diff --git a/extensions/compat_xtables.c b/extensions/compat_xtables.c
index 69fd607..9ee4dfb 100644
--- a/extensions/compat_xtables.c
+++ b/extensions/compat_xtables.c
@@ -34,7 +34,7 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 #if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 27)
 {
 	struct xtnu_match *nm = xtcompat_numatch(cm);
-	bool lo_drop = false, lo_ret;
+	bool lo_ret;
 	struct xt_action_param local_par;
 	local_par.in        = in;
 	local_par.out       = out;
@@ -42,13 +42,13 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 	local_par.matchinfo = matchinfo;
 	local_par.fragoff   = offset;
 	local_par.thoff     = protoff;
-	local_par.hotdrop   = &lo_drop;
+	local_par.hotdrop   = false;
 	local_par.family    = NFPROTO_UNSPEC; /* don't have that info */
 
 	if (nm == NULL || nm->match == NULL)
 		return false;
 	lo_ret = nm->match(skb, &local_par);
-	*hotdrop = lo_drop;
+	*hotdrop = local_par.hotdrop;
 	return lo_ret;
 }
 #endif
@@ -59,6 +59,7 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 {
 	struct xtnu_match *nm = xtcompat_numatch(par->match);
 	struct xt_action_param local_par;
+	bool ret;
 
 	local_par.in        = par->in;
 	local_par.out       = par->out;
@@ -66,12 +67,14 @@ static bool xtnu_match_run(const struct sk_buff *skb,
 	local_par.matchinfo = par->matchinfo;
 	local_par.fragoff   = par->fragoff;
 	local_par.thoff     = par->thoff;
-	local_par.hotdrop   = par->hotdrop;
+	local_par.hotdrop   = false;
 	local_par.family    = par->family;
 
 	if (nm == NULL || nm->match == NULL)
 		return false;
-	return nm->match(skb, &local_par);
+	ret = nm->match(skb, &local_par);
+	*par->hotdrop = local_par.hotdrop;
+	return ret;
 }
 #endif
 
diff --git a/extensions/compat_xtnu.h b/extensions/compat_xtnu.h
index 4ff8adb..02b6575 100644
--- a/extensions/compat_xtnu.h
+++ b/extensions/compat_xtnu.h
@@ -84,7 +84,7 @@ struct xt_action_param {
 	int fragoff;
 	unsigned int thoff, hooknum;
 	u_int8_t family;
-	bool *hotdrop;
+	bool hotdrop;
 };
 #endif
 
diff --git a/extensions/pknock/xt_pknock.c b/extensions/pknock/xt_pknock.c
index c62df39..979a1da 100644
--- a/extensions/pknock/xt_pknock.c
+++ b/extensions/pknock/xt_pknock.c
@@ -975,7 +975,7 @@ static bool pknock_mt(const struct sk_buff *skb,
 		/* We've been asked to examine this packet, and we
 		 * can't. Hence, no choice but to drop.
 		 */
-		*par->hotdrop = true;
+		par->hotdrop = true;
 		return false;
 	}
 
diff --git a/extensions/xt_length2.c b/extensions/xt_length2.c
index 9ba3739..08e5519 100644
--- a/extensions/xt_length2.c
+++ b/extensions/xt_length2.c
@@ -209,7 +209,7 @@ length2_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 	if (info->flags & XT_LENGTH_LAYER3) {
 		len = sizeof(struct ipv6hdr) + ntohs(iph->payload_len);
 	} else {
-		l4proto = llayer4_proto(skb, &thoff, par->hotdrop);
+		l4proto = llayer4_proto(skb, &thoff, &par->hotdrop);
 		if (l4proto == NEXTHDR_MAX)
 			return false;
 		if (info->flags & XT_LENGTH_LAYER4)