6 files changed, 73 insertions, 322 deletions
diff --git a/include/linux/netfilter/ipset/Kbuild b/include/linux/netfilter/ipset/Kbuild
index 601fe71..e69de29 100644
--- a/include/linux/netfilter/ipset/Kbuild
+++ b/include/linux/netfilter/ipset/Kbuild
@@ -1,4 +0,0 @@
-header-y += ip_set.h
-header-y += ip_set_bitmap.h
-header-y += ip_set_hash.h
-header-y += ip_set_list.h
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 2edc64c..7958e84 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -1,6 +1,3 @@
-#ifndef _IP_SET_H
-#define _IP_SET_H
-
 /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
  *                         Patrick Schaaf <bof@bof.de>
  *                         Martin Josefsson <gandalf@wlug.westbo.se>
@@ -10,204 +7,23 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
+#ifndef _IP_SET_H
+#define _IP_SET_H
 
-#include <linux/types.h>
-
-/* The protocol version */
-#define IPSET_PROTOCOL		6
-
-/* The max length of strings including NUL: set and type identifiers */
-#define IPSET_MAXNAMELEN	32
-
-/* Message types and commands */
-enum ipset_cmd {
-	IPSET_CMD_NONE,
-	IPSET_CMD_PROTOCOL,	/* 1: Return protocol version */
-	IPSET_CMD_CREATE,	/* 2: Create a new (empty) set */
-	IPSET_CMD_DESTROY,	/* 3: Destroy a (empty) set */
-	IPSET_CMD_FLUSH,	/* 4: Remove all elements from a set */
-	IPSET_CMD_RENAME,	/* 5: Rename a set */
-	IPSET_CMD_SWAP,		/* 6: Swap two sets */
-	IPSET_CMD_LIST,		/* 7: List sets */
-	IPSET_CMD_SAVE,		/* 8: Save sets */
-	IPSET_CMD_ADD,		/* 9: Add an element to a set */
-	IPSET_CMD_DEL,		/* 10: Delete an element from a set */
-	IPSET_CMD_TEST,		/* 11: Test an element in a set */
-	IPSET_CMD_HEADER,	/* 12: Get set header data only */
-	IPSET_CMD_TYPE,		/* 13: Get set type */
-	IPSET_MSG_MAX,		/* Netlink message commands */
-
-	/* Commands in userspace: */
-	IPSET_CMD_RESTORE = IPSET_MSG_MAX, /* 14: Enter restore mode */
-	IPSET_CMD_HELP,		/* 15: Get help */
-	IPSET_CMD_VERSION,	/* 16: Get program version */
-	IPSET_CMD_QUIT,		/* 17: Quit from interactive mode */
-
-	IPSET_CMD_MAX,
-
-	IPSET_CMD_COMMIT = IPSET_CMD_MAX, /* 18: Commit buffered commands */
-};
-
-/* Attributes at command level */
-enum {
-	IPSET_ATTR_UNSPEC,
-	IPSET_ATTR_PROTOCOL,	/* 1: Protocol version */
-	IPSET_ATTR_SETNAME,	/* 2: Name of the set */
-	IPSET_ATTR_TYPENAME,	/* 3: Typename */
-	IPSET_ATTR_SETNAME2 = IPSET_ATTR_TYPENAME, /* Setname at rename/swap */
-	IPSET_ATTR_REVISION,	/* 4: Settype revision */
-	IPSET_ATTR_FAMILY,	/* 5: Settype family */
-	IPSET_ATTR_FLAGS,	/* 6: Flags at command level */
-	IPSET_ATTR_DATA,	/* 7: Nested attributes */
-	IPSET_ATTR_ADT,		/* 8: Multiple data containers */
-	IPSET_ATTR_LINENO,	/* 9: Restore lineno */
-	IPSET_ATTR_PROTOCOL_MIN, /* 10: Minimal supported version number */
-	IPSET_ATTR_REVISION_MIN	= IPSET_ATTR_PROTOCOL_MIN, /* type rev min */
-	__IPSET_ATTR_CMD_MAX,
-};
-#define IPSET_ATTR_CMD_MAX	(__IPSET_ATTR_CMD_MAX - 1)
-
-/* CADT specific attributes */
-enum {
-	IPSET_ATTR_IP = IPSET_ATTR_UNSPEC + 1,
-	IPSET_ATTR_IP_FROM = IPSET_ATTR_IP,
-	IPSET_ATTR_IP_TO,	/* 2 */
-	IPSET_ATTR_CIDR,	/* 3 */
-	IPSET_ATTR_PORT,	/* 4 */
-	IPSET_ATTR_PORT_FROM = IPSET_ATTR_PORT,
-	IPSET_ATTR_PORT_TO,	/* 5 */
-	IPSET_ATTR_TIMEOUT,	/* 6 */
-	IPSET_ATTR_PROTO,	/* 7 */
-	IPSET_ATTR_CADT_FLAGS,	/* 8 */
-	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO,	/* 9 */
-	/* Reserve empty slots */
-	IPSET_ATTR_CADT_MAX = 16,
-	/* Create-only specific attributes */
-	IPSET_ATTR_GC,
-	IPSET_ATTR_HASHSIZE,
-	IPSET_ATTR_MAXELEM,
-	IPSET_ATTR_NETMASK,
-	IPSET_ATTR_PROBES,
-	IPSET_ATTR_RESIZE,
-	IPSET_ATTR_SIZE,
-	/* Kernel-only */
-	IPSET_ATTR_ELEMENTS,
-	IPSET_ATTR_REFERENCES,
-	IPSET_ATTR_MEMSIZE,
-
-	__IPSET_ATTR_CREATE_MAX,
-};
-#define IPSET_ATTR_CREATE_MAX	(__IPSET_ATTR_CREATE_MAX - 1)
-
-/* ADT specific attributes */
-enum {
-	IPSET_ATTR_ETHER = IPSET_ATTR_CADT_MAX + 1,
-	IPSET_ATTR_NAME,
-	IPSET_ATTR_NAMEREF,
-	IPSET_ATTR_IP2,
-	IPSET_ATTR_CIDR2,
-	IPSET_ATTR_IP2_TO,
-	IPSET_ATTR_IFACE,
-	__IPSET_ATTR_ADT_MAX,
-};
-#define IPSET_ATTR_ADT_MAX	(__IPSET_ATTR_ADT_MAX - 1)
-
-/* IP specific attributes */
-enum {
-	IPSET_ATTR_IPADDR_IPV4 = IPSET_ATTR_UNSPEC + 1,
-	IPSET_ATTR_IPADDR_IPV6,
-	__IPSET_ATTR_IPADDR_MAX,
-};
-#define IPSET_ATTR_IPADDR_MAX	(__IPSET_ATTR_IPADDR_MAX - 1)
-
-/* Error codes */
-enum ipset_errno {
-	IPSET_ERR_PRIVATE = 4096,
-	IPSET_ERR_PROTOCOL,
-	IPSET_ERR_FIND_TYPE,
-	IPSET_ERR_MAX_SETS,
-	IPSET_ERR_BUSY,
-	IPSET_ERR_EXIST_SETNAME2,
-	IPSET_ERR_TYPE_MISMATCH,
-	IPSET_ERR_EXIST,
-	IPSET_ERR_INVALID_CIDR,
-	IPSET_ERR_INVALID_NETMASK,
-	IPSET_ERR_INVALID_FAMILY,
-	IPSET_ERR_TIMEOUT,
-	IPSET_ERR_REFERENCED,
-	IPSET_ERR_IPADDR_IPV4,
-	IPSET_ERR_IPADDR_IPV6,
-
-	/* Type specific error codes */
-	IPSET_ERR_TYPE_SPECIFIC = 4352,
-};
-
-/* Flags at command level */
-enum ipset_cmd_flags {
-	IPSET_FLAG_BIT_EXIST	= 0,
-	IPSET_FLAG_EXIST	= (1 << IPSET_FLAG_BIT_EXIST),
-	IPSET_FLAG_BIT_LIST_SETNAME = 1,
-	IPSET_FLAG_LIST_SETNAME	= (1 << IPSET_FLAG_BIT_LIST_SETNAME),
-	IPSET_FLAG_BIT_LIST_HEADER = 2,
-	IPSET_FLAG_LIST_HEADER	= (1 << IPSET_FLAG_BIT_LIST_HEADER),
-	IPSET_FLAG_CMD_MAX = 15,	/* Lower half */
-};
-
-/* Flags at CADT attribute level */
-enum ipset_cadt_flags {
-	IPSET_FLAG_BIT_BEFORE	= 0,
-	IPSET_FLAG_BEFORE	= (1 << IPSET_FLAG_BIT_BEFORE),
-	IPSET_FLAG_BIT_PHYSDEV	= 1,
-	IPSET_FLAG_PHYSDEV	= (1 << IPSET_FLAG_BIT_PHYSDEV),
-	IPSET_FLAG_BIT_NOMATCH	= 2,
-	IPSET_FLAG_NOMATCH	= (1 << IPSET_FLAG_BIT_NOMATCH),
-	IPSET_FLAG_CADT_MAX	= 15,	/* Upper half */
-};
-
-/* Commands with settype-specific attributes */
-enum ipset_adt {
-	IPSET_ADD,
-	IPSET_DEL,
-	IPSET_TEST,
-	IPSET_ADT_MAX,
-	IPSET_CREATE = IPSET_ADT_MAX,
-	IPSET_CADT_MAX,
-};
-
-/* Sets are identified by an index in kernel space. Tweak with ip_set_id_t
- * and IPSET_INVALID_ID if you want to increase the max number of sets.
- */
-typedef __u16 ip_set_id_t;
-
-#define IPSET_INVALID_ID		65535
-
-enum ip_set_dim {
-	IPSET_DIM_ZERO = 0,
-	IPSET_DIM_ONE,
-	IPSET_DIM_TWO,
-	IPSET_DIM_THREE,
-	/* Max dimension in elements.
-	 * If changed, new revision of iptables match/target is required.
-	 */
-	IPSET_DIM_MAX = 6,
-};
-
-/* Option flags for kernel operations */
-enum ip_set_kopt {
-	IPSET_INV_MATCH = (1 << IPSET_DIM_ZERO),
-	IPSET_DIM_ONE_SRC = (1 << IPSET_DIM_ONE),
-	IPSET_DIM_TWO_SRC = (1 << IPSET_DIM_TWO),
-	IPSET_DIM_THREE_SRC = (1 << IPSET_DIM_THREE),
-};
-
-#ifdef __KERNEL__
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/x_tables.h>
+#include <linux/stringify.h>
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
+#include <uapi/linux/netfilter/ipset/ip_set.h>
+
+#define _IP_SET_MODULE_DESC(a, b, c)		\
+	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
+#define IP_SET_MODULE_DESC(a, b, c)		\
+	_IP_SET_MODULE_DESC(a, __stringify(b), __stringify(c))
 
 /* Set features */
 enum ip_set_feature {
@@ -223,6 +39,8 @@ enum ip_set_feature {
 	IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
 	IPSET_TYPE_IFACE_FLAG = 5,
 	IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
+	IPSET_TYPE_NOMATCH_FLAG = 6,
+	IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),
 	/* Strictly speaking not a feature, but a flag for dumping:
 	 * this settype must be dumped last */
 	IPSET_DUMP_LAST_FLAG = 7,
@@ -249,7 +67,7 @@ struct ip_set_type_variant {
 	 *		returns negative error code,
 	 *			zero for no match/success to add/delete
 	 *			positive for matching element */
-	int (*kadt)(struct ip_set *set, const struct sk_buff * skb,
+	int (*kadt)(struct ip_set *set, const struct sk_buff *skb,
 		    const struct xt_action_param *par,
 		    enum ipset_adt adt, const struct ip_set_adt_opt *opt);
 
@@ -424,7 +242,8 @@ static inline int nla_put_ipaddr4(struct sk_buff *skb, int type, __be32 ipaddr)
 	return ret;
 }
 
-static inline int nla_put_ipaddr6(struct sk_buff *skb, int type, const struct in6_addr *ipaddrptr)
+static inline int nla_put_ipaddr6(struct sk_buff *skb, int type,
+				  const struct in6_addr *ipaddrptr)
 {
 	struct nlattr *__nested = ipset_nest_start(skb, type);
 	int ret;
@@ -465,31 +284,4 @@ bitmap_bytes(u32 a, u32 b)
 	return 4 * ((((b - a + 8) / 8) + 3) / 4);
 }
 
-#endif /* __KERNEL__ */
-
-/* Interface to iptables/ip6tables */
-
-#define SO_IP_SET		83
-
-union ip_set_name_index {
-	char name[IPSET_MAXNAMELEN];
-	ip_set_id_t index;
-};
-
-#define IP_SET_OP_GET_BYNAME	0x00000006	/* Get set index by name */
-struct ip_set_req_get_set {
-	unsigned int op;
-	unsigned int version;
-	union ip_set_name_index set;
-};
-
-#define IP_SET_OP_GET_BYINDEX	0x00000007	/* Get set name by index */
-/* Uses ip_set_req_get_set */
-
-#define IP_SET_OP_VERSION	0x00000100	/* Ask kernel version */
-struct ip_set_req_version {
-	unsigned int op;
-	unsigned int version;
-};
-
 #endif /*_IP_SET_H */
diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index b114d35..ef9acd3 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -137,50 +137,59 @@ htable_bits(u32 hashsize)
 #endif
 
 #define SET_HOST_MASK(family)	(family == AF_INET ? 32 : 128)
+#ifdef IP_SET_HASH_WITH_MULTI
+#define NETS_LENGTH(family)	(SET_HOST_MASK(family) + 1)
+#else
+#define NETS_LENGTH(family)	SET_HOST_MASK(family)
+#endif
 
 /* Network cidr size book keeping when the hash stores different
  * sized networks */
 static void
-add_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)
+add_cidr(struct ip_set_hash *h, u8 cidr, u8 nets_length)
 {
-	u8 i;
-
-	++h->nets[cidr-1].nets;
-
-	pr_debug("add_cidr added %u: %u\n", cidr, h->nets[cidr-1].nets);
+	int i, j;
 
-	if (h->nets[cidr-1].nets > 1)
-		return;
-
-	/* New cidr size */
-	for (i = 0; i < host_mask && h->nets[i].cidr; i++) {
-		/* Add in increasing prefix order, so larger cidr first */
-		if (h->nets[i].cidr < cidr)
-			swap(h->nets[i].cidr, cidr);
+	/* Add in increasing prefix order, so larger cidr first */
+	for (i = 0, j = -1; i < nets_length && h->nets[i].nets; i++) {
+		if (j != -1)
+			continue;
+		else if (h->nets[i].cidr < cidr)
+			j = i;
+		else if (h->nets[i].cidr == cidr) {
+			h->nets[i].nets++;
+			return;
+		}
+	}
+	if (j != -1) {
+		for (; i > j; i--) {
+			h->nets[i].cidr = h->nets[i - 1].cidr;
+			h->nets[i].nets = h->nets[i - 1].nets;
+		}
 	}
-	if (i < host_mask)
-		h->nets[i].cidr = cidr;
+	h->nets[i].cidr = cidr;
+	h->nets[i].nets = 1;
 }
 
 static void
-del_cidr(struct ip_set_hash *h, u8 cidr, u8 host_mask)
+del_cidr(struct ip_set_hash *h, u8 cidr, u8 nets_length)
 {
-	u8 i;
-
-	--h->nets[cidr-1].nets;
+	u8 i, j;
 
-	pr_debug("del_cidr deleted %u: %u\n", cidr, h->nets[cidr-1].nets);
+	for (i = 0; i < nets_length - 1 && h->nets[i].cidr != cidr; i++)
+		;
+	h->nets[i].nets--;
 
-	if (h->nets[cidr-1].nets != 0)
+	if (h->nets[i].nets != 0)
 		return;
 
-	/* All entries with this cidr size deleted, so cleanup h->cidr[] */
-	for (i = 0; i < host_mask - 1 && h->nets[i].cidr; i++) {
-		if (h->nets[i].cidr == cidr)
-			h->nets[i].cidr = cidr = h->nets[i+1].cidr;
+	for (j = i; j < nets_length - 1 && h->nets[j].nets; j++) {
+		h->nets[j].cidr = h->nets[j + 1].cidr;
+		h->nets[j].nets = h->nets[j + 1].nets;
 	}
-	h->nets[i - 1].cidr = 0;
 }
+#else
+#define NETS_LENGTH(family)		0
 #endif
 
 /* Destroy the hashtable part of the set */
@@ -202,14 +211,14 @@ ahash_destroy(struct htable *t)
 
 /* Calculate the actual memory size of the set data */
 static size_t
-ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 host_mask)
+ahash_memsize(const struct ip_set_hash *h, size_t dsize, u8 nets_length)
 {
 	u32 i;
 	struct htable *t = h->table;
 	size_t memsize = sizeof(*h)
 			 + sizeof(*t)
 #ifdef IP_SET_HASH_WITH_NETS
-			 + sizeof(struct ip_set_hash_nets) * host_mask
+			 + sizeof(struct ip_set_hash_nets) * nets_length
 #endif
 			 + jhash_size(t->htable_bits) * sizeof(struct hbucket);
 
@@ -238,7 +247,7 @@ ip_set_hash_flush(struct ip_set *set)
 	}
 #ifdef IP_SET_HASH_WITH_NETS
 	memset(h->nets, 0, sizeof(struct ip_set_hash_nets)
-			   * SET_HOST_MASK(set->family));
+			   * NETS_LENGTH(set->family));
 #endif
 	h->elements = 0;
 }
@@ -271,9 +280,6 @@ ip_set_hash_destroy(struct ip_set *set)
 (jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval)	\
 	& jhash_mask(htable_bits))
 
-#define CONCAT(a, b, c)		a##b##c
-#define TOKEN(a, b, c)		CONCAT(a, b, c)
-
 /* Type/family dependent function prototypes */
 
 #define type_pf_data_equal	TOKEN(TYPE, PF, _data_equal)
@@ -478,7 +484,7 @@ type_pf_add(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	}
 
 #ifdef IP_SET_HASH_WITH_NETS
-	add_cidr(h, CIDR(d->cidr), HOST_MASK);
+	add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 	h->elements++;
 out:
@@ -513,7 +519,7 @@ type_pf_del(struct ip_set *set, void *value, u32 timeout, u32 flags)
 		n->pos--;
 		h->elements--;
 #ifdef IP_SET_HASH_WITH_NETS
-		del_cidr(h, CIDR(d->cidr), HOST_MASK);
+		del_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 		if (n->pos + AHASH_INIT_SIZE < n->size) {
 			void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
@@ -546,10 +552,10 @@ type_pf_test_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout)
 	const struct type_pf_elem *data;
 	int i, j = 0;
 	u32 key, multi = 0;
-	u8 host_mask = SET_HOST_MASK(set->family);
+	u8 nets_length = NETS_LENGTH(set->family);
 
 	pr_debug("test by nets\n");
-	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
+	for (; j < nets_length && h->nets[j].nets && !multi; j++) {
 		type_pf_data_netmask(d, h->nets[j].cidr);
 		key = HKEY(d, h->initval, t->htable_bits);
 		n = hbucket(t, key);
@@ -604,7 +610,7 @@ type_pf_head(struct ip_set *set, struct sk_buff *skb)
 	memsize = ahash_memsize(h, with_timeout(h->timeout)
 					? sizeof(struct type_pf_telem)
 					: sizeof(struct type_pf_elem),
-				set->family == AF_INET ? 32 : 128);
+				NETS_LENGTH(set->family));
 	read_unlock_bh(&set->lock);
 
 	nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
@@ -690,7 +696,7 @@ nla_put_failure:
 }
 
 static int
-type_pf_kadt(struct ip_set *set, const struct sk_buff * skb,
+type_pf_kadt(struct ip_set *set, const struct sk_buff *skb,
 	     const struct xt_action_param *par,
 	     enum ipset_adt adt, const struct ip_set_adt_opt *opt);
 static int
@@ -783,7 +789,7 @@ type_pf_elem_tadd(struct hbucket *n, const struct type_pf_elem *value,
 
 /* Delete expired elements from the hashtable */
 static void
-type_pf_expire(struct ip_set_hash *h)
+type_pf_expire(struct ip_set_hash *h, u8 nets_length)
 {
 	struct htable *t = h->table;
 	struct hbucket *n;
@@ -798,7 +804,7 @@ type_pf_expire(struct ip_set_hash *h)
 			if (type_pf_data_expired(data)) {
 				pr_debug("expired %u/%u\n", i, j);
 #ifdef IP_SET_HASH_WITH_NETS
-				del_cidr(h, CIDR(data->cidr), HOST_MASK);
+				del_cidr(h, CIDR(data->cidr), nets_length);
 #endif
 				if (j != n->pos - 1)
 					/* Not last one */
@@ -839,7 +845,7 @@ type_pf_tresize(struct ip_set *set, bool retried)
 	if (!retried) {
 		i = h->elements;
 		write_lock_bh(&set->lock);
-		type_pf_expire(set->data);
+		type_pf_expire(set->data, NETS_LENGTH(set->family));
 		write_unlock_bh(&set->lock);
 		if (h->elements <  i)
 			return 0;
@@ -904,7 +910,7 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
 
 	if (h->elements >= h->maxelem)
 		/* FIXME: when set is full, we slow down here */
-		type_pf_expire(h);
+		type_pf_expire(h, NETS_LENGTH(set->family));
 	if (h->elements >= h->maxelem) {
 		if (net_ratelimit())
 			pr_warning("Set %s is full, maxelem %u reached\n",
@@ -933,8 +939,8 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	if (j != AHASH_MAX(h) + 1) {
 		data = ahash_tdata(n, j);
 #ifdef IP_SET_HASH_WITH_NETS
-		del_cidr(h, CIDR(data->cidr), HOST_MASK);
-		add_cidr(h, CIDR(d->cidr), HOST_MASK);
+		del_cidr(h, CIDR(data->cidr), NETS_LENGTH(set->family));
+		add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 		type_pf_data_copy(data, d);
 		type_pf_data_timeout_set(data, timeout);
@@ -952,7 +958,7 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
 	}
 
 #ifdef IP_SET_HASH_WITH_NETS
-	add_cidr(h, CIDR(d->cidr), HOST_MASK);
+	add_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 	h->elements++;
 out:
@@ -986,7 +992,7 @@ type_pf_tdel(struct ip_set *set, void *value, u32 timeout, u32 flags)
 		n->pos--;
 		h->elements--;
 #ifdef IP_SET_HASH_WITH_NETS
-		del_cidr(h, CIDR(d->cidr), HOST_MASK);
+		del_cidr(h, CIDR(d->cidr), NETS_LENGTH(set->family));
 #endif
 		if (n->pos + AHASH_INIT_SIZE < n->size) {
 			void *tmp = kzalloc((n->size - AHASH_INIT_SIZE)
@@ -1016,9 +1022,9 @@ type_pf_ttest_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout)
 	struct hbucket *n;
 	int i, j = 0;
 	u32 key, multi = 0;
-	u8 host_mask = SET_HOST_MASK(set->family);
+	u8 nets_length = NETS_LENGTH(set->family);
 
-	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
+	for (; j < nets_length && h->nets[j].nets && !multi; j++) {
 		type_pf_data_netmask(d, h->nets[j].cidr);
 		key = HKEY(d, h->initval, t->htable_bits);
 		n = hbucket(t, key);
@@ -1147,7 +1153,7 @@ type_pf_gc(unsigned long ul_set)
 
 	pr_debug("called\n");
 	write_lock_bh(&set->lock);
-	type_pf_expire(h);
+	type_pf_expire(h, NETS_LENGTH(set->family));
 	write_unlock_bh(&set->lock);
 
 	h->gc.expires = jiffies + IPSET_GC_PERIOD(h->timeout) * HZ;
diff --git a/include/linux/netfilter/ipset/ip_set_bitmap.h b/include/linux/netfilter/ipset/ip_set_bitmap.h
index 61a9e87..1a30646 100644
--- a/include/linux/netfilter/ipset/ip_set_bitmap.h
+++ b/include/linux/netfilter/ipset/ip_set_bitmap.h
@@ -1,15 +1,8 @@
 #ifndef __IP_SET_BITMAP_H
 #define __IP_SET_BITMAP_H
 
-/* Bitmap type specific error codes */
-enum {
-	/* The element is out of the range of the set */
-	IPSET_ERR_BITMAP_RANGE = IPSET_ERR_TYPE_SPECIFIC,
-	/* The range exceeds the size limit of the set type */
-	IPSET_ERR_BITMAP_RANGE_SIZE,
-};
+#include <uapi/linux/netfilter/ipset/ip_set_bitmap.h>
 
-#ifdef __KERNEL__
 #define IPSET_BITMAP_MAX_RANGE	0x0000FFFF
 
 /* Common functions */
@@ -26,6 +19,4 @@ range_to_mask(u32 from, u32 to, u8 *bits)
 	return mask;
 }
 
-#endif /* __KERNEL__ */
-
 #endif /* __IP_SET_BITMAP_H */
diff --git a/include/linux/netfilter/ipset/ip_set_hash.h b/include/linux/netfilter/ipset/ip_set_hash.h
index e2a9fae..f98ddfb 100644
--- a/include/linux/netfilter/ipset/ip_set_hash.h
+++ b/include/linux/netfilter/ipset/ip_set_hash.h
@@ -1,23 +1,8 @@
 #ifndef __IP_SET_HASH_H
 #define __IP_SET_HASH_H
 
-/* Hash type specific error codes */
-enum {
-	/* Hash is full */
-	IPSET_ERR_HASH_FULL = IPSET_ERR_TYPE_SPECIFIC,
-	/* Null-valued element */
-	IPSET_ERR_HASH_ELEM,
-	/* Invalid protocol */
-	IPSET_ERR_INVALID_PROTO,
-	/* Protocol missing but must be specified */
-	IPSET_ERR_MISSING_PROTO,
-	/* Range not supported */
-	IPSET_ERR_HASH_RANGE_UNSUPPORTED,
-	/* Invalid range */
-	IPSET_ERR_HASH_RANGE,
-};
+#include <uapi/linux/netfilter/ipset/ip_set_hash.h>
 
-#ifdef __KERNEL__
 
 #define IPSET_DEFAULT_HASHSIZE		1024
 #define IPSET_MIMINAL_HASHSIZE		64
@@ -25,6 +10,4 @@ enum {
 #define IPSET_DEFAULT_PROBES		4
 #define IPSET_DEFAULT_RESIZE		100
 
-#endif /* __KERNEL__ */
-
 #endif /* __IP_SET_HASH_H */
diff --git a/include/linux/netfilter/ipset/ip_set_list.h b/include/linux/netfilter/ipset/ip_set_list.h
index 40a63f3..68c2aea 100644
--- a/include/linux/netfilter/ipset/ip_set_list.h
+++ b/include/linux/netfilter/ipset/ip_set_list.h
@@ -1,27 +1,10 @@
 #ifndef __IP_SET_LIST_H
 #define __IP_SET_LIST_H
 
-/* List type specific error codes */
-enum {
-	/* Set name to be added/deleted/tested does not exist. */
-	IPSET_ERR_NAME = IPSET_ERR_TYPE_SPECIFIC,
-	/* list:set type is not permitted to add */
-	IPSET_ERR_LOOP,
-	/* Missing reference set */
-	IPSET_ERR_BEFORE,
-	/* Reference set does not exist */
-	IPSET_ERR_NAMEREF,
-	/* Set is full */
-	IPSET_ERR_LIST_FULL,
-	/* Reference set is not added to the set */
-	IPSET_ERR_REF_EXIST,
-};
+#include <uapi/linux/netfilter/ipset/ip_set_list.h>
 
-#ifdef __KERNEL__
 
 #define IP_SET_LIST_DEFAULT_SIZE	8
 #define IP_SET_LIST_MIN_SIZE		4
 
-#endif /* __KERNEL__ */
-
 #endif /* __IP_SET_LIST_H */