diff --git a/configure.ac b/configure.ac
index 0bf8a71..7438472 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,7 +59,7 @@ if test -n "$kbuilddir"; then
 		echo "$kmajor.$kminor.$kmicro.$kstable in $kbuilddir";
 		if test "$kmajor" -gt 4 -o "$kmajor" -eq 4 -a "$kminor" -gt 12; then
 			echo "WARNING: That kernel version is not officially supported yet. Continue at own luck.";
-		elif test "$kmajor" -eq 4 -a "$kminor" -le 8; then
+		elif test "$kmajor" -eq 4 -a "$kminor" -le 9; then
 			echo "WARNING: That kernel version is not officially supported.";
 		elif test "$kmajor" -eq 4 -a "$kminor" -le 10; then
 			:;
diff --git a/doc/changelog.txt b/doc/changelog.txt
index 27f1386..29102c3 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -4,7 +4,7 @@ HEAD
 Enhancements:
 - support for Linux up to 4.15
 Changes:
-- remove support for Linux 3.7--4.8
+- remove support for Linux 3.7--4.9
 
 
 v2.14 (2017-11-22)
diff --git a/extensions/ACCOUNT/xt_ACCOUNT.c b/extensions/ACCOUNT/xt_ACCOUNT.c
index bd455df..67d49cb 100644
--- a/extensions/ACCOUNT/xt_ACCOUNT.c
+++ b/extensions/ACCOUNT/xt_ACCOUNT.c
@@ -482,11 +482,7 @@ static void ipt_acc_depth2_insert(struct ipt_acc_mask_8 *mask_8,
 static unsigned int
 ipt_acc_target(struct sk_buff *skb, const struct xt_action_param *par)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct ipt_acc_net *ian = net_generic(par->state->net, ipt_acc_net_id);
-#else
-	struct ipt_acc_net *ian = net_generic(par->net, ipt_acc_net_id);
-#endif
 	struct ipt_acc_table *ipt_acc_tables = ian->ipt_acc_tables;
 	const struct ipt_acc_info *info =
 		par->targinfo;
diff --git a/extensions/compat_xtables.h b/extensions/compat_xtables.h
index 23785d9..2286aa2 100644
--- a/extensions/compat_xtables.h
+++ b/extensions/compat_xtables.h
@@ -8,8 +8,8 @@
 
 #define DEBUGP Use__pr_debug__instead
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 0)
-#	warning Kernels below 4.9 not supported.
+#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 10, 0)
+#	warning Kernels below 4.10 not supported.
 #endif
 
 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
@@ -44,11 +44,7 @@
 
 static inline struct net *par_net(const struct xt_action_param *par)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 10, 0)
 	return par->state->net;
-#else
-	return par->net;
-#endif
 }
 
 #ifndef NF_CT_ASSERT
diff --git a/extensions/xt_CHAOS.c b/extensions/xt_CHAOS.c
index cee2026..eec36d4 100644
--- a/extensions/xt_CHAOS.c
+++ b/extensions/xt_CHAOS.c
@@ -58,12 +58,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 
 	{
 		struct xt_action_param local_par;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
-#else
-		local_par.in        = par->in,
-		local_par.out       = par->out,
-#endif
 		local_par.match     = xm_tcp;
 		local_par.matchinfo = &tcp_params;
 		local_par.fragoff   = fragoff;
@@ -78,14 +73,7 @@ xt_chaos_total(struct sk_buff *skb, const struct xt_action_param *par)
 	destiny = (info->variant == XTCHAOS_TARPIT) ? xt_tarpit : xt_delude;
 	{
 		struct xt_action_param local_par;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
-#else
-		local_par.in       = par->in;
-		local_par.out      = par->out;
-		local_par.hooknum  = par->hooknum;
-		local_par.family   = par->family;
-#endif
 		local_par.target   = destiny;
 		local_par.targinfo = par->targinfo;
 		destiny->target(skb, &local_par);
@@ -108,27 +96,15 @@ chaos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 
 	if ((unsigned int)prandom_u32() <= reject_percentage) {
 		struct xt_action_param local_par;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		local_par.state    = par->state;
-#else
-		local_par.in       = par->in;
-		local_par.out      = par->out;
-		local_par.hooknum  = par->hooknum;
-#endif
 		local_par.target   = xt_reject;
 		local_par.targinfo = &reject_params;
 		return xt_reject->target(skb, &local_par);
 	}
 
 	/* TARPIT/DELUDE may not be called from the OUTPUT chain */
-	if (iph->protocol == IPPROTO_TCP &&
-	    info->variant != XTCHAOS_NORMAL &&
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
-	    par->state->hook
-#else
-	    par->hooknum
-#endif
-	    != NF_INET_LOCAL_OUT)
+	if (iph->protocol == IPPROTO_TCP && info->variant != XTCHAOS_NORMAL &&
+	    par->state->hook != NF_INET_LOCAL_OUT)
 		xt_chaos_total(skb, par);
 
 	return NF_DROP;
diff --git a/extensions/xt_DELUDE.c b/extensions/xt_DELUDE.c
index 221f342..618de5e 100644
--- a/extensions/xt_DELUDE.c
+++ b/extensions/xt_DELUDE.c
@@ -146,13 +146,7 @@ delude_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	 * a problem, as that is supported since Linux 2.6.35. But since we do not
 	 * actually want to have a connection open, we are still going to drop it.
 	 */
-	delude_send_reset(par_net(par), skb,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
-	                  par->state->hook
-#else
-	                  par->hooknum
-#endif
-	                  );
+	delude_send_reset(par_net(par), skb, par->state->hook);
 	return NF_DROP;
 }
 
diff --git a/extensions/xt_DNETMAP.c b/extensions/xt_DNETMAP.c
index c574251..1b415c3 100644
--- a/extensions/xt_DNETMAP.c
+++ b/extensions/xt_DNETMAP.c
@@ -356,11 +356,7 @@ out:
 static unsigned int
 dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct net *net = dev_net(par->state->in ? par->state->in : par->state->out);
-#else
-	struct net *net = dev_net(par->in ? par->in : par->out);
-#endif
 	struct dnetmap_net *dnetmap_net = dnetmap_pernet(net);
 	struct nf_conn *ct;
 	enum ip_conntrack_info ctinfo;
@@ -371,11 +367,7 @@ dnetmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	struct dnetmap_entry *e;
 	struct dnetmap_prefix *p;
 	__s32 jttl;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	unsigned int hooknum = par->state->hook;
-#else
-	unsigned int hooknum = par->hooknum;
-#endif
 	ct = nf_ct_get(skb, &ctinfo);
 
 	jttl = tginfo->flags & XT_DNETMAP_TTL ? tginfo->ttl * HZ : jtimeout;
@@ -500,12 +492,7 @@ bind_new_prefix:
 	newrange.max_addr.ip = postnat_ip;
 	newrange.min_proto = mr->min_proto;
 	newrange.max_proto = mr->max_proto;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->state->hook));
-#else
-	return nf_nat_setup_info(ct, &newrange, HOOK2MANIP(par->hooknum));
-#endif
-
 no_rev_map:
 no_free_ip:
 	spin_unlock_bh(&dnetmap_lock);
diff --git a/extensions/xt_ECHO.c b/extensions/xt_ECHO.c
index 60cb815..e99312b 100644
--- a/extensions/xt_ECHO.c
+++ b/extensions/xt_ECHO.c
@@ -35,11 +35,7 @@ echo_tg6(struct sk_buff *oldskb, const struct xt_action_param *par)
 	void *payload;
 	struct flowi6 fl;
 	struct dst_entry *dst = NULL;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	struct net *net = dev_net((par->state->in != NULL) ? par->state->in : par->state->out);
-#else
-	struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
-#endif
 
 	/* This allows us to do the copy operation in fewer lines of code. */
 	if (skb_linearize(oldskb) < 0)
diff --git a/extensions/xt_LOGMARK.c b/extensions/xt_LOGMARK.c
index 02e32be..a4e4061 100644
--- a/extensions/xt_LOGMARK.c
+++ b/extensions/xt_LOGMARK.c
@@ -77,11 +77,7 @@ logmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	printk("<%u>%.*s""iif=%d hook=%s nfmark=0x%x "
 	       "secmark=0x%x classify=0x%x",
 	       info->level, (unsigned int)sizeof(info->prefix), info->prefix,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	       skb_ifindex(skb), hook_names[par->state->hook],
-#else
-	       skb_ifindex(skb), hook_names[par->hooknum],
-#endif
 	       skb_nfmark(skb), skb_secmark(skb), skb->priority);
 
 	ct = nf_ct_get(skb, &ctinfo);
diff --git a/extensions/xt_TARPIT.c b/extensions/xt_TARPIT.c
index b78683c..cb98e9e 100644
--- a/extensions/xt_TARPIT.c
+++ b/extensions/xt_TARPIT.c
@@ -431,12 +431,7 @@ tarpit_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	/* We are not interested in fragments */
 	if (iph->frag_off & htons(IP_OFFSET))
 		return NF_DROP;
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	tarpit_tcp4(par_net(par), skb, par->state->hook, info->variant);
-#else
-	tarpit_tcp4(par_net(par), skb, par->hooknum, info->variant);
-#endif
 	return NF_DROP;
 }
 
@@ -477,12 +472,7 @@ tarpit_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 		pr_debug("addr is not unicast.\n");
 		return NF_DROP;
 	}
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 	tarpit_tcp6(par_net(par), skb, par->state->hook, info->variant);
-#else
-	tarpit_tcp6(par_net(par), skb, par->hooknum, info->variant);
-#endif
 	return NF_DROP;
 }
 #endif
diff --git a/extensions/xt_iface.c b/extensions/xt_iface.c
index be52a52..7704686 100644
--- a/extensions/xt_iface.c
+++ b/extensions/xt_iface.c
@@ -45,17 +45,9 @@ static const struct net_device *iface_get(const struct xt_iface_mtinfo *info,
     const struct xt_action_param *par, struct net_device **put)
 {
 	if (info->flags & XT_IFACE_DEV_IN)
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		return par->state->in;
-#else
-		return par->in;
-#endif
 	else if (info->flags & XT_IFACE_DEV_OUT)
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		return par->state->out;
-#else
-		return par->out;
-#endif
 	return *put = dev_get_by_name(&init_net, info->ifname);
 }
 
diff --git a/extensions/xt_lscan.c b/extensions/xt_lscan.c
index 3a7d2ed..060fe44 100644
--- a/extensions/xt_lscan.c
+++ b/extensions/xt_lscan.c
@@ -204,11 +204,7 @@ lscan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 		unsigned int n;
 
 		n = lscan_mt_full(ctdata->mark & connmark_mask, ctstate,
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
 		    par->state->in == init_net.loopback_dev, tcph,
-#else
-		    par->in == init_net.loopback_dev, tcph,
-#endif
 		    skb->len - par->thoff - 4 * tcph->doff);
 
 		ctdata->mark = (ctdata->mark & ~connmark_mask) | n;