5' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
- struct ip6t_route_target_info *route_info =
- (struct ip6t_route_target_info*)t->data;
-
- route_info->oif[0] = '\0';
- route_info->iif[0] = '\0';
- route_info->gw[0] = 0;
- route_info->gw[1] = 0;
- route_info->gw[2] = 0;
- route_info->gw[3] = 0;
- route_info->flags = 0;
-}
-
-
-#define IP6T_ROUTE_OPT_OIF 0x01
-#define IP6T_ROUTE_OPT_IIF 0x02
-#define IP6T_ROUTE_OPT_GW 0x04
-#define IP6T_ROUTE_OPT_CONTINUE 0x08
-#define IP6T_ROUTE_OPT_TEE 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- struct ip6t_route_target_info *route_info =
- (struct ip6t_route_target_info*)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags & IP6T_ROUTE_OPT_OIF)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --oif twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --oif");
-
- if (strlen(optarg) > sizeof(route_info->oif) - 1)
- exit_error(PARAMETER_PROBLEM,
- "Maximum interface name length %u",
- sizeof(route_info->oif) - 1);
-
- strcpy(route_info->oif, optarg);
- *flags |= IP6T_ROUTE_OPT_OIF;
- break;
-
- case '2':
- exit_error(PARAMETER_PROBLEM,
- "--iif option not implemented");
- break;
-
- case '3':
- if (*flags & IP6T_ROUTE_OPT_GW)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --gw twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --gw");
-
- if (!inet_pton(AF_INET6, optarg, (struct in6_addr*)&route_info->gw)) {
- exit_error(PARAMETER_PROBLEM,
- "Invalid IPv6 address %s",
- optarg);
- }
-
- *flags |= IP6T_ROUTE_OPT_GW;
- break;
-
- case '4':
- if (*flags & IP6T_ROUTE_OPT_CONTINUE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --continue twice");
- if (*flags & IP6T_ROUTE_OPT_TEE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --continue AND --tee");
-
- route_info->flags |= IP6T_ROUTE_CONTINUE;
- *flags |= IP6T_ROUTE_OPT_CONTINUE;
-
- break;
-
- case '5':
- if (*flags & IP6T_ROUTE_OPT_TEE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --tee twice");
- if (*flags & IP6T_ROUTE_OPT_CONTINUE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --tee AND --continue");
-
- route_info->flags |= IP6T_ROUTE_TEE;
- *flags |= IP6T_ROUTE_OPT_TEE;
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "ROUTE target: oif or gw option required");
-}
-
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target,
- int numeric)
-{
- const struct ip6t_route_target_info *route_info
- = (const struct ip6t_route_target_info *)target->data;
-
- printf("ROUTE ");
-
- if (route_info->oif[0])
- printf("oif:%s ", route_info->oif);
-
- if (route_info->gw[0]
- || route_info->gw[1]
- || route_info->gw[2]
- || route_info->gw[3]) {
- char address[INET6_ADDRSTRLEN];
- printf("gw:%s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
- }
-
- if (route_info->flags & IP6T_ROUTE_CONTINUE)
- printf("continue");
-
- if (route_info->flags & IP6T_ROUTE_TEE)
- printf("tee");
-
-}
-
-
-static void save(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_target *target)
-{
- const struct ip6t_route_target_info *route_info
- = (const struct ip6t_route_target_info *)target->data;
-
- if (route_info->oif[0])
- printf("--oif %s ", route_info->oif);
-
- if (route_info->gw[0]
- || route_info->gw[1]
- || route_info->gw[2]
- || route_info->gw[3]) {
- char address[INET6_ADDRSTRLEN];
- printf("--gw %s ", inet_ntop(AF_INET6, route_info->gw, address, INET6_ADDRSTRLEN));
- }
-
- if (route_info->flags & IP6T_ROUTE_CONTINUE)
- printf("--continue ");
-
- if (route_info->flags & IP6T_ROUTE_TEE)
- printf("--tee ");
-}
-
-
-static struct ip6tables_target route = {
- .name = "ROUTE",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_route_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_target6(&route);
-}
diff --git a/extensions/libip6t_ROUTE.man b/extensions/libip6t_ROUTE.man
deleted file mode 100644
index e3ad12b5..00000000
--- a/extensions/libip6t_ROUTE.man
+++ /dev/null
@@ -1,15 +0,0 @@
-This is used to explicitly override the core network stack's routing decision.
-.B mangle
-table.
-.TP
-.BI "--oif " "ifname"
-Route the packet through `ifname' network interface
-.TP
-.BI "--gw " "IPv6_address"
-Route the packet via this gateway
-.TP
-.BI "--continue "
-Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--tee'
-.TP
-.BI "--tee "
-Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--continue'
diff --git a/extensions/libip6t_TCPMSS.c b/extensions/libip6t_TCPMSS.c
new file mode 100644
index 00000000..7fcccd5c
--- /dev/null
+++ b/extensions/libip6t_TCPMSS.c
@@ -0,0 +1,134 @@
+/* Shared library add-on to iptables to add TCPMSS target support.
+ *
+ * Copyright (c) 2000 Marc Boucher
+*/
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+
+#include <ip6tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_ipv6/ip6t_TCPMSS.h>
+
+struct mssinfo {
+ struct ip6t_entry_target t;
+ struct ip6t_tcpmss_info mss;
+};
+
+/* Function which prints out usage message. */
+static void
+help(void)
+{
+ printf(
+"TCPMSS target v%s mutually-exclusive options:\n"
+" --set-mss value explicitly set MSS option to specified value\n"
+" --clamp-mss-to-pmtu automatically clamp MSS value to (path_MTU - 60)\n",
+IPTABLES_VERSION);
+}
+
+static struct option opts[] = {
+ { "set-mss", 1, 0, '1' },
+ { "clamp-mss-to-pmtu", 0, 0, '2' },
+ { 0 }
+};
+
+/* Initialize the target. */
+static void
+init(struct ip6t_entry_target *t, unsigned int *nfcache)
+{
+}
+
+/* Function which parses command options; returns true if it
+ ate an option */
+static int
+parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ip6t_entry *entry,
+ struct ip6t_entry_target **target)
+{
+ struct ip6t_tcpmss_info *mssinfo
+ = (struct ip6t_tcpmss_info *)(*target)->data;
+
+ switch (c) {
+ unsigned int mssval;
+
+ case '1':
+ if (*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "TCPMSS target: Only one option may be specified");
+ if (string_to_number(optarg, 0, 65535 - 60, &mssval) == -1)
+ exit_error(PARAMETER_PROBLEM, "Bad TCPMSS value `%s'", optarg);
+
+ mssinfo->mss = mssval;
+ *flags = 1;
+ break;
+
+ case '2':
+ if (*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "TCPMSS target: Only one option may be specified");
+ mssinfo->mss = IP6T_TCPMSS_CLAMP_PMTU;
+ *flags = 1;
+ break;
+
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void
+final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "TCPMSS target: At least one parameter is required");
+}
+
+/* Prints out the targinfo. */
+static void
+print(const struct ip6t_ip6 *ip6,
+ const struct ip6t_entry_target *target,
+ int numeric)
+{
+ const struct ip6t_tcpmss_info *mssinfo =
+ (const struct ip6t_tcpmss_info *)target->data;
+ if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
+ printf("TCPMSS clamp to PMTU ");
+ else
+ printf("TCPMSS set %u ", mssinfo->mss);
+}
+
+/* Saves the union ip6t_targinfo in parsable form to stdout. */
+static void
+save(const struct ip6t_ip6 *ip, const struct ip6t_entry_target *target)
+{
+ const struct ip6t_tcpmss_info *mssinfo =
+ (const struct ip6t_tcpmss_info *)target->data;
+
+ if(mssinfo->mss == IP6T_TCPMSS_CLAMP_PMTU)
+ printf("--clamp-mss-to-pmtu ");
+ else
+ printf("--set-mss %u ", mssinfo->mss);
+}
+
+static struct ip6tables_target mss = {
+ .next = NULL,
+ .name = "TCPMSS",
+ .version = IPTABLES_VERSION,
+ .size = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
+ .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_tcpmss_info)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+void _init(void)
+{
+ register_target6(&mss);
+}
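Review bot: `parse` (L1380-L1414) never looks at its `invert` parameter, so `! --set-mss 1400` or `! --clamp-mss-to-pmtu` is accepted and silently behaves as if the `!` were absent, whereas the other extensions in this tree reject inversion of target options (the fuzzy match does it with `if (invert) exit_error(PARAMETER_PROBLEM, ...)`). Add `if (invert) exit_error(PARAMETER_PROBLEM, "Can't specify ! --set-mss");` at the top of `case '1'` and the equivalent for `case '2'`. `struct mssinfo` (L1349-L1352) is defined but never referenced and can be dropped, and the `65535 - 60` bound on L1394 deserves a why-comment such as `/* 60 = IPv6 header (40) + TCP header (20) */` (presumably the reason; confirm) — the lower bound of 0 also lets a zero MSS through, so consider whether a minimum above zero is wanted. Minor: `print` names its first parameter `ip6` while `save` names it `ip`.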
diff --git a/extensions/libip6t_TCPMSS.man b/extensions/libip6t_TCPMSS.man
new file mode 100644
index 00000000..b4c357e8
--- /dev/null
+++ b/extensions/libip6t_TCPMSS.man
@@ -0,0 +1,42 @@
+This target allows to alter the MSS value of TCP SYN packets, to control
+the maximum size for that connection (usually limiting it to your
+outgoing interface's MTU minus 60). Of course, it can only be used
+in conjunction with
+.BR "-p tcp" .
+It is only valid in the
+.BR mangle
+table.
+.br
+This target is used to overcome criminally braindead ISPs or servers
+which block ICMPv6 Packet Too Big packets or are unable to send them.
+The symptoms of this problem are that everything works fine from your
+Linux firewall/router, but machines behind it can never exchange large
+packets:
+.PD 0
+.RS 0.1i
+.TP 0.3i
+1)
+Web browsers connect, then hang with no data received.
+.TP
+2)
+Small mail works fine, but large emails hang.
+.TP
+3)
+ssh works fine, but scp hangs after initial handshaking.
+.RE
+.PD
+Workaround: activate this option and add a rule to your firewall
+configuration like:
+.nf
+ ip6tables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\
+ -j TCPMSS --clamp-mss-to-pmtu
+.fi
+.TP
+.BI "--set-mss " "value"
+Explicitly set MSS option to specified value.
+.TP
+.B "--clamp-mss-to-pmtu"
+Automatically clamp MSS value to (path_MTU - 60).
+.TP
+These options are mutually exclusive.
+
diff --git a/extensions/libip6t_TRACE.c b/extensions/libip6t_TRACE.c
deleted file mode 100644
index 00d85910..00000000
--- a/extensions/libip6t_TRACE.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* Shared library add-on to iptables to add TRACE target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TRACE target v%s takes no options\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- struct ip6t_entry_target **target)
-{
- return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static
-struct ip6tables_target trace
-= { .next = NULL,
- .name = "TRACE",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(0),
- .userspacesize = IP6T_ALIGN(0),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL, /* print */
- .save = NULL, /* save */
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target6(&trace);
-}
diff --git a/extensions/libip6t_TRACE.man b/extensions/libip6t_TRACE.man
deleted file mode 100644
index 549ab33b..00000000
--- a/extensions/libip6t_TRACE.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This target has no options. It just turns on
-.B packet tracing
-for all packets that match this rule.
diff --git a/extensions/libip6t_eui64.man b/extensions/libip6t_eui64.man
index d01cb4f4..cd80b98d 100644
--- a/extensions/libip6t_eui64.man
+++ b/extensions/libip6t_eui64.man
@@ -1,5 +1,5 @@
This module matches the EUI-64 part of a stateless autoconfigured IPv6 address.
-It compares the EUI-64 derived from the source MAC address in Ehternet frame
+It compares the EUI-64 derived from the source MAC address in Ethernet frame
with the lower 64 bits of the IPv6 source address. But "Universal/Local"
bit is not compared. This module doesn't match other link layer frame, and
is only valid in the
diff --git a/extensions/libip6t_fuzzy.c b/extensions/libip6t_fuzzy.c
deleted file mode 100644
index 749ddc8f..00000000
--- a/extensions/libip6t_fuzzy.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for the fuzzy match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
-2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
-2003-04-08 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 Port
-2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
-the save function , thanks to information given by Jean-Francois Patenaude.
-
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_fuzzy.h>
-
-
-static void
-help(void)
-{
- printf(
-"fuzzy v%s options:\n"
-" --lower-limit number (in packets per second)\n"
-" --upper-limit number\n"
-,IPTABLES_VERSION);
-};
-
-static struct option opts[] = {
- { .name = "lower-limit", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "upper-limit", .has_arg = 1, .flag = 0, .val = '2' },
- { .name = 0 }
-};
-
-/* Initialize data structures */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_fuzzy_info *presentinfo = (struct ip6t_fuzzy_info *)(m)->data;
- /*
- * Default rates ( I'll improve this very soon with something based
- * on real statistics of the running machine ) .
- */
-
- presentinfo->minimum_rate = 1000;
- presentinfo->maximum_rate = 2000;
-}
-
-#define IP6T_FUZZY_OPT_MINIMUM 0x01
-#define IP6T_FUZZY_OPT_MAXIMUM 0x02
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_fuzzy_info *fuzzyinfo =
- (struct ip6t_fuzzy_info *)(*match)->data;
-
- u_int32_t num;
-
- switch (c) {
-
- case '1':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
-
- if (*flags & IP6T_FUZZY_OPT_MINIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
-
- fuzzyinfo->minimum_rate = num ;
-
- *flags |= IP6T_FUZZY_OPT_MINIMUM;
-
- break;
-
- case '2':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
-
- if (*flags & IP6T_FUZZY_OPT_MAXIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
-
- fuzzyinfo->maximum_rate = num;
-
- *flags |= IP6T_FUZZY_OPT_MAXIMUM;
-
- break ;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
-}
-
-static void
-print(const struct ip6t_ip6 *ipv6,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_fuzzy_info *fuzzyinfo
- = (const struct ip6t_fuzzy_info *)match->data;
-
- printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",
- fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ipv6, const struct ip6t_entry_match *match)
-{
- const struct ip6t_fuzzy_info *fuzzyinfo
- = (const struct ip6t_fuzzy_info *)match->data;
-
- printf("--lower-limit %u --upper-limit %u ",
- fuzzyinfo->minimum_rate, fuzzyinfo->maximum_rate);
-}
-
-struct ip6tables_match fuzzy_match = {
- .name = "fuzzy",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_fuzzy_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match6(&fuzzy_match);
-}
diff --git a/extensions/libip6t_fuzzy.man b/extensions/libip6t_fuzzy.man
deleted file mode 100644
index 397727aa..00000000
--- a/extensions/libip6t_fuzzy.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This module matches a rate limit based on a fuzzy logic controller [FLC]
-.TP
-.BI "--lower-limit " "number"
-Specifies the lower limit (in packets per second).
-.TP
-.BI "--upper-limit " "number"
-Specifies the upper limit (in packets per second).
diff --git a/extensions/libip6t_nth.c b/extensions/libip6t_nth.c
deleted file mode 100644
index 19b13f79..00000000
--- a/extensions/libip6t_nth.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for every Nth packet
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
- 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
- * added support for multiple counters
- * added support for matching on individual packets
- in the counter cycle
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_nth.h>
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"nth v%s options:\n"
-" --every Nth Match every Nth packet\n"
-" [--counter] num Use counter 0-%u (default:0)\n"
-" [--start] num Initialize the counter at the number 'num'\n"
-" instead of 0. Must be between 0 and Nth-1\n"
-" [--packet] num Match on 'num' packet. Must be between 0\n"
-" and Nth-1.\n\n"
-" If --packet is used for a counter than\n"
-" there must be Nth number of --packet\n"
-" rules, covering all values between 0 and\n"
-" Nth-1 inclusively.\n",
-IPTABLES_VERSION, IP6T_NTH_NUM_COUNTERS-1);
-}
-
-static struct option opts[] = {
- { "every", 1, 0, '1' },
- { "start", 1, 0, '2' },
- { "counter", 1, 0, '3' },
- { "packet", 1, 0, '4' },
- { 0 }
-};
-
-#define IP6T_NTH_OPT_EVERY 0x01
-#define IP6T_NTH_OPT_NOT_EVERY 0x02
-#define IP6T_NTH_OPT_START 0x04
-#define IP6T_NTH_OPT_COUNTER 0x08
-#define IP6T_NTH_OPT_PACKET 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_nth_info *nthinfo = (struct ip6t_nth_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if ((!invert) && (*flags & IP6T_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every twice");
- if (invert && (*flags & IP6T_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every twice");
- if ((!invert) && (*flags & IP6T_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every with ! --every");
- if (invert && (*flags & IP6T_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every with --every");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
- exit_error(PARAMETER_PROBLEM,
- "bad --every `%s', must be between 2 and 100", optarg);
-
- /* assign the values */
- nthinfo->every = num-1;
- nthinfo->startat = 0;
- nthinfo->packet = 0xFF;
- if(!(*flags & IP6T_NTH_OPT_EVERY))
- {
- nthinfo->counter = 0;
- }
- if (invert)
- {
- *flags |= IP6T_NTH_OPT_NOT_EVERY;
- nthinfo->not = 1;
- }
- else
- {
- *flags |= IP6T_NTH_OPT_EVERY;
- nthinfo->not = 0;
- }
- break;
- case '2':
- /* check for common mistakes... */
- if (!((*flags & IP6T_NTH_OPT_EVERY) ||
- (*flags & IP6T_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start before --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --start");
- if (*flags & IP6T_NTH_OPT_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IP6T_NTH_OPT_START;
- nthinfo->startat = num;
- break;
- case '3':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --counter");
- if (*flags & IP6T_NTH_OPT_COUNTER)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --counter twice");
- if (string_to_number(optarg, 0, IP6T_NTH_NUM_COUNTERS-1, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --counter `%s', must between 0 and %u", optarg, IP6T_NTH_NUM_COUNTERS-1);
- /* assign the values */
- *flags |= IP6T_NTH_OPT_COUNTER;
- nthinfo->counter = num;
- break;
- case '4':
- /* check for common mistakes... */
- if (!((*flags & IP6T_NTH_OPT_EVERY) ||
- (*flags & IP6T_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet before --every");
- if ((*flags & IP6T_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet with ! --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --packet");
- if (*flags & IP6T_NTH_OPT_PACKET)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IP6T_NTH_OPT_PACKET;
- nthinfo->packet = num;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_nth_info *nthinfo
- = (const struct ip6t_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf(" !");
- printf("every %uth ", (nthinfo->every +1));
- if (nthinfo->counter != 0)
- printf("counter #%u ", (nthinfo->counter));
- if (nthinfo->packet != 0xFF)
- printf("packet #%u ", nthinfo->packet);
- if (nthinfo->startat != 0)
- printf("start at %u ", nthinfo->startat);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_nth_info *nthinfo
- = (const struct ip6t_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf("! ");
- printf("--every %u ", (nthinfo->every +1));
- printf("--counter %u ", (nthinfo->counter));
- if (nthinfo->startat != 0)
- printf("--start %u ", nthinfo->startat );
- if (nthinfo->packet != 0xFF)
- printf("--packet %u ", nthinfo->packet );
-}
-
-struct ip6tables_match nth = {
- .name = "nth",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&nth);
-}
diff --git a/extensions/libip6t_nth.man b/extensions/libip6t_nth.man
deleted file mode 100644
index d215fd55..00000000
--- a/extensions/libip6t_nth.man
+++ /dev/null
@@ -1,14 +0,0 @@
-This module matches every `n'th packet
-.TP
-.BI "--every " "value"
-Match every `value' packet
-.TP
-.BI "[" "--counter " "num" "]"
-Use internal counter number `num'. Default is `0'.
-.TP
-.BI "[" "--start " "num" "]"
-Initialize the counter at the number `num' insetad of `0'. Most between `0'
-and `value'-1.
-.TP
-.BI "[" "--packet " "num" "]"
-Match on `num' packet. Most be between `0' and `value'-1.
diff --git a/extensions/libip6t_random.c b/extensions/libip6t_random.c
deleted file mode 100644
index d34a2308..00000000
--- a/extensions/libip6t_random.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for random match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
- 2003-04-30 Maciej Soltysiak <solt@dns.toxicfilms.tv> : IPv6 port.
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <ip6tables.h>
-#include <linux/netfilter_ipv6/ip6_tables.h>
-#include <linux/netfilter_ipv6/ip6t_random.h>
-
-/**
- * The kernel random routing returns numbers between 0 and 255.
- * To ease the task of the user in choosing the probability
- * of matching, we want him to be able to use percentages.
- * Therefore we have to accept numbers in percentage here,
- * turn them into number between 0 and 255 for the kernel module,
- * and turn them back to percentages when we print/save
- * the rule.
- */
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"random v%s options:\n"
-" [--average] percent The probability in percentage of the match\n"
-" If ommited, a probability of 50%% percent is set.\n"
-" Percentage must be within : 1 <= percent <= 99.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "average", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
- struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(m)->data;
-
- /* We assign the average to be 50 which is our default value */
- /* 50 * 2.55 = 128 */
- randinfo->average = 128;
-}
-
-#define IP6T_RAND_OPT_AVERAGE 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ip6t_entry *entry,
- unsigned int *nfcache,
- struct ip6t_entry_match **match)
-{
- struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --average");
- if (*flags & IP6T_RAND_OPT_AVERAGE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --average twice");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,
- "bad --average `%s', must be between 1 and 99", optarg);
-
- /* assign the values */
- randinfo->average = (int)(num * 2.55);
- *flags |= IP6T_RAND_OPT_AVERAGE;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ip6t_ip6 *ip,
- const struct ip6t_entry_match *match,
- int numeric)
-{
- const struct ip6t_rand_info *randinfo
- = (const struct ip6t_rand_info *)match->data;
- div_t result = div((randinfo->average*100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf(" random %u%% ", result.quot);
-}
-
-/* Saves the union ip6t_targinfo in parsable form to stdout. */
-static void
-save(const struct ip6t_ip6 *ip, const struct ip6t_entry_match *match)
-{
- const struct ip6t_rand_info *randinfo
- = (const struct ip6t_rand_info *)match->data;
- div_t result = div((randinfo->average *100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf("--average %u ", result.quot);
-}
-
-struct ip6tables_match rand_match = {
- .name = "random",
- .version = IPTABLES_VERSION,
- .size = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
- .userspacesize = IP6T_ALIGN(sizeof(struct ip6t_rand_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts,
-};
-
-void _init(void)
-{
- register_match6(&rand_match);
-}
diff --git a/extensions/libip6t_random.man b/extensions/libip6t_random.man
deleted file mode 100644
index f808a779..00000000
--- a/extensions/libip6t_random.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module randomly matches a certain percentage of all packets.
-.TP
-.BI "--average " "percent"
-Matches the given percentage. If omitted, a probability of 50% is set.
diff --git a/extensions/libipt_connmark.c b/extensions/libipt_2connmark.c
index bc15f0d1..18c75867 100644
--- a/extensions/libipt_connmark.c
+++ b/extensions/libipt_2connmark.c
@@ -26,7 +26,7 @@
#include <getopt.h>
#include <iptables.h>
-#include "../include/linux/netfilter_ipv4/ipt_connmark.h"
+#include "../include/linux/netfilter_ipv4/ipt_2connmark.h"
/* Function which prints out usage message. */
static void
@@ -145,7 +145,7 @@ static struct iptables_match connmark_match = {
.extra_opts = opts
};
-void _init(void)
+void ipt_2connmark_init(void)
{
register_match(&connmark_match);
}
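Review bot: The renamed `ipt_2connmark_init` has external linkage but no prototype is visible, so whatever translation unit now calls it in place of the loader-invoked `_init` must forward-declare it, and every one of these definitions will warn under `-Wmissing-prototypes`. A single shared header collecting the per-extension constructors, e.g. `void ipt_2connmark_init(void);`, would keep the declaration and the definition in one place and let the compiler check the signature at the call site. The same applies to the `ipt_2dscp_init`, `ipt_2ecn_init`, `ipt_2mark_init`, `ipt_2set_init`, `ipt_2tcpmss_init`, `ipt_2tos_init`, `ipt_2ttl_init`, `ipt_CLASSIFY_init`, `ipt_CLUSTERIP_init`, `ipt_CONNMARK_init`, `ipt_CONNSECMARK_init`, `ipt_DNAT_init`, `ipt_DSCP_init` and `ipt_ECN_init` hunks below. The caller is presumably elsewhere in this commit; if it already declares these, a one-line comment above each definition pointing at that header would still help the next reader.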
diff --git a/extensions/libipt_dscp.c b/extensions/libipt_2dscp.c
index bb19bede..1cf8c2ee 100644
--- a/extensions/libipt_dscp.c
+++ b/extensions/libipt_2dscp.c
@@ -19,7 +19,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter_ipv4/ipt_2dscp.h>
/* This is evil, but it's my code - HW*/
#include "libipt_dscp_helper.c"
@@ -166,7 +166,7 @@ static struct iptables_match dscp = {
.extra_opts = opts
};
-void _init(void)
+void ipt_2dscp_init(void)
{
register_match(&dscp);
}
diff --git a/extensions/libipt_ecn.c b/extensions/libipt_2ecn.c
index 97e839da..2d5a38ed 100644
--- a/extensions/libipt_ecn.c
+++ b/extensions/libipt_2ecn.c
@@ -14,7 +14,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ecn.h>
+#include <linux/netfilter_ipv4/ipt_2ecn.h>
static void help(void)
{
@@ -165,7 +165,7 @@ struct iptables_match ecn
.extra_opts = opts
};
-void _init(void)
+void ipt_2ecn_init(void)
{
register_match(&ecn);
}
diff --git a/extensions/libipt_mark.c b/extensions/libipt_2mark.c
index 1922768e..5dbd2c8f 100644
--- a/extensions/libipt_mark.c
+++ b/extensions/libipt_2mark.c
@@ -7,7 +7,7 @@
#include <iptables.h>
/* For 64bit kernel / 32bit userspace */
-#include "../include/linux/netfilter_ipv4/ipt_mark.h"
+#include "../include/linux/netfilter_ipv4/ipt_2mark.h"
/* Function which prints out usage message. */
static void
@@ -137,7 +137,7 @@ static struct iptables_match mark = {
.extra_opts = opts
};
-void _init(void)
+void ipt_2mark_init(void)
{
register_match(&mark);
}
diff --git a/extensions/libipt_set.c b/extensions/libipt_2set.c
index eb127dd5..697ed55b 100644
--- a/extensions/libipt_set.c
+++ b/extensions/libipt_2set.c
@@ -20,7 +20,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ipt_set.h>
-#include "libipt_set.h"
+#include "libipt_2set.h"
/* Function which prints out usage message. */
static void help(void)
@@ -161,7 +161,7 @@ struct iptables_match set = {
.extra_opts = opts
};
-void _init(void)
+void ipt_2set_init(void)
{
register_match(&set);
}
diff --git a/extensions/libipt_tcpmss.c b/extensions/libipt_2tcpmss.c
index 9a399bbd..28eea830 100644
--- a/extensions/libipt_tcpmss.c
+++ b/extensions/libipt_2tcpmss.c
@@ -6,7 +6,7 @@
#include <getopt.h>
#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_tcpmss.h>
+#include <linux/netfilter_ipv4/ipt_2tcpmss.h>
/* Function which prints out usage message. */
static void
@@ -146,7 +146,7 @@ static struct iptables_match tcpmss = {
.extra_opts = opts
};
-void _init(void)
+void ipt_2tcpmss_init(void)
{
register_match(&tcpmss);
}
diff --git a/extensions/libipt_tos.c b/extensions/libipt_2tos.c
index f8b5cb49..49dbac55 100644
--- a/extensions/libipt_tos.c
+++ b/extensions/libipt_2tos.c
@@ -6,7 +6,7 @@
#include <getopt.h>
#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_tos.h>
+#include <linux/netfilter_ipv4/ipt_tos_.h>
/* TOS names and values. */
static
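Review bot: The new include path `ipt_tos_.h` does not follow the `ipt_2<name>.h` pattern the other renamed match headers in this commit use (`ipt_2connmark.h`, `ipt_2dscp.h`, `ipt_2ecn.h`, `ipt_2mark.h`, `ipt_2tcpmss.h`, `ipt_2ttl.h`), while the file itself is renamed to `libipt_2tos.c` and its constructor to `ipt_2tos_init`. Unless the header really was renamed to that trailing-underscore form elsewhere in the commit, the consistent line would be `#include <linux/netfilter_ipv4/ipt_2tos.h>`. If the odd name is intentional, a short comment on the include explaining why would stop it being "fixed" later.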
@@ -166,7 +166,7 @@ static struct iptables_match tos = {
.extra_opts = opts
};
-void _init(void)
+void ipt_2tos_init(void)
{
register_match(&tos);
}
diff --git a/extensions/libipt_ttl.c b/extensions/libipt_2ttl.c
index 89ea0848..5e167132 100644
--- a/extensions/libipt_ttl.c
+++ b/extensions/libipt_2ttl.c
@@ -12,7 +12,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ttl.h>
+#include <linux/netfilter_ipv4/ipt_2ttl.h>
static void help(void)
{
@@ -166,7 +166,7 @@ static struct iptables_match ttl = {
};
-void _init(void)
+void ipt_2ttl_init(void)
{
register_match(&ttl);
}
diff --git a/extensions/libipt_BALANCE.c b/extensions/libipt_BALANCE.c
deleted file mode 100644
index 6d6392f8..00000000
--- a/extensions/libipt_BALANCE.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/* Shared library add-on to iptables to add simple load-balance support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat_rule.h>
-
-#define BREAKUP_IP(x) (x)>>24, ((x)>>16) & 0xFF, ((x)>>8) & 0xFF, (x) & 0xFF
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"BALANCE v%s options:\n"
-" --to-destination <ipaddr>-<ipaddr>\n"
-" Addresses to map destination to.\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "to-destination", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ip_nat_multi_range *mr = (struct ip_nat_multi_range *)t->data;
-
- /* Actually, it's 0, but it's ignored at the moment. */
- mr->rangesize = 1;
-
-}
-
-/* Parses range of IPs */
-static void
-parse_to(char *arg, struct ip_nat_range *range)
-{
- char *dash;
- struct in_addr *ip;
-
- range->flags |= IP_NAT_RANGE_MAP_IPS;
- dash = strchr(arg, '-');
- if (dash)
- *dash = '\0';
- else
- exit_error(PARAMETER_PROBLEM, "Bad IP range `%s'\n", arg);
-
- ip = dotted_to_addr(arg);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- arg);
- range->min_ip = ip->s_addr;
- ip = dotted_to_addr(dash+1);
- if (!ip)
- exit_error(PARAMETER_PROBLEM, "Bad IP address `%s'\n",
- dash+1);
- range->max_ip = ip->s_addr;
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)(*target)->data;
-
- switch (c) {
- case '1':
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --to-destination");
-
- parse_to(optarg, &mr->range[0]);
- *flags = 1;
- return 1;
-
- default:
- return 0;
- }
-}
-
-/* Final check; need --to-dest. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "BALANCE needs --to-destination");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
-
- printf("balance %s", addr_to_dotted(&a));
- a.s_addr = r->max_ip;
- printf("-%s ", addr_to_dotted(&a));
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- struct ip_nat_multi_range *mr
- = (struct ip_nat_multi_range *)target->data;
- struct ip_nat_range *r = &mr->range[0];
- struct in_addr a;
-
- a.s_addr = r->min_ip;
- printf("--to-destination %s", addr_to_dotted(&a));
- a.s_addr = r->max_ip;
- printf("-%s ", addr_to_dotted(&a));
-}
-
-static struct iptables_target balance = {
- .next = NULL,
- .name = "BALANCE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .userspacesize = IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&balance);
-}
diff --git a/extensions/libipt_BALANCE.man b/extensions/libipt_BALANCE.man
deleted file mode 100644
index 0eb09d07..00000000
--- a/extensions/libipt_BALANCE.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This allows you to DNAT connections in a round-robin way over a given range of destination addresses.
-.TP
-.BI "--to-destination " "ipaddr-ipaddr"
-Address range to round-robin over.
diff --git a/extensions/libipt_CLASSIFY.c b/extensions/libipt_CLASSIFY.c
index 07c9b25e..8fad60ba 100644
--- a/extensions/libipt_CLASSIFY.c
+++ b/extensions/libipt_CLASSIFY.c
@@ -123,7 +123,7 @@ static struct iptables_target classify = {
.extra_opts = opts
};
-void _init(void)
+void ipt_CLASSIFY_init(void)
{
register_target(&classify);
}
diff --git a/extensions/libipt_CLUSTERIP.c b/extensions/libipt_CLUSTERIP.c
index 3268ac53..1ab77cc2 100644
--- a/extensions/libipt_CLUSTERIP.c
+++ b/extensions/libipt_CLUSTERIP.c
@@ -262,7 +262,7 @@ static struct iptables_target clusterip = {
.extra_opts = opts
};
-void _init(void)
+void ipt_CLUSTERIP_init(void)
{
register_target(&clusterip);
}
diff --git a/extensions/libipt_CONNMARK.c b/extensions/libipt_CONNMARK.c
index 2e17b3fa..30dc4b05 100644
--- a/extensions/libipt_CONNMARK.c
+++ b/extensions/libipt_CONNMARK.c
@@ -214,7 +214,7 @@ static struct iptables_target connmark_target = {
.extra_opts = opts
};
-void _init(void)
+void ipt_CONNMARK_init(void)
{
register_target(&connmark_target);
}
diff --git a/extensions/libipt_CONNSECMARK.c b/extensions/libipt_CONNSECMARK.c
index 237a41f3..bcd89ea8 100644
--- a/extensions/libipt_CONNSECMARK.c
+++ b/extensions/libipt_CONNSECMARK.c
@@ -120,7 +120,7 @@ static struct iptables_target connsecmark = {
.extra_opts = opts
};
-void _init(void)
+void ipt_CONNSECMARK_init(void)
{
register_target(&connsecmark);
}
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index bdc15eb8..fdc2115d 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -7,6 +7,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <netinet/in.h>
/* Dest NAT data consists of a multi-range, indicating where to map
to. */
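Review bot: The added `#include <netinet/in.h>` sits after the kernel headers `<linux/netfilter_ipv4/ip_tables.h>` and `<linux/netfilter_ipv4/ip_nat_rule.h>` rather than with the other system headers at the top of the file. Libc's `netinet/in.h` and the kernel's `linux/in.h` (pulled in by those headers) have historically defined overlapping types and constants, so it is worth confirming this translation unit compiles cleanly on the intended toolchain and, at minimum, moving the include up next to `<iptables.h>` so the grouping matches the rest of the file. A one-line comment naming what the header is needed for here (the nearby struct in_addr handling, presumably) would also make the addition self-explanatory. The surrounding include block starts before this hunk.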
@@ -243,7 +244,7 @@ static struct iptables_target dnat = {
.extra_opts = opts
};
-void _init(void)
+void ipt_DNAT_init(void)
{
register_target(&dnat);
}
diff --git a/extensions/libipt_DSCP.c b/extensions/libipt_DSCP.c
index c50d902b..ca068353 100644
--- a/extensions/libipt_DSCP.c
+++ b/extensions/libipt_DSCP.c
@@ -158,7 +158,7 @@ static struct iptables_target dscp = {
.extra_opts = opts
};
-void _init(void)
+void ipt_DSCP_init(void)
{
register_target(&dscp);
}
diff --git a/extensions/libipt_ECN.c b/extensions/libipt_ECN.c
index 7e8d0c4e..2dfa8913 100644
--- a/extensions/libipt_ECN.c
+++ b/extensions/libipt_ECN.c
@@ -179,7 +179,7 @@ struct iptables_target ecn = {
.extra_opts = opts
};
-void _init(void)
+void ipt_ECN_init(void)
{
register_target(&ecn);
}
diff --git a/extensions/libipt_FTOS.c b/extensions/libipt_FTOS.c
deleted file mode 100644
index 62df4cde..00000000
--- a/extensions/libipt_FTOS.c
+++ /dev/null
@@ -1,133 +0,0 @@
-/* Shared library add-on to iptables for FTOS
- *
- * (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
- *
- * This program is distributed under the terms of GNU GPL v2, 1991
- *
- * libipt_FTOS.c borrowed heavily from libipt_TOS.c 11/09/2000
- *
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_FTOS.h>
-
-struct finfo {
- struct ipt_entry_target t;
- u_int8_t ftos;
-};
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
-"FTOS target options\n"
-" --set-ftos value Set TOS field in packet header to value\n"
-" This value can be in decimal (ex: 32)\n"
-" or in hex (ex: 0x20)\n"
-);
-}
-
-static struct option opts[] = {
- { "set-ftos", 1, 0, 'F' },
- { 0 }
-};
-
-static void
-parse_ftos(const unsigned char *s, struct ipt_FTOS_info *finfo)
-{
- unsigned int ftos;
-
- if (string_to_number(s, 0, 255, &ftos) == -1)
- exit_error(PARAMETER_PROBLEM,
- "Invalid ftos `%s'\n", s);
- finfo->ftos = (u_int8_t )ftos;
- return;
-}
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_FTOS_info *finfo
- = (struct ipt_FTOS_info *)(*target)->data;
-
- switch (c) {
- case 'F':
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "FTOS target: Only use --set-ftos ONCE!");
- parse_ftos(optarg, finfo);
- *flags = 1;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "FTOS target: Parameter --set-ftos is required");
-}
-
-static void
-print_ftos(u_int8_t ftos, int numeric)
-{
- printf("0x%02x ", ftos);
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_FTOS_info *finfo =
- (const struct ipt_FTOS_info *)target->data;
- printf("TOS set ");
- print_ftos(finfo->ftos, numeric);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_FTOS_info *finfo =
- (const struct ipt_FTOS_info *)target->data;
-
- printf("--set-ftos 0x%02x ", finfo->ftos);
-}
-
-static struct iptables_target ftos = {
- .next = NULL,
- .name = "FTOS",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_FTOS_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&ftos);
-}
diff --git a/extensions/libipt_IPMARK.c b/extensions/libipt_IPMARK.c
deleted file mode 100644
index 3e0942de..00000000
--- a/extensions/libipt_IPMARK.c
+++ /dev/null
@@ -1,168 +0,0 @@
-/* Shared library add-on to iptables to add IPMARK target support.
- * (C) 2003 by Grzegorz Janoszka <Grzegorz.Janoszka@pro.onet.pl>
- *
- * based on original MARK target
- *
- * This program is distributed under the terms of GNU GPL
- */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_IPMARK.h>
-
-#define IPT_ADDR_USED 1
-#define IPT_AND_MASK_USED 2
-#define IPT_OR_MASK_USED 4
-
-struct ipmarkinfo {
- struct ipt_entry_target t;
- struct ipt_ipmark_target_info ipmark;
-};
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"IPMARK target v%s options:\n"
-" --addr src/dst use source or destination ip address\n"
-" --and-mask value logical AND ip address with this value becomes MARK\n"
-" --or-mask value logical OR ip address with this value becomes MARK\n"
-"\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "addr", 1, 0, '1' },
- { "and-mask", 1, 0, '2' },
- { "or-mask", 1, 0, '3' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_ipmark_target_info *ipmarkinfo =
- (struct ipt_ipmark_target_info *)t->data;
-
- ipmarkinfo->andmask=0xffffffff;
- ipmarkinfo->ormask=0;
-
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_ipmark_target_info *ipmarkinfo
- = (struct ipt_ipmark_target_info *)(*target)->data;
-
- switch (c) {
- char *end;
- case '1':
- if(!strcmp(optarg, "src")) ipmarkinfo->addr=IPT_IPMARK_SRC;
- else if(!strcmp(optarg, "dst")) ipmarkinfo->addr=IPT_IPMARK_DST;
- else exit_error(PARAMETER_PROBLEM, "Bad addr value `%s' - should be `src' or `dst'", optarg);
- if (*flags & IPT_ADDR_USED)
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Can't specify --addr twice");
- *flags |= IPT_ADDR_USED;
- break;
-
- case '2':
- ipmarkinfo->andmask = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad and-mask value `%s'", optarg);
- if (*flags & IPT_AND_MASK_USED)
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Can't specify --and-mask twice");
- *flags |= IPT_AND_MASK_USED;
- break;
- case '3':
- ipmarkinfo->ormask = strtoul(optarg, &end, 0);
- if (*end != '\0' || end == optarg)
- exit_error(PARAMETER_PROBLEM, "Bad or-mask value `%s'", optarg);
- if (*flags & IPT_OR_MASK_USED)
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Can't specify --or-mask twice");
- *flags |= IPT_OR_MASK_USED;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (!(flags & IPT_ADDR_USED))
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Parameter --addr is required");
- if (!(flags & (IPT_AND_MASK_USED | IPT_OR_MASK_USED)))
- exit_error(PARAMETER_PROBLEM,
- "IPMARK target: Parameter --and-mask or --or-mask is required");
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_ipmark_target_info *ipmarkinfo =
- (const struct ipt_ipmark_target_info *)target->data;
-
- if(ipmarkinfo->addr == IPT_IPMARK_SRC)
- printf("IPMARK src");
- else
- printf("IPMARK dst");
- printf(" ip and 0x%lx or 0x%lx", ipmarkinfo->andmask, ipmarkinfo->ormask);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- const struct ipt_ipmark_target_info *ipmarkinfo =
- (const struct ipt_ipmark_target_info *)target->data;
-
- if(ipmarkinfo->addr == IPT_IPMARK_SRC)
- printf("--addr=src ");
- else
- printf("--addr=dst ");
- if(ipmarkinfo->andmask != 0xffffffff)
- printf("--and-mask 0x%lx ", ipmarkinfo->andmask);
- if(ipmarkinfo->ormask != 0)
- printf("--or-mask 0x%lx ", ipmarkinfo->ormask);
-}
-
-static struct iptables_target ipmark = {
- .next = NULL,
- .name = "IPMARK",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipmark_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&ipmark);
-}
diff --git a/extensions/libipt_IPMARK.man b/extensions/libipt_IPMARK.man
deleted file mode 100644
index e4659b01..00000000
--- a/extensions/libipt_IPMARK.man
+++ /dev/null
@@ -1,45 +0,0 @@
-Allows you to mark a received packet basing on its IP address. This
-can replace many mangle/mark entries with only one, if you use
-firewall based classifier.
-
-This target is to be used inside the mangle table, in the PREROUTING,
-POSTROUTING or FORWARD hooks.
-.TP
-.BI "--addr " "src/dst"
-Use source or destination IP address.
-.TP
-.BI "--and-mask " "mask"
-Perform bitwise `and' on the IP address and this mask.
-.TP
-.BI "--or-mask " "mask"
-Perform bitwise `or' on the IP address and this mask.
-.P
-The order of IP address bytes is reversed to meet "human order of bytes":
-192.168.0.1 is 0xc0a80001. At first the `and' operation is performed, then
-`or'.
-
-Examples:
-
-We create a queue for each user, the queue number is adequate
-to the IP address of the user, e.g.: all packets going to/from 192.168.5.2
-are directed to 1:0502 queue, 192.168.5.12 -> 1:050c etc.
-
-We have one classifier rule:
-.IP
-tc filter add dev eth3 parent 1:0 protocol ip fw
-.P
-Earlier we had many rules just like below:
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.2 -j MARK
---set-mark 0x10502
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -d 192.168.5.3 -j MARK
---set-mark 0x10503
-.P
-Using IPMARK target we can replace all the mangle/mark rules with only one:
-.IP
-iptables -t mangle -A POSTROUTING -o eth3 -j IPMARK --addr=dst
---and-mask=0xffff --or-mask=0x10000
-.P
-On the routers with hundreds of users there should be significant load
-decrease (e.g. twice).
diff --git a/extensions/libipt_IPV4OPTSSTRIP.c b/extensions/libipt_IPV4OPTSSTRIP.c
deleted file mode 100644
index d0305e63..00000000
--- a/extensions/libipt_IPV4OPTSSTRIP.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/* Shared library add-on to iptables for IPV4OPTSSTRIP
- * This modules strip all the IP options.
- *
- * (C) 2001 by Fabrice MARIE <fabrice@netfilter.org>
- * This program is distributed under the terms of GNU GPL v2, 1991
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-static void help(void)
-{
- printf("IPV4OPTSSTRIP v%s target takes no option !! Make sure you use it in the mangle table.\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- /* nothing to print, we don't take option... */
-}
-
-/* Saves the stuff in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
- /* nothing to print, we don't take option... */
-}
-
-static struct iptables_target IPV4OPTSSTRIP = {
- .next = NULL,
- .name = "IPV4OPTSSTRIP",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&IPV4OPTSSTRIP);
-}
diff --git a/extensions/libipt_IPV4OPTSSTRIP.man b/extensions/libipt_IPV4OPTSSTRIP.man
deleted file mode 100644
index a17d8a25..00000000
--- a/extensions/libipt_IPV4OPTSSTRIP.man
+++ /dev/null
@@ -1,5 +0,0 @@
-Strip all the IP options from a packet.
-
-The target doesn't take any option, and therefore is extremly easy to use :
-
-# iptables -t mangle -A PREROUTING -j IPV4OPTSSTRIP
diff --git a/extensions/libipt_LOG.c b/extensions/libipt_LOG.c
index 96cc7010..7d3fd822 100644
--- a/extensions/libipt_LOG.c
+++ b/extensions/libipt_LOG.c
@@ -284,7 +284,7 @@ struct iptables_target log
.extra_opts = opts
};
-void _init(void)
+void ipt_LOG_init(void)
{
register_target(&log);
}
diff --git a/extensions/libipt_MARK.c b/extensions/libipt_MARK.c
index 457f6ad3..ca2fe58f 100644
--- a/extensions/libipt_MARK.c
+++ b/extensions/libipt_MARK.c
@@ -236,7 +236,7 @@ struct iptables_target mark_v1 = {
.extra_opts = opts
};
-void _init(void)
+void ipt_MARK_init(void)
{
register_target(&mark_v0);
register_target(&mark_v1);
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index 7eddcc09..f809e786 100644
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -7,6 +7,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <netinet/in.h>
/* Function which prints out usage message. */
static void
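Review bot: The new `#include <netinet/in.h>` is placed after `linux/netfilter_ipv4/ip_nat_rule.h`, so the libc definitions of `struct in_addr` and the `INADDR_*` constants arrive after whatever the `linux/` headers above it may already have pulled in from `<linux/in.h>`; on toolchains where those two headers do not cooperate, that ordering yields redefinition errors instead of the missing-declaration this include is presumably there to fix. Moving the line up beside `#include <iptables.h>`, ahead of the `linux/netfilter_ipv4/` headers, is the conventional placement and stops the build depending on which libc happens to be in use. The same include is added in the same position in the NETMAP, REDIRECT and SNAT hunks of this commit, so whichever ordering is chosen should be applied to all four. Whether the target libc tolerates the current order cannot be told from the diff alone, so this is worth a compile check against a glibc host as well as the Android toolchain.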
@@ -159,7 +160,7 @@ static struct iptables_target masq = { NULL,
.extra_opts = opts
};
-void _init(void)
+void ipt_MASQUERADE_init(void)
{
register_target(&masq);
}
diff --git a/extensions/libipt_MIRROR.c b/extensions/libipt_MIRROR.c
index 7e617030..6988c908 100644
--- a/extensions/libipt_MIRROR.c
+++ b/extensions/libipt_MIRROR.c
@@ -56,7 +56,7 @@ static struct iptables_target mirror = {
.extra_opts = opts
};
-void _init(void)
+void ipt_MIRROR_init(void)
{
register_target(&mirror);
}
diff --git a/extensions/libipt_NETLINK.c b/extensions/libipt_NETLINK.c
deleted file mode 100644
index 403c4139..00000000
--- a/extensions/libipt_NETLINK.c
+++ /dev/null
@@ -1,157 +0,0 @@
-/* Provides a NETLINK target, identical to that of the ipchains -o flag */
-/* AUTHOR: Gianni Tedesco <gianni@ecsc.co.uk> */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_NETLINK.h>
-
-static void help(void)
-{
- printf("NETLINK v%s options:\n"
- " --nldrop Drop the packet too\n"
- " --nlmark <number> Mark the packet\n"
- " --nlsize <bytes> Limit packet size\n",
- IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {"nldrop", 0, 0, 'd'},
- {"nlmark", 1, 0, 'm'},
- {"nlsize", 1, 0, 's'},
- {0}
-};
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_nldata *nld = (struct ipt_nldata *) t->data;
-
- nld->flags=0;
-
-}
-
-/* Parse command options */
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_nldata *nld=(struct ipt_nldata *)(*target)->data;
-
- switch (c) {
- case 'd':
- if (MASK(*flags, USE_DROP))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nldrop twice");
-
- if ( check_inverse(optarg, &invert, NULL, 0) ) {
- MASK_UNSET(nld->flags, USE_DROP);
- } else {
- MASK_SET(nld->flags, USE_DROP);
- }
-
- MASK_SET(*flags, USE_DROP);
-
- break;
- case 'm':
- if (MASK(*flags, USE_MARK))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nlmark twice");
-
- if (check_inverse(optarg, &invert, NULL, 0)) {
- MASK_UNSET(nld->flags, USE_MARK);
- }else{
- MASK_SET(nld->flags, USE_MARK);
- nld->mark=atoi(optarg);
- }
-
- MASK_SET(*flags, USE_MARK);
- break;
- case 's':
- if (MASK(*flags, USE_SIZE))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --nlsize twice");
-
- if ( atoi(optarg) <= 0 )
- exit_error(PARAMETER_PROBLEM,
- "--nlsize must be larger than zero");
-
-
- if (check_inverse(optarg, &invert, NULL, 0)) {
- MASK_UNSET(nld->flags, USE_SIZE);
- }else{
- MASK_SET(nld->flags, USE_SIZE);
- nld->size=atoi(optarg);
- }
- MASK_SET(*flags, USE_SIZE);
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- /* ?? */
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_target *target)
-{
- const struct ipt_nldata *nld
- = (const struct ipt_nldata *) target->data;
-
- if ( MASK(nld->flags, USE_DROP) )
- printf("--nldrop ");
-
- if ( MASK(nld->flags, USE_MARK) )
- printf("--nlmark %i ", nld->mark);
-
- if ( MASK(nld->flags, USE_SIZE) )
- printf("--nlsize %i ", nld->size);
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_nldata *nld
- = (const struct ipt_nldata *) target->data;
-
- if ( MASK(nld->flags, USE_DROP) )
- printf("nldrop ");
-
- if ( MASK(nld->flags, USE_MARK) )
- printf("nlmark %i ", nld->mark);
-
- if ( MASK(nld->flags, USE_SIZE) )
- printf("nlsize %i ", nld->size);
-}
-
-static struct iptables_target netlink = {
- .next = NULL,
- .name = "NETLINK",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_nldata)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_nldata)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&netlink);
-}
-
diff --git a/extensions/libipt_NETMAP.c b/extensions/libipt_NETMAP.c
index 8cecb4d3..8e9eaca5 100644
--- a/extensions/libipt_NETMAP.c
+++ b/extensions/libipt_NETMAP.c
@@ -10,6 +10,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <netinet/in.h>
#define MODULENAME "NETMAP"
@@ -192,7 +193,7 @@ static struct iptables_target target_module = {
.extra_opts = opts
};
-void _init(void)
+void ipt_NETMAP_init(void)
{
register_target(&target_module);
}
diff --git a/extensions/libipt_NFLOG.c b/extensions/libipt_NFLOG.c
index 4a2c1970..d054383d 100644
--- a/extensions/libipt_NFLOG.c
+++ b/extensions/libipt_NFLOG.c
@@ -155,7 +155,7 @@ static struct iptables_target nflog = {
.extra_opts = opts,
};
-void _init(void)
+void ipt_NFLOG_init(void)
{
register_target(&nflog);
}
diff --git a/extensions/libipt_NFQUEUE.c b/extensions/libipt_NFQUEUE.c
index bc4e82f4..c4573ff5 100644
--- a/extensions/libipt_NFQUEUE.c
+++ b/extensions/libipt_NFQUEUE.c
@@ -108,7 +108,7 @@ static struct iptables_target nfqueue = {
.extra_opts = opts
};
-void _init(void)
+void ipt_NFQUEUE_init(void)
{
register_target(&nfqueue);
}
diff --git a/extensions/libipt_NOTRACK.c b/extensions/libipt_NOTRACK.c
index 39489aea..f9dfefe2 100644
--- a/extensions/libipt_NOTRACK.c
+++ b/extensions/libipt_NOTRACK.c
@@ -57,7 +57,7 @@ struct iptables_target notrack
.extra_opts = opts
};
-void _init(void)
+void ipt_NOTRACK_init(void)
{
register_target(&notrack);
}
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index 13195b0c..7fb46f68 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -7,6 +7,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <netinet/in.h>
/* Function which prints out usage message. */
static void
@@ -164,7 +165,7 @@ static struct iptables_target redir = {
.extra_opts = opts
};
-void _init(void)
+void ipt_REDIRECT_init(void)
{
register_target(&redir);
}
diff --git a/extensions/libipt_REJECT.c b/extensions/libipt_REJECT.c
index 70859eb5..6564476a 100644
--- a/extensions/libipt_REJECT.c
+++ b/extensions/libipt_REJECT.c
@@ -183,7 +183,7 @@ static struct iptables_target reject = {
.extra_opts = opts
};
-void _init(void)
+void ipt_REJECT_init(void)
{
register_target(&reject);
}
diff --git a/extensions/libipt_ROUTE.c b/extensions/libipt_ROUTE.c
deleted file mode 100644
index 360f9832..00000000
--- a/extensions/libipt_ROUTE.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/* Shared library add-on to iptables to add ROUTE target support.
- * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
- * v 1.11 2004/11/23
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <net/if.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_ROUTE.h>
-
-/* compile IPT_ROUTE_TEE support even if kernel headers are unpatched */
-#ifndef IPT_ROUTE_TEE
-#define IPT_ROUTE_TEE 0x02
-#endif
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ROUTE target v%s options:\n"
-" --oif \tifname \t\tRoute packet through `ifname' network interface\n"
-" --iif \tifname \t\tChange packet's incoming interface to `ifname'\n"
-" --gw \tip \t\tRoute packet via this gateway `ip'\n"
-" --continue\t \t\tRoute packet and continue traversing the\n"
-" \t \t\trules. Not valid with --iif or --tee.\n"
-" --tee\t \t\tDuplicate packet, route the duplicate,\n"
-" \t \t\tcontinue traversing with original packet.\n"
-" \t \t\tNot valid with --iif or --continue.\n"
-"\n",
-"1.11");
-}
-
-static struct option opts[] = {
- { "oif", 1, 0, '1' },
- { "iif", 1, 0, '2' },
- { "gw", 1, 0, '3' },
- { "continue", 0, 0, '4' },
- { "tee", 0, 0, '5' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
- struct ipt_route_target_info *route_info =
- (struct ipt_route_target_info*)t->data;
-
- route_info->oif[0] = '\0';
- route_info->iif[0] = '\0';
- route_info->gw = 0;
- route_info->flags = 0;
-}
-
-
-#define IPT_ROUTE_OPT_OIF 0x01
-#define IPT_ROUTE_OPT_IIF 0x02
-#define IPT_ROUTE_OPT_GW 0x04
-#define IPT_ROUTE_OPT_CONTINUE 0x08
-#define IPT_ROUTE_OPT_TEE 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_route_target_info *route_info =
- (struct ipt_route_target_info*)(*target)->data;
-
- switch (c) {
- case '1':
- if (*flags & IPT_ROUTE_OPT_OIF)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --oif twice");
-
- if (*flags & IPT_ROUTE_OPT_IIF)
- exit_error(PARAMETER_PROBLEM,
- "Can't use --oif and --iif together");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --oif");
-
- if (strlen(optarg) > sizeof(route_info->oif) - 1)
- exit_error(PARAMETER_PROBLEM,
- "Maximum interface name length %u",
- sizeof(route_info->oif) - 1);
-
- strcpy(route_info->oif, optarg);
- *flags |= IPT_ROUTE_OPT_OIF;
- break;
-
- case '2':
- if (*flags & IPT_ROUTE_OPT_IIF)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --iif twice");
-
- if (*flags & IPT_ROUTE_OPT_OIF)
- exit_error(PARAMETER_PROBLEM,
- "Can't use --iif and --oif together");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --iif");
-
- if (strlen(optarg) > sizeof(route_info->iif) - 1)
- exit_error(PARAMETER_PROBLEM,
- "Maximum interface name length %u",
- sizeof(route_info->iif) - 1);
-
- strcpy(route_info->iif, optarg);
- *flags |= IPT_ROUTE_OPT_IIF;
- break;
-
- case '3':
- if (*flags & IPT_ROUTE_OPT_GW)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --gw twice");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM,
- "Unexpected `!' after --gw");
-
- if (!inet_aton(optarg, (struct in_addr*)&route_info->gw)) {
- exit_error(PARAMETER_PROBLEM,
- "Invalid IP address %s",
- optarg);
- }
-
- *flags |= IPT_ROUTE_OPT_GW;
- break;
-
- case '4':
- if (*flags & IPT_ROUTE_OPT_CONTINUE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --continue twice");
- if (*flags & IPT_ROUTE_OPT_TEE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --continue AND --tee");
-
- route_info->flags |= IPT_ROUTE_CONTINUE;
- *flags |= IPT_ROUTE_OPT_CONTINUE;
-
- break;
-
- case '5':
- if (*flags & IPT_ROUTE_OPT_TEE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --tee twice");
- if (*flags & IPT_ROUTE_OPT_CONTINUE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --tee AND --continue");
-
- route_info->flags |= IPT_ROUTE_TEE;
- *flags |= IPT_ROUTE_OPT_TEE;
-
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "ROUTE target: oif, iif or gw option required");
-
- if ((flags & (IPT_ROUTE_OPT_CONTINUE|IPT_ROUTE_OPT_TEE)) && (flags & IPT_ROUTE_OPT_IIF))
- exit_error(PARAMETER_PROBLEM,
- "ROUTE target: can't continue traversing the rules with iif option");
-}
-
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
- const struct ipt_route_target_info *route_info
- = (const struct ipt_route_target_info *)target->data;
-
- printf("ROUTE ");
-
- if (route_info->oif[0])
- printf("oif:%s ", route_info->oif);
-
- if (route_info->iif[0])
- printf("iif:%s ", route_info->iif);
-
- if (route_info->gw) {
- struct in_addr ip = { route_info->gw };
- printf("gw:%s ", inet_ntoa(ip));
- }
-
- if (route_info->flags & IPT_ROUTE_CONTINUE)
- printf("continue");
-
- if (route_info->flags & IPT_ROUTE_TEE)
- printf("tee");
-
-}
-
-
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_target *target)
-{
- const struct ipt_route_target_info *route_info
- = (const struct ipt_route_target_info *)target->data;
-
- if (route_info->oif[0])
- printf("--oif %s ", route_info->oif);
-
- if (route_info->iif[0])
- printf("--iif %s ", route_info->iif);
-
- if (route_info->gw) {
- struct in_addr ip = { route_info->gw };
- printf("--gw %s ", inet_ntoa(ip));
- }
-
- if (route_info->flags & IPT_ROUTE_CONTINUE)
- printf("--continue ");
-
- if (route_info->flags & IPT_ROUTE_TEE)
- printf("--tee ");
-}
-
-
-static struct iptables_target route = {
- .next = NULL,
- .name = "ROUTE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_route_target_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_route_target_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&route);
-}
diff --git a/extensions/libipt_ROUTE.man b/extensions/libipt_ROUTE.man
deleted file mode 100644
index 8a36e8e0..00000000
--- a/extensions/libipt_ROUTE.man
+++ /dev/null
@@ -1,18 +0,0 @@
-This is used to explicitly override the core network stack's routing decision.
-.B mangle
-table.
-.TP
-.BI "--oif " "ifname"
-Route the packet through `ifname' network interface
-.TP
-.BI "--iif " "ifname"
-Change the packet's incoming interface to `ifname'
-.TP
-.BI "--gw " "IP_address"
-Route the packet via this gateway
-.TP
-.BI "--continue "
-Behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--tee'
-.TP
-.BI "--tee "
-Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with `--iif' or `--continue'
diff --git a/extensions/libipt_SAME.c b/extensions/libipt_SAME.c
index 4eda2237..d8912f39 100644
--- a/extensions/libipt_SAME.c
+++ b/extensions/libipt_SAME.c
@@ -202,7 +202,7 @@ static struct iptables_target same = {
.extra_opts = opts
};
-void _init(void)
+void ipt_SAME_init(void)
{
register_target(&same);
}
diff --git a/extensions/libipt_SECMARK.c b/extensions/libipt_SECMARK.c
index 89a2b2ad..c7f0fb26 100644
--- a/extensions/libipt_SECMARK.c
+++ b/extensions/libipt_SECMARK.c
@@ -119,7 +119,7 @@ static struct iptables_target secmark = {
.extra_opts = opts
};
-void _init(void)
+void ipt_SECMARK_init(void)
{
register_target(&secmark);
}
diff --git a/extensions/libipt_SET.c b/extensions/libipt_SET.c
index d11a9f03..f4834180 100644
--- a/extensions/libipt_SET.c
+++ b/extensions/libipt_SET.c
@@ -174,7 +174,7 @@ struct iptables_target ipt_set_target
.extra_opts = opts
};
-void _init(void)
+void ipt_SET_init(void)
{
register_target(&ipt_set_target);
}
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index 867c9d01..94b85c73 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -7,6 +7,7 @@
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_nat_rule.h>
+#include <netinet/in.h>
/* Source NAT data consists of a multi-range, indicating where to map
to. */
@@ -243,7 +244,7 @@ static struct iptables_target snat = {
.extra_opts = opts
};
-void _init(void)
+void ipt_SNAT_init(void)
{
register_target(&snat);
}
diff --git a/extensions/libipt_TARPIT.c b/extensions/libipt_TARPIT.c
deleted file mode 100644
index b12cbc2c..00000000
--- a/extensions/libipt_TARPIT.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/* Shared library add-on to iptables for TARPIT support */
-#include <stdio.h>
-#include <getopt.h>
-#include <iptables.h>
-
-static void
-help(void)
-{
- fputs(
-"TARPIT takes no options\n"
-"\n", stdout);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- return 0;
-}
-
-static void final_check(unsigned int flags)
-{
-}
-
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_target *target,
- int numeric)
-{
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
-{
-}
-
-static struct iptables_target tarpit = {
- .next = NULL,
- .name = "TARPIT",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&tarpit);
-}
diff --git a/extensions/libipt_TARPIT.man b/extensions/libipt_TARPIT.man
deleted file mode 100644
index 26526b76..00000000
--- a/extensions/libipt_TARPIT.man
+++ /dev/null
@@ -1,34 +0,0 @@
-Captures and holds incoming TCP connections using no local
-per-connection resources. Connections are accepted, but immediately
-switched to the persist state (0 byte window), in which the remote
-side stops sending data and asks to continue every 60-240 seconds.
-Attempts to close the connection are ignored, forcing the remote side
-to time out the connection in 12-24 minutes.
-
-This offers similar functionality to LaBrea
-<http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
-hardware or IPs. Any TCP port that you would normally DROP or REJECT
-can instead become a tarpit.
-
-To tarpit connections to TCP port 80 destined for the current machine:
-.IP
-iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
-.P
-To significantly slow down Code Red/Nimda-style scans of unused address
-space, forward unused ip addresses to a Linux box not acting as a router
-(e.g. "ip route 10.0.0.0 255.0.0.0 ip.of.linux.box" on a Cisco), enable IP
-forwarding on the Linux box, and add:
-.IP
-iptables -A FORWARD -p tcp -j TARPIT
-.IP
-iptables -A FORWARD -j DROP
-.TP
-NOTE:
-If you use the conntrack module while you are using TARPIT, you should
-also use the NOTRACK target, or the kernel will unnecessarily allocate
-resources for each TARPITted connection. To TARPIT incoming
-connections to the standard IRC port while using conntrack, you could:
-.IP
-iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
-.IP
-iptables -A INPUT -p tcp --dport 6667 -j TARPIT
diff --git a/extensions/libipt_TCPLAG.c b/extensions/libipt_TCPLAG.c
deleted file mode 100644
index 3042d738..00000000
--- a/extensions/libipt_TCPLAG.c
+++ /dev/null
@@ -1,215 +0,0 @@
-/* libipt_TCPLAG.c -- module for iptables to interface with TCPLAG target
- * Copyright (C) 2002 Telford Tendys <telford@triode.net.au>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * Shared library add-on to iptables for TCPLAG target control
- *
- * This allows installation and removal of the TCPLAG target
- * Note that there is a lot more commentary in this file than
- * the average libipt target (i.e. more than none) but these
- * are just my deductions based on examination of the source
- * and
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_TCPLAG.h>
-
-/*
- * This merely dumps out text for the user
- * (saves keeping the manpage up to date)
- */
-static void help( void )
-{
- printf( "TCPLAG options:\n"
- " --log-level=n Set the syslog level to n (integer 0 to 7)\n\n"
- " --log-prefix=xx Prefix log messages with xx\n" );
-}
-
-/*
- * See "man getopt_long" for an explanation of this structure
- *
- * If one of our options DOES happen to come up then we get
- * a callback into parse(), our vals must not overlap with any
- * normal iptables short options (I think) because there is only
- * one actual options handler and it can't tell whose options it
- * is really looking at unless they are all distinct.
- *
- * These are exactly the same as the LOG target options
- * and have the same purpose.
- */
-static const struct option opts[] =
-{
- { "log-level", 1, 0, '!' },
- { "log-prefix", 1, 0, '#' },
- { 0 }
-};
-
-/*
- * This gives us a chance to install some initial values in
- * our own private data structure (which is at t->data).
- * Probably we could fiddle with t->tflags too but there is
- * no great advantage in doing so.
- */
-static void init( struct ipt_entry_target *t, unsigned int *nfcache )
-{
- struct ipt_tcplag *el = (struct ipt_tcplag *)t->data;
- memset( el, 0, sizeof( struct ipt_tcplag ));
- el->level = 4; /* Default to warning level */
- strcpy( el->prefix, "TCPLAG:" ); /* Give a reasonable default prefix */
-}
-
-/*
- * It doesn't take much thought to see how little thought has gone into
- * this particular API. However, to add to that I'd just like to say that
- * it can be made to work and small miracles are still miracles.
- *
- * The input parameters are as follows:
- *
- * c -- the 'val' from opts[] above, could possibly be something
- * we cannot recognise in which case return(0).
- * If we do recognise it then return(1).
- *
- * argv -- in case we want to take parameters from the command line,
- * not sure how to safely ensure that the parameter that
- * we want to take will really exist, presumably getopt_long()
- * will have already checked such things (what about optional
- * parameters huh?).
- *
- * invert -- if the option parameter had '!' in front of it, usually this
- * would inversion of the matching sense but I don't think it
- * is useful in the case of targets.
- *
- * flags -- always (*target)->tflags for those who feel it is better
- * to access this field indirectly <shrug> starts of
- * zero for a fresh target, gets fed into final_check().
- *
- * entry -- apparently useless
- *
- * target -- the record that holds data about this target,
- * most importantly, our private data is (*target)->data
- * (this has already been malloced for us).
- */
-static int parse( int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, struct ipt_entry_target **target )
-{
- struct ipt_tcplag *el = (struct ipt_tcplag *)( *target )->data;
-/*
- * Yeah, we could complain about options being issued twice but
- * is it really worth the trouble? Will it make the world a better place?
- */
- switch( c )
- {
-/*
- * I really can't be bothered with the syslog naming convention,
- * it isn't terribly useful anyhow.
- */
- case '!':
- el->level = strtol( optarg, 0, 10 );
- return( 1 );
-/*
- * 15 chars should be plenty
- */
- case '#':
- strncpy( el->prefix, optarg, 15 );
- el->prefix[ 14 ] = 0; /* Force termination */
- return( 1 );
- }
- return( 0 );
-}
-
-/*
- * This gets given the (*target)->tflags value from
- * the parse() above and it gets called after all the
- * parsing of options is completed. Thus if one option
- * requires another option you can test the flags and
- * decide whether everything is in order.
- *
- * If there is a problem then do something like:
- * exit_error( PARAMETER_PROBLEM, "foobar parameters detected in TCPLAG target");
- *
- * In this case, no errors are possible
- */
-static void final_check( unsigned int flags ) { }
-/*
- * This print is for the purpose of user-readable display
- * such as what "iptables -L" would give. The notes in
- * iptables.h say that target could possibly be a null pointer
- * but coding of the various libipt_XX.c modules suggests
- * that it is safe to presume target is correctly initialised.
- */
-static void print(const struct ipt_ip *ip, const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_tcplag *el = (const struct ipt_tcplag *)target->data;
- printf("TCPLAG <%d>", el->level );
- if( el->prefix[ 0 ])
- {
- printf( "%s", el->prefix );
- }
-}
-
-/*
- * As above but command-line style printout
- * (machine-readable for restoring table)
- */
-static void save( const struct ipt_ip *ip, const struct ipt_entry_target *target )
-{
- const struct ipt_tcplag *el = (const struct ipt_tcplag *)target->data;
- printf("TCPLAG --log-level=%d", el->level );
- if( el->prefix[ 0 ])
- {
-/*
- * FIXME: Should have smarter quoting
- */
- printf( " --log-prefix='%s'", el->prefix );
- }
-}
-
-/*
- * The version must match the iptables version exactly
- * which is a big pain, could use `iptables -V` in makefile
- * but we can't guarantee compatibility with all iptables
- * so we are stuck with only supporting one particular version.
- */
-static struct iptables_target targ =
-{
-next: 0,
-name: "TCPLAG",
-version: IPTABLES_VERSION,
-size: IPT_ALIGN( sizeof( struct ipt_tcplag )),
-userspacesize: IPT_ALIGN( sizeof( struct ipt_tcplag )),
-help: &help,
-init: &init,
-parse: &parse,
-final_check: &final_check,
-print: &print,
-save: &save,
-extra_opts: opts
-};
-
-/*
- * Always nervous trusting _init() but oh well that is the standard
- * so have to go ahead and use it. This registers your target into
- * the list of available targets so that your options become available.
- */
-void _init( void ) { register_target( &targ ); }
diff --git a/extensions/libipt_TCPMSS.c b/extensions/libipt_TCPMSS.c
index c3256f00..bf9af586 100644
--- a/extensions/libipt_TCPMSS.c
+++ b/extensions/libipt_TCPMSS.c
@@ -128,7 +128,7 @@ static struct iptables_target mss = {
.extra_opts = opts
};
-void _init(void)
+void ipt_TCPMSS_init(void)
{
register_target(&mss);
}
diff --git a/extensions/libipt_TOS.c b/extensions/libipt_TOS.c
index 999f7b02..1acd9956 100644
--- a/extensions/libipt_TOS.c
+++ b/extensions/libipt_TOS.c
@@ -168,7 +168,7 @@ static struct iptables_target tos = {
.extra_opts = opts
};
-void _init(void)
+void ipt_TOS_init(void)
{
register_target(&tos);
}
diff --git a/extensions/libipt_TRACE.c b/extensions/libipt_TRACE.c
deleted file mode 100644
index 72179991..00000000
--- a/extensions/libipt_TRACE.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/* Shared library add-on to iptables to add TRACE target support. */
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TRACE target v%s takes no options\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- return 0;
-}
-
-static void
-final_check(unsigned int flags)
-{
-}
-
-static
-struct iptables_target trace
-= { .next = NULL,
- .name = "TRACE",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = NULL, /* print */
- .save = NULL, /* save */
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&trace);
-}
diff --git a/extensions/libipt_TRACE.man b/extensions/libipt_TRACE.man
deleted file mode 100644
index 549ab33b..00000000
--- a/extensions/libipt_TRACE.man
+++ /dev/null
@@ -1,3 +0,0 @@
-This target has no options. It just turns on
-.B packet tracing
-for all packets that match this rule.
diff --git a/extensions/libipt_TTL.c b/extensions/libipt_TTL.c
index a2a28bd5..beafbe21 100644
--- a/extensions/libipt_TTL.c
+++ b/extensions/libipt_TTL.c
@@ -160,7 +160,7 @@ static struct iptables_target TTL = {
.extra_opts = opts
};
-void _init(void)
+void ipt_TTL_init(void)
{
register_target(&TTL);
}
diff --git a/extensions/libipt_ULOG.c b/extensions/libipt_ULOG.c
index a73b685f..a8546e09 100644
--- a/extensions/libipt_ULOG.c
+++ b/extensions/libipt_ULOG.c
@@ -231,7 +231,7 @@ static struct iptables_target ulog = {
.extra_opts = opts
};
-void _init(void)
+void ipt_ULOG_init(void)
{
register_target(&ulog);
}
diff --git a/extensions/libipt_XOR.c b/extensions/libipt_XOR.c
deleted file mode 100644
index 23979164..00000000
--- a/extensions/libipt_XOR.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/* Shared library add-on to iptables for the XOR target
- * (C) 2000 by Tim Vandermeersch <Tim.Vandermeersch@pandora.be>
- * Based on libipt_TTL.c
- *
- * Version 1.0
- *
- * This program is distributed under the terms of GNU GPL
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_XOR.h>
-
-#define IPT_KEY_SET 1
-#define IPT_BLOCKSIZE_SET 2
-
-static void init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-}
-
-static void help(void)
-{
- printf(
- "XOR target v%s options\n"
- " --key string Set key to \"string\"\n"
- " --block-size Set block size\n",
- IPTABLES_VERSION);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- struct ipt_entry_target **target)
-{
- struct ipt_XOR_info *info = (struct ipt_XOR_info *) (*target)->data;
-
- if (!optarg)
- exit_error(PARAMETER_PROBLEM, "XOR: too few arguments");
-
- if (check_inverse(optarg, &invert, NULL, 0))
- exit_error(PARAMETER_PROBLEM, "XOR: unexpected '!'");
-
- switch (c) {
- case '1':
- strncpy(info->key, optarg, 30);
- info->key[29] = '\0';
- *flags |= IPT_KEY_SET;
- break;
- case '2':
- info->block_size = atoi(optarg);
- *flags |= IPT_BLOCKSIZE_SET;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!(flags & IPT_KEY_SET))
- exit_error(PARAMETER_PROBLEM, "XOR: You must specify a key");
- if (!(flags & IPT_BLOCKSIZE_SET))
- exit_error(PARAMETER_PROBLEM, "XOR: You must specify a block-size");
-}
-
-static void save (const struct ipt_ip *ip,
- const struct ipt_entry_target *target)
-{
- const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
-
- printf("--key %s ", info->key);
- printf("--block-size %u ", info->block_size);
-}
-
-static void print (const struct ipt_ip *ip,
- const struct ipt_entry_target *target, int numeric)
-{
- const struct ipt_XOR_info *info = (struct ipt_XOR_info *) target->data;
-
- printf("key: %s ", info->key);
- printf("block-size: %u ", info->block_size);
-}
-
-static struct option opts[] = {
- { "key", 1, 0, '1' },
- { "block-size", 1, 0, '2' },
- { 0 }
-};
-
-static struct iptables_target XOR = {
- .next = NULL,
- .name = "XOR",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_XOR_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_XOR_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_target(&XOR);
-}
diff --git a/extensions/libipt_XOR.man b/extensions/libipt_XOR.man
deleted file mode 100644
index 712b4723..00000000
--- a/extensions/libipt_XOR.man
+++ /dev/null
@@ -1,7 +0,0 @@
-Encrypt TCP and UDP traffic using a simple XOR encryption
-.TP
-.BI "--key " "string"
-Set key to "string"
-.TP
-.BI "--block-size"
-Set block size
diff --git a/extensions/libipt_account.c b/extensions/libipt_account.c
deleted file mode 100644
index d049a03d..00000000
--- a/extensions/libipt_account.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/*
- * accounting match helper (libipt_account.c)
- * (C) 2003,2004 by Piotr Gasid³o (quaker@barbara.eu.org)
- *
- * Version: 0.1.6
- *
- * This software is distributed under the terms of GNU GPL
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <iptables.h>
-#include <string.h>
-#include <getopt.h>
-
-#include <linux/netfilter_ipv4/ipt_account.h>
-
-#ifndef HIPQUAD
-#define HIPQUAD(addr) \
- ((unsigned char *)&addr)[3], \
- ((unsigned char *)&addr)[2], \
- ((unsigned char *)&addr)[1], \
- ((unsigned char *)&addr)[0]
-#endif
-
-static void help(void) {
- printf(
- "account v%s options:\n"
- "--aaddr network/netmask\n"
- " defines network/netmask for which make statistics.\n"
- "--aname name\n"
- " defines name of list where statistics will be kept. If no is\n"
- " specified DEFAULT will be used.\n"
- "--ashort\n"
- " table will colect only short statistics (only total counters\n"
- " without splitting it into protocols.\n"
- ,
- IPTABLES_VERSION);
-};
-
-static struct option opts[] = {
- { .name = "aaddr", .has_arg = 1, .flag = NULL, .val = 201 },
- { .name = "aname", .has_arg = 1, .flag = NULL, .val = 202 },
- { .name = "ashort", .has_arg = 0, .flag = NULL, .val = 203 },
- { .name = 0, .has_arg = 0, .flag = 0, .val = 0 }
-};
-
-/* Helper functions for parse_network */
-int parseip(const char *parameter, u_int32_t *ip) {
-
- char buffer[16], *bufferptr, *dot;
- unsigned int i, shift, part;
-
- if (strlen(parameter) > 15)
- return 0;
-
- strncpy(buffer, parameter, 15);
- buffer[15] = 0;
-
- bufferptr = buffer;
-
- for (i = 0, shift = 24, *ip = 0; i < 3; i++, shift -= 8) {
- /* no dot */
- if ((dot = strchr(bufferptr, '.')) == NULL)
- return 0;
- /* not a number */
- if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
- return 0;
- /* to big number */
- if (part > 255)
- return 0;
- *ip |= part << shift;
- bufferptr = dot + 1;
- }
- /* not a number */
- if ((part = strtol(bufferptr, (char**)NULL, 10)) < 0)
- return 0;
- /* to big number */
- if (part > 255)
- return 0;
- *ip |= part;
- return 1;
-}
-
-static void parsenetwork(const char *parameter, u_int32_t *network) {
- if (!parseip(parameter, network))
- exit_error(PARAMETER_PROBLEM, "account: wrong ip in network");
-}
-
-static void parsenetmaskasbits(const char *parameter, u_int32_t *netmask) {
-
- u_int32_t bits;
-
- if ((bits = strtol(parameter, (char **)NULL, 10)) < 0 || bits > 32)
- exit_error(PARAMETER_PROBLEM, "account: wrong netmask");
-
- *netmask = 0xffffffff << (32 - bits);
-}
-
-static void parsenetmaskasip(const char *parameter, u_int32_t *netmask) {
- if (!parseip(parameter, netmask))
- exit_error(PARAMETER_PROBLEM, "account: wrong ip in netmask");
-}
-
-static void parsenetmask(const char *parameter, u_int32_t *netmask)
-{
- if (strchr(parameter, '.') != NULL)
- parsenetmaskasip(parameter, netmask);
- else
- parsenetmaskasbits(parameter, netmask);
-}
-
-static void parsenetworkandnetmask(const char *parameter, u_int32_t *network, u_int32_t *netmask)
-{
-
- char buffer[32], *slash;
-
- if (strlen(parameter) > 31)
- /* text is to long, even for 255.255.255.255/255.255.255.255 */
- exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
-
- strncpy(buffer, parameter, 31);
- buffer[31] = 0;
-
- /* check whether netmask is given */
- if ((slash = strchr(buffer, '/')) != NULL) {
- parsenetmask(slash + 1, netmask);
- *slash = 0;
- } else
- *netmask = 0xffffffff;
- parsenetwork(buffer, network);
-
- if ((*network & *netmask) != *network)
- exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
-}
-
-
-/* Function gets network & netmask from argument after --aaddr */
-static void parse_network(const char *parameter, struct t_ipt_account_info *info) {
-
- parsenetworkandnetmask(parameter, &info->network, &info->netmask);
-
-}
-
-/* validate netmask */
-inline int valid_netmask(u_int32_t netmask) {
- while (netmask & 0x80000000)
- netmask <<= 1;
- if (netmask != 0)
- return 0;
- return 1;
-}
-
-/* validate network/netmask pair */
-inline int valid_network_and_netmask(struct t_ipt_account_info *info) {
- if (!valid_netmask(info->netmask))
- return 0;
- if ((info->network & info->netmask) != info->network)
- return 0;
- return 1;
-}
-
-
-
-/* Function initializes match */
-static void init(struct ipt_entry_match *match,
- unsigned int *nfcache) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)(match)->data;
-
-
- /* set default table name to DEFAULT */
- strncpy(info->name, "DEFAULT", IPT_ACCOUNT_NAME_LEN);
- info->shortlisting = 0;
-
-}
-
-/* Function parses match's arguments */
-static int parse(int c, char **argv,
- int invert,
- unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)(*match)->data;
-
- switch (c) {
-
- /* --aaddr */
- case 201:
- parse_network(optarg, info);
- if (!valid_network_and_netmask(info))
- exit_error(PARAMETER_PROBLEM, "account: wrong network/netmask");
- *flags = 1;
- break;
-
- /* --aname */
- case 202:
- if (strlen(optarg) < IPT_ACCOUNT_NAME_LEN)
- strncpy(info->name, optarg, IPT_ACCOUNT_NAME_LEN);
- else
- exit_error(PARAMETER_PROBLEM, "account: Too long table name");
- break;
- /* --ashort */
- case 203:
- info->shortlisting = 1;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check whether network/netmask was specified */
-static void final_check(unsigned int flags) {
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "account: You need specify '--aaddr' parameter");
-}
-
-/* Function used for printing rule with account match for iptables -L */
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
-
- printf("account: ");
- printf("network/netmask: ");
- printf("%u.%u.%u.%u/%u.%u.%u.%u ",
- HIPQUAD(info->network),
- HIPQUAD(info->netmask)
- );
-
- printf("name: %s ", info->name);
- if (info->shortlisting)
- printf("short-listing ");
-}
-
-/* Function used for saving rule containing account match */
-static void save(const struct ipt_ip *ip,
- const struct ipt_entry_match *match) {
-
- struct t_ipt_account_info *info = (struct t_ipt_account_info *)match->data;
-
- printf("--aaddr ");
- printf("%u.%u.%u.%u/%u.%u.%u.%u ",
- HIPQUAD(info->network),
- HIPQUAD(info->netmask)
- );
-
- printf("--aname %s ", info->name);
- if (info->shortlisting)
- printf("--ashort ");
-}
-
-static struct iptables_match account = {
- .next = NULL,
- .name = "account",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct t_ipt_account_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-/* Function which registers match */
-void _init(void)
-{
- register_match(&account);
-}
-
diff --git a/extensions/libipt_account.man b/extensions/libipt_account.man
deleted file mode 100644
index fcbb179a..00000000
--- a/extensions/libipt_account.man
+++ /dev/null
@@ -1,47 +0,0 @@
-Account traffic for all hosts in defined network/netmask.
-
-Features:
-
-- long (one counter per protocol TCP/UDP/IMCP/Other) and short statistics
-
-- one iptables rule for all hosts in network/netmask
-
-- loading/saving counters (by reading/writting to procfs entries)
-
-.TP
-.BI "--aaddr " "network/netmask"
-defines network/netmask for which make statistics.
-.TP
-.BI "--aname " "name"
-defines name of list where statistics will be kept. If no is
-specified DEFAULT will be used.
-.TP
-.B "--ashort"
-table will colect only short statistics (only total counters
-without splitting it into protocols.
-.P
-Example usage:
-
-account traffic for/to 192.168.0.0/24 network into table mynetwork:
-
-# iptables -A FORWARD -m account --aname mynetwork --aaddr 192.168.0.0/24
-
-account traffic for/to WWW serwer for 192.168.0.0/24 network into table mywwwserver:
-
-# iptables -A INPUT -p tcp --dport 80
- -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
-
-# iptables -A OUTPUT -p tcp --sport 80
- -m account --aname mywwwserver --aaddr 192.168.0.0/24 --ashort
-
-read counters:
-
-# cat /proc/net/ipt_account/mynetwork
-# cat /proc/net/ipt_account/mywwwserver
-
-set counters:
-
-# echo "ip = 192.168.0.1 packets_src = 0" > /proc/net/ipt_account/mywwserver
-
-Webpage:
- http://www.barbara.eu.org/~quaker/ipt_account/
diff --git a/extensions/libipt_addrtype.c b/extensions/libipt_addrtype.c
index d8e19296..644e5159 100644
--- a/extensions/libipt_addrtype.c
+++ b/extensions/libipt_addrtype.c
@@ -201,7 +201,7 @@ struct iptables_match addrtype = {
};
-void _init(void)
+void ipt_addrtype_init(void)
{
register_match(&addrtype);
}
diff --git a/extensions/libipt_ah.c b/extensions/libipt_ah.c
index 443c9f82..e04bbe5f 100644
--- a/extensions/libipt_ah.c
+++ b/extensions/libipt_ah.c
@@ -184,7 +184,7 @@ static struct iptables_match ah = {
};
void
-_init(void)
+ipt_ah_init(void)
{
register_match(&ah);
}
diff --git a/extensions/libipt_childlevel.c b/extensions/libipt_childlevel.c
deleted file mode 100644
index 1018c9e0..00000000
--- a/extensions/libipt_childlevel.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- Shared library add-on to iptables to add layer 7 matching support.
-
- http://l7-filter.sf.net
-
- By Matthew Strait <quadong@users.sf.net>, Dec 2003.
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License
- as published by the Free Software Foundation; either version
- 2 of the License, or (at your option) any later version.
- http://www.gnu.org/licenses/gpl.txt
-*/
-
-#define _GNU_SOURCE
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-#include <dirent.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_childlevel.h>
-
-/* Function which prints out usage message. */
-static void help(void)
-{
- printf(
- "CHILDLEVEL match v%s options:\n"
- "--level <n> : Match childlevel n (0 == master)\n",
- IPTABLES_VERSION);
- fputc('\n', stdout);
-}
-
-static struct option opts[] = {
- { .name = "level", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = 0 }
-};
-
-/* Function which parses command options; returns true if it ate an option */
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry, unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_childlevel_info *childlevelinfo =
- (struct ipt_childlevel_info *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- childlevelinfo->childlevel = atoi(argv[optind-1]);
- if (invert)
- childlevelinfo->invert = 1;
- *flags = 1;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; must have specified --level. */
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM,
- "CHILDLEVEL match: You must specify `--level'");
-}
-
-static void print_protocol(int n, int invert, int numeric)
-{
- fputs("childlevel ", stdout);
- if (invert) fputc('!', stdout);
- printf("%d ", n);
-}
-
-/* Prints out the matchinfo. */
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- printf("CHILDLEVEL ");
-
- print_protocol(((struct ipt_childlevel_info *)match->data)->childlevel,
- ((struct ipt_childlevel_info *)match->data)->invert, numeric);
-}
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_childlevel_info *info =
- (const struct ipt_childlevel_info*) match->data;
-
- printf("--childlevel %s%d ", (info->invert) ? "! ": "", info->childlevel);
-}
-
-static struct iptables_match childlevel = {
- .name = "childlevel",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&childlevel);
-}
diff --git a/extensions/libipt_childlevel.man b/extensions/libipt_childlevel.man
deleted file mode 100644
index 3d9b3553..00000000
--- a/extensions/libipt_childlevel.man
+++ /dev/null
@@ -1,5 +0,0 @@
-This is an experimental module. It matches on whether the
-packet is part of a master connection or one of its children (or grandchildren,
-etc). For instance, most packets are level 0. FTP data transfer is level 1.
-.TP
-.BR "--childlevel " "[!] \fIlevel\fP"
diff --git a/extensions/libipt_comment.c b/extensions/libipt_comment.c
index 692acca3..405b7e27 100644
--- a/extensions/libipt_comment.c
+++ b/extensions/libipt_comment.c
@@ -113,7 +113,7 @@ static struct iptables_match comment = {
.extra_opts = opts
};
-void _init(void)
+void ipt_comment_init(void)
{
register_match(&comment);
}
diff --git a/extensions/libipt_condition.c b/extensions/libipt_condition.c
index 16558fe6..e91cb8e5 100644
--- a/extensions/libipt_condition.c
+++ b/extensions/libipt_condition.c
@@ -100,7 +100,7 @@ static struct iptables_match condition = {
void
-_init(void)
+ipt_condition_init(void)
{
register_match(&condition);
}
diff --git a/extensions/libipt_connbytes.c b/extensions/libipt_connbytes.c
index 42e1ab57..fec4ce0e 100644
--- a/extensions/libipt_connbytes.c
+++ b/extensions/libipt_connbytes.c
@@ -199,7 +199,7 @@ static struct iptables_match state = {
.extra_opts = opts
};
-void _init(void)
+void ipt_connbytes_init(void)
{
register_match(&state);
}
diff --git a/extensions/libipt_connlimit.c b/extensions/libipt_connlimit.c
deleted file mode 100644
index 17b4d13b..00000000
--- a/extensions/libipt_connlimit.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/* Shared library add-on to iptables to add connection limit support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ipt_connlimit.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"connlimit v%s options:\n"
-"[!] --connlimit-above n match if the number of existing tcp connections is (not) above n\n"
-" --connlimit-mask n group hosts using mask\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "connlimit-above", 1, 0, '1' },
- { "connlimit-mask", 1, 0, '2' },
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)(*match)->data;
- int i;
-
- if (0 == (*flags & 2)) {
- /* set default mask unless we've already seen a mask option */
- info->mask = htonl(0xFFFFFFFF);
- }
-
- switch (c) {
- case '1':
- check_inverse(optarg, &invert, &optind, 0);
- info->limit = atoi(argv[optind-1]);
- info->inverse = invert;
- *flags |= 1;
- break;
-
- case '2':
- i = atoi(argv[optind-1]);
- if ((i < 0) || (i > 32))
- exit_error(PARAMETER_PROBLEM,
- "--connlimit-mask must be between 0 and 32");
-
- if (i == 0)
- info->mask = 0;
- else
- info->mask = htonl(0xFFFFFFFF << (32 - i));
- *flags |= 2;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check */
-static void final_check(unsigned int flags)
-{
- if (!flags & 1)
- exit_error(PARAMETER_PROBLEM, "You must specify `--connlimit-above'");
-}
-
-static int
-count_bits(u_int32_t mask)
-{
- int i, bits;
-
- for (bits = 0, i = 31; i >= 0; i--) {
- if (mask & htonl((u_int32_t)1 << i)) {
- bits++;
- continue;
- }
- break;
- }
- return bits;
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
-
- printf("#conn/%d %s %d ", count_bits(info->mask),
- info->inverse ? "<" : ">", info->limit);
-}
-
-/* Saves the matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_connlimit_info *info = (struct ipt_connlimit_info*)match->data;
-
- printf("%s--connlimit-above %d ",info->inverse ? "! " : "",info->limit);
- printf("--connlimit-mask %d ",count_bits(info->mask));
-}
-
-static struct iptables_match connlimit = {
- .name = "connlimit",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
- .userspacesize = offsetof(struct ipt_connlimit_info,data),
- .help = help,
- .parse = parse,
- .final_check = final_check,
- .print = print,
- .save = save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&connlimit);
-}
diff --git a/extensions/libipt_connlimit.man b/extensions/libipt_connlimit.man
deleted file mode 100644
index 55e53d14..00000000
--- a/extensions/libipt_connlimit.man
+++ /dev/null
@@ -1,21 +0,0 @@
-Allows you to restrict the number of parallel TCP connections to a
-server per client IP address (or address block).
-.TP
-[\fB!\fR] \fB--connlimit-above \fIn\fR
-match if the number of existing tcp connections is (not) above n
-.TP
-.BI "--connlimit-mask " "bits"
-group hosts using mask
-.P
-Examples:
-.TP
-# allow 2 telnet connections per client host
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
-.TP
-# you can also match the other way around:
-iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
-.TP
-# limit the nr of parallel http requests to 16 per class C sized \
-network (24 bit netmask)
-iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16
---connlimit-mask 24 -j REJECT
diff --git a/extensions/libipt_connrate.c b/extensions/libipt_connrate.c
index 47c5fcbb..fbb18ec9 100644
--- a/extensions/libipt_connrate.c
+++ b/extensions/libipt_connrate.c
@@ -173,7 +173,7 @@ static struct iptables_match state = {
.extra_opts = opts
};
-void _init(void)
+void ipt_connrate_init(void)
{
register_match(&state);
}
diff --git a/extensions/libipt_conntrack.c b/extensions/libipt_conntrack.c
index cdb86c4e..e26b5233 100644
--- a/extensions/libipt_conntrack.c
+++ b/extensions/libipt_conntrack.c
@@ -544,7 +544,7 @@ static struct iptables_match conntrack = {
.extra_opts = opts
};
-void _init(void)
+void ipt_conntrack_init(void)
{
register_match(&conntrack);
}
diff --git a/extensions/libipt_dccp.c b/extensions/libipt_dccp.c
index e5782a85..97706394 100644
--- a/extensions/libipt_dccp.c
+++ b/extensions/libipt_dccp.c
@@ -367,7 +367,7 @@ struct iptables_match dccp
.extra_opts = opts
};
-void _init(void)
+void ipt_dccp_init(void)
{
register_match(&dccp);
}
diff --git a/extensions/libipt_dstlimit.c b/extensions/libipt_dstlimit.c
deleted file mode 100644
index 3f3b6330..00000000
--- a/extensions/libipt_dstlimit.c
+++ /dev/null
@@ -1,340 +0,0 @@
-/* iptables match extension for limiting packets per destination
- *
- * (C) 2003 by Harald Welte <laforge@netfilter.org>
- *
- * Development of this code was funded by Astaro AG, http://www.astaro.com/
- *
- * Based on ipt_limit.c by
- * Jérôme de Vivie <devivie@info.enserb.u-bordeaux.fr>
- * Hervé Eychenne <rv@wallfire.org>
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <stddef.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_dstlimit.h>
-
-#define IPT_DSTLIMIT_BURST 5
-
-/* miliseconds */
-#define IPT_DSTLIMIT_GCINTERVAL 1000
-#define IPT_DSTLIMIT_EXPIRE 10000
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"dstlimit v%s options:\n"
-"--dstlimit <avg> max average match rate\n"
-" [Packets per second unless followed by \n"
-" /sec /minute /hour /day postfixes]\n"
-"--dstlimit-mode <mode> mode\n"
-" dstip\n"
-" dstip-dstport\n"
-" srcip-dstip\n"
-" srcip-dstip-dstport\n"
-"--dstlimit-name <name> name for /proc/net/ipt_dstlimit/\n"
-"[--dstlimit-burst <num>] number to match in a burst, default %u\n"
-"[--dstlimit-htable-size <num>] number of hashtable buckets\n"
-"[--dstlimit-htable-max <num>] number of hashtable entries\n"
-"[--dstlimit-htable-gcinterval] interval between garbage collection runs\n"
-"[--dstlimit-htable-expire] after which time are idle entries expired?\n"
-"\n", IPTABLES_VERSION, IPT_DSTLIMIT_BURST);
-}
-
-static struct option opts[] = {
- { "dstlimit", 1, 0, '%' },
- { "dstlimit-burst", 1, 0, '$' },
- { "dstlimit-htable-size", 1, 0, '&' },
- { "dstlimit-htable-max", 1, 0, '*' },
- { "dstlimit-htable-gcinterval", 1, 0, '(' },
- { "dstlimit-htable-expire", 1, 0, ')' },
- { "dstlimit-mode", 1, 0, '_' },
- { "dstlimit-name", 1, 0, '"' },
- { 0 }
-};
-
-static
-int parse_rate(const char *rate, u_int32_t *val)
-{
- const char *delim;
- u_int32_t r;
- u_int32_t mult = 1; /* Seconds by default. */
-
- delim = strchr(rate, '/');
- if (delim) {
- if (strlen(delim+1) == 0)
- return 0;
-
- if (strncasecmp(delim+1, "second", strlen(delim+1)) == 0)
- mult = 1;
- else if (strncasecmp(delim+1, "minute", strlen(delim+1)) == 0)
- mult = 60;
- else if (strncasecmp(delim+1, "hour", strlen(delim+1)) == 0)
- mult = 60*60;
- else if (strncasecmp(delim+1, "day", strlen(delim+1)) == 0)
- mult = 24*60*60;
- else
- return 0;
- }
- r = atoi(rate);
- if (!r)
- return 0;
-
- /* This would get mapped to infinite (1/day is minimum they
- can specify, so we're ok at that end). */
- if (r / mult > IPT_DSTLIMIT_SCALE)
- exit_error(PARAMETER_PROBLEM, "Rate too fast `%s'\n", rate);
-
- *val = IPT_DSTLIMIT_SCALE * mult / r;
- return 1;
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_dstlimit_info *r = (struct ipt_dstlimit_info *)m->data;
-
- r->cfg.burst = IPT_DSTLIMIT_BURST;
- r->cfg.gc_interval = IPT_DSTLIMIT_GCINTERVAL;
- r->cfg.expire = IPT_DSTLIMIT_EXPIRE;
-
-}
-
-#define PARAM_LIMIT 0x00000001
-#define PARAM_BURST 0x00000002
-#define PARAM_MODE 0x00000004
-#define PARAM_NAME 0x00000008
-#define PARAM_SIZE 0x00000010
-#define PARAM_MAX 0x00000020
-#define PARAM_GCINTERVAL 0x00000040
-#define PARAM_EXPIRE 0x00000080
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_dstlimit_info *r =
- (struct ipt_dstlimit_info *)(*match)->data;
- unsigned int num;
-
- switch(c) {
- case '%':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!parse_rate(optarg, &r->cfg.avg))
- exit_error(PARAMETER_PROBLEM,
- "bad rate `%s'", optarg);
- *flags |= PARAM_LIMIT;
- break;
-
- case '$':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-burst `%s'", optarg);
- r->cfg.burst = num;
- *flags |= PARAM_BURST;
- break;
- case '&':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-size: `%s'", optarg);
- r->cfg.size = num;
- *flags |= PARAM_SIZE;
- break;
- case '*':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-max: `%s'", optarg);
- r->cfg.max = num;
- *flags |= PARAM_MAX;
- break;
- case '(':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-gcinterval: `%s'",
- optarg);
- /* FIXME: not HZ dependent!! */
- r->cfg.gc_interval = num;
- *flags |= PARAM_GCINTERVAL;
- break;
- case ')':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (string_to_number(optarg, 0, 0xffffffff, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-htable-expire: `%s'", optarg);
- /* FIXME: not HZ dependent */
- r->cfg.expire = num;
- *flags |= PARAM_EXPIRE;
- break;
- case '_':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (!strcmp(optarg, "dstip"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_DIP;
- else if (!strcmp(optarg, "dstip-destport") ||
- !strcmp(optarg, "dstip-dstport"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
- else if (!strcmp(optarg, "srcip-dstip"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP;
- else if (!strcmp(optarg, "srcip-dstip-destport") ||
- !strcmp(optarg, "srcip-dstip-dstport"))
- r->cfg.mode = IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT;
- else
- exit_error(PARAMETER_PROBLEM,
- "bad --dstlimit-mode: `%s'\n", optarg);
- *flags |= PARAM_MODE;
- break;
- case '"':
- if (check_inverse(argv[optind-1], &invert, &optind, 0)) break;
- if (strlen(optarg) == 0)
- exit_error(PARAMETER_PROBLEM, "Zero-length name?");
- strncpy(r->name, optarg, sizeof(r->name));
- *flags |= PARAM_NAME;
- break;
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "dstlimit does not support invert");
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
- if (!(flags & PARAM_LIMIT))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --dstlimit");
- if (!(flags & PARAM_MODE))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --dstlimit-mode");
- if (!(flags & PARAM_NAME))
- exit_error(PARAMETER_PROBLEM,
- "You have to specify --dstlimit-name");
-}
-
-static struct rates
-{
- const char *name;
- u_int32_t mult;
-} rates[] = { { "day", IPT_DSTLIMIT_SCALE*24*60*60 },
- { "hour", IPT_DSTLIMIT_SCALE*60*60 },
- { "min", IPT_DSTLIMIT_SCALE*60 },
- { "sec", IPT_DSTLIMIT_SCALE } };
-
-static void print_rate(u_int32_t period)
-{
- unsigned int i;
-
- for (i = 1; i < sizeof(rates)/sizeof(struct rates); i++) {
- if (period > rates[i].mult
- || rates[i].mult/period < rates[i].mult%period)
- break;
- }
-
- printf("%u/%s ", rates[i-1].mult / period, rates[i-1].name);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_dstlimit_info *r =
- (struct ipt_dstlimit_info *)match->data;
- printf("limit: avg "); print_rate(r->cfg.avg);
- printf("burst %u ", r->cfg.burst);
- switch (r->cfg.mode) {
- case (IPT_DSTLIMIT_HASH_DIP):
- printf("mode dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("mode dstip-dstport ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
- printf("mode srcip-dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("mode srcip-dstip-dstport ");
- break;
- }
- if (r->cfg.size)
- printf("htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
- printf("htable-gcinterval %u ", r->cfg.gc_interval);
- if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
- printf("htable-expire %u ", r->cfg.expire);
-}
-
-/* FIXME: Make minimalist: only print rate if not default --RR */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_dstlimit_info *r =
- (struct ipt_dstlimit_info *)match->data;
-
- printf("--dstlimit "); print_rate(r->cfg.avg);
- if (r->cfg.burst != IPT_DSTLIMIT_BURST)
- printf("--dstlimit-burst %u ", r->cfg.burst);
- switch (r->cfg.mode) {
- case (IPT_DSTLIMIT_HASH_DIP):
- printf("--mode dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("--mode dstip-dstport ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP):
- printf("--mode srcip-dstip ");
- break;
- case (IPT_DSTLIMIT_HASH_SIP|IPT_DSTLIMIT_HASH_DIP|IPT_DSTLIMIT_HASH_DPT):
- printf("--mode srcip-dstip-dstport ");
- break;
- }
- if (r->cfg.size)
- printf("--dstlimit-htable-size %u ", r->cfg.size);
- if (r->cfg.max)
- printf("--dstlimit-htable-max %u ", r->cfg.max);
- if (r->cfg.gc_interval != IPT_DSTLIMIT_GCINTERVAL)
- printf("--dstlimit-htable-gcinterval %u", r->cfg.gc_interval);
- if (r->cfg.expire != IPT_DSTLIMIT_EXPIRE)
- printf("--dstlimit-htable-expire %u ", r->cfg.expire);
-}
-
-static struct iptables_match dstlimit = {
- .next = NULL,
- .name = "dstlimit",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_dstlimit_info)),
- //offsetof(struct ipt_dstlimit_info, prev),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&dstlimit);
-}
diff --git a/extensions/libipt_dstlimit.man b/extensions/libipt_dstlimit.man
deleted file mode 100644
index 9df00f1c..00000000
--- a/extensions/libipt_dstlimit.man
+++ /dev/null
@@ -1,37 +0,0 @@
-This module allows you to limit the packet per second (pps) rate on a per
-destination IP or per destination port base. As opposed to the `limit' match,
-every destination ip / destination port has it's own limit.
-.TP
-THIS MODULE IS DEPRECATED AND HAS BEEN REPLACED BY ``hashlimit''
-.TP
-.BI "--dstlimit " "avg"
-Maximum average match rate (packets per second unless followed by /sec /minute /hour /day postfixes).
-.TP
-.BI "--dstlimit-mode " "mode"
-The limiting hashmode. Is the specified limit per
-.B dstip, dstip-dstport
-tuple,
-.B srcip-dstip
-tuple, or per
-.B srcipdstip-dstport
-tuple.
-.TP
-.BI "--dstlimit-name " "name"
-Name for /proc/net/ipt_dstlimit/* file entry
-.TP
-.BI "[" "--dstlimit-burst " "burst" "]"
-Number of packets to match in a burst. Default: 5
-.TP
-.BI "[" "--dstlimit-htable-size " "size" "]"
-Number of buckets in the hashtable
-.TP
-.BI "[" "--dstlimit-htable-max " "max" "]"
-Maximum number of entries in the hashtable
-.TP
-.BI "[" "--dstlimit-htable-gcinterval " "interval" "]"
-Interval between garbage collection runs of the hashtable (in miliseconds).
-Default is 1000 (1 second).
-.TP
-.BI "[" "--dstlimit-htable-expire " "time"
-After which time are idle entries expired from hashtable (in miliseconds)?
-Default is 10000 (10 seconds).
diff --git a/extensions/libipt_esp.c b/extensions/libipt_esp.c
index 21e912b7..d75a4071 100644
--- a/extensions/libipt_esp.c
+++ b/extensions/libipt_esp.c
@@ -187,7 +187,7 @@ static struct iptables_match esp = {
};
void
-_init(void)
+ipt_esp_init(void)
{
register_match(&esp);
}
diff --git a/extensions/libipt_fuzzy.c b/extensions/libipt_fuzzy.c
deleted file mode 100644
index d574db8a..00000000
--- a/extensions/libipt_fuzzy.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for the fuzzy match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
-2002-08-07 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Initial version.
-2003-06-09 Hime Aguiar e Oliveira Jr. <hime@engineer.com> : Bug corrections in
-the save function , thanks to information given by Jean-Francois Patenaude .
-
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_fuzzy.h>
-
-
-static void
-help(void)
-{
- printf(
-"fuzzy v%s options:\n"
-" --lower-limit number (in packets per second)\n"
-" --upper-limit number\n"
-,IPTABLES_VERSION);
-};
-
-static struct option opts[] = {
- { "lower-limit", 1 , 0 , '1' } ,
- { "upper-limit", 1 , 0 , '2' } ,
- { 0 }
-};
-
-/* Initialize data structures */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_fuzzy_info *presentinfo = (struct ipt_fuzzy_info *)(m)->data;
-
- /*
- * Default rates ( I'll improve this very soon with something based
- * on real statistics of the running machine ) .
- */
-
- presentinfo->minimum_rate = 1000;
- presentinfo->maximum_rate = 2000;
-}
-
-#define IPT_FUZZY_OPT_MINIMUM 0x01
-#define IPT_FUZZY_OPT_MAXIMUM 0x02
-
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
-
-struct ipt_fuzzy_info *fuzzyinfo = (struct ipt_fuzzy_info *)(*match)->data;
-
- u_int32_t num;
-
- switch (c) {
-
- case '1':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --lower-limit");
-
- if (*flags & IPT_FUZZY_OPT_MINIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --lower-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --lower-limit");
-
- fuzzyinfo->minimum_rate = num ;
-
- *flags |= IPT_FUZZY_OPT_MINIMUM;
-
- break;
-
- case '2':
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,"Can't specify ! --upper-limit");
-
- if (*flags & IPT_FUZZY_OPT_MAXIMUM)
- exit_error(PARAMETER_PROBLEM,"Can't specify --upper-limit twice");
-
- if (string_to_number(optarg,1,MAXFUZZYRATE,&num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,"BAD --upper-limit");
-
- fuzzyinfo->maximum_rate = num ;
-
- *flags |= IPT_FUZZY_OPT_MAXIMUM;
-
- break ;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
-}
-
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_fuzzy_info *fuzzyinfo
- = (const struct ipt_fuzzy_info *)match->data;
-
- printf(" fuzzy: lower limit = %u pps - upper limit = %u pps ",fuzzyinfo->minimum_rate,fuzzyinfo->maximum_rate);
-
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_fuzzy_info *fuzzyinfo
- = (const struct ipt_fuzzy_info *)match->data;
-
- printf("--lower-limit %u ",fuzzyinfo->minimum_rate);
- printf("--upper-limit %u ",fuzzyinfo->maximum_rate);
-
-}
-
-static struct iptables_match fuzzy_match = {
- .next = NULL,
- .name = "fuzzy",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_fuzzy_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&fuzzy_match);
-}
diff --git a/extensions/libipt_fuzzy.man b/extensions/libipt_fuzzy.man
deleted file mode 100644
index 397727aa..00000000
--- a/extensions/libipt_fuzzy.man
+++ /dev/null
@@ -1,7 +0,0 @@
-This module matches a rate limit based on a fuzzy logic controller [FLC]
-.TP
-.BI "--lower-limit " "number"
-Specifies the lower limit (in packets per second).
-.TP
-.BI "--upper-limit " "number"
-Specifies the upper limit (in packets per second).
diff --git a/extensions/libipt_hashlimit.c b/extensions/libipt_hashlimit.c
index 6fb0eccb..ce776286 100644
--- a/extensions/libipt_hashlimit.c
+++ b/extensions/libipt_hashlimit.c
@@ -363,7 +363,7 @@ static struct iptables_match hashlimit = { NULL,
.extra_opts = opts
};
-void _init(void)
+void ipt_hashlimit_init(void)
{
register_match(&hashlimit);
}
diff --git a/extensions/libipt_helper.c b/extensions/libipt_helper.c
index 7c9f3e3c..f7e0ce02 100644
--- a/extensions/libipt_helper.c
+++ b/extensions/libipt_helper.c
@@ -95,7 +95,7 @@ static struct iptables_match helper = {
.extra_opts = opts
};
-void _init(void)
+void ipt_helper_init(void)
{
register_match(&helper);
}
diff --git a/extensions/libipt_icmp.c b/extensions/libipt_icmp.c
index 8f22d052..3a7b1c08 100644
--- a/extensions/libipt_icmp.c
+++ b/extensions/libipt_icmp.c
@@ -301,7 +301,7 @@ static struct iptables_match icmp = {
.extra_opts = opts
};
-void _init(void)
+void ipt_icmp_init(void)
{
register_match(&icmp);
}
diff --git a/extensions/libipt_iprange.c b/extensions/libipt_iprange.c
index e6967029..847802bc 100644
--- a/extensions/libipt_iprange.c
+++ b/extensions/libipt_iprange.c
@@ -178,7 +178,7 @@ static struct iptables_match iprange = {
.extra_opts = opts
};
-void _init(void)
+void ipt_iprange_init(void)
{
register_match(&iprange);
}
diff --git a/extensions/libipt_ipv4options.c b/extensions/libipt_ipv4options.c
deleted file mode 100644
index 3d3b2360..00000000
--- a/extensions/libipt_ipv4options.c
+++ /dev/null
@@ -1,311 +0,0 @@
-/* Shared library add-on to iptables to add ipv4 options matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_ipv4options.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"ipv4options v%s options:\n"
-" --ssrr (match strict source routing flag)\n"
-" --lsrr (match loose source routing flag)\n"
-" --no-srr (match packets with no source routing)\n\n"
-" [!] --rr (match record route flag)\n\n"
-" [!] --ts (match timestamp flag)\n\n"
-" [!] --ra (match router-alert option)\n\n"
-" [!] --any-opt (match any option or no option at all if used with '!')\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "ssrr", 0, 0, '1' },
- { "lsrr", 0, 0, '2' },
- { "no-srr", 0, 0, '3'},
- { "rr", 0, 0, '4'},
- { "ts", 0, 0, '5'},
- { "ra", 0, 0, '6'},
- { "any-opt", 0, 0, '7'},
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_ipv4options_info *info = (struct ipt_ipv4options_info *)(*match)->data;
-
- switch (c)
- {
- /* strict-source-routing */
- case '1':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "ipv4options: unexpected `!' with --ssrr");
- if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ssrr twice");
- if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ssrr with --lsrr");
- if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ssrr with --no-srr");
-
- info->options |= IPT_IPV4OPTION_MATCH_SSRR;
- *flags |= IPT_IPV4OPTION_MATCH_SSRR;
- break;
-
- /* loose-source-routing */
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "ipv4options: unexpected `!' with --lsrr");
- if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --lsrr twice");
- if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --lsrr with --ssrr");
- if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --lsrr with --no-srr");
- info->options |= IPT_IPV4OPTION_MATCH_LSRR;
- *flags |= IPT_IPV4OPTION_MATCH_LSRR;
- break;
-
- /* no-source-routing */
- case '3':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "ipv4options: unexpected `!' with --no-srr");
- if (*flags & IPT_IPV4OPTION_DONT_MATCH_SRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --no-srr twice");
- if (*flags & IPT_IPV4OPTION_MATCH_SSRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --no-srr with --ssrr");
- if (*flags & IPT_IPV4OPTION_MATCH_LSRR)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --no-srr with --lsrr");
- info->options |= IPT_IPV4OPTION_DONT_MATCH_SRR;
- *flags |= IPT_IPV4OPTION_DONT_MATCH_SRR;
- break;
-
- /* record-route */
- case '4':
- if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_RR))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --rr twice");
- if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --rr twice");
- if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_RR))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --rr with ! --rr");
- if (invert && (*flags & IPT_IPV4OPTION_MATCH_RR))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --rr with --rr");
- if (invert) {
- info->options |= IPT_IPV4OPTION_DONT_MATCH_RR;
- *flags |= IPT_IPV4OPTION_DONT_MATCH_RR;
- }
- else {
- info->options |= IPT_IPV4OPTION_MATCH_RR;
- *flags |= IPT_IPV4OPTION_MATCH_RR;
- }
- break;
-
- /* timestamp */
- case '5':
- if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ts twice");
- if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --ts twice");
- if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ts with ! --ts");
- if (invert && (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --ts with --ts");
- if (invert) {
- info->options |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
- *flags |= IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP;
- }
- else {
- info->options |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
- *flags |= IPT_IPV4OPTION_MATCH_TIMESTAMP;
- }
- break;
-
- /* router-alert */
- case '6':
- if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ra twice");
- if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --rr twice");
- if ((!invert) && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --ra with ! --ra");
- if (invert && (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --ra with --ra");
- if (invert) {
- info->options |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
- *flags |= IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT;
- }
- else {
- info->options |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
- *flags |= IPT_IPV4OPTION_MATCH_ROUTER_ALERT;
- }
- break;
-
- /* any option */
- case '7' :
- if ((!invert) && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --any-opt twice");
- if (invert && (*flags & IPT_IPV4OPTION_MATCH_ANY_OPT))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --any-opt with --any-opt");
- if (invert && (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --any-opt twice");
- if ((!invert) &&
- ((*flags & IPT_IPV4OPTION_DONT_MATCH_SRR) ||
- (*flags & IPT_IPV4OPTION_DONT_MATCH_RR) ||
- (*flags & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP) ||
- (*flags & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --any-opt with any other negative ipv4options match");
- if (invert &&
- ((*flags & IPT_IPV4OPTION_MATCH_LSRR) ||
- (*flags & IPT_IPV4OPTION_MATCH_SSRR) ||
- (*flags & IPT_IPV4OPTION_MATCH_RR) ||
- (*flags & IPT_IPV4OPTION_MATCH_TIMESTAMP) ||
- (*flags & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --any-opt with any other positive ipv4options match");
- if (invert) {
- info->options |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
- *flags |= IPT_IPV4OPTION_DONT_MATCH_ANY_OPT;
- }
- else {
- info->options |= IPT_IPV4OPTION_MATCH_ANY_OPT;
- *flags |= IPT_IPV4OPTION_MATCH_ANY_OPT;
- }
- break;
-
- default:
- return 0;
- }
- return 1;
-}
-
-static void
-final_check(unsigned int flags)
-{
- if (flags == 0)
- exit_error(PARAMETER_PROBLEM,
- "ipv4options match: you must specify some parameters. See iptables -m ipv4options --help for help.'");
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
-
- printf(" IPV4OPTS");
- if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
- printf(" SSRR");
- else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
- printf(" LSRR");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
- printf(" !SRR");
- if (info->options & IPT_IPV4OPTION_MATCH_RR)
- printf(" RR");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
- printf(" !RR");
- if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
- printf(" TS");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
- printf(" !TS");
- if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
- printf(" RA");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
- printf(" !RA");
- if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
- printf(" ANYOPT ");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
- printf(" NOOPT");
-
- printf(" ");
-}
-
-/* Saves the data in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_ipv4options_info *info = ((struct ipt_ipv4options_info *)match->data);
-
- if (info->options & IPT_IPV4OPTION_MATCH_SSRR)
- printf(" --ssrr");
- else if (info->options & IPT_IPV4OPTION_MATCH_LSRR)
- printf(" --lsrr");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_SRR)
- printf(" --no-srr");
- if (info->options & IPT_IPV4OPTION_MATCH_RR)
- printf(" --rr");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_RR)
- printf(" ! --rr");
- if (info->options & IPT_IPV4OPTION_MATCH_TIMESTAMP)
- printf(" --ts");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_TIMESTAMP)
- printf(" ! --ts");
- if (info->options & IPT_IPV4OPTION_MATCH_ROUTER_ALERT)
- printf(" --ra");
- else if (info->options & IPT_IPV4OPTION_DONT_MATCH_ROUTER_ALERT)
- printf(" ! --ra");
- if (info->options & IPT_IPV4OPTION_MATCH_ANY_OPT)
- printf(" --any-opt");
- if (info->options & IPT_IPV4OPTION_DONT_MATCH_ANY_OPT)
- printf(" ! --any-opt");
-
- printf(" ");
-}
-
-static struct iptables_match ipv4options_struct = {
- .next = NULL,
- .name = "ipv4options",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&ipv4options_struct);
-}
diff --git a/extensions/libipt_ipv4options.man b/extensions/libipt_ipv4options.man
deleted file mode 100644
index 122dc68d..00000000
--- a/extensions/libipt_ipv4options.man
+++ /dev/null
@@ -1,32 +0,0 @@
-Match on IPv4 header options like source routing, record route,
-timestamp and router-alert.
-.TP
-.B "--ssrr"
-To match packets with the flag strict source routing.
-.TP
-.B "--lsrr"
-To match packets with the flag loose source routing.
-.TP
-.B "--no-srr"
-To match packets with no flag for source routing.
-.TP
-.B "\fR[\fB!\fR]\fB --rr"
-To match packets with the RR flag.
-.TP
-.B "\fR[\fB!\fR]\fB --ts"
-To match packets with the TS flag.
-.TP
-.B "\fR[\fB!\fR]\fB --ra"
-To match packets with the router-alert option.
-.TP
-.B "\fR[\fB!\fR]\fB --any-opt"
-To match a packet with at least one IP option, or no IP option
-at all if ! is chosen.
-.TP
-Examples:
-.TP
-$ iptables -A input -m ipv4options --rr -j DROP
-will drop packets with the record-route flag.
-.TP
-$ iptables -A input -m ipv4options --ts -j DROP
-will drop packets with the timestamp flag.
diff --git a/extensions/libipt_length.c b/extensions/libipt_length.c
index cfac1c5f..38c70b57 100644
--- a/extensions/libipt_length.c
+++ b/extensions/libipt_length.c
@@ -145,7 +145,7 @@ static struct iptables_match length = {
.extra_opts = opts
};
-void _init(void)
+void ipt_length_init(void)
{
register_match(&length);
}
diff --git a/extensions/libipt_limit.c b/extensions/libipt_limit.c
index 7f0337ae..5e75d937 100644
--- a/extensions/libipt_limit.c
+++ b/extensions/libipt_limit.c
@@ -190,7 +190,7 @@ static struct iptables_match limit = {
.extra_opts = opts
};
-void _init(void)
+void ipt_limit_init(void)
{
register_match(&limit);
}
diff --git a/extensions/libipt_mac.c b/extensions/libipt_mac.c
index bac85125..59f9fc02 100644
--- a/extensions/libipt_mac.c
+++ b/extensions/libipt_mac.c
@@ -134,7 +134,7 @@ static struct iptables_match mac = {
.extra_opts = opts
};
-void _init(void)
+void ipt_mac_init(void)
{
register_match(&mac);
}
diff --git a/extensions/libipt_mport.c b/extensions/libipt_mport.c
deleted file mode 100644
index 624de134..00000000
--- a/extensions/libipt_mport.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/* Shared library add-on to iptables to add multiple TCP port support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_mport.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"mport v%s options:\n"
-" --source-ports port[,port:port,port...]\n"
-" --sports ...\n"
-" match source port(s)\n"
-" --destination-ports port[,port:port,port...]\n"
-" --dports ...\n"
-" match destination port(s)\n"
-" --ports port[,port:port,port]\n"
-" match both source and destination port(s)\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "source-ports", 1, 0, '1' },
- { "sports", 1, 0, '1' }, /* synonym */
- { "destination-ports", 1, 0, '2' },
- { "dports", 1, 0, '2' }, /* synonym */
- { "ports", 1, 0, '3' },
- {0}
-};
-
-static void
-parse_multi_ports(const char *portstring, struct ipt_mport *minfo,
- const char *proto)
-{
- char *buffer, *cp, *next, *range;
- unsigned int i;
- u_int16_t m;
-
- buffer = strdup(portstring);
- if (!buffer) exit_error(OTHER_PROBLEM, "strdup failed");
-
- minfo->pflags = 0;
-
- for (cp=buffer, i=0, m=1; cp && i<IPT_MULTI_PORTS; cp=next,i++,m<<=1)
- {
- next=strchr(cp, ',');
- if (next) *next++='\0';
- range = strchr(cp, ':');
- if (range) {
- if (i == IPT_MULTI_PORTS-1)
- exit_error(PARAMETER_PROBLEM,
- "too many ports specified");
- *range++ = '\0';
- }
- minfo->ports[i] = parse_port(cp, proto);
- if (range) {
- minfo->pflags |= m;
- minfo->ports[++i] = parse_port(range, proto);
- if (minfo->ports[i-1] >= minfo->ports[i])
- exit_error(PARAMETER_PROBLEM,
- "invalid portrange specified");
- m <<= 1;
- }
- }
- if (cp) exit_error(PARAMETER_PROBLEM, "too many ports specified");
- if (i == IPT_MULTI_PORTS-1)
- minfo->ports[i] = minfo->ports[i-1];
- else if (i < IPT_MULTI_PORTS-1) {
- minfo->ports[i] = ~0;
- minfo->pflags |= 1<<i;
- }
- free(buffer);
-}
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-}
-
-static const char *
-check_proto(const struct ipt_entry *entry)
-{
- if (entry->ip.proto == IPPROTO_TCP)
- return "tcp";
- else if (entry->ip.proto == IPPROTO_UDP)
- return "udp";
- else if (!entry->ip.proto)
- exit_error(PARAMETER_PROBLEM,
- "multiport needs `-p tcp' or `-p udp'");
- else
- exit_error(PARAMETER_PROBLEM,
- "multiport only works with TCP or UDP");
-}
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- const char *proto;
- struct ipt_mport *minfo
- = (struct ipt_mport *)(*match)->data;
-
- switch (c) {
- case '1':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports(argv[optind-1], minfo, proto);
- minfo->flags = IPT_MPORT_SOURCE;
- break;
-
- case '2':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports(argv[optind-1], minfo, proto);
- minfo->flags = IPT_MPORT_DESTINATION;
- break;
-
- case '3':
- check_inverse(argv[optind-1], &invert, &optind, 0);
- proto = check_proto(entry);
- parse_multi_ports(argv[optind-1], minfo, proto);
- minfo->flags = IPT_MPORT_EITHER;
- break;
-
- default:
- return 0;
- }
-
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "multiport does not support invert");
-
- if (*flags)
- exit_error(PARAMETER_PROBLEM,
- "multiport can only have one option");
- *flags = 1;
- return 1;
-}
-
-/* Final check; must specify something. */
-static void
-final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "mport expects an option");
-}
-
-static char *
-port_to_service(int port, u_int8_t proto)
-{
- struct servent *service;
-
- if ((service = getservbyport(htons(port),
- proto == IPPROTO_TCP ? "tcp" : "udp")))
- return service->s_name;
-
- return NULL;
-}
-
-static void
-print_port(u_int16_t port, u_int8_t protocol, int numeric)
-{
- char *service;
-
- if (numeric || (service = port_to_service(port, protocol)) == NULL)
- printf("%u", port);
- else
- printf("%s", service);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_mport *minfo
- = (const struct ipt_mport *)match->data;
- unsigned int i;
- u_int16_t pflags = minfo->pflags;
-
- printf("mport ");
-
- switch (minfo->flags) {
- case IPT_MPORT_SOURCE:
- printf("sports ");
- break;
-
- case IPT_MPORT_DESTINATION:
- printf("dports ");
- break;
-
- case IPT_MPORT_EITHER:
- printf("ports ");
- break;
-
- default:
- printf("ERROR ");
- break;
- }
-
- for (i=0; i < IPT_MULTI_PORTS; i++) {
- if (pflags & (1<<i)
- && minfo->ports[i] == 65535)
- break;
- if (i == IPT_MULTI_PORTS-1
- && minfo->ports[i-1] == minfo->ports[i])
- break;
- printf("%s", i ? "," : "");
- print_port(minfo->ports[i], ip->proto, numeric);
- if (pflags & (1<<i)) {
- printf(":");
- print_port(minfo->ports[++i], ip->proto, numeric);
- }
- }
- printf(" ");
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_mport *minfo
- = (const struct ipt_mport *)match->data;
- unsigned int i;
- u_int16_t pflags = minfo->pflags;
-
- switch (minfo->flags) {
- case IPT_MPORT_SOURCE:
- printf("--sports ");
- break;
-
- case IPT_MPORT_DESTINATION:
- printf("--dports ");
- break;
-
- case IPT_MPORT_EITHER:
- printf("--ports ");
- break;
- }
-
- for (i=0; i < IPT_MULTI_PORTS; i++) {
- if (pflags & (1<<i)
- && minfo->ports[i] == 65535)
- break;
- if (i == IPT_MULTI_PORTS-1
- && minfo->ports[i-1] == minfo->ports[i])
- break;
- printf("%s", i ? "," : "");
- print_port(minfo->ports[i], ip->proto, 1);
- if (pflags & (1<<i)) {
- printf(":");
- print_port(minfo->ports[++i], ip->proto, 1);
- }
- }
- printf(" ");
-}
-
-static struct iptables_match mport = {
- .next = NULL,
- .name = "mport",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_mport)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_mport)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match(&mport);
-}
diff --git a/extensions/libipt_mport.man b/extensions/libipt_mport.man
deleted file mode 100644
index cead84e7..00000000
--- a/extensions/libipt_mport.man
+++ /dev/null
@@ -1,19 +0,0 @@
-This module matches a set of source or destination ports. Up to 15
-ports can be specified. It can only be used in conjunction with
-.B "-p tcp"
-or
-.BR "-p udp" .
-.TP
-.BR "--source-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the source port is one of the given ports. The flag
-.B --sports
-is a convenient alias for this option.
-.TP
-.BR "--destination-ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the destination port is one of the given ports. The flag
-.B --dports
-is a convenient alias for this option.
-.TP
-.BR "--ports " "\fIport\fP[,\fIport\fP[,\fIport\fP...]]"
-Match if the both the source and destination ports are equal to each
-other and to one of the given ports.
diff --git a/extensions/libipt_multiport.c b/extensions/libipt_multiport.c
index 2a10abd4..694d69d4 100644
--- a/extensions/libipt_multiport.c
+++ b/extensions/libipt_multiport.c
@@ -5,6 +5,7 @@
#include <stdlib.h>
#include <getopt.h>
#include <iptables.h>
+#include <netinet/in.h>
/* To ensure that iptables compiles with an old kernel */
#include "../include/linux/netfilter_ipv4/ipt_multiport.h"
@@ -59,6 +60,8 @@ proto_to_name(u_int8_t proto)
return "tcp";
case IPPROTO_UDP:
return "udp";
+ case IPPROTO_UDPLITE:
+ return "udplite";
case IPPROTO_SCTP:
return "sctp";
case IPPROTO_DCCP:
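Review bot: The new `case IPPROTO_UDPLITE:` depends on the added `#include <netinet/in.h>` to supply the constant, but older libc headers do not define IPPROTO_UDPLITE at all, so on such a toolchain (which one this tree targets is not visible here) the file stops compiling with an undeclared identifier rather than silently losing the feature. A guarded fallback next to the includes, `#ifndef IPPROTO_UDPLITE` / `#define IPPROTO_UDPLITE 136` / `#endif`, keeps the build portable and is a no-op where the header already provides it (136 is the IANA-assigned protocol number for UDP-Lite). proto_to_name starts before this hunk, so its remaining cases and the default path are not visible; the message-string updates in check_proto further down need nothing beyond that guard.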
@@ -141,16 +144,17 @@ check_proto(const struct ipt_entry *entry)
if (entry->ip.invflags & IPT_INV_PROTO)
exit_error(PARAMETER_PROBLEM,
- "multiport only works with TCP or UDP");
+ "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
if ((proto = proto_to_name(entry->ip.proto)) != NULL)
return proto;
else if (!entry->ip.proto)
exit_error(PARAMETER_PROBLEM,
- "multiport needs `-p tcp', `-p udp', `-p sctp' or `-p dccp'");
+ "multiport needs `-p tcp', `-p udp', `-p udplite', "
+ "`-p sctp' or `-p dccp'");
else
exit_error(PARAMETER_PROBLEM,
- "multiport only works with TCP, UDP, SCTP and DCCP");
+ "multiport only works with TCP, UDP, UDPLITE, SCTP and DCCP");
}
/* Function which parses command options; returns true if it
@@ -457,7 +461,7 @@ static struct iptables_match multiport_v1 = {
};
void
-_init(void)
+ipt_multiport_init(void)
{
register_match(&multiport);
register_match(&multiport_v1);
diff --git a/extensions/libipt_nth.c b/extensions/libipt_nth.c
deleted file mode 100644
index 6f483b9f..00000000
--- a/extensions/libipt_nth.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for every Nth packet
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-07-17 Fabrice MARIE <fabrice@netfilter.org> : initial development.
- 2001-09-20 Richard Wagner (rwagner@cloudnet.com)
- * added support for multiple counters
- * added support for matching on individual packets
- in the counter cycle
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_nth.h>
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"nth v%s options:\n"
-" --every Nth Match every Nth packet\n"
-" [--counter num ] Use counter 0-%u (default:0)\n"
-" [--start num ] Initialize the counter at the number 'num'\n"
-" instead of 0. Must be between 0 and Nth-1\n"
-" [--packet num ] Match on 'num' packet. Must be between 0\n"
-" and Nth-1.\n\n"
-" If --packet is used for a counter than\n"
-" there must be Nth number of --packet\n"
-" rules, covering all values between 0 and\n"
-" Nth-1 inclusively.\n",
-IPTABLES_VERSION, IPT_NTH_NUM_COUNTERS-1);
-}
-
-static struct option opts[] = {
- { "every", 1, 0, '1' },
- { "start", 1, 0, '2' },
- { "counter", 1, 0, '3' },
- { "packet", 1, 0, '4' },
- { 0 }
-};
-
-#define IPT_NTH_OPT_EVERY 0x01
-#define IPT_NTH_OPT_NOT_EVERY 0x02
-#define IPT_NTH_OPT_START 0x04
-#define IPT_NTH_OPT_COUNTER 0x08
-#define IPT_NTH_OPT_PACKET 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_nth_info *nthinfo = (struct ipt_nth_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if ((!invert) && (*flags & IPT_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every twice");
- if (invert && (*flags & IPT_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every twice");
- if ((!invert) && (*flags & IPT_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --every with ! --every");
- if (invert && (*flags & IPT_NTH_OPT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --every with --every");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 2, 100, &num) == -1 || num < 2)
- exit_error(PARAMETER_PROBLEM,
- "bad --every `%s', must be between 2 and 100", optarg);
-
- /* assign the values */
- nthinfo->every = num-1;
- nthinfo->startat = 0;
- nthinfo->packet = 0xFF;
- if(!(*flags & IPT_NTH_OPT_EVERY))
- {
- nthinfo->counter = 0;
- }
- if (invert)
- {
- *flags |= IPT_NTH_OPT_NOT_EVERY;
- nthinfo->not = 1;
- }
- else
- {
- *flags |= IPT_NTH_OPT_EVERY;
- nthinfo->not = 0;
- }
- break;
- case '2':
- /* check for common mistakes... */
- if (!((*flags & IPT_NTH_OPT_EVERY) ||
- (*flags & IPT_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start before --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --start");
- if (*flags & IPT_NTH_OPT_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --start twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --start `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IPT_NTH_OPT_START;
- nthinfo->startat = num;
- break;
- case '3':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --counter");
- if (*flags & IPT_NTH_OPT_COUNTER)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --counter twice");
- if (string_to_number(optarg, 0, IPT_NTH_NUM_COUNTERS-1, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --counter `%s', must between 0 and %u", optarg, IPT_NTH_NUM_COUNTERS-1);
- /* assign the values */
- *flags |= IPT_NTH_OPT_COUNTER;
- nthinfo->counter = num;
- break;
- case '4':
- /* check for common mistakes... */
- if (!((*flags & IPT_NTH_OPT_EVERY) ||
- (*flags & IPT_NTH_OPT_NOT_EVERY)))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet before --every");
- if ((*flags & IPT_NTH_OPT_NOT_EVERY))
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet with ! --every");
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify with ! --packet");
- if (*flags & IPT_NTH_OPT_PACKET)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --packet twice");
- if (string_to_number(optarg, 0, nthinfo->every, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --packet `%s', must between 0 and %u", optarg, nthinfo->every);
- *flags |= IPT_NTH_OPT_PACKET;
- nthinfo->packet = num;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_nth_info *nthinfo
- = (const struct ipt_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf(" !");
- printf("every %uth ", (nthinfo->every +1));
- if (nthinfo->counter != 0)
- printf("counter #%u ", (nthinfo->counter));
- if (nthinfo->packet != 0xFF)
- printf("packet #%u ", nthinfo->packet);
- if (nthinfo->startat != 0)
- printf("start at %u ", nthinfo->startat);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_nth_info *nthinfo
- = (const struct ipt_nth_info *)match->data;
-
- if (nthinfo->not == 1)
- printf("! ");
- printf("--every %u ", (nthinfo->every +1));
- printf("--counter %u ", (nthinfo->counter));
- if (nthinfo->startat != 0)
- printf("--start %u ", nthinfo->startat );
- if (nthinfo->packet != 0xFF)
- printf("--packet %u ", nthinfo->packet );
-}
-
-static struct iptables_match nth = {
- .next = NULL,
- .name = "nth",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_nth_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_nth_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&nth);
-}
diff --git a/extensions/libipt_nth.man b/extensions/libipt_nth.man
deleted file mode 100644
index d215fd55..00000000
--- a/extensions/libipt_nth.man
+++ /dev/null
@@ -1,14 +0,0 @@
-This module matches every `n'th packet
-.TP
-.BI "--every " "value"
-Match every `value' packet
-.TP
-.BI "[" "--counter " "num" "]"
-Use internal counter number `num'. Default is `0'.
-.TP
-.BI "[" "--start " "num" "]"
-Initialize the counter at the number `num' insetad of `0'. Most between `0'
-and `value'-1.
-.TP
-.BI "[" "--packet " "num" "]"
-Match on `num' packet. Most be between `0' and `value'-1.
diff --git a/extensions/libipt_osf.c b/extensions/libipt_osf.c
deleted file mode 100644
index a2edb85a..00000000
--- a/extensions/libipt_osf.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * libipt_osf.c
- *
- * Copyright (c) 2003 Evgeniy Polyakov <johnpol@2ka.mipt.ru>
- *
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-/*
- * iptables interface for OS fingerprint matching module.
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <ctype.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_osf.h>
-
-static void help(void)
-{
- printf("OS fingerprint match options:\n"
- "--genre [!] string Match a OS genre by passive fingerprinting.\n"
- "--smart Use some smart extensions to determine OS (do not use TTL).\n"
- "--log level Log all(or only first) determined genres even if "
- "they do not match desired one. "
- "Level may be 0(all) or 1(only first entry).\n"
- "--netlink Log through netlink(NETLINK_NFLOG).\n",
- "--connector Log through kernel connector [in 2.6.12-mm+].\n"
- );
-}
-
-
-static struct option opts[] = {
- { .name = "genre", .has_arg = 1, .flag = 0, .val = '1' },
- { .name = "smart", .has_arg = 0, .flag = 0, .val = '2' },
- { .name = "log", .has_arg = 1, .flag = 0, .val = '3' },
- { .name = "netlink", .has_arg = 0, .flag = 0, .val = '4' },
- { .name = "connector", .has_arg = 0, .flag = 0, .val = '5' },
- { .name = 0 }
-};
-
-static void parse_string(const unsigned char *s, struct ipt_osf_info *info)
-{
- if (strlen(s) < MAXGENRELEN)
- strcpy(info->genre, s);
- else
- exit_error(PARAMETER_PROBLEM, "Genre string too long `%s' [%d], max=%d",
- s, strlen(s), MAXGENRELEN);
-}
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_osf_info *info = (struct ipt_osf_info *)(*match)->data;
-
- switch(c)
- {
- case '1': /* --genre */
- if (*flags & IPT_OSF_GENRE)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple genre parameter");
- check_inverse(optarg, &invert, &optind, 0);
- parse_string(argv[optind-1], info);
- if (invert)
- info->invert = 1;
- info->len=strlen((char *)info->genre);
- *flags |= IPT_OSF_GENRE;
- break;
- case '2': /* --smart */
- if (*flags & IPT_OSF_SMART)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple smart parameter");
- *flags |= IPT_OSF_SMART;
- info->flags |= IPT_OSF_SMART;
- break;
- case '3': /* --log */
- if (*flags & IPT_OSF_LOG)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple log parameter");
- *flags |= IPT_OSF_LOG;
- info->loglevel = atoi(argv[optind-1]);
- info->flags |= IPT_OSF_LOG;
- break;
- case '4': /* --netlink */
- if (*flags & IPT_OSF_NETLINK)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple netlink parameter");
- *flags |= IPT_OSF_NETLINK;
- info->flags |= IPT_OSF_NETLINK;
- break;
- case '5': /* --connector */
- if (*flags & IPT_OSF_CONNECTOR)
- exit_error(PARAMETER_PROBLEM, "Can't specify multiple connector parameter");
- *flags |= IPT_OSF_CONNECTOR;
- info->flags |= IPT_OSF_CONNECTOR;
- break;
- default:
- return 0;
- }
-
- return 1;
-}
-
-static void final_check(unsigned int flags)
-{
- if (!flags)
- exit_error(PARAMETER_PROBLEM, "OS fingerprint match: You must specify `--genre'");
-}
-
-static void print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
-{
- const struct ipt_osf_info *info = (const struct ipt_osf_info*) match->data;
-
- printf("OS fingerprint match %s%s ", (info->invert) ? "!" : "", info->genre);
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_osf_info *info = (const struct ipt_osf_info*) match->data;
-
- printf("--genre %s%s ", (info->invert) ? "! ": "", info->genre);
- if (info->flags & IPT_OSF_SMART)
- printf("--smart ");
- if (info->flags & IPT_OSF_LOG)
- printf("--log %d ", info->loglevel);
- if (info->flags & IPT_OSF_NETLINK)
- printf("--netlink ");
- if (info->flags & IPT_OSF_CONNECTOR)
- printf("--connector ");
-}
-
-
-static struct iptables_match osf_match = {
- .name = "osf",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_osf_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_osf_info)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void _init(void)
-{
- register_match(&osf_match);
-}
diff --git a/extensions/libipt_osf.man b/extensions/libipt_osf.man
deleted file mode 100644
index 38d25a03..00000000
--- a/extensions/libipt_osf.man
+++ /dev/null
@@ -1,47 +0,0 @@
-The idea of passive OS fingerprint matching exists for quite a long time,
-but was created as extension fo OpenBSD pf only some weeks ago.
-Original idea was lurked in some OpenBSD mailing list (thanks
-grange@open...) and than adopted for Linux netfilter in form of this code.
-
-Original fingerprint table was created by Michal Zalewski <lcamtuf@coredump.cx>.
-
-This module compares some data(WS, MSS, options and it's order, ttl,
-df and others) from first SYN packet (actually from packets with SYN
-bit set) with dynamically loaded OS fingerprints.
-.TP
-.B "--log 1/0"
-If present, OSF will log determined genres even if they don't match
-desired one.
-0 - log all determined entries,
-1 - only first one.
-
-In syslog you find something like this:
-.IP
-ipt_osf: Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139
-.IP
-ipt_osf: Unknown: 16384:106:1:48:020405B401010402 44.33.22.11:1239 -> 11.22.33.44:80
-.TP
-.B "--smart"
-if present, OSF will use some smartness to determine remote OS.
-OSF will use initial TTL only if source of connection is in our local network.
-.TP
-.B "--netlink"
-If present, OSF will log all events also through netlink NETLINK_NFLOG groupt 1.
-.TP
-.BI "--genre " "[!] string"
-Match a OS genre by passive fingerprinting
-.P
-Example:
-
-#iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 1 --smart
-
-NOTE: -p tcp is obviously required as it is a TCP match.
-
-Fingerprints can be loaded and read through /proc/sys/net/ipv4/osf file.
-One can flush all fingerprints with following command:
-.IP
-echo -en FLUSH > /proc/sys/net/ipv4/osf
-.P
-Only one fingerprint per open/write/close.
-
-Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os
diff --git a/extensions/libipt_owner.c b/extensions/libipt_owner.c
index cf13cb97..89e1a7c6 100644
--- a/extensions/libipt_owner.c
+++ b/extensions/libipt_owner.c
@@ -244,7 +244,7 @@ static struct iptables_match owner = {
.extra_opts = opts
};
-void _init(void)
+void ipt_owner_init(void)
{
register_match(&owner);
}
diff --git a/extensions/libipt_physdev.c b/extensions/libipt_physdev.c
index 28ee8271..ab87cf8f 100644
--- a/extensions/libipt_physdev.c
+++ b/extensions/libipt_physdev.c
@@ -187,7 +187,7 @@ static struct iptables_match physdev = {
.extra_opts = opts
};
-void _init(void)
+void ipt_physdev_init(void)
{
register_match(&physdev);
}
diff --git a/extensions/libipt_pkttype.c b/extensions/libipt_pkttype.c
index ea6439ef..7fa1c999 100644
--- a/extensions/libipt_pkttype.c
+++ b/extensions/libipt_pkttype.c
@@ -161,7 +161,7 @@ static struct iptables_match pkttype = {
.extra_opts = opts
};
-void _init(void)
+void ipt_pkttype_init(void)
{
register_match(&pkttype);
}
diff --git a/extensions/libipt_policy.c b/extensions/libipt_policy.c
index 681995ad..cd8b43dc 100644
--- a/extensions/libipt_policy.c
+++ b/extensions/libipt_policy.c
@@ -430,7 +430,7 @@ struct iptables_match policy = {
.extra_opts = opts
};
-void _init(void)
+void ipt_policy_init(void)
{
register_match(&policy);
}
diff --git a/extensions/libipt_psd.c b/extensions/libipt_psd.c
deleted file mode 100644
index 3d0034ab..00000000
--- a/extensions/libipt_psd.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/*
- Shared library add-on to iptables to add PSD support
-
- Copyright (C) 2000,2001 astaro AG
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2000-05-04 Markus Hennig <hennig@astaro.de> : initial
- 2000-08-18 Dennis Koslowski <koslowski@astaro.de> : first release
- 2000-12-01 Dennis Koslowski <koslowski@astaro.de> : UDP scans detection added
- 2001-02-04 Jan Rekorajski <baggins@pld.org.pl> : converted from target to match
- 2003-03-02 Harald Welte <laforge@netfilter.org>: fix 'storage' bug
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_psd.h>
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"psd v%s options:\n"
-" --psd-weight-threshold threshhold Portscan detection weight threshold\n\n"
-" --psd-delay-threshold delay Portscan detection delay threshold\n\n"
-" --psd-lo-ports-weight lo Privileged ports weight\n\n"
-" --psd-hi-ports-weight hi High ports weight\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "psd-weight-threshold", 1, 0, '1' },
- { "psd-delay-threshold", 1, 0, '2' },
- { "psd-lo-ports-weight", 1, 0, '3' },
- { "psd-hi-ports-weight", 1, 0, '4' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_psd_info *psdinfo = (struct ipt_psd_info *)m->data;
-
- psdinfo->weight_threshold = SCAN_WEIGHT_THRESHOLD;
- psdinfo->delay_threshold = SCAN_DELAY_THRESHOLD;
- psdinfo->lo_ports_weight = PORT_WEIGHT_PRIV;
- psdinfo->hi_ports_weight = PORT_WEIGHT_HIGH;
-}
-
-
-typedef struct _code {
- char *c_name;
- int c_val;
-} CODE;
-
-
-
-#define IPT_PSD_OPT_CTRESH 0x01
-#define IPT_PSD_OPT_DTRESH 0x02
-#define IPT_PSD_OPT_LPWEIGHT 0x04
-#define IPT_PSD_OPT_HPWEIGHT 0x08
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_psd_info *psdinfo = (struct ipt_psd_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- /* PSD-weight-threshold */
- case '1':
- if (*flags & IPT_PSD_OPT_CTRESH)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-weight-threshold "
- "twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-weight-threshold `%s'", optarg);
- psdinfo->weight_threshold = num;
- *flags |= IPT_PSD_OPT_CTRESH;
- break;
-
- /* PSD-delay-threshold */
- case '2':
- if (*flags & IPT_PSD_OPT_DTRESH)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-delay-threshold twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-delay-threshold `%s'", optarg);
- psdinfo->delay_threshold = num;
- *flags |= IPT_PSD_OPT_DTRESH;
- break;
-
- /* PSD-lo-ports-weight */
- case '3':
- if (*flags & IPT_PSD_OPT_LPWEIGHT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-lo-ports-weight twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-lo-ports-weight `%s'", optarg);
- psdinfo->lo_ports_weight = num;
- *flags |= IPT_PSD_OPT_LPWEIGHT;
- break;
-
- /* PSD-hi-ports-weight */
- case '4':
- if (*flags & IPT_PSD_OPT_HPWEIGHT)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --psd-hi-ports-weight twice");
- if (string_to_number(optarg, 0, 10000, &num) == -1)
- exit_error(PARAMETER_PROBLEM,
- "bad --psd-hi-ports-weight `%s'", optarg);
- psdinfo->hi_ports_weight = num;
- *flags |= IPT_PSD_OPT_HPWEIGHT;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_psd_info *psdinfo
- = (const struct ipt_psd_info *)match->data;
-
- printf("psd ");
- printf("weight-threshold: %u ", psdinfo->weight_threshold);
- printf("delay-threshold: %u ", psdinfo->delay_threshold);
- printf("lo-ports-weight: %u ", psdinfo->lo_ports_weight);
- printf("hi-ports-weight: %u ", psdinfo->hi_ports_weight);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_psd_info *psdinfo
- = (const struct ipt_psd_info *)match->data;
-
- printf("--psd-weight-threshold %u ", psdinfo->weight_threshold);
- printf("--psd-delay-threshold %u ", psdinfo->delay_threshold);
- printf("--psd-lo-ports-weight %u ", psdinfo->lo_ports_weight);
- printf("--psd-hi-ports-weight %u ", psdinfo->hi_ports_weight);
-}
-
-static struct iptables_match psd = {
- .next = NULL,
- .name = "psd",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_psd_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_psd_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&psd);
-}
diff --git a/extensions/libipt_psd.man b/extensions/libipt_psd.man
deleted file mode 100644
index b73fffc0..00000000
--- a/extensions/libipt_psd.man
+++ /dev/null
@@ -1,18 +0,0 @@
-Attempt to detect TCP and UDP port scans. This match was derived from
-Solar Designer's scanlogd.
-.TP
-.BI "--psd-weight-threshold " "threshold"
-Total weight of the latest TCP/UDP packets with different
-destination ports coming from the same host to be treated as port
-scan sequence.
-.TP
-.BI "--psd-delay-threshold " "delay"
-Delay (in hundredths of second) for the packets with different
-destination ports coming from the same host to be treated as
-possible port scan subsequence.
-.TP
-.BI "--psd-lo-ports-weight " "weight"
-Weight of the packet with privileged (<=1024) destination port.
-.TP
-.BI "--psd-hi-ports-weight " "weight"
-Weight of the packet with non-priviliged destination port.
diff --git a/extensions/libipt_quota.c b/extensions/libipt_quota.c
index 83807541..68e36722 100644
--- a/extensions/libipt_quota.c
+++ b/extensions/libipt_quota.c
@@ -101,7 +101,7 @@ struct iptables_match quota = {
};
void
-_init(void)
+ipt_quota_init(void)
{
register_match(&quota);
}
diff --git a/extensions/libipt_random.c b/extensions/libipt_random.c
deleted file mode 100644
index d28ab8ce..00000000
--- a/extensions/libipt_random.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- Shared library add-on to iptables to add match support for random match.
-
- This file is distributed under the terms of the GNU General Public
- License (GPL). Copies of the GPL can be obtained from:
- ftp://prep.ai.mit.edu/pub/gnu/GPL
-
- 2001-10-14 Fabrice MARIE <fabrice@netfilter.org> : initial development.
-*/
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ipt_random.h>
-
-/**
- * The kernel random routing returns numbers between 0 and 255.
- * To ease the task of the user in choosing the probability
- * of matching, we want him to be able to use percentages.
- * Therefore we have to accept numbers in percentage here,
- * turn them into number between 0 and 255 for the kernel module,
- * and turn them back to percentages when we print/save
- * the rule.
- */
-
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"random v%s options:\n"
-" [--average percent ] The probability in percentage of the match\n"
-" If ommited, a probability of 50%% percent is set.\n"
-" Percentage must be within : 1 <= percent <= 99.\n\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "average", 1, 0, '1' },
- { 0 }
-};
-
-/* Initialize the target. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_rand_info *randinfo = (struct ipt_rand_info *)(m)->data;
-
- /* We assign the average to be 50 which is our default value */
- /* 50 * 2.55 = 128 */
- randinfo->average = 128;
-}
-
-#define IPT_RAND_OPT_AVERAGE 0x01
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_rand_info *randinfo = (struct ipt_rand_info *)(*match)->data;
- unsigned int num;
-
- switch (c) {
- case '1':
- /* check for common mistakes... */
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify ! --average");
- if (*flags & IPT_RAND_OPT_AVERAGE)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --average twice");
-
- /* Remember, this function will interpret a leading 0 to be
- Octal, a leading 0x to be hexdecimal... */
- if (string_to_number(optarg, 1, 99, &num) == -1 || num < 1)
- exit_error(PARAMETER_PROBLEM,
- "bad --average `%s', must be between 1 and 99", optarg);
-
- /* assign the values */
- randinfo->average = (int)(num * 2.55);
- *flags |= IPT_RAND_OPT_AVERAGE;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check; nothing. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the targinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- const struct ipt_rand_info *randinfo
- = (const struct ipt_rand_info *)match->data;
- div_t result = div((randinfo->average*100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf(" random %u%% ", result.quot);
-}
-
-/* Saves the union ipt_targinfo in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- const struct ipt_rand_info *randinfo
- = (const struct ipt_rand_info *)match->data;
- div_t result = div((randinfo->average *100), 255);
- if (result.rem > 127) /* round up... */
- ++result.quot;
-
- printf("--average %u ", result.quot);
-}
-
-struct iptables_match rand_match = {
- .next = NULL,
- .name = "random",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_rand_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_rand_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&rand_match);
-}
diff --git a/extensions/libipt_random.man b/extensions/libipt_random.man
deleted file mode 100644
index f808a779..00000000
--- a/extensions/libipt_random.man
+++ /dev/null
@@ -1,4 +0,0 @@
-This module randomly matches a certain percentage of all packets.
-.TP
-.BI "--average " "percent"
-Matches the given percentage. If omitted, a probability of 50% is set.
diff --git a/extensions/libipt_realm.c b/extensions/libipt_realm.c
index 15646778..966d76e8 100644
--- a/extensions/libipt_realm.c
+++ b/extensions/libipt_realm.c
@@ -264,7 +264,7 @@ static struct iptables_match realm = { NULL,
.extra_opts = opts
};
-void _init(void)
+void ipt_realm_init(void)
{
register_match(&realm);
}
diff --git a/extensions/libipt_recent.c b/extensions/libipt_recent.c
index 0b0ed2d1..beb180c6 100644
--- a/extensions/libipt_recent.c
+++ b/extensions/libipt_recent.c
@@ -234,7 +234,7 @@ static struct iptables_match recent = {
.extra_opts = opts
};
-void _init(void)
+void ipt_recent_init(void)
{
register_match(&recent);
}
diff --git a/extensions/libipt_record_rpc.c b/extensions/libipt_record_rpc.c
deleted file mode 100644
index 571d286b..00000000
--- a/extensions/libipt_record_rpc.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/* Shared library add-on to iptables for rpc match */
-#include <stdio.h>
-#include <getopt.h>
-#include <iptables.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"record_rpc v%s takes no options\n"
-"\n", IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- {0}
-};
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- return 0;
-}
-
-/* Final check; must have specified --mac. */
-static void final_check(unsigned int flags)
-{
-}
-
-/* Prints out the union ipt_matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
-}
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
-}
-
-static
-struct iptables_match record_rpc = {
- .next = NULL,
- .name = "record_rpc",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(0),
- .userspacesize = IPT_ALIGN(0),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&record_rpc);
-}
diff --git a/extensions/libipt_rpc.c b/extensions/libipt_rpc.c
deleted file mode 100644
index dbfb3962..00000000
--- a/extensions/libipt_rpc.c
+++ /dev/null
@@ -1,373 +0,0 @@
-/* RPC extension for IP connection matching, Version 2.2
- * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
- * - original rpc tracking module
- * - "recent" connection handling for kernel 2.3+ netfilter
- *
- * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
- * - upgraded conntrack modules to oldnat api - kernel 2.4.0+
- *
- * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
- * - upgraded conntrack modules to newnat api - kernel 2.4.20+
- * - extended matching to support filtering on procedures
- *
- * libipt_rpc.c,v 2.2 2003/01/12 18:30:00
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- **
- * Userspace library syntax:
- * --rpc [--rpcs procedure1,procedure2,...procedure128] [--static]
- *
- * Procedures can be supplied in either numeric or named formats.
- * Without --rpcs, this module will behave as the old record-rpc.
- **
- * Note to all:
- *
- * RPCs should not be exposed to the internet - ask the Pentagon;
- *
- * "The unidentified crackers pleaded guilty in July to charges
- * of juvenile delinquency stemming from a string of Pentagon
- * network intrusions in February.
- *
- * The youths, going by the names TooShort and Makaveli, used
- * a common server security hole to break in, according to
- * Dane Jasper, owner of the California Internet service
- * provider, Sonic. They used the hole, known as the 'statd'
- * exploit, to attempt more than 800 break-ins, Jasper said."
- *
- * From: Wired News; "Pentagon Kids Kicked Off Grid" - Nov 6, 1998
- * URL: http://www.wired.com/news/politics/0,1283,16098,00.html
- **
- */
-
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <rpc/rpc.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_rpc.h>
-#include <time.h>
-
-
-const int IPT_RPC_RPCS = 1;
-const int IPT_RPC_STRC = 2;
-
-const int IPT_RPC_INT_LBL = 1;
-const int IPT_RPC_INT_NUM = 2;
-const int IPT_RPC_INT_BTH = 3;
-
-const int IPT_RPC_CHAR_LEN = 11;
-const int IPT_RPC_MAX_ENTS = 128;
-
-const char preerr[11] = "RPC match:";
-
-
-static int k_itoa(char *string, int number)
-{
- int maxoctet = IPT_RPC_CHAR_LEN - 1;
- int store[IPT_RPC_CHAR_LEN];
- int counter;
-
-
- for (counter=0 ; maxoctet != 0 && number != 0; counter++, maxoctet--) {
- store[counter] = number / 10;
- store[counter] = number - ( store[counter] * 10 );
- number = number / 10;
- }
-
- for ( ; counter != 0; counter--, string++)
- *string = store[counter - 1] + 48;
-
- *string = 0;
-
- return(0);
-}
-
-
-static int k_atoi(char *string)
-{
- unsigned int result = 0;
- int maxoctet = IPT_RPC_CHAR_LEN;
-
-
- for ( ; *string != 0 && maxoctet != 0; maxoctet--, string++) {
- if (*string < 0)
- return(0);
- if (*string == 0)
- break;
- if (*string < 48 || *string > 57) {
- return(0);
- }
- result = result * 10 + ( *string - 48 );
- }
-
- return(result);
-}
-
-
-static void print_rpcs(char *c_procs, int i_procs, int labels)
-{
- int proc_ctr;
- char *proc_ptr;
- unsigned int proc_num;
- struct rpcent *rpcent;
-
-
- for (proc_ctr=0; proc_ctr <= i_procs; proc_ctr++) {
-
- if ( proc_ctr != 0 )
- printf(",");
-
- proc_ptr = c_procs;
- proc_ptr += proc_ctr * IPT_RPC_CHAR_LEN;
- proc_num = k_atoi(proc_ptr);
-
- /* labels(1) == no labels, only numbers
- * labels(2) == no numbers, only labels
- * labels(3) == both labels and numbers
- */
-
- if (labels == IPT_RPC_INT_LBL || labels == IPT_RPC_INT_BTH ) {
- if ( (rpcent = getrpcbynumber(proc_num)) == NULL )
- printf("unknown");
- else
- printf("%s", rpcent->r_name);
- }
-
- if (labels == IPT_RPC_INT_BTH )
- printf("(");
-
- if (labels == IPT_RPC_INT_NUM || labels == IPT_RPC_INT_BTH )
- printf("%i", proc_num);
-
- if (labels == IPT_RPC_INT_BTH )
- printf(")");
-
- }
-
-}
-
-
-static void help(void)
-{
- printf(
- "RPC v%s options:\n"
- " --rpcs list,of,procedures"
- "\ta list of rpc program numbers to apply\n"
- "\t\t\t\tie. 100003,mountd,rquotad (numeric or\n"
- "\t\t\t\tname form; see /etc/rpc).\n"
- " --strict"
- "\t\t\ta flag to force the drop of packets\n"
- "\t\t\t\tnot containing \"get\" portmapper requests.\n",
- IPTABLES_VERSION);
-}
-
-
-static struct option opts[] = {
- { "rpcs", 1, 0, '1'},
- { "strict", 0, 0, '2'},
- {0}
-};
-
-
-static void init(struct ipt_entry_match *match, unsigned int *nfcache)
-{
- struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
-
-
-
- /* initialise those funky user vars */
- rpcinfo->i_procs = -1;
- rpcinfo->strict = 0;
- memset((char *)rpcinfo->c_procs, 0, sizeof(rpcinfo->c_procs));
-}
-
-
-static void parse_rpcs_string(char *string, struct ipt_entry_match **match)
-{
- char err1[64] = "%s invalid --rpcs option-set: `%s' (at character %i)";
- char err2[64] = "%s unable to resolve rpc name entry: `%s'";
- char err3[64] = "%s maximum number of --rpc options (%i) exceeded";
- char buf[256];
- char *dup = buf;
- int idup = 0;
- int term = 0;
- char *src, *dst;
- char *c_procs;
- struct rpcent *rpcent_ptr;
- struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
-
-
- memset(buf, 0, sizeof(buf));
-
- for (src=string, dst=buf; term != 1 ; src++, dst++) {
-
- if ( *src != ',' && *src != '\0' ) {
- if ( ( *src >= 65 && *src <= 90 ) || ( *src >= 97 && *src <= 122) ) {
- *dst = *src;
- idup = 1;
-
- } else if ( *src >= 48 && *src <= 57 ) {
- *dst = *src;
-
- } else {
- exit_error(PARAMETER_PROBLEM, err1, preerr,
- string, src - string + 1);
-
- }
-
- } else {
- *dst = '\0';
- if ( idup == 1 ) {
- if ( (rpcent_ptr = getrpcbyname(dup)) == NULL )
- exit_error(PARAMETER_PROBLEM, err2,
- preerr, dup);
- idup = rpcent_ptr->r_number;
- } else {
- idup = k_atoi(dup);
- }
-
- rpcinfo->i_procs++;
- if ( rpcinfo->i_procs > IPT_RPC_MAX_ENTS )
- exit_error(PARAMETER_PROBLEM, err3, preerr,
- IPT_RPC_MAX_ENTS);
-
- c_procs = (char *)rpcinfo->c_procs;
- c_procs += rpcinfo->i_procs * IPT_RPC_CHAR_LEN;
-
- memset(buf, 0, sizeof(buf));
- k_itoa((char *)dup, idup);
-
- strcpy(c_procs, dup);
-
- if ( *src == '\0')
- term = 1;
-
- idup = 0;
- memset(buf, 0, sizeof(buf));
- dst = (char *)buf - 1;
- }
- }
-
- return;
-}
-
-
-static int parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_rpc_info *rpcinfo = (struct ipt_rpc_info *)(*match)->data;
-
-
- switch (c)
- {
- case '1':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "%s unexpected '!' with --rpcs\n", preerr);
- if (*flags & IPT_RPC_RPCS)
- exit_error(PARAMETER_PROBLEM,
- "%s repeated use of --rpcs\n", preerr);
- parse_rpcs_string(optarg, match);
-
- *flags |= IPT_RPC_RPCS;
- break;
-
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "%s unexpected '!' with --strict\n", preerr);
- if (*flags & IPT_RPC_STRC)
- exit_error(PARAMETER_PROBLEM,
- "%s repeated use of --strict\n", preerr);
- rpcinfo->strict = 1;
- *flags |= IPT_RPC_STRC;
- break;
-
- default:
- return 0;
- }
-
- return 1;
-
-}
-
-
-static void final_check(unsigned int flags)
-{
- if (flags != (flags | IPT_RPC_RPCS)) {
- printf("%s option \"--rpcs\" was not used ... reverting ", preerr);
- printf("to old \"record-rpc\" functionality ..\n");
- }
-}
-
-
-static void print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
-
-
- printf("RPCs");
- if(rpcinfo->strict == 1)
- printf("[strict]");
-
- printf(": ");
-
- if(rpcinfo->i_procs == -1) {
- printf("any(*)");
-
- } else {
- print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_BTH);
- }
- printf(" ");
-
-}
-
-
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
-
-
- if(rpcinfo->i_procs > -1) {
- printf("--rpcs ");
- print_rpcs((char *)&rpcinfo->c_procs, rpcinfo->i_procs, IPT_RPC_INT_NUM);
- printf(" ");
- }
-
- if(rpcinfo->strict == 1)
- printf("--strict ");
-
-}
-
-
-static struct iptables_match rpcstruct = {
- .next = NULL,
- .name = "rpc",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_rpc_info)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_rpc_info)),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-
-void _init(void)
-{
- register_match(&rpcstruct);
-}
-
diff --git a/extensions/libipt_sctp.c b/extensions/libipt_sctp.c
index 0354d191..63019533 100644
--- a/extensions/libipt_sctp.c
+++ b/extensions/libipt_sctp.c
@@ -13,6 +13,7 @@
#include <getopt.h>
#include <netdb.h>
#include <ctype.h>
+#include <netinet/in.h>
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
@@ -543,7 +544,7 @@ struct iptables_match sctp
.extra_opts = opts
};
-void _init(void)
+void ipt_sctp_init(void)
{
register_match(&sctp);
}
diff --git a/extensions/libipt_standard.c b/extensions/libipt_standard.c
index 4c5a3f5a..9c3cdc2a 100644
--- a/extensions/libipt_standard.c
+++ b/extensions/libipt_standard.c
@@ -63,7 +63,7 @@ struct iptables_target standard = {
.extra_opts = opts
};
-void _init(void)
+void ipt_standard_init(void)
{
register_target(&standard);
}
diff --git a/extensions/libipt_state.c b/extensions/libipt_state.c
index acafe9a7..48d834d4 100644
--- a/extensions/libipt_state.c
+++ b/extensions/libipt_state.c
@@ -157,7 +157,7 @@ static struct iptables_match state = {
.extra_opts = opts
};
-void _init(void)
+void ipt_state_init(void)
{
register_match(&state);
}
diff --git a/extensions/libipt_statistic.c b/extensions/libipt_statistic.c
index 4ed18138..58ac983e 100644
--- a/extensions/libipt_statistic.c
+++ b/extensions/libipt_statistic.c
@@ -169,7 +169,7 @@ static struct iptables_match statistic = {
.extra_opts = opts
};
-void _init(void)
+void ipt_statistic_init(void)
{
register_match(&statistic);
}
diff --git a/extensions/libipt_string.c b/extensions/libipt_string.c
index 5492cfc5..82bf748b 100644
--- a/extensions/libipt_string.c
+++ b/extensions/libipt_string.c
@@ -307,7 +307,7 @@ print(const struct ipt_ip *ip,
if (info->from_offset != 0)
printf("FROM %u ", info->from_offset);
if (info->to_offset != 0)
- printf("TO %u", info->to_offset);
+ printf("TO %u ", info->to_offset);
}
@@ -348,7 +348,7 @@ static struct iptables_match string = {
};
-void _init(void)
+void ipt_string_init(void)
{
register_match(&string);
}
diff --git a/extensions/libipt_tcp.c b/extensions/libipt_tcp.c
index c712b927..935212c2 100644
--- a/extensions/libipt_tcp.c
+++ b/extensions/libipt_tcp.c
@@ -6,6 +6,7 @@
#include <getopt.h>
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
+#include <netinet/in.h>
/* Function which prints out usage message. */
static void
@@ -410,7 +411,7 @@ static struct iptables_match tcp = {
};
void
-_init(void)
+ipt_tcp_init(void)
{
register_match(&tcp);
}
diff --git a/extensions/libipt_tcp.man b/extensions/libipt_tcp.man
index e1f44057..648c81e3 100644
--- a/extensions/libipt_tcp.man
+++ b/extensions/libipt_tcp.man
@@ -43,7 +43,3 @@ option is inverted.
.TP
.BR "--tcp-option " "[!] \fInumber\fP"
Match if TCP option set.
-.TP
-.BR "--mss " "\fIvalue\fP[:\fIvalue\fP]"
-Match TCP SYN or SYN/ACK packets with the specified MSS value (or range),
-which control the maximum packet size for that connection.
diff --git a/extensions/libipt_tcpmss.man b/extensions/libipt_tcpmss.man
index 5115d6b9..91fe322e 100644
--- a/extensions/libipt_tcpmss.man
+++ b/extensions/libipt_tcpmss.man
@@ -1,4 +1,4 @@
This matches the TCP MSS (maximum segment size) field of the TCP header. You can only use this on TCP SYN or SYN/ACK packets, since the MSS is only negotiated during the TCP handshake at connection startup time.
.TP
-.BI "[!] "--mss " "value[:value]"
+.BI "[!] "--mss " value[:value]"
Match a given TCP MSS value or range.
diff --git a/extensions/libipt_time.c b/extensions/libipt_time.c
deleted file mode 100644
index dcf2dc67..00000000
--- a/extensions/libipt_time.c
+++ /dev/null
@@ -1,549 +0,0 @@
-/* Shared library add-on to iptables to add TIME matching support. */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stddef.h> /* for 'offsetof' */
-#include <getopt.h>
-
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_time.h>
-#include <time.h>
-
-static int globaldays;
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf(
-"TIME v%s options:\n"
-" [ --timestart value ] [ --timestop value] [ --days listofdays ] [ --datestart value ] [ --datestop value ]\n"
-" timestart value : HH:MM (default 00:00)\n"
-" timestop value : HH:MM (default 23:59)\n"
-" Note: daylight savings time changes are not tracked\n"
-" listofdays value: a list of days to apply\n"
-" from Mon,Tue,Wed,Thu,Fri,Sat,Sun\n"
-" Coma speparated, no space, case sensitive.\n"
-" Defaults to all days.\n"
-" datestart value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
-" If any of month, day, hour, minute or second is\n"
-" not specified, then defaults to their smallest\n"
-" 1900 <= YYYY < 2037\n"
-" 1 <= MM <= 12\n"
-" 1 <= DD <= 31\n"
-" 0 <= hh <= 23\n"
-" 0 <= mm <= 59\n"
-" 0 <= ss <= 59\n"
-" datestop value : YYYY[:MM[:DD[:hh[:mm[:ss]]]]]\n"
-" If the whole option is ommited, default to never stop\n"
-" If any of month, day, hour, minute or second is\n"
-" not specified, then default to their smallest\n",
-IPTABLES_VERSION);
-}
-
-static struct option opts[] = {
- { "timestart", 1, 0, '1' },
- { "timestop", 1, 0, '2' },
- { "days", 1, 0, '3'},
- { "datestart", 1, 0, '4' },
- { "datestop", 1, 0, '5' },
- {0}
-};
-
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
- struct ipt_time_info *info = (struct ipt_time_info *)m->data;
- globaldays = 0;
- /* By default, we match on everyday */
- info->days_match = 127;
- /* By default, we match on every hour:min of the day */
- info->time_start = 0;
- info->time_stop = 1439; /* (23*60+59 = 1439 */
- /* By default, we don't have any date-begin or date-end boundaries */
- info->date_start = 0;
- info->date_stop = LONG_MAX;
-}
-
-/**
- * param: part1, a pointer on a string 2 chars maximum long string, that will contain the hours.
- * param: part2, a pointer on a string 2 chars maximum long string, that will contain the minutes.
- * param: str_2_parse, the string to parse.
- * return: 1 if ok, 0 if error.
- */
-static int
-split_time(char **part1, char **part2, const char *str_2_parse)
-{
- unsigned short int i,j=0;
- char *rpart1 = *part1;
- char *rpart2 = *part2;
- unsigned char found_column = 0;
-
- /* Check the length of the string */
- if (strlen(str_2_parse) > 5)
- return 0;
- /* parse the first part until the ':' */
- for (i=0; i<2; i++)
- {
- if (str_2_parse[i] == ':')
- found_column = 1;
- else
- rpart1[i] = str_2_parse[i];
- }
- if (!found_column)
- i++;
- j=i;
- /* parse the second part */
- for (; i<strlen(str_2_parse); i++)
- {
- rpart2[i-j] = str_2_parse[i];
- }
- /* if we are here, format should be ok. */
- return 1;
-}
-
-static int
-parse_number(char *str, int num_min, int num_max, int *number)
-{
- /* if the number starts with 0, replace it with a space else
- string_to_number() will interpret it as octal !! */
- if (strlen(str) == 0)
- return 0;
-
- if ((str[0] == '0') && (str[1] != '\0'))
- str[0] = ' ';
-
- return string_to_number(str, num_min, num_max, number);
-}
-
-static void
-parse_time_string(int *hour, int *minute, const char *time)
-{
- char *hours;
- char *minutes;
- hours = (char *)malloc(3);
- minutes = (char *)malloc(3);
- memset(hours, 0, 3);
- memset(minutes, 0, 3);
-
- if (split_time((char **)&hours, (char **)&minutes, time) == 1)
- {
- *hour = 0;
- *minute = 0;
- if ((parse_number((char *)hours, 0, 23, hour) != -1) &&
- (parse_number((char *)minutes, 0, 59, minute) != -1))
- {
- free(hours);
- free(minutes);
- return;
- }
- }
-
- free(hours);
- free(minutes);
-
- /* If we are here, there was a problem ..*/
- exit_error(PARAMETER_PROBLEM,
- "invalid time `%s' specified, should be HH:MM format", time);
-}
-
-/* return 1->ok, return 0->error */
-static int
-parse_day(int *days, int from, int to, const char *string)
-{
- char *dayread;
- char *days_str[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
- unsigned short int days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
- unsigned int i;
-
- dayread = (char *)malloc(4);
- bzero(dayread, 4);
- if ((to-from) != 3) {
- free(dayread);
- return 0;
- }
- for (i=from; i<to; i++)
- dayread[i-from] = string[i];
- for (i=0; i<7; i++)
- if (strcmp(dayread, days_str[i]) == 0)
- {
- *days |= days_of_week[i];
- free(dayread);
- return 1;
- }
- /* if we are here, we didn't read a valid day */
- free(dayread);
- return 0;
-}
-
-static void
-parse_days_string(int *days, const char *daystring)
-{
- int len;
- int i=0;
- char *err = "invalid days `%s' specified, should be Sun,Mon,Tue... format";
-
- len = strlen(daystring);
- if (len < 3)
- exit_error(PARAMETER_PROBLEM, err, daystring);
- while(i<len)
- {
- if (parse_day(days, i, i+3, daystring) == 0)
- exit_error(PARAMETER_PROBLEM, err, daystring);
- i += 4;
- }
-}
-
-static int
-parse_date_field(const char *str_to_parse, int str_to_parse_s, int start_pos,
- char *dest, int *next_pos)
-{
- unsigned char found_value = 0;
- unsigned char found_column = 0;
- int i;
-
- for (i=0; i<2; i++)
- {
- if ((i+start_pos) >= str_to_parse_s) /* don't exit boundaries of the string.. */
- break;
- if (str_to_parse[i+start_pos] == ':')
- found_column = 1;
- else
- {
- found_value = 1;
- dest[i] = str_to_parse[i+start_pos];
- }
- }
- if (found_value == 0)
- return 0;
- *next_pos = i + start_pos;
- if (found_column == 0)
- ++(*next_pos);
- return 1;
-}
-
-static int
-split_date(char *year, char *month, char *day,
- char *hour, char *minute, char *second,
- const char *str_to_parse)
-{
- int i;
- unsigned char found_column = 0;
- int str_to_parse_s = strlen(str_to_parse);
-
- /* Check the length of the string */
- if ((str_to_parse_s > 19) || /* YYYY:MM:DD:HH:MM:SS */
- (str_to_parse_s < 4)) /* YYYY*/
- return 0;
-
- /* Clear the buffers */
- memset(year, 0, 4);
- memset(month, 0, 2);
- memset(day, 0, 2);
- memset(hour, 0, 2);
- memset(minute, 0, 2);
- memset(second, 0, 2);
-
- /* parse the year YYYY */
- found_column = 0;
- for (i=0; i<5; i++)
- {
- if (i >= str_to_parse_s)
- break;
- if (str_to_parse[i] == ':')
- {
- found_column = 1;
- break;
- }
- else
- year[i] = str_to_parse[i];
- }
- if (found_column == 1)
- ++i;
-
- /* parse the month if it exists */
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, month, &i))
- return 1;
-
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, day, &i))
- return 1;
-
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, hour, &i))
- return 1;
-
- if (! parse_date_field(str_to_parse, str_to_parse_s, i, minute, &i))
- return 1;
-
- parse_date_field(str_to_parse, str_to_parse_s, i, second, &i);
-
- /* if we are here, format should be ok. */
- return 1;
-}
-
-static time_t
-parse_date_string(const char *str_to_parse)
-{
- char year[5];
- char month[3];
- char day[3];
- char hour[3];
- char minute[3];
- char second[3];
- struct tm t;
- time_t temp_time;
-
- memset(year, 0, 5);
- memset(month, 0, 3);
- memset(day, 0, 3);
- memset(hour, 0, 3);
- memset(minute, 0, 3);
- memset(second, 0, 3);
-
- if (split_date(year, month, day, hour, minute, second, str_to_parse) == 1)
- {
- memset((void *)&t, 0, sizeof(struct tm));
- t.tm_isdst = -1;
- t.tm_mday = 1;
- if (!((parse_number(year, 1900, 2037, &(t.tm_year)) == -1) ||
- (parse_number(month, 1, 12, &(t.tm_mon)) == -1) ||
- (parse_number(day, 1, 31, &(t.tm_mday)) == -1) ||
- (parse_number(hour, 0, 9999, &(t.tm_hour)) == -1) ||
- (parse_number(minute, 0, 59, &(t.tm_min)) == -1) ||
- (parse_number(second, 0, 59, &(t.tm_sec)) == -1)))
- {
- t.tm_year -= 1900;
- --(t.tm_mon);
- temp_time = mktime(&t);
- if (temp_time != -1)
- return temp_time;
- }
- }
- exit_error(PARAMETER_PROBLEM,
- "invalid date `%s' specified, should be YYYY[:MM[:DD[:hh[:mm[:ss]]]]] format", str_to_parse);
-}
-
-#define IPT_TIME_START 0x01
-#define IPT_TIME_STOP 0x02
-#define IPT_TIME_DAYS 0x04
-#define IPT_DATE_START 0x08
-#define IPT_DATE_STOP 0x10
-
-/* Function which parses command options; returns true if it
- ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_time_info *timeinfo = (struct ipt_time_info *)(*match)->data;
- int hours, minutes;
- time_t temp_date;
-
- switch (c)
- {
- /* timestart */
- case '1':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --timestart");
- if (*flags & IPT_TIME_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --timestart twice");
- parse_time_string(&hours, &minutes, optarg);
- timeinfo->time_start = (hours * 60) + minutes;
- *flags |= IPT_TIME_START;
- break;
- /* timestop */
- case '2':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --timestop");
- if (*flags & IPT_TIME_STOP)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --timestop twice");
- parse_time_string(&hours, &minutes, optarg);
- timeinfo->time_stop = (hours * 60) + minutes;
- *flags |= IPT_TIME_STOP;
- break;
-
- /* days */
- case '3':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --days");
- if (*flags & IPT_TIME_DAYS)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --days twice");
- parse_days_string(&globaldays, optarg);
- timeinfo->days_match = globaldays;
- *flags |= IPT_TIME_DAYS;
- break;
-
- /* datestart */
- case '4':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --datestart");
- if (*flags & IPT_DATE_START)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --datestart twice");
- temp_date = parse_date_string(optarg);
- timeinfo->date_start = temp_date;
- *flags |= IPT_DATE_START;
- break;
-
- /* datestop*/
- case '5':
- if (invert)
- exit_error(PARAMETER_PROBLEM,
- "unexpected '!' with --datestop");
- if (*flags & IPT_DATE_STOP)
- exit_error(PARAMETER_PROBLEM,
- "Can't specify --datestop twice");
- temp_date = parse_date_string(optarg);
- timeinfo->date_stop = temp_date;
- *flags |= IPT_DATE_STOP;
- break;
- default:
- return 0;
- }
- return 1;
-}
-
-/* Final check */
-static void
-final_check(unsigned int flags)
-{
- /* Nothing to do */
-}
-
-
-static void
-print_days(int daynum)
-{
- char *days[7] = {"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"};
- unsigned short int days_of_week[7] = {64, 32, 16, 8, 4, 2, 1};
- unsigned short int i, nbdays=0;
-
- for (i=0; i<7; i++) {
- if ((days_of_week[i] & daynum) == days_of_week[i])
- {
- if (nbdays>0)
- printf(",%s", days[i]);
- else
- printf("%s", days[i]);
- ++nbdays;
- }
- }
- printf(" ");
-}
-
-static void
-divide_time(int fulltime, int *hours, int *minutes)
-{
- *hours = fulltime / 60;
- *minutes = fulltime % 60;
-}
-
-static void
-print_date(time_t date, char *command)
-{
- struct tm *t;
-
- /* If it's default value, don't print..*/
- if (((date == 0) || (date == LONG_MAX)) && (command != NULL))
- return;
- t = localtime(&date);
- if (command != NULL)
- printf("%s %d:%d:%d:%d:%d:%d ", command, (t->tm_year + 1900), (t->tm_mon + 1),
- t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
- else
- printf("%d-%d-%d %d:%d:%d ", (t->tm_year + 1900), (t->tm_mon + 1),
- t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- struct ipt_time_info *time = ((struct ipt_time_info *)match->data);
- int hour_start, hour_stop, minute_start, minute_stop;
-
- divide_time(time->time_start, &hour_start, &minute_start);
- divide_time(time->time_stop, &hour_stop, &minute_stop);
- printf("TIME ");
- if (time->time_start != 0)
- printf("from %d:%d ", hour_start, minute_start);
- if (time->time_stop != 1439) /* 23*60+59 = 1439 */
- printf("to %d:%d ", hour_stop, minute_stop);
- printf("on ");
- if (time->days_match == 127)
- printf("all days ");
- else
- print_days(time->days_match);
- if (time->date_start != 0)
- {
- printf("starting from ");
- print_date(time->date_start, NULL);
- }
- if (time->date_stop != LONG_MAX)
- {
- printf("until date ");
- print_date(time->date_stop, NULL);
- }
-}
-
-/* Saves the data in parsable form to stdout. */
-static void
-save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- struct ipt_time_info *time = ((struct ipt_time_info *)match->data);
- int hour_start, hour_stop, minute_start, minute_stop;
-
- divide_time(time->time_start, &hour_start, &minute_start);
- divide_time(time->time_stop, &hour_stop, &minute_stop);
- if (time->time_start != 0)
- printf("--timestart %.2d:%.2d ",
- hour_start, minute_start);
-
- if (time->time_stop != 1439) /* 23*60+59 = 1439 */
- printf("--timestop %.2d:%.2d ",
- hour_stop, minute_stop);
-
- if (time->days_match != 127)
- {
- printf("--days ");
- print_days(time->days_match);
- printf(" ");
- }
- print_date(time->date_start, "--datestart");
- print_date(time->date_stop, "--datestop");
-}
-
-/* have to use offsetof() instead of IPT_ALIGN(), since kerneltime must not
- * be compared when user deletes rule with '-D' */
-static
-struct iptables_match timestruct = {
- .next = NULL,
- .name = "time",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_time_info)),
- .userspacesize = offsetof(struct ipt_time_info, kerneltime),
- .help = &help,
- .init = &init,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void _init(void)
-{
- register_match(&timestruct);
-}
diff --git a/extensions/libipt_time.man b/extensions/libipt_time.man
deleted file mode 100644
index 94b40531..00000000
--- a/extensions/libipt_time.man
+++ /dev/null
@@ -1,16 +0,0 @@
-This matches if the packet arrival time/date is within a given range. All options are facultative.
-.TP
-.BI " --timestart " "value"
-Match only if it is after `value' (Inclusive, format: HH:MM ; default 00:00).
-.TP
-.BI "--timestop " "value"
-Match only if it is before `value' (Inclusive, format: HH:MM ; default 23:59).
-.TP
-.BI "--days " "listofdays"
-Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default everyday)
-.TP
-.BI "--datestart " "date"
-Match only if it is after `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 1970)
-.TP
-.BI "--datestop " "date"
-Match only if it is before `date' (Inclusive, format: YYYY[:MM[:DD[:hh[:mm[:ss]]]]] ; h,m,s start from 0 ; default to 2037)
diff --git a/extensions/libipt_u32.c b/extensions/libipt_u32.c
deleted file mode 100644
index 75045100..00000000
--- a/extensions/libipt_u32.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/* Shared library add-on to iptables to add u32 matching,
- * generalized matching on values found at packet offsets
- *
- * Detailed doc is in the kernel module source
- * net/ipv4/netfilter/ipt_u32.c
- *
- * (C) 2002 by Don Cohen <don-netf@isis.cs3-inc.com>
- * Released under the terms of GNU GPL v2
- */
-#include <stdio.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <getopt.h>
-#include <iptables.h>
-#include <linux/netfilter_ipv4/ipt_u32.h>
-#include <errno.h>
-#include <ctype.h>
-
-/* Function which prints out usage message. */
-static void
-help(void)
-{
- printf( "u32 v%s options:\n"
- " --u32 tests\n"
- " tests := location = value | tests && location = value\n"
- " value := range | value , range\n"
- " range := number | number : number\n"
- " location := number | location operator number\n"
- " operator := & | << | >> | @\n"
- ,IPTABLES_VERSION);
-}
-
-/* defined in /usr/include/getopt.h maybe in man getopt */
-static struct option opts[] = {
- { "u32", 1, 0, '1' },
- { 0 }
-};
-
-/* shared printing code */
-static void print_u32(struct ipt_u32 *data)
-{
- unsigned int testind;
-
- for (testind=0; testind < data->ntests; testind++) {
- if (testind) printf("&&");
- {
- unsigned int i;
-
- printf("0x%x", data->tests[testind].location[0].number);
- for (i = 1; i < data->tests[testind].nnums; i++) {
- switch (data->tests[testind].location[i].nextop) {
- case IPT_U32_AND: printf("&"); break;
- case IPT_U32_LEFTSH: printf("<<"); break;
- case IPT_U32_RIGHTSH: printf(">>"); break;
- case IPT_U32_AT: printf("@"); break;
- }
- printf("0x%x", data->tests[testind].location[i].number);
- }
- printf("=");
- for (i = 0; i < data->tests[testind].nvalues; i++) {
- if (i) printf(",");
- if (data->tests[testind].value[i].min
- == data->tests[testind].value[i].max)
- printf("0x%x", data->tests[testind].value[i].min);
- else printf("0x%x:0x%x", data->tests[testind].value[i].min,
- data->tests[testind].value[i].max);
- }
- }
- }
- printf(" ");
-}
-
-/* string_to_number is not quite what we need here ... */
-u_int32_t parse_number(char **s, int pos)
-{
- u_int32_t number;
- char *end;
- errno = 0;
-
- number = strtoul(*s, &end, 0);
- if (end == *s)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d expected number", pos);
- if (errno)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d error reading number", pos);
- *s = end;
- return number;
-}
-
-/* Function which parses command options; returns true if it ate an option */
-static int
-parse(int c, char **argv, int invert, unsigned int *flags,
- const struct ipt_entry *entry,
- unsigned int *nfcache,
- struct ipt_entry_match **match)
-{
- struct ipt_u32 *data = (struct ipt_u32 *)(*match)->data;
- char *arg = argv[optind-1]; /* the argument string */
- char *start = arg;
- int state=0, testind=0, locind=0, valind=0;
-
- if (c != '1') return 0;
- /* states: 0 = looking for numbers and operations, 1 = looking for ranges */
- while (1) { /* read next operand/number or range */
- while (isspace(*arg))
- arg++; /* skip white space */
- if (! *arg) { /* end of argument found */
- if (state == 0)
- exit_error(PARAMETER_PROBLEM,
- "u32: input ended in location spec");
- if (valind == 0)
- exit_error(PARAMETER_PROBLEM,
- "u32: test ended with no value spec");
- data->tests[testind].nnums = locind;
- data->tests[testind].nvalues = valind;
- testind++;
- data->ntests=testind;
- if (testind > U32MAXSIZE)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d too many &&'s",
- arg-start);
- /* debugging
- print_u32(data);printf("\n");
- exit_error(PARAMETER_PROBLEM, "debugging output done"); */
- return 1;
- }
- if (state == 0) {
- /* reading location: read a number if nothing read yet,
- otherwise either op number or = to end location spec */
- if (*arg == '=') {
- if (locind == 0)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d location spec missing", arg-start);
- else {
- arg++;
- state=1;
- }
- }
- else {
- if (locind) { /* need op before number */
- if (*arg == '&') {
- data->tests[testind].location[locind].nextop = IPT_U32_AND;
- }
- else if (*arg == '<') {
- arg++;
- if (*arg != '<')
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d a second < expected", arg-start);
- data->tests[testind].location[locind].nextop = IPT_U32_LEFTSH;
- }
- else if (*arg == '>') {
- arg++;
- if (*arg != '>')
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d a second > expected", arg-start);
- data->tests[testind].location[locind].nextop = IPT_U32_RIGHTSH;
- }
- else if (*arg == '@') {
- data->tests[testind].location[locind].nextop = IPT_U32_AT;
- }
- else exit_error(PARAMETER_PROBLEM,
- "u32: at char %d operator expected", arg-start);
- arg++;
- }
- /* now a number; string_to_number skips white space? */
- data->tests[testind].location[locind].number =
- parse_number(&arg, arg-start);
- locind++;
- if (locind > U32MAXSIZE)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d too many operators", arg-start);
- }
- }
- else {
- /* state 1 - reading values: read a range if nothing read yet,
- otherwise either ,range or && to end test spec */
- if (*arg == '&') {
- arg++;
- if (*arg != '&')
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d a second & expected", arg-start);
- if (valind == 0)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d value spec missing", arg-start);
- else {
- data->tests[testind].nnums = locind;
- data->tests[testind].nvalues = valind;
- testind++;
- if (testind > U32MAXSIZE)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d too many &&'s", arg-start);
- arg++; state=0; locind=0; valind=0;
- }
- }
- else { /* read value range */
- if (valind) { /* need , before number */
- if (*arg != ',')
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d expected , or &&", arg-start);
- arg++;
- }
- data->tests[testind].value[valind].min = parse_number(&arg, arg-start);
- while (isspace(*arg))
- arg++; /* another place white space could be */
- if (*arg==':') {
- arg++;
- data->tests[testind].value[valind].max
- = parse_number(&arg, arg-start);
- }
- else data->tests[testind].value[valind].max
- = data->tests[testind].value[valind].min;
- valind++;
- if (valind > U32MAXSIZE)
- exit_error(PARAMETER_PROBLEM,
- "u32: at char %d too many ,'s", arg-start);
- }
- }
- }
-}
-
-/* Final check; must specify something. */
-static void
-final_check(unsigned int flags)
-{
-}
-
-/* Prints out the matchinfo. */
-static void
-print(const struct ipt_ip *ip,
- const struct ipt_entry_match *match,
- int numeric)
-{
- printf("u32 ");
- print_u32((struct ipt_u32 *)match->data);
-}
-
-/* Saves the union ipt_matchinfo in parsable form to stdout. */
-static void save(const struct ipt_ip *ip, const struct ipt_entry_match *match)
-{
- printf("--u32 ");
- print_u32((struct ipt_u32 *)match->data);
-}
-
-struct iptables_match u32 = {
- .next = NULL,
- .name = "u32",
- .version = IPTABLES_VERSION,
- .size = IPT_ALIGN(sizeof(struct ipt_u32)),
- .userspacesize = IPT_ALIGN(sizeof(struct ipt_u32)),
- .help = &help,
- .parse = &parse,
- .final_check = &final_check,
- .print = &print,
- .save = &save,
- .extra_opts = opts
-};
-
-void
-_init(void)
-{
- register_match(&u32);
-}
diff --git a/extensions/libipt_u32.man b/extensions/libipt_u32.man
deleted file mode 100644
index 7028bd5f..00000000
--- a/extensions/libipt_u32.man
+++ /dev/null
@@ -1,8 +0,0 @@
-U32 allows you to extract quantities of up to 4 bytes from a packet,
-AND them with specified masks, shift them by specified amounts and
-test whether the results are in any of a set of specified ranges.
-The specification of what to extract is general enough to skip over
-headers with lengths stored in the packet, as in IP or TCP header
-lengths.
-
-Details and examples are in the kernel module source.
diff --git a/extensions/libipt_udp.c b/extensions/libipt_udp.c
index 7f461d83..1b36430a 100644
--- a/extensions/libipt_udp.c
+++ b/extensions/libipt_udp.c
@@ -6,6 +6,7 @@
#include <getopt.h>
#include <iptables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
+#include <netinet/in.h>
/* Function which prints out usage message. */
static void
@@ -224,7 +225,7 @@ struct iptables_match udp = {
};
void
-_init(void)
+ipt_udp_init(void)
{
register_match(&udp);
}
diff --git a/extensions/libipt_unclean.c b/extensions/libipt_unclean.c
index 7b9b3e42..6f4333a3 100644
--- a/extensions/libipt_unclean.c
+++ b/extensions/libipt_unclean.c
@@ -48,7 +48,7 @@ struct iptables_match unclean = {
.extra_opts = opts
};
-void _init(void)
+void ipt_unclean_init(void)
{
register_match(&unclean);
}
diff --git a/extensions/rename-dups.sh b/extensions/rename-dups.sh
new file mode 100755
index 00000000..bd940bc6
--- /dev/null
+++ b/extensions/rename-dups.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+t1=`mktemp`
+t2=`mktemp`
+
+ls *.c | tr [A-Z] [a-z] | sort > $t1
+cat $t1 | sort -u > $t2
+for f in `diff $t1 $t2 | grep "< " | awk -F"< " '{print $2}'`; do
+ n=`echo $f | sed -e 's/t_/t_2/g'`;
+ "Renaming $f --> $n.";
+ p4 integrate $f $n;
+ p4 delete $f;
+done;
+
+rm -f $t1 $t2
+
+
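Review bot: The line `"Renaming $f --> $n.";` is missing its `echo`, so the shell tries to run the message as a command; because the script never sets `set -e`, the resulting "command not found" is ignored and the loop goes straight on to `p4 integrate`. Change it to `echo "Renaming $f --> $n."`. The `tr [A-Z] [a-z]` operands are unquoted, so a file in the current directory whose name is a single character in that range would be glob-expanded into them; write `tr '[A-Z]' '[a-z]'`. The `p4` return codes are also unchecked, so a failed integrate is still followed by the delete of the original; `p4 integrate "$f" "$n" && p4 delete "$f"` keeps the source file when the copy fails, and quoting `$f`, `$n`, `$t1` and `$t2` throughout costs nothing.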
diff --git a/include/ip6tables.h b/include/ip6tables.h
index 7907f66b..f8f709bc 100644
--- a/include/ip6tables.h
+++ b/include/ip6tables.h
@@ -14,6 +14,9 @@
#ifndef IPPROTO_DCCP
#define IPPROTO_DCCP 33
#endif
+#ifndef IPPROTO_UDPLITE
+#define IPPROTO_UDPLITE 136
+#endif
#ifndef IP6T_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IP6T_SO_GET_REVISION_MATCH 68
diff --git a/include/iptables.h b/include/iptables.h
index 6b3b956a..cd514284 100644
--- a/include/iptables.h
+++ b/include/iptables.h
@@ -14,6 +14,9 @@
#ifndef IPPROTO_DCCP
#define IPPROTO_DCCP 33
#endif
+#ifndef IPPROTO_UDPLITE
+#define IPPROTO_UDPLITE 136
+#endif
#ifndef IPT_SO_GET_REVISION_MATCH /* Old kernel source. */
#define IPT_SO_GET_REVISION_MATCH (IPT_BASE_CTL + 2)
diff --git a/include/linux/netfilter_ipv4/ipt_connmark.h b/include/linux/netfilter_ipv4/ipt_2connmark.h
index 151e2687..151e2687 100644
--- a/include/linux/netfilter_ipv4/ipt_connmark.h
+++ b/include/linux/netfilter_ipv4/ipt_2connmark.h
diff --git a/include/linux/netfilter_ipv4/ipt_dscp.h b/include/linux/netfilter_ipv4/ipt_2dscp.h
index b6c59bdd..b6c59bdd 100644
--- a/include/linux/netfilter_ipv4/ipt_dscp.h
+++ b/include/linux/netfilter_ipv4/ipt_2dscp.h
diff --git a/include/linux/netfilter_ipv4/ipt_ecn.h b/include/linux/netfilter_ipv4/ipt_2ecn.h
index 326c0c0c..0231a0c5 100644
--- a/include/linux/netfilter_ipv4/ipt_ecn.h
+++ b/include/linux/netfilter_ipv4/ipt_2ecn.h
@@ -8,7 +8,7 @@
*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
-#include <linux/netfilter_ipv4/ipt_dscp.h>
+#include <linux/netfilter_ipv4/ipt_dscp_.h>
#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
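Review bot: The new include path `ipt_dscp_.h` does not match the rename this commit applies to that header: `ipt_dscp.h` is moved to `ipt_2dscp.h` a few hunks above, and no `ipt_dscp_.h` is created anywhere visible in this diff, so `ipt_2ecn.h` will fail to compile unless that file exists elsewhere. The line should read `#include <linux/netfilter_ipv4/ipt_2dscp.h>`. The IPv6 headers in this commit use a different suffix convention (`ip6t_hl_.h`, `ip6t_mark_.h`), which looks like the source of the mix-up; using one scheme for both families would avoid this class of error.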
diff --git a/include/linux/netfilter_ipv4/ipt_mark.h b/include/linux/netfilter_ipv4/ipt_2mark.h
index b9e79fd2..b9e79fd2 100644
--- a/include/linux/netfilter_ipv4/ipt_mark.h
+++ b/include/linux/netfilter_ipv4/ipt_2mark.h
diff --git a/include/linux/netfilter_ipv4/ipt_tcpmss.h b/include/linux/netfilter_ipv4/ipt_2tcpmss.h
index e2b14397..e2b14397 100644
--- a/include/linux/netfilter_ipv4/ipt_tcpmss.h
+++ b/include/linux/netfilter_ipv4/ipt_2tcpmss.h
diff --git a/include/linux/netfilter_ipv4/ipt_ttl.h b/include/linux/netfilter_ipv4/ipt_2ttl.h
index ee24fd86..ee24fd86 100644
--- a/include/linux/netfilter_ipv4/ipt_ttl.h
+++ b/include/linux/netfilter_ipv4/ipt_2ttl.h
diff --git a/include/linux/netfilter_ipv6/ip6t_TCPMSS.h b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
new file mode 100644
index 00000000..412d1cbc
--- /dev/null
+++ b/include/linux/netfilter_ipv6/ip6t_TCPMSS.h
@@ -0,0 +1,10 @@
+#ifndef _IP6T_TCPMSS_H
+#define _IP6T_TCPMSS_H
+
+struct ip6t_tcpmss_info {
+ u_int16_t mss;
+};
+
+#define IP6T_TCPMSS_CLAMP_PMTU 0xffff
+
+#endif /*_IP6T_TCPMSS_H*/
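Review bot: The new header uses `u_int16_t` without including anything that declares it, so it is not self-contained and only compiles when the including file has already pulled in `<sys/types.h>` (or the kernel `<linux/types.h>`); adding `#include <sys/types.h>` after the include guard would let it be included in isolation. The value `IP6T_TCPMSS_CLAMP_PMTU 0xffff` is stored in that same 16-bit `mss` field, so an explicit MSS of 65535 cannot be distinguished from clamp mode; a comment on the define such as `/* reserved: mss == 0xffff means clamp to path MTU, not a literal MSS */` would make the reserved value visible to readers and to the userspace parser that fills the struct.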
diff --git a/include/linux/netfilter_ipv6/ip6t_hl.h b/include/linux/netfilter_ipv6/ip6t_hl_.h
index 5ef91b83..5ef91b83 100644
--- a/include/linux/netfilter_ipv6/ip6t_hl.h
+++ b/include/linux/netfilter_ipv6/ip6t_hl_.h
diff --git a/include/linux/netfilter_ipv6/ip6t_mark.h b/include/linux/netfilter_ipv6/ip6t_mark_.h
index 7ede185e..7ede185e 100644
--- a/include/linux/netfilter_ipv6/ip6t_mark.h
+++ b/include/linux/netfilter_ipv6/ip6t_mark_.h
diff --git a/ip6tables-restore.c b/ip6tables-restore.c
index 06d7ce8a..e9f163bc 100644
--- a/ip6tables-restore.c
+++ b/ip6tables-restore.c
@@ -7,7 +7,7 @@
* Rusty Russell <rusty@linuxcare.com.au>
* This code is distributed under the terms of GNU GPL v2
*
- * $Id: ip6tables-restore.c 6460 2006-02-09 14:35:38Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org $
+ * $Id: ip6tables-restore.c 6706 2006-12-09 13:06:04Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org $
*/
#include <getopt.h>
@@ -74,7 +74,7 @@ ip6tc_handle_t create_handle(const char *tablename, const char* modprobe)
return handle;
}
-int parse_counters(char *string, struct ip6t_counters *ctr)
+static int parse_counters(char *string, struct ip6t_counters *ctr)
{
return (sscanf(string, "[%llu:%llu]", (unsigned long long *)&ctr->pcnt, (unsigned long long *)&ctr->bcnt) == 2);
}
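Review bot: Making `parse_counters` static is fine, but the `(unsigned long long *)&ctr->pcnt` and `(unsigned long long *)&ctr->bcnt` casts on the `sscanf` line write through pointers of a type that differs from the fields' declared type; this is only correct while `u_int64_t` and `unsigned long long` share size and representation, and where `u_int64_t` is `unsigned long` it is a strict-aliasing violation. Scanning into two `unsigned long long` locals with `if (sscanf(string, "[%llu:%llu]", &p, &b) != 2) return 0;` and then assigning `ctr->pcnt = p; ctr->bcnt = b;` removes both the casts and the assumption. The identical line appears in the matching `iptables-restore.c` hunk below and should get the same treatment.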
diff --git a/ip6tables.c b/ip6tables.c
index 9b1370a4..211b81a7 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -223,6 +223,7 @@ struct pprot {
static const struct pprot chain_protos[] = {
{ "tcp", IPPROTO_TCP },
{ "udp", IPPROTO_UDP },
+ { "udplite", IPPROTO_UDPLITE },
{ "icmpv6", IPPROTO_ICMPV6 },
{ "ipv6-icmp", IPPROTO_ICMPV6 },
{ "esp", IPPROTO_ESP },
diff --git a/iptables-multi.c b/iptables-multi.c
index 05630995..7ade3335 100644
--- a/iptables-multi.c
+++ b/iptables-multi.c
@@ -6,6 +6,7 @@
int iptables_main(int argc, char **argv);
int iptables_save_main(int argc, char **argv);
int iptables_restore_main(int argc, char **argv);
+int iptables_xml_main(int argc, char **argv);
int main(int argc, char **argv) {
char *progname;
@@ -25,6 +26,9 @@ int main(int argc, char **argv) {
if (!strcmp(progname, "iptables-restore"))
return iptables_restore_main(argc, argv);
+ if (!strcmp(progname, "iptables-xml"))
+ return iptables_xml_main(argc, argv);
+
fprintf(stderr, "iptables multi-purpose version: unknown applet name %s\n", progname);
exit(1);
}
diff --git a/iptables-restore.c b/iptables-restore.c
index e03fb7b9..7cde347c 100644
--- a/iptables-restore.c
+++ b/iptables-restore.c
@@ -4,7 +4,7 @@
*
* This code is distributed under the terms of GNU GPL v2
*
- * $Id: iptables-restore.c 6460 2006-02-09 14:35:38Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org $
+ * $Id: iptables-restore.c 6706 2006-12-09 13:06:04Z /C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=yasuyuki/emailAddress=yasuyuki@netfilter.org $
*/
#include <getopt.h>
@@ -71,7 +71,7 @@ iptc_handle_t create_handle(const char *tablename, const char* modprobe )
return handle;
}
-int parse_counters(char *string, struct ipt_counters *ctr)
+static int parse_counters(char *string, struct ipt_counters *ctr)
{
return (sscanf(string, "[%llu:%llu]", (unsigned long long *)&ctr->pcnt, (unsigned long long *)&ctr->bcnt) == 2);
}
diff --git a/iptables-xml.c b/iptables-xml.c
index 34437e07..ce3049c2 100644
--- a/iptables-xml.c
+++ b/iptables-xml.c
@@ -26,10 +26,10 @@
/* no need to link with iptables.o */
const char *program_name;
const char *program_version;
-int line = 0;
-void
-exit_error(enum exittype status, char *msg, ...)
+#ifndef IPTABLES_MULTI
+int line = 0;
+void exit_error(enum exittype status, char *msg, ...)
{
va_list args;
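Review bot: The comment `/* no need to link with iptables.o */` on the line above `program_name` is contradicted by the new `#ifndef IPTABLES_MULTI`, which makes `line` and `exit_error` come from iptables.o in the multi build, while `program_name` and `program_version` remain unconditional definitions here and would presumably duplicate the ones in iptables.c when the two objects are linked (tentative definitions only merge under -fcommon). Either extend the `#ifndef IPTABLES_MULTI` to cover those two as well, with `extern` declarations in the multi branch, or at least replace the stale comment with `/* In the IPTABLES_MULTI build line and exit_error come from iptables.o */`. The matching `#endif` is in the following hunk.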
@@ -41,6 +41,7 @@ exit_error(enum exittype status, char *msg, ...)
/* On error paths, make sure that we don't leak memory */
exit(status);
}
+#endif
static void print_usage(const char *name, const char *version)
__attribute__ ((noreturn));
@@ -66,7 +67,7 @@ print_usage(const char *name, const char *version)
exit(1);
}
-int
+static int
parse_counters(char *string, struct ipt_counters *ctr)
{
if (string != NULL)
@@ -605,7 +606,7 @@ do_rule(char *pcnt, char *bcnt, int argc, char *argv[], int argvattr[])
#ifdef IPTABLES_MULTI
int
-iptables_restore_main(int argc, char *argv[])
+iptables_xml_main(int argc, char *argv[])
#else
int
main(int argc, char *argv[])
diff --git a/iptables.c b/iptables.c
index 7d8771d0..ab0f9e6d 100644
--- a/iptables.c
+++ b/iptables.c
@@ -40,6 +40,7 @@
#include <fcntl.h>
#include <sys/wait.h>
#include <sys/utsname.h>
+#include <netinet/in.h>
#ifndef TRUE
#define TRUE 1
@@ -227,6 +228,7 @@ struct pprot {
static const struct pprot chain_protos[] = {
{ "tcp", IPPROTO_TCP },
{ "udp", IPPROTO_UDP },
+ { "udplite", IPPROTO_UDPLITE },
{ "icmp", IPPROTO_ICMP },
{ "esp", IPPROTO_ESP },
{ "ah", IPPROTO_AH },
@@ -1164,9 +1166,10 @@ static int compatible_revision(const char *name, u_int8_t revision, int opt)
/* Assume only revision 0 support (old kernel) */
return (revision == 0);
} else {
- fprintf(stderr, "getsockopt failed strangely: %s\n",
- strerror(errno));
- exit(1);
+ fprintf(stderr, "getsockopt for %s failed strangely: %s\n",
+ name,
+ strerror(errno));
+ /* exit(1); */
}
}
close(sockfd);
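Review bot: Commenting out `exit(1)` turns an unexpected getsockopt() failure into a fall-through to `close(sockfd)` and whatever the code after the hunk returns, so the caller may be told the revision is usable without the kernel having confirmed it; compatible_revision's tail is outside this hunk, so the exact returned value cannot be checked here. If the intent is "cannot verify, proceed anyway", state that decision explicitly instead of leaving dead code: replace `/* exit(1); */` with a comment such as `/* Non-fatal: treat an unexpected getsockopt error as "unknown" rather than abort */` and an explicit `return` of the value you want callers to see. Commented-out code should be deleted rather than kept as a record of the old behaviour.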
diff --git a/libipq/Makefile b/libipq/Makefile.orig
index 64633f33..64633f33 100644
--- a/libipq/Makefile
+++ b/libipq/Makefile.orig
diff --git a/libiptc/Makefile b/libiptc/Makefile.orig
index 180de13c..180de13c 100644
--- a/libiptc/Makefile
+++ b/libiptc/Makefile.orig
diff --git a/libiptc/libip4tc.c b/libiptc/libip4tc.c
index a0cdc2f8..92dfdc76 100644
--- a/libiptc/libip4tc.c
+++ b/libiptc/libip4tc.c
@@ -17,15 +17,12 @@
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
+#include <netinet/in.h>
#ifdef DEBUG_CONNTRACK
#define inline
#endif
-#if !defined(__GLIBC__) || (__GLIBC__ < 2)
-typedef unsigned int socklen_t;
-#endif
-
#include "libiptc/libiptc.h"
#define IP_VERSION 4