x_tables, take 5. nfsim tested.
Today I've posted the (hopefully) final version of x_tables, the in-kernel generalization of {arp,ip,ip6}_tables, to netfilter-devel.
After some nfsim hacking, I've been able to add x_tables support to nfsim and have been successfully running the full nfsim testsuite. The testsuite found a single bug (which has been fixed), but otherwise all tests pass.
Seems like we're going to push x_tables as well as the nf_conntrack port of ctnetlink (nf_conntrack_netlink) for 2.6.16. Also, as I just noticed on kaber's blog, his IPsec patches have made it in time, too. Userspace conntrack helper support is definitely 2.6.17, though.