ipset: update to 6.9.1-genl

doc/changelog.txt

@@ -8,6 +8,7 @@ Fixes:
 Changes:
 - Remove unsupported ipset 4.x from the Xtables-addons distribution
 - ipset: move ipset_errcode from src to library to avoid undefined reference
+- update to ipset 6.9.1
 
 
 v1.38 (2011-08-20)

extensions/ipset-6/Kbuild

@@ -8,4 +8,4 @@ obj-m += ip_set_hash_netiface.o ip_set_hash_netport.o ip_set_list_set.o
 
 ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
 
-EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256
+EXTRA_CFLAGS += -DLCONFIG_IP_SET_MAX=256 -DIPSET_EXTERNAL_MODULE=1

extensions/ipset-6/include/libipset/linux_ip_set.h

@@ -11,6 +11,8 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/types.h>
+
 /* The protocol version */
 #define IPSET_PROTOCOL		0x60
 
@@ -168,4 +170,30 @@ enum ipset_adt {
 	IPSET_CADT_MAX,
 };
 
+/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
+ * and IPSET_INVALID_ID if you want to increase the max number of sets.
+ */
+typedef __u16 ip_set_id_t;
+
+#define IPSET_INVALID_ID		65535
+
+enum ip_set_dim {
+	IPSET_DIM_ZERO = 0,
+	IPSET_DIM_ONE,
+	IPSET_DIM_TWO,
+	IPSET_DIM_THREE,
+	/* Max dimension in elements.
+	 * If changed, new revision of iptables match/target is required.
+	 */
+	IPSET_DIM_MAX = 6,
+};
+
+/* Option flags for kernel operations */
+enum ip_set_kopt {
+	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
+	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
+	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
+	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
+};
+
 #endif /* __IP_SET_H */

extensions/ipset-6/include/libipset/nfproto.h

@@ -0,0 +1,19 @@
+#ifndef LIBIPSET_NFPROTO_H
+#define LIBIPSET_NFPROTO_H
+
+/*
+ * The constants to select, same as in linux/netfilter.h.
+ * Like nf_inet_addr.h, this is just here so that we need not to rely on
+ * the presence of a recent-enough netfilter.h.
+ */
+enum {
+	NFPROTO_UNSPEC =  0,
+	NFPROTO_IPV4   =  2,
+	NFPROTO_ARP    =  3,
+	NFPROTO_BRIDGE =  7,
+	NFPROTO_IPV6   = 10,
+	NFPROTO_DECNET = 12,
+	NFPROTO_NUMPROTO,
+};
+
+#endif /* LIBIPSET_NFPROTO_H */

extensions/ipset-6/include/libipset/types.h

@@ -14,24 +14,22 @@
 #include <libipset/parse.h>			/* ipset_parsefn */
 #include <libipset/print.h>			/* ipset_printfn */
 #include <libipset/linux_ip_set.h>		/* IPSET_MAXNAMELEN */
-
+#include <libipset/nfproto.h>			/* for NFPROTO_ */
-#define AF_INET46		255
 
 /* Family rules:
- * - AF_UNSPEC:	type is family-neutral
+ * - NFPROTO_UNSPEC:		type is family-neutral
- * - AF_INET:	type supports IPv4 only
+ * - NFPROTO_IPV4:		type supports IPv4 only
- * - AF_INET6:	type supports IPv6 only
+ * - NFPROTO_IPV6:		type supports IPv6 only
- * - AF_INET46:	type supports both IPv4 and IPv6
+ * Special (userspace) ipset-only extra value:
+ * - NFPROTO_IPSET_IPV46:	type supports both IPv4 and IPv6
  */
-
-/* Set dimensions */
 enum {
-	IPSET_DIM_ONE,			/* foo */
+	NFPROTO_IPSET_IPV46 = 255,
-	IPSET_DIM_TWO,			/* foo,bar */
-	IPSET_DIM_THREE,		/* foo,bar,fie */
-	IPSET_DIM_MAX,
 };
 
+/* The maximal type dimension userspace supports */
+#define IPSET_DIM_UMAX		3
+
 /* Parser options */
 enum {
 	IPSET_NO_ARG = -1,
@@ -76,7 +74,7 @@ struct ipset_type {
 	uint8_t dimension;			/* elem dimension */
 	int8_t kernel_check;			/* kernel check */
 	bool last_elem_optional;		/* last element optional */
-	struct ipset_elem elem[IPSET_DIM_MAX];	/* parse elem */
+	struct ipset_elem elem[IPSET_DIM_UMAX];	/* parse elem */
 	ipset_parsefn compat_parse_elem;	/* compatibility parser */
 	const struct ipset_arg *args[IPSET_CADT_MAX]; /* create/ADT args besides elem */
 	uint64_t mandatory[IPSET_CADT_MAX];	/* create/ADT mandatory flags */

extensions/ipset-6/ip_set.h

@@ -11,6 +11,7 @@
  * published by the Free Software Foundation.
  */
 
+#include <linux/types.h>
 #include <linux/netlink.h>
 
 /* The protocol version */
@@ -170,19 +171,10 @@ enum ipset_adt {
 	IPSET_CADT_MAX,
 };
 
-#ifdef __KERNEL__
-#include <linux/ip.h>
-#include <linux/ipv6.h>
-#include <linux/netlink.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter/x_tables.h>
-#include <linux/vmalloc.h>
-#include <net/netlink.h>
-
 /* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
  * and IPSET_INVALID_ID if you want to increase the max number of sets.
  */
-typedef u16 ip_set_id_t;
+typedef __u16 ip_set_id_t;
 
 #define IPSET_INVALID_ID		65535
 
@@ -205,6 +197,15 @@ enum ip_set_kopt {
 	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
 };
 
+#ifdef __KERNEL__
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/vmalloc.h>
+#include <net/netlink.h>
+
 /* Set features */
 enum ip_set_feature {
 	IPSET_TYPE_IP_FLAG = 0,
@@ -290,7 +291,10 @@ struct ip_set_type {
 	u8 features;
 	/* Set type dimension */
 	u8 dimension;
-	/* Supported family: may be AF_UNSPEC for both AF_INET/AF_INET6 */
+	/*
+	 * Supported family: may be NFPROTO_UNSPEC for both
+	 * NFPROTO_IPV4/NFPROTO_IPV6.
+	 */
 	u8 family;
 	/* Type revisions */
 	u8 revision_min, revision_max;
@@ -465,6 +469,8 @@ bitmap_bytes(u32 a, u32 b)
 	return 4 * ((((b - a + 8) / 8) + 3) / 4);
 }
 
+#endif /* __KERNEL__ */
+
 /* Interface to iptables/ip6tables */
 
 #define SO_IP_SET		83
@@ -490,6 +496,4 @@ struct ip_set_req_version {
 	unsigned version;
 };
 
-#endif	/* __KERNEL__ */
-
 #endif /*_IP_SET_H */

extensions/ipset-6/ip_set_bitmap_ip.c

@@ -442,7 +442,7 @@ init_map_ip(struct ip_set *set, struct bitmap_ip *map,
 	map->timeout = IPSET_NO_TIMEOUT;
 
 	set->data = map;
-	set->family = AF_INET;
+	set->family = NFPROTO_IPV4;
 
 	return true;
 }
@@ -550,7 +550,7 @@ static struct ip_set_type bitmap_ip_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP,
 	.dimension	= IPSET_DIM_ONE,
-	.family		= AF_INET,
+	.family		= NFPROTO_IPV4,
 	.revision_min	= 0,
 	.revision_max	= 0,
 	.create		= bitmap_ip_create,

extensions/ipset-6/ip_set_bitmap_ipmac.c

@@ -543,7 +543,7 @@ init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
 	map->timeout = IPSET_NO_TIMEOUT;
 
 	set->data = map;
-	set->family = AF_INET;
+	set->family = NFPROTO_IPV4;
 
 	return true;
 }
@@ -623,7 +623,7 @@ static struct ip_set_type bitmap_ipmac_type = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_MAC,
 	.dimension	= IPSET_DIM_TWO,
-	.family		= AF_INET,
+	.family		= NFPROTO_IPV4,
 	.revision_min	= 0,
 	.revision_max	= 0,
 	.create		= bitmap_ipmac_create,

extensions/ipset-6/ip_set_bitmap_port.c

@@ -422,7 +422,7 @@ init_map_port(struct ip_set *set, struct bitmap_port *map,
 	map->timeout = IPSET_NO_TIMEOUT;
 
 	set->data = map;
-	set->family = AF_UNSPEC;
+	set->family = NFPROTO_UNSPEC;
 
 	return true;
 }
@@ -483,7 +483,7 @@ static struct ip_set_type bitmap_port_type = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_PORT,
 	.dimension	= IPSET_DIM_ONE,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 0,
 	.create		= bitmap_port_create,

extensions/ipset-6/ip_set_core.c

@@ -17,7 +17,9 @@
 #include <linux/spinlock.h>
 #include <linux/netlink.h>
 #include <linux/rculist.h>
+#ifdef IPSET_EXTERNAL_MODULE
 #include <linux/version.h>
+#endif
 #include <net/netlink.h>
 
 #include <linux/netfilter.h>
@@ -75,7 +77,7 @@ find_set_type(const char *name, u8 family, u8 revision)
 
 	list_for_each_entry_rcu(type, &ip_set_type_list, list)
 		if (STREQ(type->name, name) &&
-		    (type->family == family || type->family == AF_UNSPEC) &&
+		    (type->family == family || type->family == NFPROTO_UNSPEC) &&
 		    revision >= type->revision_min &&
 		    revision <= type->revision_max)
 			return type;
@@ -83,37 +85,42 @@ find_set_type(const char *name, u8 family, u8 revision)
 }
 
 /* Unlock, try to load a set type module and lock again */
-static int
+static bool
-try_to_load_type(const char *name)
+load_settype(const char *name)
 {
 	genl_unlock();
 	pr_debug("try to load ip_set_%s\n", name);
 	if (request_module("ip_set_%s", name) < 0) {
 		pr_warning("Can't find ip_set type %s\n", name);
 		genl_lock();
-		return -IPSET_ERR_FIND_TYPE;
+		return false;
 	}
 	genl_lock();
-	return -EAGAIN;
+	return true;
 }
 
 /* Find a set type and reference it */
+#define find_set_type_get(name, family, revision, found)	\
+	__find_set_type_get(name, family, revision, found, false)
+
 static int
-find_set_type_get(const char *name, u8 family, u8 revision,
+__find_set_type_get(const char *name, u8 family, u8 revision,
-		  struct ip_set_type **found)
+		    struct ip_set_type **found, bool retry)
 {
 	struct ip_set_type *type;
-	unsigned int retry = 0;
 	int err;
 
-retry:
+	if (retry && !load_settype(name))
+		return -IPSET_ERR_FIND_TYPE;
+
 	rcu_read_lock();
 	*found = find_set_type(name, family, revision);
 	if (*found) {
 		err = !try_module_get((*found)->me) ? -EFAULT : 0;
 		goto unlock;
 	}
-	/* Make sure the type is loaded but we don't support the revision */
+	/* Make sure the type is already loaded
+	 * but we don't support the revision */
 	list_for_each_entry_rcu(type, &ip_set_type_list, list)
 		if (STREQ(type->name, name)) {
 			err = -IPSET_ERR_FIND_TYPE;
@@ -121,10 +128,8 @@ retry:
 		}
 	rcu_read_unlock();
 
-	err = try_to_load_type(name);
+	return retry ? -IPSET_ERR_FIND_TYPE :
-	if (err == -EAGAIN && retry++ == 0)
+		__find_set_type_get(name, family, revision, found, true);
-		goto retry;
-	return err;
 
 unlock:
 	rcu_read_unlock();
@@ -135,20 +140,24 @@ unlock:
  * If we succeeded, the supported minimal and maximum revisions are
  * filled out.
  */
+#define find_set_type_minmax(name, family, min, max) \
+	__find_set_type_minmax(name, family, min, max, false)
+
 static int
-find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max)
+__find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
+		       bool retry)
 {
 	struct ip_set_type *type;
 	bool found = false;
-	unsigned int retry = 0;
-	int err;
 
-retry:
+	if (retry && !load_settype(name))
+		return -IPSET_ERR_FIND_TYPE;
+
 	*min = 255; *max = 0;
 	rcu_read_lock();
 	list_for_each_entry_rcu(type, &ip_set_type_list, list)
 		if (STREQ(type->name, name) &&
-		    (type->family == family || type->family == AF_UNSPEC)) {
+		    (type->family == family || type->family == NFPROTO_UNSPEC)) {
 			found = true;
 			if (type->revision_min < *min)
 				*min = type->revision_min;
@@ -159,14 +168,12 @@ retry:
 	if (found)
 		return 0;
 
-	err = try_to_load_type(name);
+	return retry ? -IPSET_ERR_FIND_TYPE :
-	if (err == -EAGAIN && retry++ == 0)
+		__find_set_type_minmax(name, family, min, max, true);
-		goto retry;
-	return err;
 }
 
-#define family_name(f)	((f) == AF_INET ? "inet" : \
+#define family_name(f)	((f) == NFPROTO_IPV4 ? "inet" : \
-			 (f) == AF_INET6 ? "inet6" : "any")
+			 (f) == NFPROTO_IPV6 ? "inet6" : "any")
 
 /* Register a set type structure. The type is identified by
  * the unique triple of name, family and revision.
@@ -360,7 +367,7 @@ ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
 	pr_debug("set %s, index %u\n", set->name, index);
 
 	if (opt->dim < set->type->dimension ||
-	    !(opt->family == set->family || set->family == AF_UNSPEC))
+	    !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
 		return 0;
 
 	read_lock_bh(&set->lock);
@@ -393,7 +400,7 @@ ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
 	pr_debug("set %s, index %u\n", set->name, index);
 
 	if (opt->dim < set->type->dimension ||
-	    !(opt->family == set->family || set->family == AF_UNSPEC))
+	    !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
 		return 0;
 
 	write_lock_bh(&set->lock);
@@ -416,7 +423,7 @@ ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
 	pr_debug("set %s, index %u\n", set->name, index);
 
 	if (opt->dim < set->type->dimension ||
-	    !(opt->family == set->family || set->family == AF_UNSPEC))
+	    !(opt->family == set->family || set->family == NFPROTO_UNSPEC))
 		return 0;
 
 	write_lock_bh(&set->lock);
@@ -1137,6 +1144,7 @@ release_refcount:
 	if (ret || !cb->args[2]) {
 		pr_debug("release set %s\n", ip_set_list[index]->name);
 		ip_set_put_byindex(index);
+		cb->args[2] = 0;
 	}
 out:
 	if (nlh) {
@@ -1160,12 +1168,12 @@ ip_set_dump(struct sk_buff *skb, struct genl_info *info)
 		return -IPSET_ERR_PROTOCOL;
 
 	genl_unlock();
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 1, 0)
-	ret = netlink_dump_start(ctnl, skb, nlh, ip_set_dump_start, ip_set_dump_done, 0);
-#else
 	ret = netlink_dump_start(ctnl, skb, nlh,
 				  ip_set_dump_start,
+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 1, 0)
 				  ip_set_dump_done);
+#else
+				  ip_set_dump_done, 0);
 #endif
 	genl_lock();
 	return ret;
@@ -1738,10 +1746,8 @@ ip_set_init(void)
 
 	ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max,
 			      GFP_KERNEL);
-	if (!ip_set_list) {
+	if (!ip_set_list)
-		pr_err("ip_set: Unable to create ip_set_list\n");
 		return -ENOMEM;
-	}
 
 	ret = genl_register_family_with_ops(&ip_set_netlink_subsys,
 	      ip_set_netlink_subsys_cb, ARRAY_SIZE(ip_set_netlink_subsys_cb));

extensions/ipset-6/ip_set_getport.c

@@ -133,10 +133,10 @@ ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port)
 	u8 proto;
 
 	switch (pf) {
-	case AF_INET:
+	case NFPROTO_IPV4:
 		ret = ip_set_get_ip4_port(skb, src, port, &proto);
 		break;
-	case AF_INET6:
+	case NFPROTO_IPV6:
 		ret = ip_set_get_ip6_port(skb, src, port, &proto);
 		break;
 	default:

extensions/ipset-6/ip_set_hash_ip.c

@@ -366,11 +366,11 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	u8 netmask, hbits;
 	struct ip_set_hash *h;
 
-	if (!(set->family == AF_INET || set->family == AF_INET6))
+	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
-	netmask = set->family == AF_INET ? 32 : 128;
+	netmask = set->family == NFPROTO_IPV4 ? 32 : 128;
 	pr_debug("Create set %s with family %s\n",
-		 set->name, set->family == AF_INET ? "inet" : "inet6");
+		 set->name, set->family == NFPROTO_IPV4 ? "inet" : "inet6");
 
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
 		     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
@@ -389,8 +389,8 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_NETMASK]) {
 		netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
 
-		if ((set->family == AF_INET && netmask > 32) ||
+		if ((set->family == NFPROTO_IPV4 && netmask > 32) ||
-		    (set->family == AF_INET6 && netmask > 128) ||
+		    (set->family == NFPROTO_IPV6 && netmask > 128) ||
 		    netmask == 0)
 			return -IPSET_ERR_INVALID_NETMASK;
 	}
@@ -419,15 +419,15 @@ hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ip4_tvariant : &hash_ip6_tvariant;
 
-		if (set->family == AF_INET)
+		if (set->family == NFPROTO_IPV4)
 			hash_ip4_gc_init(set);
 		else
 			hash_ip6_gc_init(set);
 	} else {
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ip4_variant : &hash_ip6_variant;
 	}
 
@@ -443,7 +443,7 @@ static struct ip_set_type hash_ip_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP,
 	.dimension	= IPSET_DIM_ONE,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 0,
 	.create		= hash_ip_create,

extensions/ipset-6/ip_set_hash_ipport.c

@@ -450,7 +450,7 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 
-	if (!(set->family == AF_INET || set->family == AF_INET6))
+	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
 
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
@@ -490,15 +490,15 @@ hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ipport4_tvariant : &hash_ipport6_tvariant;
 
-		if (set->family == AF_INET)
+		if (set->family == NFPROTO_IPV4)
 			hash_ipport4_gc_init(set);
 		else
 			hash_ipport6_gc_init(set);
 	} else {
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ipport4_variant : &hash_ipport6_variant;
 	}
 
@@ -514,7 +514,7 @@ static struct ip_set_type hash_ipport_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT,
 	.dimension	= IPSET_DIM_TWO,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 1,	/* SCTP and UDPLITE support added */
 	.create		= hash_ipport_create,

extensions/ipset-6/ip_set_hash_ipportip.c

@@ -468,7 +468,7 @@ hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 
-	if (!(set->family == AF_INET || set->family == AF_INET6))
+	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
 
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
@@ -508,15 +508,15 @@ hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ipportip4_tvariant : &hash_ipportip6_tvariant;
 
-		if (set->family == AF_INET)
+		if (set->family == NFPROTO_IPV4)
 			hash_ipportip4_gc_init(set);
 		else
 			hash_ipportip6_gc_init(set);
 	} else {
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ipportip4_variant : &hash_ipportip6_variant;
 	}
 
@@ -532,7 +532,7 @@ static struct ip_set_type hash_ipportip_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
 	.dimension	= IPSET_DIM_THREE,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 1,	/* SCTP and UDPLITE support added */
 	.create		= hash_ipportip_create,

extensions/ipset-6/ip_set_hash_ipportnet.c

@@ -554,7 +554,7 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 
-	if (!(set->family == AF_INET || set->family == AF_INET6))
+	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
 
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
@@ -573,7 +573,7 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
-		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+		      * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 
@@ -596,16 +596,16 @@ hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ipportnet4_tvariant
 			: &hash_ipportnet6_tvariant;
 
-		if (set->family == AF_INET)
+		if (set->family == NFPROTO_IPV4)
 			hash_ipportnet4_gc_init(set);
 		else
 			hash_ipportnet6_gc_init(set);
 	} else {
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_ipportnet4_variant : &hash_ipportnet6_variant;
 	}
 
@@ -621,7 +621,7 @@ static struct ip_set_type hash_ipportnet_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
 	.dimension	= IPSET_DIM_THREE,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	/*		  1	   SCTP and UDPLITE support added */
 	.revision_max	= 2,	/* Range as input support for IPv4 added */

extensions/ipset-6/ip_set_hash_net.c

@@ -406,7 +406,7 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	struct ip_set_hash *h;
 	u8 hbits;
 
-	if (!(set->family == AF_INET || set->family == AF_INET6))
+	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
 
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
@@ -425,7 +425,7 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
-		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+		      * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 
@@ -448,15 +448,15 @@ hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_net4_tvariant : &hash_net6_tvariant;
 
-		if (set->family == AF_INET)
+		if (set->family == NFPROTO_IPV4)
 			hash_net4_gc_init(set);
 		else
 			hash_net6_gc_init(set);
 	} else {
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_net4_variant : &hash_net6_variant;
 	}
 
@@ -472,7 +472,7 @@ static struct ip_set_type hash_net_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP,
 	.dimension	= IPSET_DIM_ONE,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 1,	/* Range as input support for IPv4 added */
 	.create		= hash_net_create,

extensions/ipset-6/ip_set_hash_netiface.c

@@ -678,7 +678,7 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 
-	if (!(set->family == AF_INET || set->family == AF_INET6))
+	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
 
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
@@ -697,7 +697,7 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
-		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+		      * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 
@@ -722,15 +722,15 @@ hash_netiface_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_netiface4_tvariant : &hash_netiface6_tvariant;
 
-		if (set->family == AF_INET)
+		if (set->family == NFPROTO_IPV4)
 			hash_netiface4_gc_init(set);
 		else
 			hash_netiface6_gc_init(set);
 	} else {
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_netiface4_variant : &hash_netiface6_variant;
 	}
 
@@ -746,7 +746,7 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_IFACE,
 	.dimension	= IPSET_DIM_TWO,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	.create		= hash_netiface_create,
 	.create_policy	= {

extensions/ipset-6/ip_set_hash_netport.c

@@ -507,7 +507,7 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
 	u8 hbits;
 
-	if (!(set->family == AF_INET || set->family == AF_INET6))
+	if (!(set->family == NFPROTO_IPV4 || set->family == NFPROTO_IPV6))
 		return -IPSET_ERR_INVALID_FAMILY;
 
 	if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
@@ -526,7 +526,7 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 
 	h = kzalloc(sizeof(*h)
 		    + sizeof(struct ip_set_hash_nets)
-		      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+		      * (set->family == NFPROTO_IPV4 ? 32 : 128), GFP_KERNEL);
 	if (!h)
 		return -ENOMEM;
 
@@ -549,15 +549,15 @@ hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
 	if (tb[IPSET_ATTR_TIMEOUT]) {
 		h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
 
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_netport4_tvariant : &hash_netport6_tvariant;
 
-		if (set->family == AF_INET)
+		if (set->family == NFPROTO_IPV4)
 			hash_netport4_gc_init(set);
 		else
 			hash_netport6_gc_init(set);
 	} else {
-		set->variant = set->family == AF_INET
+		set->variant = set->family == NFPROTO_IPV4
 			? &hash_netport4_variant : &hash_netport6_variant;
 	}
 
@@ -573,7 +573,7 @@ static struct ip_set_type hash_netport_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_IP | IPSET_TYPE_PORT,
 	.dimension	= IPSET_DIM_TWO,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	/*		  1	   SCTP and UDPLITE support added */
 	.revision_max	= 2,	/* Range as input support for IPv4 added */

extensions/ipset-6/ip_set_list_set.c

@@ -575,7 +575,7 @@ static struct ip_set_type list_set_type __read_mostly = {
 	.protocol	= IPSET_PROTOCOL,
 	.features	= IPSET_TYPE_NAME | IPSET_DUMP_LAST,
 	.dimension	= IPSET_DIM_ONE,
-	.family		= AF_UNSPEC,
+	.family		= NFPROTO_UNSPEC,
 	.revision_min	= 0,
 	.revision_max	= 0,
 	.create		= list_set_create,

extensions/ipset-6/libipset/data.c

@@ -8,7 +8,6 @@
 #include <arpa/inet.h>				/* ntoh* */
 #include <net/ethernet.h>			/* ETH_ALEN */
 #include <net/if.h>				/* IFNAMSIZ */
-#include <sys/socket.h>				/* AF_ */
 #include <stdlib.h>				/* malloc, free */
 #include <string.h>				/* memset */
 
@@ -81,7 +80,7 @@ struct ipset_data {
 static void
 copy_addr(uint8_t family, union nf_inet_addr *ip, const void *value)
 {
-	if (family == AF_INET)
+	if (family == NFPROTO_IPV4)
 		in4cpy(&ip->in, value);
 	else
 		in6cpy(&ip->in6, value);
@@ -213,12 +212,12 @@ ipset_data_set(struct ipset_data *data, enum ipset_opt opt, const void *value)
 		break;
 	/* CADT options */
 	case IPSET_OPT_IP:
-		if (!(data->family == AF_INET || data->family == AF_INET6))
+		if (!(data->family == NFPROTO_IPV4 || data->family == NFPROTO_IPV6))
 			return -1;
 		copy_addr(data->family, &data->ip, value);
 		break;
 	case IPSET_OPT_IP_TO:
-		if (!(data->family == AF_INET || data->family == AF_INET6))
+		if (!(data->family == NFPROTO_IPV4 || data->family == NFPROTO_IPV6))
 			return -1;
 		copy_addr(data->family, &data->ip_to, value);
 		break;
@@ -288,12 +287,12 @@ ipset_data_set(struct ipset_data *data, enum ipset_opt opt, const void *value)
 		ipset_strlcpy(data->adt.nameref, value, IPSET_MAXNAMELEN);
 		break;
 	case IPSET_OPT_IP2:
-		if (!(data->family == AF_INET || data->family == AF_INET6))
+		if (!(data->family == NFPROTO_IPV4 || data->family == NFPROTO_IPV6))
 			return -1;
 		copy_addr(data->family, &data->adt.ip2, value);
 		break;
 	case IPSET_OPT_IP2_TO:
-		if (!(data->family == AF_INET || data->family == AF_INET6))
+		if (!(data->family == NFPROTO_IPV4 || data->family == NFPROTO_IPV6))
 			return -1;
 		copy_addr(data->family, &data->adt.ip2_to, value);
 		break;
@@ -456,7 +455,7 @@ ipset_data_sizeof(enum ipset_opt opt, uint8_t family)
 	case IPSET_OPT_IP_TO:
 	case IPSET_OPT_IP2:
 	case IPSET_OPT_IP2_TO:
-		return family == AF_INET ? sizeof(uint32_t)
+		return family == NFPROTO_IPV4 ? sizeof(uint32_t)
 					 : sizeof(struct in6_addr);
 	case IPSET_OPT_PORT:
 	case IPSET_OPT_PORT_TO:
@@ -511,14 +510,14 @@ ipset_data_setname(const struct ipset_data *data)
  * @data: data blob
  *
  * Return the INET family supported by the set from the data blob.
- * If the family is not set yet, AF_UNSPEC is returned.
+ * If the family is not set yet, NFPROTO_UNSPEC is returned.
  */
 uint8_t
 ipset_data_family(const struct ipset_data *data)
 {
 	assert(data);
 	return ipset_data_test(data, IPSET_OPT_FAMILY)
-		? data->family : AF_UNSPEC;
+		? data->family : NFPROTO_UNSPEC;
 }
 
 /**
@@ -534,8 +533,8 @@ ipset_data_cidr(const struct ipset_data *data)
 {
 	assert(data);
 	return ipset_data_test(data, IPSET_OPT_CIDR) ? data->cidr :
-	       data->family == AF_INET ? 32 :
+	       data->family == NFPROTO_IPV4 ? 32 :
-	       data->family == AF_INET6 ? 128 : 0;
+	       data->family == NFPROTO_IPV6 ? 128 : 0;
 }
 
 /**

extensions/ipset-6/libipset/debug.c

@@ -116,14 +116,14 @@ debug_cadt_attrs(int max, const struct ipset_attr_policy *policy,
 				d = mnl_attr_get_payload(
 					ipattr[IPSET_ATTR_IPADDR_IPV4]);
 
-				inet_ntop(AF_INET, d, addr, INET6_ADDRSTRLEN);
+				inet_ntop(NFPROTO_IPV4, d, addr, INET6_ADDRSTRLEN);
 				fprintf(stderr, "\t\t%s: %s\n",
 					attr2name[i].name, addr);
 			} else if (ipattr[IPSET_ATTR_IPADDR_IPV6]) {
 				d = mnl_attr_get_payload(
 					ipattr[IPSET_ATTR_IPADDR_IPV6]);
 
-				inet_ntop(AF_INET6, d, addr, INET6_ADDRSTRLEN);
+				inet_ntop(NFPROTO_IPV6, d, addr, INET6_ADDRSTRLEN);
 				fprintf(stderr, "\t\t%s: %s\n",
 					attr2name[i].name, addr);
 			}

extensions/ipset-6/libipset/parse.c

@@ -511,7 +511,7 @@ ipset_parse_proto_port(struct ipset_session *session,
 			tmp = a;
 			goto parse_port;
 		case IPPROTO_ICMP:
-			if (family != AF_INET) {
+			if (family != NFPROTO_IPV4) {
 				syntax_err("Protocol ICMP can be used "
 					   "with family INET only");
 				goto error;
@@ -519,7 +519,7 @@ ipset_parse_proto_port(struct ipset_session *session,
 			err = ipset_parse_icmp(session, opt, a);
 			break;
 		case IPPROTO_ICMPV6:
-			if (family != AF_INET6) {
+			if (family != NFPROTO_IPV6) {
 				syntax_err("Protocol ICMPv6 can be used "
 					   "with family INET6 only");
 				goto error;
@@ -577,11 +577,11 @@ ipset_parse_family(struct ipset_session *session,
 			   "multiple times");
 
 	if (STREQ(str, "inet") || STREQ(str, "ipv4") || STREQ(str, "-4"))
-		family = AF_INET;
+		family = NFPROTO_IPV4;
 	else if (STREQ(str, "inet6") || STREQ(str, "ipv6") || STREQ(str, "-6"))
-		family = AF_INET6;
+		family = NFPROTO_IPV6;
 	else if (STREQ(str, "any") || STREQ(str, "unspec"))
-		family = AF_UNSPEC;
+		family = NFPROTO_UNSPEC;
 	else
 		return syntax_err("unknown INET family %s", str);
 
@@ -610,7 +610,7 @@ call_getaddrinfo(struct ipset_session *session, const char *str,
 
 	if ((err = getaddrinfo(str, NULL, &hints, &res)) != 0) {
 		syntax_err("cannot resolve '%s' to an %s address: %s",
-			   str, family == AF_INET6 ? "IPv6" : "IPv4",
+			   str, family == NFPROTO_IPV6 ? "IPv6" : "IPv4",
 			   gai_strerror(err));
 		return NULL;
 	} else
@@ -625,13 +625,13 @@ get_addrinfo(struct ipset_session *session,
 	     uint8_t family)
 {
 	struct addrinfo *i;
-	size_t addrlen = family == AF_INET ? sizeof(struct sockaddr_in)
+	size_t addrlen = family == NFPROTO_IPV4 ? sizeof(struct sockaddr_in)
 					   : sizeof(struct sockaddr_in6);
 	int found, err = 0;
 
 	if ((*info = call_getaddrinfo(session, str, family)) == NULL) {
 		syntax_err("cannot parse %s: resolving to %s address failed",
-			   str, family == AF_INET ? "IPv4" : "IPv6");
+			   str, family == NFPROTO_IPV4 ? "IPv4" : "IPv6");
 		return EINVAL;
 	}
 
@@ -639,7 +639,7 @@ get_addrinfo(struct ipset_session *session,
 		if (i->ai_family != family || i->ai_addrlen != addrlen)
 			continue;
 		if (found == 0) {
-			if (family == AF_INET) {
+			if (family == NFPROTO_IPV4) {
 				/* Workaround: direct cast increases
 				 * required alignment on Sparc
 				 */
@@ -668,7 +668,7 @@ get_addrinfo(struct ipset_session *session,
 	if (found == 0)
 		return syntax_err("cannot parse %s: "
 				  "%s address could not be resolved",
-				  str, family == AF_INET ? "IPv4" : "IPv6");
+				  str, family == NFPROTO_IPV4 ? "IPv4" : "IPv6");
 	return err;
 }
 
@@ -677,7 +677,7 @@ parse_ipaddr(struct ipset_session *session,
 	     enum ipset_opt opt, const char *str,
 	     uint8_t family)
 {
-	uint8_t m = family == AF_INET ? 32 : 128;
+	uint8_t m = family == NFPROTO_IPV4 ? 32 : 128;
 	int aerr = EINVAL, err = 0, range = 0;
 	char *saved = strdup(str);
 	char *a, *tmp = saved;
@@ -737,7 +737,7 @@ cidr_hostaddr(const char *str, uint8_t family)
 {
 	char *a = cidr_separator(str);
 
-	return family == AF_INET ? STREQ(a, "/32") : STREQ(a, "/128");
+	return family == NFPROTO_IPV4 ? STREQ(a, "/32") : STREQ(a, "/128");
 }
 
 static int
@@ -747,8 +747,8 @@ parse_ip(struct ipset_session *session,
 	struct ipset_data *data = ipset_session_data(session);
 	uint8_t family = ipset_data_family(data);
 
-	if (family == AF_UNSPEC) {
+	if (family == NFPROTO_UNSPEC) {
-		family = AF_INET;
+		family = NFPROTO_IPV4;
 		ipset_data_set(data, IPSET_OPT_FAMILY, &family);
 	}
 
@@ -985,12 +985,12 @@ ipset_parse_ip4_single6(struct ipset_session *session,
 	data = ipset_session_data(session);
 	family = ipset_data_family(data);
 
-	if (family == AF_UNSPEC) {
+	if (family == NFPROTO_UNSPEC) {
-		family = AF_INET;
+		family = NFPROTO_IPV4;
 		ipset_data_set(data, IPSET_OPT_FAMILY, &family);
 	}
 
-	return family == AF_INET ? ipset_parse_ip(session, opt, str)
+	return family == NFPROTO_IPV4 ? ipset_parse_ip(session, opt, str)
 				 : ipset_parse_single_ip(session, opt, str);
 
 }
@@ -1025,12 +1025,12 @@ ipset_parse_ip4_net6(struct ipset_session *session,
 	data = ipset_session_data(session);
 	family = ipset_data_family(data);
 
-	if (family == AF_UNSPEC) {
+	if (family == NFPROTO_UNSPEC) {
-		family = AF_INET;
+		family = NFPROTO_IPV4;
 		ipset_data_set(data, IPSET_OPT_FAMILY, &family);
 	}
 
-	return family == AF_INET ? parse_ip(session, opt, str, IPADDR_ANY)
+	return family == NFPROTO_IPV4 ? parse_ip(session, opt, str, IPADDR_ANY)
 				 : ipset_parse_ipnet(session, opt, str);
 
 }
@@ -1330,21 +1330,21 @@ ipset_parse_netmask(struct ipset_session *session,
 
 	data = ipset_session_data(session);
 	family = ipset_data_family(data);
-	if (family == AF_UNSPEC) {
+	if (family == NFPROTO_UNSPEC) {
-		family = AF_INET;
+		family = NFPROTO_IPV4;
 		ipset_data_set(data, IPSET_OPT_FAMILY, &family);
 	}
 
 	err = string_to_cidr(session, str,
-			     family == AF_INET ? 1 : 4,
+			     family == NFPROTO_IPV4 ? 1 : 4,
-			     family == AF_INET ? 31 : 124,
+			     family == NFPROTO_IPV4 ? 31 : 124,
 			     &cidr);
 
 	if (err)
 		return syntax_err("netmask is out of the inclusive range "
 				  "of %u-%u",
-				  family == AF_INET ? 1 : 4,
+				  family == NFPROTO_IPV4 ? 1 : 4,
-				  family == AF_INET ? 31 : 124);
+				  family == NFPROTO_IPV4 ? 31 : 124);
 
 	return ipset_data_set(data, opt, &cidr);
 }
@@ -1525,9 +1525,9 @@ ipset_call_parser(struct ipset_session *session,
 
 #define parse_elem(s, t, d, str)					\
 do {									\
-	if (!(t)->elem[d].parse)					\
+	if (!(t)->elem[d - 1].parse)					\
 		goto internal;						\
-	ret = (t)->elem[d].parse(s, (t)->elem[d].opt, str);		\
+	ret = (t)->elem[d - 1].parse(s, (t)->elem[d - 1].opt, str);	\
 	if (ret)							\
 		goto out;						\
 } while (0)
@@ -1582,7 +1582,7 @@ ipset_parse_elem(struct ipset_session *session,
 	} else if (a != NULL) {
 		if (type->compat_parse_elem) {
 			ret = type->compat_parse_elem(session,
-					type->elem[IPSET_DIM_ONE].opt,
+					type->elem[IPSET_DIM_ONE - 1].opt,
 					saved);
 			goto out;
 		}

extensions/ipset-6/libipset/print.c

@@ -152,7 +152,7 @@ __getnameinfo4(char *buf, unsigned int len,
 
 	memset(&saddr, 0, sizeof(saddr));
 	in4cpy(&saddr.sin_addr, &addr->in);
-	saddr.sin_family = AF_INET;
+	saddr.sin_family = NFPROTO_IPV4;
 
 	err = getnameinfo((const struct sockaddr *)&saddr,
 			  sizeof(saddr),
@@ -178,7 +178,7 @@ __getnameinfo6(char *buf, unsigned int len,
 
 	memset(&saddr, 0, sizeof(saddr));
 	in6cpy(&saddr.sin6_addr, &addr->in6);
-	saddr.sin6_family = AF_INET6;
+	saddr.sin6_family = NFPROTO_IPV6;
 
 	err = getnameinfo((const struct sockaddr *)&saddr,
 			  sizeof(saddr),
@@ -253,14 +253,14 @@ ipset_print_ip(char *buf, unsigned int len,
 		cidr = *(const uint8_t *) ipset_data_get(data, cidropt);
 		D("CIDR: %u", cidr);
 	} else
-		cidr = family == AF_INET6 ? 128 : 32;
+		cidr = family == NFPROTO_IPV6 ? 128 : 32;
 	flags = (env & IPSET_ENV_RESOLVE) ? 0 : NI_NUMERICHOST;
 
 	ip = ipset_data_get(data, opt);
 	assert(ip);
-	if (family == AF_INET)
+	if (family == NFPROTO_IPV4)
 		size = snprintf_ipv4(buf, len, flags, ip, cidr);
-	else if (family == AF_INET6)
+	else if (family == NFPROTO_IPV6)
 		size = snprintf_ipv6(buf, len, flags, ip, cidr);
 	else
 		return -1;
@@ -275,9 +275,9 @@ ipset_print_ip(char *buf, unsigned int len,
 	SNPRINTF_FAILURE(size, len, offset);
 
 	ip = ipset_data_get(data, IPSET_OPT_IP_TO);
-	if (family == AF_INET)
+	if (family == NFPROTO_IPV4)
 		size = snprintf_ipv4(buf + offset, len, flags, ip, cidr);
-	else if (family == AF_INET6)
+	else if (family == NFPROTO_IPV6)
 		size = snprintf_ipv6(buf + offset, len, flags, ip, cidr);
 	else
 		return -1;
@@ -320,14 +320,14 @@ ipset_print_ipaddr(char *buf, unsigned int len,
 	if (ipset_data_test(data, cidropt))
 		cidr = *(const uint8_t *) ipset_data_get(data, cidropt);
 	else
-		cidr = family == AF_INET6 ? 128 : 32;
+		cidr = family == NFPROTO_IPV6 ? 128 : 32;
 	flags = (env & IPSET_ENV_RESOLVE) ? 0 : NI_NUMERICHOST;
 
 	ip = ipset_data_get(data, opt);
 	assert(ip);
-	if (family == AF_INET)
+	if (family == NFPROTO_IPV4)
 		return snprintf_ipv4(buf, len, flags, ip, cidr);
-	else if (family == AF_INET6)
+	else if (family == NFPROTO_IPV6)
 		return snprintf_ipv6(buf, len, flags, ip, cidr);
 
 	return -1;
@@ -705,30 +705,30 @@ ipset_print_elem(char *buf, unsigned int len,
 	if (!type)
 		return -1;
 
-	size = type->elem[IPSET_DIM_ONE].print(buf, len, data,
+	size = type->elem[IPSET_DIM_ONE - 1].print(buf, len, data,
-			type->elem[IPSET_DIM_ONE].opt, env);
+			type->elem[IPSET_DIM_ONE - 1].opt, env);
 	SNPRINTF_FAILURE(size, len, offset);
-	IF_D(ipset_data_test(data, type->elem[IPSET_DIM_TWO].opt),
+	IF_D(ipset_data_test(data, type->elem[IPSET_DIM_TWO - 1].opt),
 	     "print second elem");
 	if (type->dimension == IPSET_DIM_ONE ||
 	    (type->last_elem_optional &&
-	     !ipset_data_test(data, type->elem[IPSET_DIM_TWO].opt)))
+	     !ipset_data_test(data, type->elem[IPSET_DIM_TWO - 1].opt)))
 		return offset;
 
 	size = snprintf(buf + offset, len, IPSET_ELEM_SEPARATOR);
 	SNPRINTF_FAILURE(size, len, offset);
-	size = type->elem[IPSET_DIM_TWO].print(buf + offset, len, data,
+	size = type->elem[IPSET_DIM_TWO - 1].print(buf + offset, len, data,
-			type->elem[IPSET_DIM_TWO].opt, env);
+			type->elem[IPSET_DIM_TWO - 1].opt, env);
 	SNPRINTF_FAILURE(size, len, offset);
 	if (type->dimension == IPSET_DIM_TWO ||
 	    (type->last_elem_optional &&
-	     !ipset_data_test(data, type->elem[IPSET_DIM_THREE].opt)))
+	     !ipset_data_test(data, type->elem[IPSET_DIM_THREE - 1].opt)))
 		return offset;
 
 	size = snprintf(buf + offset, len, IPSET_ELEM_SEPARATOR);
 	SNPRINTF_FAILURE(size, len, offset);
-	size = type->elem[IPSET_DIM_THREE].print(buf + offset, len, data,
+	size = type->elem[IPSET_DIM_THREE - 1].print(buf + offset, len, data,
-			type->elem[IPSET_DIM_THREE].opt, env);
+			type->elem[IPSET_DIM_THREE - 1].opt, env);
 	SNPRINTF_FAILURE(size, len, offset);
 
 	return offset;

extensions/ipset-6/libipset/session.c

@@ -570,7 +570,7 @@ attr2data(struct ipset_session *session, struct nlattr *nla[],
 
 		/* Validate by hand */
 		switch (family) {
-		case AF_INET:
+		case NFPROTO_IPV4:
 			atype = IPSET_ATTR_IPADDR_IPV4;
 			if (!ipattr[atype])
 				FAILURE("Broken kernel message: IPv4 address "
@@ -580,7 +580,7 @@ attr2data(struct ipset_session *session, struct nlattr *nla[],
 					"cannot validate IPv4 "
 					"address attribute!");
 			break;
-		case AF_INET6:
+		case NFPROTO_IPV6:
 			atype = IPSET_ATTR_IPADDR_IPV6;
 			if (!ipattr[atype])
 				FAILURE("Broken kernel message: IPv6 address "
@@ -816,8 +816,8 @@ list_adt(struct ipset_session *session, struct nlattr *nla[])
 }
 
 #define FAMILY_TO_STR(f)		\
-	((f) == AF_INET ? "inet" :	\
+	((f) == NFPROTO_IPV4 ? "inet" :	\
-	 (f) == AF_INET6 ? "inet6" : "any")
+	 (f) == NFPROTO_IPV6 ? "inet6" : "any")
 
 static int
 list_create(struct ipset_session *session, struct nlattr *nla[])
@@ -1415,7 +1415,7 @@ attr_len(const struct ipset_attr_policy *attr, uint8_t family, uint16_t *flags)
 			return attr->len;
 
 		*flags = NLA_F_NET_BYTEORDER;
-		return family == AF_INET ? sizeof(uint32_t)
+		return family == NFPROTO_IPV4 ? sizeof(uint32_t)
 					 : sizeof(struct in6_addr);
 	case MNL_TYPE_U32:
 		*flags = NLA_F_NET_BYTEORDER;
@@ -1448,7 +1448,7 @@ rawdata2attr(struct ipset_session *session, struct nlmsghdr *nlh,
 	if (attr->type == MNL_TYPE_NESTED) {
 		/* IP addresses */
 		struct nlattr *nested;
-		int atype = family == AF_INET ? IPSET_ATTR_IPADDR_IPV4
+		int atype = family == NFPROTO_IPV4 ? IPSET_ATTR_IPADDR_IPV4
 					      : IPSET_ATTR_IPADDR_IPV6;
 
 		alen = attr_len(attr, family, &flags);
@@ -1456,8 +1456,8 @@ rawdata2attr(struct ipset_session *session, struct nlmsghdr *nlh,
 				MNL_ATTR_HDRLEN, alen))
 			return 1;
 		nested = mnl_attr_nest_start(nlh, type);
-		D("family: %s", family == AF_INET ? "INET" :
+		D("family: %s", family == NFPROTO_IPV4 ? "INET" :
-				family == AF_INET6 ? "INET6" : "UNSPEC");
+				family == NFPROTO_IPV6 ? "INET6" : "UNSPEC");
 		mnl_attr_put(nlh, atype | flags, alen, d);
 		mnl_attr_nest_end(nlh, nested);
 
@@ -1511,14 +1511,14 @@ data2attr(struct ipset_session *session, struct nlmsghdr *nlh,
 	data2attr(session, nlh, data, type, family, attrs)
 
 #define ADDATTR_SETNAME(session, nlh, data)				\
-	data2attr(session, nlh, data, IPSET_ATTR_SETNAME, AF_INET, cmd_attrs)
+	data2attr(session, nlh, data, IPSET_ATTR_SETNAME, NFPROTO_IPV4, cmd_attrs)
 
 #define ADDATTR_IF(session, nlh, data, type, family, attrs)		\
 	ipset_data_test(data, attrs[type].opt) ?			\
 		data2attr(session, nlh, data, type, family, attrs) : 0
 
 #define ADDATTR_RAW(session, nlh, data, type, attrs)			\
-	rawdata2attr(session, nlh, data, type, AF_INET, attrs)
+	rawdata2attr(session, nlh, data, type, NFPROTO_IPV4, attrs)
 
 static void
 addattr_create(struct ipset_session *session,
@@ -1574,13 +1574,13 @@ build_send_private_msg(struct ipset_session *session, enum ipset_cmd cmd)
 				"Invalid internal TYPE command: "
 				"missing settype");
 		ADDATTR(session, nlh, data, IPSET_ATTR_TYPENAME,
-			AF_INET, cmd_attrs);
+			NFPROTO_IPV4, cmd_attrs);
 		if (ipset_data_test(data, IPSET_OPT_FAMILY))
 			ADDATTR(session, nlh, data, IPSET_ATTR_FAMILY,
-				AF_INET, cmd_attrs);
+				NFPROTO_IPV4, cmd_attrs);
 		else
 			/* bitmap:port and list:set types */
-			mnl_attr_put_u8(nlh, IPSET_ATTR_FAMILY, AF_UNSPEC);
+			mnl_attr_put_u8(nlh, IPSET_ATTR_FAMILY, NFPROTO_UNSPEC);
 		break;
 	default:
 		return ipset_err(session, "Internal error: "
@@ -1640,17 +1640,17 @@ build_msg(struct ipset_session *session, bool aggregate)
 		 * setname, typename, revision, family, flags (optional) */
 		ADDATTR_SETNAME(session, nlh, data);
 		ADDATTR(session, nlh, data, IPSET_ATTR_TYPENAME,
-			AF_INET, cmd_attrs);
+			NFPROTO_IPV4, cmd_attrs);
 		ADDATTR_RAW(session, nlh, &type->revision,
 			    IPSET_ATTR_REVISION, cmd_attrs);
 		D("family: %u, type family %u",
 		  ipset_data_family(data), type->family);
 		if (ipset_data_test(data, IPSET_OPT_FAMILY))
 			ADDATTR(session, nlh, data, IPSET_ATTR_FAMILY,
-				AF_INET, cmd_attrs);
+				NFPROTO_IPV4, cmd_attrs);
 		else
 			/* bitmap:port and list:set types */
-			mnl_attr_put_u8(nlh, IPSET_ATTR_FAMILY, AF_UNSPEC);
+			mnl_attr_put_u8(nlh, IPSET_ATTR_FAMILY, NFPROTO_UNSPEC);
 
 		/* Type-specific create attributes */
 		D("call open_nested");
@@ -1677,7 +1677,7 @@ build_msg(struct ipset_session *session, bool aggregate)
 			ADDATTR_SETNAME(session, nlh, data);
 		if (flags && session->mode != IPSET_LIST_SAVE) {
 			ipset_data_set(data, IPSET_OPT_FLAGS, &flags);
-			ADDATTR(session, nlh, data, IPSET_ATTR_FLAGS, AF_INET,
+			ADDATTR(session, nlh, data, IPSET_ATTR_FLAGS, NFPROTO_IPV4,
 				cmd_attrs);
 		}
 		break;

extensions/ipset-6/libipset/types.c

@@ -173,7 +173,8 @@ ipset_cache_swap(const char *from, const char *to)
 }
 
 #define MATCH_FAMILY(type, f)	\
-	(f == AF_UNSPEC || type->family == f || type->family == AF_INET46)
+	(f == NFPROTO_UNSPEC || type->family == f || \
+	 type->family == NFPROTO_IPSET_IPV46)
 
 bool
 ipset_match_typename(const char *name, const struct ipset_type *type)
@@ -227,8 +228,9 @@ create_type_get(struct ipset_session *session)
 				    typename);
 
 	/* Family is unspecified yet: set from matching set type */
-	if (family == AF_UNSPEC && match->family != AF_UNSPEC) {
+	if (family == NFPROTO_UNSPEC && match->family != NFPROTO_UNSPEC) {
-		family = match->family == AF_INET46 ? AF_INET : match->family;
+		family = match->family == NFPROTO_IPSET_IPV46 ?
+			 NFPROTO_IPV4 : match->family;
 		ipset_data_set(data, IPSET_OPT_FAMILY, &family);
 	}
 
@@ -254,8 +256,8 @@ create_type_get(struct ipset_session *session)
 				"with maximal revision %u.\n"
 				"You need to upgrade your ipset program.",
 				typename,
-				family == AF_INET ? "INET" :
+				family == NFPROTO_IPV4 ? "INET" :
-				family == AF_INET6 ? "INET6" : "UNSPEC",
+				family == NFPROTO_IPV6 ? "INET6" : "UNSPEC",
 				kmin, tmax);
 		else
 			return ipset_errptr(session,
@@ -264,8 +266,8 @@ create_type_get(struct ipset_session *session)
 				"with minimal revision %u.\n"
 				"You need to upgrade your kernel.",
 				typename,
-				family == AF_INET ? "INET" :
+				family == NFPROTO_IPV4 ? "INET" :
-				family == AF_INET6 ? "INET6" : "UNSPEC",
+				family == NFPROTO_IPV6 ? "INET6" : "UNSPEC",
 				kmax, tmin);
 	}
 
@@ -290,8 +292,9 @@ found:
 }
 
 #define set_family_and_type(data, match, family) do {		\
-	if (family == AF_UNSPEC && match->family != AF_UNSPEC)	\
+	if (family == NFPROTO_UNSPEC && match->family != NFPROTO_UNSPEC)	\
-		family = match->family == AF_INET46 ? AF_INET : match->family;\
+		family = match->family == NFPROTO_IPSET_IPV46 ? \
+			 NFPROTO_IPV4 : match->family;\
 	ipset_data_set(data, IPSET_OPT_FAMILY, &family);	\
 	ipset_data_set(data, IPSET_OPT_TYPE, match);		\
 } while (0)
@@ -306,7 +309,7 @@ adt_type_get(struct ipset_session *session)
 	const struct ipset_type *match;
 	const char *setname, *typename;
 	const uint8_t *revision;
-	uint8_t family = AF_UNSPEC;
+	uint8_t family = NFPROTO_UNSPEC;
 	int ret;
 
 	data = ipset_session_data(session);
@@ -352,8 +355,8 @@ adt_type_get(struct ipset_session *session)
 				    "ipset library does not support the "
 				    "settype with that family and revision.",
 				    setname, typename,
-				    family == AF_INET ? "inet" :
+				    family == NFPROTO_IPV4 ? "inet" :
-				    family == AF_INET6 ? "inet6" : "unspec",
+				    family == NFPROTO_IPV6 ? "inet6" : "unspec",
 				    *revision);
 
 	set_family_and_type(data, match, family);
@@ -409,7 +412,7 @@ ipset_type_check(struct ipset_session *session)
 	const struct ipset_type *t, *match = NULL;
 	struct ipset_data *data;
 	const char *typename;
-	uint8_t family = AF_UNSPEC, revision;
+	uint8_t family = NFPROTO_UNSPEC, revision;
 
 	assert(session);
 	data = ipset_session_data(session);

extensions/ipset-6/src/ipset.c

@@ -24,7 +24,7 @@
 #include <libipset/utils.h>		/* STREQ */
 
 static char program_name[] = "ipset";
-static char program_version[] = "6.8-genl-xta";
+static char program_version[] = "6.9.1-genl-xta";
 
 static struct ipset_session *session;
 static uint32_t restore_line;
@@ -324,9 +324,9 @@ static const char *
 session_family(void)
 {
 	switch (ipset_data_family(ipset_session_data(session))) {
-	case AF_INET:
+	case NFPROTO_IPV4:
 		return "inet";
-	case AF_INET6:
+	case NFPROTO_IPV6:
 		return "inet6";
 	default:
 		return "unspec";
@@ -581,10 +581,10 @@ parse_commandline(int argc, char *argv[])
 				       type->name, type->usage);
 				if (type->usagefn)
 					type->usagefn();
-				if (type->family == AF_UNSPEC)
+				if (type->family == NFPROTO_UNSPEC)
 					printf("\nType %s is family neutral.\n",
 					       type->name);
-				else if (type->family == AF_INET46)
+				else if (type->family == NFPROTO_IPSET_IPV46)
 					printf("\nType %s supports INET "
 					       "and INET6.\n",
 					       type->name);
@@ -592,7 +592,7 @@ parse_commandline(int argc, char *argv[])
 					printf("\nType %s supports family "
 					       "%s only.\n",
 					       type->name,
-					       type->family == AF_INET
+					       type->family == NFPROTO_IPV4
 						? "INET" : "INET6");
 			} else {
 				printf("\nSupported set types:\n");

extensions/ipset-6/src/ipset_bitmap_ip.c

@@ -60,10 +60,10 @@ struct ipset_type ipset_bitmap_ip0 = {
 	.name = "bitmap:ip",
 	.alias = { "ipmap", NULL },
 	.revision = 0,
-	.family = AF_INET,
+	.family = NFPROTO_IPV4,
 	.dimension = IPSET_DIM_ONE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP

extensions/ipset-6/src/ipset_bitmap_ipmac.c

@@ -57,16 +57,16 @@ struct ipset_type ipset_bitmap_ipmac0 = {
 	.name = "bitmap:ip,mac",
 	.alias = { "macipmap", NULL },
 	.revision = 0,
-	.family = AF_INET,
+	.family = NFPROTO_IPV4,
 	.dimension = IPSET_DIM_TWO,
 	.last_elem_optional = true,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_single_ip,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_ether,
 			.print = ipset_print_ether,
 			.opt = IPSET_OPT_ETHER

extensions/ipset-6/src/ipset_bitmap_port.c

@@ -51,10 +51,10 @@ struct ipset_type ipset_bitmap_port0 = {
 	.name = "bitmap:port",
 	.alias = { "portmap", NULL },
 	.revision = 0,
-	.family = AF_UNSPEC,
+	.family = NFPROTO_UNSPEC,
 	.dimension = IPSET_DIM_ONE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_tcp_port,
 			.print = ipset_print_port,
 			.opt = IPSET_OPT_PORT

extensions/ipset-6/src/ipset_hash_ip.c

@@ -83,10 +83,10 @@ struct ipset_type ipset_hash_ip0 = {
 	.name = "hash:ip",
 	.alias = { "iphash", NULL },
 	.revision = 0,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_ONE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_single6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP

extensions/ipset-6/src/ipset_hash_ipport.c

@@ -89,15 +89,15 @@ struct ipset_type ipset_hash_ipport1 = {
 	.name = "hash:ip,port",
 	.alias = { "ipporthash", NULL },
 	.revision = 1,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_TWO,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_single6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_proto_port,
 			.print = ipset_print_proto_port,
 			.opt = IPSET_OPT_PORT

extensions/ipset-6/src/ipset_hash_ipportip.c

@@ -89,20 +89,20 @@ struct ipset_type ipset_hash_ipportip1 = {
 	.name = "hash:ip,port,ip",
 	.alias = { "ipportiphash", NULL },
 	.revision = 1,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_THREE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_single6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_proto_port,
 			.print = ipset_print_proto_port,
 			.opt = IPSET_OPT_PORT
 		},
-		[IPSET_DIM_THREE] = {
+		[IPSET_DIM_THREE - 1] = {
 			.parse = ipset_parse_single_ip,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP2

extensions/ipset-6/src/ipset_hash_ipportnet.c

@@ -90,20 +90,20 @@ struct ipset_type ipset_hash_ipportnet1 = {
 	.name = "hash:ip,port,net",
 	.alias = { "ipportnethash", NULL },
 	.revision = 1,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_THREE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_single6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_proto_port,
 			.print = ipset_print_proto_port,
 			.opt = IPSET_OPT_PORT
 		},
-		[IPSET_DIM_THREE] = {
+		[IPSET_DIM_THREE - 1] = {
 			.parse = ipset_parse_ipnet,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP2
@@ -180,20 +180,20 @@ struct ipset_type ipset_hash_ipportnet2 = {
 	.name = "hash:ip,port,net",
 	.alias = { "ipportnethash", NULL },
 	.revision = 2,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_THREE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_single6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_proto_port,
 			.print = ipset_print_proto_port,
 			.opt = IPSET_OPT_PORT
 		},
-		[IPSET_DIM_THREE] = {
+		[IPSET_DIM_THREE - 1] = {
 			.parse = ipset_parse_ip4_net6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP2

extensions/ipset-6/src/ipset_hash_net.c

@@ -73,10 +73,10 @@ struct ipset_type ipset_hash_net0 = {
 	.name = "hash:net",
 	.alias = { "nethash", NULL },
 	.revision = 0,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_ONE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ipnet,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
@@ -125,10 +125,10 @@ struct ipset_type ipset_hash_net1 = {
 	.name = "hash:net",
 	.alias = { "nethash", NULL },
 	.revision = 1,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_ONE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_net6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP

extensions/ipset-6/src/ipset_hash_netiface.c

@@ -66,15 +66,15 @@ struct ipset_type ipset_hash_netiface0 = {
 	.name = "hash:net,iface",
 	.alias = { "netifacehash", NULL },
 	.revision = 0,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_TWO,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_net6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_iface,
 			.print = ipset_print_iface,
 			.opt = IPSET_OPT_IFACE

extensions/ipset-6/src/ipset_hash_netport.c

@@ -67,15 +67,15 @@ struct ipset_type ipset_hash_netport1 = {
 	.name = "hash:net,port",
 	.alias = { "netporthash", NULL },
 	.revision = 1,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_TWO,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ipnet,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_proto_port,
 			.print = ipset_print_proto_port,
 			.opt = IPSET_OPT_PORT
@@ -141,15 +141,15 @@ struct ipset_type ipset_hash_netport2 = {
 	.name = "hash:net,port",
 	.alias = { "netporthash", NULL },
 	.revision = 2,
-	.family = AF_INET46,
+	.family = NFPROTO_IPSET_IPV46,
 	.dimension = IPSET_DIM_TWO,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_ip4_net6,
 			.print = ipset_print_ip,
 			.opt = IPSET_OPT_IP
 		},
-		[IPSET_DIM_TWO] = {
+		[IPSET_DIM_TWO - 1] = {
 			.parse = ipset_parse_proto_port,
 			.print = ipset_print_proto_port,
 			.opt = IPSET_OPT_PORT

extensions/ipset-6/src/ipset_list_set.c

@@ -50,10 +50,10 @@ struct ipset_type ipset_list_set0 = {
 	.name = "list:set",
 	.alias = { "setlist", NULL },
 	.revision = 0,
-	.family = AF_UNSPEC,
+	.family = NFPROTO_UNSPEC,
 	.dimension = IPSET_DIM_ONE,
 	.elem = {
-		[IPSET_DIM_ONE] = {
+		[IPSET_DIM_ONE - 1] = {
 			.parse = ipset_parse_setname,
 			.print = ipset_print_name,
 			.opt = IPSET_OPT_NAME

extensions/ipset-6/xt_set.c

@@ -13,7 +13,6 @@
 
 #include <linux/module.h>
 #include <linux/skbuff.h>
-#include <linux/version.h>
 
 #include <linux/netfilter/x_tables.h>
 #include "xt_set.h"

extensions/ipset-6/xt_set.h

@@ -58,8 +58,8 @@ struct xt_set_info_target_v1 {
 struct xt_set_info_target_v2 {
 	struct xt_set_info add_set;
 	struct xt_set_info del_set;
-	u32 flags;
+	__u32 flags;
-	u32 timeout;
+	__u32 timeout;
 };
 
 #endif /*_XT_SET_H*/