struct xt_af {
     struct mutex mutex;    该结构的锁
     struct list_head match;  管理扩展match
     struct list_head target;     管理扩展target
#ifdef CONFIG_COMPAT
     struct mutex compat_mutex;
     struct compat_delta *compat_tab;
     unsigned int number; /* number of slots in compat_tab[] */
     unsigned int cur; /* number of used slots in compat_tab[] */
#endif
};

match结构：struct xt_match:

struct xt_match {
     struct list_head list;

     const char name[XT_EXTENSION_MAXNAMELEN];
     u_int8_t revision;

     /* Return true or false: return FALSE and set *hotdrop = 1 to
           force immediate packet drop. */
     /* Arguments changed since 2.6.9, as this must now handle
        non-linear skb, using skb_header_pointer and
        skb_ip_make_writable. */
     bool (*match)(const struct sk_buff *skb,
                struct xt_action_param *);

     /* Called when user tries to insert an entry of this type. */
     int (*checkentry)(const struct xt_mtchk_param *);

     /* Called when entry of this type deleted. */
     void (*destroy)(const struct xt_mtdtor_param *);
#ifdef CONFIG_COMPAT
     /* Called when userspace align differs from kernel space one */
     void (*compat_from_user)(void *dst, const void *src);
     int (*compat_to_user)(void __user *dst, const void *src);
#endif
     /* Set this to THIS_MODULE if you are a module, otherwise NULL */
     struct module *me;

     const char *table;
     unsigned int matchsize;
#ifdef CONFIG_COMPAT
     unsigned int compatsize;
#endif
     unsigned int hooks;
     unsigned short proto;

     unsigned short family;
};

target的结构 struct xt_target:

struct xt_target {
     struct list_head list;

     const char name[XT_EXTENSION_MAXNAMELEN];
     u_int8_t revision;

     /* Returns verdict. Argument order changed since 2.6.9, as this
        must now handle non-linear skbs, using skb_copy_bits and
        skb_ip_make_writable. */
     unsigned int (*target)(struct sk_buff *skb,
                      const struct xt_action_param *);

     /* Called when user tries to insert an entry of this type:
           hook_mask is a bitmask of hooks from which it can be
           called. */
     /* Should return 0 on success or an error code otherwise (-Exxxx). */
     int (*checkentry)(const struct xt_tgchk_param *);

     /* Called when entry of this type deleted. */
     void (*destroy)(const struct xt_tgdtor_param *);
#ifdef CONFIG_COMPAT
     /* Called when userspace align differs from kernel space one */
     void (*compat_from_user)(void *dst, const void *src);
     int (*compat_to_user)(void __user *dst, const void *src);
#endif
     /* Set this to THIS_MODULE if you are a module, otherwise NULL */
     struct module *me;

     const char *table;
     unsigned int targetsize;
#ifdef CONFIG_COMPAT
     unsigned int compatsize;
#endif
     unsigned int hooks;
     unsigned short proto;

     unsigned short family;
};