/* Connection tracking via netlink socket. Allows for user space
   * protocol helpers and general trouble making from userspace.
   *
   * (C) 2001 by Jay Schulist <jschlst@samba.org>

   * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>

   * (C) 2003 by Patrick Mchardy <kaber@trash.net>

   * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>

   *

   * Initial connection tracking via netlink development funded and

   * generally made possible by Network Robots, Inc. (www.networkrobots.com)
   *
   * Further development of this code funded by Astaro AG (http://www.astaro.com)
   *
   * This software may be used and distributed according to the terms
   * of the GNU General Public License, incorporated herein by reference.

   */
  
  #include <linux/init.h>
  #include <linux/module.h>
  #include <linux/kernel.h>

  #include <linux/rculist.h>

  #include <linux/rculist_nulls.h>

  #include <linux/types.h>
  #include <linux/timer.h>

  #include <linux/security.h>

  #include <linux/skbuff.h>
  #include <linux/errno.h>
  #include <linux/netlink.h>
  #include <linux/spinlock.h>

  #include <linux/interrupt.h>

  #include <linux/slab.h>

  #include <linux/siphash.h>

  
  #include <linux/netfilter.h>

  #include <net/netlink.h>

  #include <net/sock.h>

  #include <net/netfilter/nf_conntrack.h>
  #include <net/netfilter/nf_conntrack_core.h>

  #include <net/netfilter/nf_conntrack_expect.h>

  #include <net/netfilter/nf_conntrack_helper.h>

  #include <net/netfilter/nf_conntrack_seqadj.h>

  #include <net/netfilter/nf_conntrack_l4proto.h>

  #include <net/netfilter/nf_conntrack_tuple.h>

  #include <net/netfilter/nf_conntrack_acct.h>

  #include <net/netfilter/nf_conntrack_zones.h>

  #include <net/netfilter/nf_conntrack_timestamp.h>

  #include <net/netfilter/nf_conntrack_labels.h>

  #include <net/netfilter/nf_conntrack_synproxy.h>

  #if IS_ENABLED(CONFIG_NF_NAT)

  #include <net/netfilter/nf_nat.h>

  #include <net/netfilter/nf_nat_helper.h>

  #endif

  
  #include <linux/netfilter/nfnetlink.h>
  #include <linux/netfilter/nfnetlink_conntrack.h>

  #include "nf_internals.h"

  MODULE_LICENSE("GPL");

  static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,

  				const struct nf_conntrack_tuple *tuple,
  				const struct nf_conntrack_l4proto *l4proto)

  {

  	int ret = 0;

  	struct nlattr *nest_parms;

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);

  	if (!nest_parms)
  		goto nla_put_failure;

  	if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
  		goto nla_put_failure;

  	if (likely(l4proto->tuple_to_nlattr))
  		ret = l4proto->tuple_to_nlattr(skb, tuple);

  	nla_nest_end(skb, nest_parms);

  
  	return ret;

  nla_put_failure:

  	return -1;
  }

  static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
  				const struct nf_conntrack_tuple *tuple)
  {
  	if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
  	    nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
  		return -EMSGSIZE;
  	return 0;
  }
  
  static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
  				const struct nf_conntrack_tuple *tuple)
  {
  	if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
  	    nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
  		return -EMSGSIZE;
  	return 0;
  }

  static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,

  				    const struct nf_conntrack_tuple *tuple)

  {

  	int ret = 0;

  	struct nlattr *nest_parms;

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);

  	if (!nest_parms)
  		goto nla_put_failure;

  	switch (tuple->src.l3num) {
  	case NFPROTO_IPV4:
  		ret = ipv4_tuple_to_nlattr(skb, tuple);
  		break;
  	case NFPROTO_IPV6:
  		ret = ipv6_tuple_to_nlattr(skb, tuple);
  		break;
  	}

  	nla_nest_end(skb, nest_parms);

  	return ret;

  nla_put_failure:

  	return -1;
  }

  static int ctnetlink_dump_tuples(struct sk_buff *skb,
  				 const struct nf_conntrack_tuple *tuple)

  {

  	const struct nf_conntrack_l4proto *l4proto;

  	int ret;

  	rcu_read_lock();

  	ret = ctnetlink_dump_tuples_ip(skb, tuple);

  	if (ret >= 0) {

  		l4proto = nf_ct_l4proto_find(tuple->dst.protonum);

  		ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
  	}
  	rcu_read_unlock();

  	return ret;

  }

  static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
  				  const struct nf_conntrack_zone *zone, int dir)

  {
  	if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
  		return 0;
  	if (nla_put_be16(skb, attrtype, htons(zone->id)))
  		goto nla_put_failure;
  	return 0;
  
  nla_put_failure:
  	return -1;
  }

  static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)

  {

  	if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)

  {

  	long timeout = nf_ct_expires(ct) / HZ;

  	if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)

  {

  	const struct nf_conntrack_l4proto *l4proto;

  	struct nlattr *nest_proto;

  	int ret;

  	l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));

  	if (!l4proto->to_nlattr)

  		return 0;

  	nest_proto = nla_nest_start(skb, CTA_PROTOINFO);

  	if (!nest_proto)
  		goto nla_put_failure;

  	ret = l4proto->to_nlattr(skb, nest_proto, ct);

  	nla_nest_end(skb, nest_proto);

  
  	return ret;

  nla_put_failure:

  	return -1;
  }

  static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
  				   const struct nf_conn *ct)

  {

  	struct nlattr *nest_helper;

  	const struct nf_conn_help *help = nfct_help(ct);

  	struct nf_conntrack_helper *helper;

  	if (!help)

  		return 0;

  	helper = rcu_dereference(help->helper);
  	if (!helper)
  		goto out;

  	nest_helper = nla_nest_start(skb, CTA_HELP);

  	if (!nest_helper)
  		goto nla_put_failure;

  	if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
  		goto nla_put_failure;

  	if (helper->to_nlattr)
  		helper->to_nlattr(skb, ct);

  	nla_nest_end(skb, nest_helper);

  out:

  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int

  dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
  	      enum ip_conntrack_dir dir, int type)

  {

  	enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
  	struct nf_conn_counter *counter = acct->counter;

  	struct nlattr *nest_count;

  	u64 pkts, bytes;

  	if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
  		pkts = atomic64_xchg(&counter[dir].packets, 0);
  		bytes = atomic64_xchg(&counter[dir].bytes, 0);
  	} else {
  		pkts = atomic64_read(&counter[dir].packets);
  		bytes = atomic64_read(&counter[dir].bytes);
  	}

  	nest_count = nla_nest_start(skb, attr);

  	if (!nest_count)
  		goto nla_put_failure;

  	if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
  			 CTA_COUNTERS_PAD) ||
  	    nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
  			 CTA_COUNTERS_PAD))

  		goto nla_put_failure;

  	nla_nest_end(skb, nest_count);

  
  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int

  ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)

  {

  	struct nf_conn_acct *acct = nf_conn_acct_find(ct);

  	if (!acct)
  		return 0;

  	if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
  		return -1;
  	if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
  		return -1;
  
  	return 0;

  }
  
  static int

  ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
  {
  	struct nlattr *nest_count;
  	const struct nf_conn_tstamp *tstamp;
  
  	tstamp = nf_conn_tstamp_find(ct);
  	if (!tstamp)
  		return 0;

  	nest_count = nla_nest_start(skb, CTA_TIMESTAMP);

  	if (!nest_count)
  		goto nla_put_failure;

  	if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
  			 CTA_TIMESTAMP_PAD) ||

  	    (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,

  					       cpu_to_be64(tstamp->stop),
  					       CTA_TIMESTAMP_PAD)))

  		goto nla_put_failure;

  	nla_nest_end(skb, nest_count);
  
  	return 0;
  
  nla_put_failure:
  	return -1;
  }

  #ifdef CONFIG_NF_CONNTRACK_MARK

  static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)

  {

  	if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }
  #else
  #define ctnetlink_dump_mark(a, b) (0)
  #endif

  #ifdef CONFIG_NF_CONNTRACK_SECMARK

  static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)

  {

  	struct nlattr *nest_secctx;
  	int len, ret;
  	char *secctx;
  
  	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
  	if (ret)

  		return 0;

  
  	ret = -1;

  	nest_secctx = nla_nest_start(skb, CTA_SECCTX);

  	if (!nest_secctx)
  		goto nla_put_failure;

  	if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_secctx);
  
  	ret = 0;

  nla_put_failure:

  	security_release_secctx(secctx, len);
  	return ret;

  }
  #else

  #define ctnetlink_dump_secctx(a, b) (0)

  #endif

  #ifdef CONFIG_NF_CONNTRACK_LABELS

  static inline int ctnetlink_label_size(const struct nf_conn *ct)

  {
  	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
  
  	if (!labels)
  		return 0;

  	return nla_total_size(sizeof(labels->bits));

  }
  
  static int
  ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
  {
  	struct nf_conn_labels *labels = nf_ct_labels_find(ct);

  	unsigned int i;

  
  	if (!labels)
  		return 0;

  	i = 0;
  	do {
  		if (labels->bits[i] != 0)

  			return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
  				       labels->bits);

  		i++;

  	} while (i < ARRAY_SIZE(labels->bits));

  
  	return 0;
  }
  #else
  #define ctnetlink_dump_labels(a, b) (0)
  #define ctnetlink_label_size(a)	(0)
  #endif

  #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)

  static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)

  {
  	struct nlattr *nest_parms;
  
  	if (!(ct->status & IPS_EXPECTED))
  		return 0;

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);

  	if (!nest_parms)
  		goto nla_put_failure;
  	if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
  		goto nla_put_failure;
  	nla_nest_end(skb, nest_parms);
  
  	return 0;
  
  nla_put_failure:
  	return -1;
  }

  static int

  dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)

  {

  	struct nlattr *nest_parms;

  	nest_parms = nla_nest_start(skb, type);

  	if (!nest_parms)
  		goto nla_put_failure;

  	if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
  			 htonl(seq->correction_pos)) ||
  	    nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
  			 htonl(seq->offset_before)) ||
  	    nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
  			 htonl(seq->offset_after)))

  		goto nla_put_failure;

  
  	nla_nest_end(skb, nest_parms);
  
  	return 0;
  
  nla_put_failure:
  	return -1;
  }

  static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)

  {

  	struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
  	struct nf_ct_seqadj *seq;

  	if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)

  		return 0;

  	spin_lock_bh(&ct->lock);

  	seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
  	if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)

  		goto err;

  	seq = &seqadj->seq[IP_CT_DIR_REPLY];
  	if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)

  		goto err;

  	spin_unlock_bh(&ct->lock);

  	return 0;

  err:
  	spin_unlock_bh(&ct->lock);
  	return -1;

  }

  static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
  {
  	struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
  	struct nlattr *nest_parms;
  
  	if (!synproxy)
  		return 0;

  	nest_parms = nla_nest_start(skb, CTA_SYNPROXY);

  	if (!nest_parms)
  		goto nla_put_failure;
  
  	if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
  	    nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
  	    nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
  		goto nla_put_failure;
  
  	nla_nest_end(skb, nest_parms);
  
  	return 0;
  
  nla_put_failure:
  	return -1;
  }

  static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)

  {

  	__be32 id = (__force __be32)nf_ct_get_id(ct);
  
  	if (nla_put_be32(skb, CTA_ID, id))

  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)

  {

  	if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }

  /* all these functions access ct->ext. Caller must either hold a reference
   * on ct or prevent its deletion by holding either the bucket spinlock or
   * pcpu dying list lock.
   */
  static int ctnetlink_dump_extinfo(struct sk_buff *skb,
  				  struct nf_conn *ct, u32 type)
  {
  	if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
  	    ctnetlink_dump_timestamp(skb, ct) < 0 ||
  	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
  	    ctnetlink_dump_labels(skb, ct) < 0 ||
  	    ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
  	    ctnetlink_dump_ct_synproxy(skb, ct) < 0)
  		return -1;
  
  	return 0;
  }
  
  static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
  {
  	if (ctnetlink_dump_status(skb, ct) < 0 ||
  	    ctnetlink_dump_mark(skb, ct) < 0 ||
  	    ctnetlink_dump_secctx(skb, ct) < 0 ||
  	    ctnetlink_dump_id(skb, ct) < 0 ||
  	    ctnetlink_dump_use(skb, ct) < 0 ||
  	    ctnetlink_dump_master(skb, ct) < 0)
  		return -1;
  
  	if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
  	    (ctnetlink_dump_timeout(skb, ct) < 0 ||
  	     ctnetlink_dump_protoinfo(skb, ct) < 0))
  		return -1;
  
  	return 0;
  }

  static int

  ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,

  		    struct nf_conn *ct, bool extinfo, unsigned int flags)

  {

  	const struct nf_conntrack_zone *zone;

  	struct nlmsghdr *nlh;
  	struct nfgenmsg *nfmsg;

  	struct nlattr *nest_parms;

  	unsigned int event;

  	if (portid)
  		flags |= NLM_F_MULTI;

  	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);

  	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);

  	if (nlh == NULL)
  		goto nlmsg_failure;

  	nfmsg = nlmsg_data(nlh);

  	nfmsg->nfgen_family = nf_ct_l3num(ct);

  	nfmsg->version      = NFNETLINK_V0;
  	nfmsg->res_id	    = 0;

  	zone = nf_ct_zone(ct);

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);

  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)

  		goto nla_put_failure;

  	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
  				   NF_CT_ZONE_DIR_ORIG) < 0)
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_parms);

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);

  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)

  		goto nla_put_failure;

  	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
  				   NF_CT_ZONE_DIR_REPL) < 0)
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_parms);

  	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
  				   NF_CT_DEFAULT_ZONE_DIR) < 0)

  		goto nla_put_failure;

  	if (ctnetlink_dump_info(skb, ct) < 0)

  		goto nla_put_failure;

  	if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)

  		goto nla_put_failure;

  	nlmsg_end(skb, nlh);

  	return skb->len;
  
  nlmsg_failure:

  nla_put_failure:

  	nlmsg_cancel(skb, nlh);

  	return -1;
  }

  static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
  	[CTA_IP_V4_SRC]	= { .type = NLA_U32 },
  	[CTA_IP_V4_DST]	= { .type = NLA_U32 },
  	[CTA_IP_V6_SRC]	= { .len = sizeof(__be32) * 4 },
  	[CTA_IP_V6_DST]	= { .len = sizeof(__be32) * 4 },
  };

  #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)

  static size_t ctnetlink_proto_size(const struct nf_conn *ct)

  {

  	const struct nf_conntrack_l4proto *l4proto;

  	size_t len, len4 = 0;

  	len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);

  	len *= 3u; /* ORIG, REPLY, MASTER */

  	l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));

  	len += l4proto->nlattr_size;

  	if (l4proto->nlattr_tuple_size) {
  		len4 = l4proto->nlattr_tuple_size();
  		len4 *= 3u; /* ORIG, REPLY, MASTER */
  	}

  	return len + len4;

  }

  #endif

  static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)

  {
  	if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
  		return 0;
  	return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */

  	       + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
  	       + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */

  	       ;
  }

  static inline int ctnetlink_secctx_size(const struct nf_conn *ct)

  {

  #ifdef CONFIG_NF_CONNTRACK_SECMARK
  	int len, ret;

  	ret = security_secid_to_secctx(ct->secmark, NULL, &len);
  	if (ret)
  		return 0;

  	return nla_total_size(0) /* CTA_SECCTX */
  	       + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
  #else
  	return 0;

  #endif

  }

  static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)

  {
  #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
  	if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
  		return 0;

  	return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));

  #else
  	return 0;
  #endif
  }

  #ifdef CONFIG_NF_CONNTRACK_EVENTS
  static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)

  {
  	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
  	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
  	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
  	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
  	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */

  	       + ctnetlink_acct_size(ct)

  	       + ctnetlink_timestamp_size(ct)

  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
  	       + nla_total_size(0) /* CTA_PROTOINFO */
  	       + nla_total_size(0) /* CTA_HELP */
  	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */

  	       + ctnetlink_secctx_size(ct)

  #if IS_ENABLED(CONFIG_NF_NAT)

  	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
  	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */

  #endif
  #ifdef CONFIG_NF_CONNTRACK_MARK

  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */

  #endif

  #ifdef CONFIG_NF_CONNTRACK_ZONES

  	       + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */

  #endif

  	       + ctnetlink_proto_size(ct)

  	       + ctnetlink_label_size(ct)

  	       ;

  }

  static int
  ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)

  {

  	const struct nf_conntrack_zone *zone;

  	struct net *net;

  	struct nlmsghdr *nlh;
  	struct nfgenmsg *nfmsg;

  	struct nlattr *nest_parms;

  	struct nf_conn *ct = item->ct;

  	struct sk_buff *skb;
  	unsigned int type;

  	unsigned int flags = 0, group;

  	int err;

  	if (events & (1 << IPCT_DESTROY)) {

  		type = IPCTNL_MSG_CT_DELETE;
  		group = NFNLGRP_CONNTRACK_DESTROY;

  	} else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {

  		type = IPCTNL_MSG_CT_NEW;
  		flags = NLM_F_CREATE|NLM_F_EXCL;

  		group = NFNLGRP_CONNTRACK_NEW;

  	} else if (events) {

  		type = IPCTNL_MSG_CT_NEW;
  		group = NFNLGRP_CONNTRACK_UPDATE;
  	} else

  		return 0;

  	net = nf_ct_net(ct);
  	if (!item->report && !nfnetlink_has_listeners(net, group))

  		return 0;

  	skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
  	if (skb == NULL)

  		goto errout;

  	type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);

  	nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);

  	if (nlh == NULL)
  		goto nlmsg_failure;

  	nfmsg = nlmsg_data(nlh);

  	nfmsg->nfgen_family = nf_ct_l3num(ct);

  	nfmsg->version	= NFNETLINK_V0;
  	nfmsg->res_id	= 0;

  	zone = nf_ct_zone(ct);

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);

  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)

  		goto nla_put_failure;

  	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
  				   NF_CT_ZONE_DIR_ORIG) < 0)
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_parms);

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);

  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)

  		goto nla_put_failure;

  	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
  				   NF_CT_ZONE_DIR_REPL) < 0)
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_parms);

  	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
  				   NF_CT_DEFAULT_ZONE_DIR) < 0)

  		goto nla_put_failure;

  	if (ctnetlink_dump_id(skb, ct) < 0)
  		goto nla_put_failure;

  	if (ctnetlink_dump_status(skb, ct) < 0)
  		goto nla_put_failure;

  	if (events & (1 << IPCT_DESTROY)) {

  		if (ctnetlink_dump_acct(skb, ct, type) < 0 ||

  		    ctnetlink_dump_timestamp(skb, ct) < 0)

  			goto nla_put_failure;

  	} else {

  		if (ctnetlink_dump_timeout(skb, ct) < 0)

  			goto nla_put_failure;

  		if (events & (1 << IPCT_PROTOINFO)

  		    && ctnetlink_dump_protoinfo(skb, ct) < 0)

  			goto nla_put_failure;

  		if ((events & (1 << IPCT_HELPER) || nfct_help(ct))

  		    && ctnetlink_dump_helpinfo(skb, ct) < 0)

  			goto nla_put_failure;

  #ifdef CONFIG_NF_CONNTRACK_SECMARK

  		if ((events & (1 << IPCT_SECMARK) || ct->secmark)

  		    && ctnetlink_dump_secctx(skb, ct) < 0)

  			goto nla_put_failure;

  #endif

  		if (events & (1 << IPCT_LABEL) &&
  		     ctnetlink_dump_labels(skb, ct) < 0)
  			goto nla_put_failure;

  		if (events & (1 << IPCT_RELATED) &&

  		    ctnetlink_dump_master(skb, ct) < 0)
  			goto nla_put_failure;

  		if (events & (1 << IPCT_SEQADJ) &&
  		    ctnetlink_dump_ct_seq_adj(skb, ct) < 0)

  			goto nla_put_failure;

  
  		if (events & (1 << IPCT_SYNPROXY) &&
  		    ctnetlink_dump_ct_synproxy(skb, ct) < 0)
  			goto nla_put_failure;

  	}

  #ifdef CONFIG_NF_CONNTRACK_MARK

  	if ((events & (1 << IPCT_MARK) || ct->mark)

  	    && ctnetlink_dump_mark(skb, ct) < 0)
  		goto nla_put_failure;
  #endif

  	nlmsg_end(skb, nlh);

  	err = nfnetlink_send(skb, net, item->portid, group, item->report,

  			     GFP_ATOMIC);

  	if (err == -ENOBUFS || err == -EAGAIN)
  		return -ENOBUFS;

  	return 0;

  nla_put_failure:

  	nlmsg_cancel(skb, nlh);

  nlmsg_failure:

  	kfree_skb(skb);

  errout:

  	if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
  		return -ENOBUFS;

  	return 0;

  }
  #endif /* CONFIG_NF_CONNTRACK_EVENTS */
  
  static int ctnetlink_done(struct netlink_callback *cb)
  {

  	if (cb->args[1])
  		nf_ct_put((struct nf_conn *)cb->args[1]);

  	kfree(cb->data);

  	return 0;
  }

  struct ctnetlink_filter {

  	u8 family;

  
  	u_int32_t orig_flags;
  	u_int32_t reply_flags;
  
  	struct nf_conntrack_tuple orig;
  	struct nf_conntrack_tuple reply;
  	struct nf_conntrack_zone zone;

  	struct {
  		u_int32_t val;
  		u_int32_t mask;
  	} mark;
  };

  static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {
  	[CTA_FILTER_ORIG_FLAGS]		= { .type = NLA_U32 },
  	[CTA_FILTER_REPLY_FLAGS]	= { .type = NLA_U32 },
  };
  
  static int ctnetlink_parse_filter(const struct nlattr *attr,
  				  struct ctnetlink_filter *filter)
  {
  	struct nlattr *tb[CTA_FILTER_MAX + 1];
  	int ret = 0;
  
  	ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy,
  			       NULL);
  	if (ret)
  		return ret;
  
  	if (tb[CTA_FILTER_ORIG_FLAGS]) {
  		filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);
  		if (filter->orig_flags & ~CTA_FILTER_F_ALL)
  			return -EOPNOTSUPP;
  	}
  
  	if (tb[CTA_FILTER_REPLY_FLAGS]) {
  		filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);
  		if (filter->reply_flags & ~CTA_FILTER_F_ALL)
  			return -EOPNOTSUPP;
  	}
  
  	return 0;
  }
  
  static int ctnetlink_parse_zone(const struct nlattr *attr,
  				struct nf_conntrack_zone *zone);
  static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
  					 struct nf_conntrack_tuple *tuple,
  					 u32 type, u_int8_t l3num,
  					 struct nf_conntrack_zone *zone,
  					 u_int32_t flags);

  static struct ctnetlink_filter *

  ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)

  {

  	struct ctnetlink_filter *filter;

  	int err;

  #ifndef CONFIG_NF_CONNTRACK_MARK

  	if (cda[CTA_MARK] || cda[CTA_MARK_MASK])

  		return ERR_PTR(-EOPNOTSUPP);
  #endif

  	filter = kzalloc(sizeof(*filter), GFP_KERNEL);
  	if (filter == NULL)
  		return ERR_PTR(-ENOMEM);

  	filter->family = family;
  
  #ifdef CONFIG_NF_CONNTRACK_MARK

  	if (cda[CTA_MARK]) {

  		filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));

  		if (cda[CTA_MARK_MASK])

  			filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));

  		else

  			filter->mark.mask = 0xffffffff;

  	} else if (cda[CTA_MARK_MASK]) {

  		err = -EINVAL;
  		goto err_filter;

  	}

  #endif

  	if (!cda[CTA_FILTER])
  		return filter;
  
  	err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone);
  	if (err < 0)

  		goto err_filter;

  
  	err = ctnetlink_parse_filter(cda[CTA_FILTER], filter);
  	if (err < 0)

  		goto err_filter;

  
  	if (filter->orig_flags) {

  		if (!cda[CTA_TUPLE_ORIG]) {
  			err = -EINVAL;
  			goto err_filter;
  		}

  
  		err = ctnetlink_parse_tuple_filter(cda, &filter->orig,
  						   CTA_TUPLE_ORIG,
  						   filter->family,
  						   &filter->zone,
  						   filter->orig_flags);
  		if (err < 0)

  			goto err_filter;

  	}
  
  	if (filter->reply_flags) {

  		if (!cda[CTA_TUPLE_REPLY]) {
  			err = -EINVAL;
  			goto err_filter;
  		}

  
  		err = ctnetlink_parse_tuple_filter(cda, &filter->reply,
  						   CTA_TUPLE_REPLY,
  						   filter->family,
  						   &filter->zone,
  						   filter->orig_flags);

  		if (err < 0) {
  			err = -EINVAL;
  			goto err_filter;
  		}

  	}

  	return filter;

  
  err_filter:
  	kfree(filter);
  
  	return ERR_PTR(err);

  }

  static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda)
  {
  	return family || cda[CTA_MARK] || cda[CTA_FILTER];
  }

  static int ctnetlink_start(struct netlink_callback *cb)
  {
  	const struct nlattr * const *cda = cb->data;
  	struct ctnetlink_filter *filter = NULL;

  	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
  	u8 family = nfmsg->nfgen_family;

  	if (ctnetlink_needs_filter(family, cda)) {

  		filter = ctnetlink_alloc_filter(cda, family);

  		if (IS_ERR(filter))
  			return PTR_ERR(filter);
  	}
  
  	cb->data = filter;
  	return 0;
  }

  static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple,
  					struct nf_conntrack_tuple *ct_tuple,
  					u_int32_t flags, int family)
  {
  	switch (family) {
  	case NFPROTO_IPV4:
  		if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
  		    filter_tuple->src.u3.ip != ct_tuple->src.u3.ip)
  			return  0;
  
  		if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
  		    filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip)
  			return  0;
  		break;
  	case NFPROTO_IPV6:
  		if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
  		    !ipv6_addr_cmp(&filter_tuple->src.u3.in6,
  				   &ct_tuple->src.u3.in6))
  			return 0;
  
  		if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
  		    !ipv6_addr_cmp(&filter_tuple->dst.u3.in6,
  				   &ct_tuple->dst.u3.in6))
  			return 0;
  		break;
  	}
  
  	if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) &&
  	    filter_tuple->dst.protonum != ct_tuple->dst.protonum)
  		return 0;
  
  	switch (ct_tuple->dst.protonum) {
  	case IPPROTO_TCP:
  	case IPPROTO_UDP:
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) &&
  		    filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port)
  			return 0;
  
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) &&
  		    filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port)
  			return 0;
  		break;
  	case IPPROTO_ICMP:
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) &&
  		    filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
  			return 0;
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) &&
  		    filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
  			return 0;
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) &&
  		    filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
  			return 0;
  		break;
  	case IPPROTO_ICMPV6:
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) &&
  		    filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
  			return 0;
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) &&
  		    filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
  			return 0;
  		if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) &&
  		    filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
  			return 0;
  		break;
  	}
  
  	return 1;
  }

  static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
  {
  	struct ctnetlink_filter *filter = data;

  	struct nf_conntrack_tuple *tuple;

  
  	if (filter == NULL)

  		goto out;
  
  	/* Match entries of a given L3 protocol number.
  	 * If it is not specified, ie. l3proto == 0,
  	 * then match everything.
  	 */
  	if (filter->family && nf_ct_l3num(ct) != filter->family)
  		goto ignore_entry;

  	if (filter->orig_flags) {
  		tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);
  		if (!ctnetlink_filter_match_tuple(&filter->orig, tuple,
  						  filter->orig_flags,
  						  filter->family))
  			goto ignore_entry;
  	}
  
  	if (filter->reply_flags) {
  		tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY);
  		if (!ctnetlink_filter_match_tuple(&filter->reply, tuple,
  						  filter->reply_flags,
  						  filter->family))
  			goto ignore_entry;
  	}

  #ifdef CONFIG_NF_CONNTRACK_MARK

  	if ((ct->mark & filter->mark.mask) != filter->mark.val)

  		goto ignore_entry;

  #endif

  out:
  	return 1;
  
  ignore_entry:

  	return 0;
  }

  static int
  ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
  {

  	unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;

  	struct net *net = sock_net(skb->sk);

  	struct nf_conn *ct, *last;

  	struct nf_conntrack_tuple_hash *h;

  	struct hlist_nulls_node *n;

  	struct nf_conn *nf_ct_evict[8];
  	int res, i;

  	spinlock_t *lockp;

  	last = (struct nf_conn *)cb->args[1];

  	i = 0;

  
  	local_bh_disable();

  	for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {

  restart:

  		while (i) {
  			i--;
  			if (nf_ct_should_gc(nf_ct_evict[i]))
  				nf_ct_kill(nf_ct_evict[i]);
  			nf_ct_put(nf_ct_evict[i]);
  		}

  		lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];

  		nf_conntrack_lock(lockp);

  		if (cb->args[0] >= nf_conntrack_htable_size) {

  			spin_unlock(lockp);
  			goto out;
  		}

  		hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
  					   hnnode) {

  			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)

  				continue;
  			ct = nf_ct_tuplehash_to_ctrack(h);

  			if (nf_ct_is_expired(ct)) {
  				if (i < ARRAY_SIZE(nf_ct_evict) &&
  				    atomic_inc_not_zero(&ct->ct_general.use))
  					nf_ct_evict[i++] = ct;
  				continue;
  			}

  			if (!net_eq(net, nf_ct_net(ct)))
  				continue;

  			if (cb->args[1]) {
  				if (ct != last)

  					continue;

  				cb->args[1] = 0;

  			}

  			if (!ctnetlink_filter_match(ct, cb->data))

  				continue;

  			res =

  			ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,

  					    cb->nlh->nlmsg_seq,
  					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),

  					    ct, true, flags);

  			if (res < 0) {

  				nf_conntrack_get(&ct->ct_general);

  				cb->args[1] = (unsigned long)ct;

  				spin_unlock(lockp);

  				goto out;

  			}
  		}

  		spin_unlock(lockp);

  		if (cb->args[1]) {

  			cb->args[1] = 0;
  			goto restart;

  		}
  	}

  out:

  	local_bh_enable();

  	if (last) {
  		/* nf ct hash resize happened, now clear the leftover. */
  		if ((struct nf_conn *)cb->args[1] == last)
  			cb->args[1] = 0;

  		nf_ct_put(last);

  	}

  	while (i) {
  		i--;
  		if (nf_ct_should_gc(nf_ct_evict[i]))
  			nf_ct_kill(nf_ct_evict[i]);
  		nf_ct_put(nf_ct_evict[i]);
  	}

  	return skb->len;
  }

  static int ipv4_nlattr_to_tuple(struct nlattr *tb[],

  				struct nf_conntrack_tuple *t,
  				u_int32_t flags)

  {

  	if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
  		if (!tb[CTA_IP_V4_SRC])
  			return -EINVAL;
  
  		t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
  	}

  	if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
  		if (!tb[CTA_IP_V4_DST])
  			return -EINVAL;
  
  		t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
  	}

  
  	return 0;
  }
  
  static int ipv6_nlattr_to_tuple(struct nlattr *tb[],

  				struct nf_conntrack_tuple *t,
  				u_int32_t flags)

  {

  	if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
  		if (!tb[CTA_IP_V6_SRC])
  			return -EINVAL;
  
  		t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
  	}

  	if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
  		if (!tb[CTA_IP_V6_DST])
  			return -EINVAL;
  
  		t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
  	}

  
  	return 0;
  }

  static int ctnetlink_parse_tuple_ip(struct nlattr *attr,

  				    struct nf_conntrack_tuple *tuple,
  				    u_int32_t flags)

  {

  	struct nlattr *tb[CTA_IP_MAX+1];

  	int ret = 0;

  	ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);

  	if (ret < 0)
  		return ret;

  	ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
  					     cta_ip_nla_policy, NULL);

  	if (ret)
  		return ret;

  	switch (tuple->src.l3num) {
  	case NFPROTO_IPV4:

  		ret = ipv4_nlattr_to_tuple(tb, tuple, flags);

  		break;
  	case NFPROTO_IPV6:

  		ret = ipv6_nlattr_to_tuple(tb, tuple, flags);

  		break;

  	}

  	return ret;
  }

  static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
  	[CTA_PROTO_NUM]	= { .type = NLA_U8 },

  };

  static int ctnetlink_parse_tuple_proto(struct nlattr *attr,

  				       struct nf_conntrack_tuple *tuple,
  				       u_int32_t flags)

  {

  	const struct nf_conntrack_l4proto *l4proto;

  	struct nlattr *tb[CTA_PROTO_MAX+1];

  	int ret = 0;

  	ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
  					  proto_nla_policy, NULL);

  	if (ret < 0)
  		return ret;

  	if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)))
  		return 0;

  	if (!tb[CTA_PROTO_NUM])

  		return -EINVAL;

  	tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);

  	rcu_read_lock();

  	l4proto = nf_ct_l4proto_find(tuple->dst.protonum);

  	if (likely(l4proto->nlattr_to_tuple)) {

  		ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
  						     l4proto->nla_policy,
  						     NULL);

  		if (ret == 0)

  			ret = l4proto->nlattr_to_tuple(tb, tuple, flags);

  	}

  	rcu_read_unlock();

  	return ret;
  }

  static int
  ctnetlink_parse_zone(const struct nlattr *attr,
  		     struct nf_conntrack_zone *zone)
  {

  	nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
  			NF_CT_DEFAULT_ZONE_DIR, 0);

  #ifdef CONFIG_NF_CONNTRACK_ZONES
  	if (attr)
  		zone->id = ntohs(nla_get_be16(attr));
  #else
  	if (attr)
  		return -EOPNOTSUPP;
  #endif
  	return 0;
  }
  
  static int
  ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
  			   struct nf_conntrack_zone *zone)
  {
  	int ret;
  
  	if (zone->id != NF_CT_DEFAULT_ZONE_ID)
  		return -EINVAL;
  
  	ret = ctnetlink_parse_zone(attr, zone);
  	if (ret < 0)
  		return ret;
  
  	if (type == CTA_TUPLE_REPLY)
  		zone->dir = NF_CT_ZONE_DIR_REPL;
  	else
  		zone->dir = NF_CT_ZONE_DIR_ORIG;
  
  	return 0;
  }

  static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
  	[CTA_TUPLE_IP]		= { .type = NLA_NESTED },
  	[CTA_TUPLE_PROTO]	= { .type = NLA_NESTED },

  	[CTA_TUPLE_ZONE]	= { .type = NLA_U16 },

  };

  #define CTA_FILTER_F_ALL_CTA_PROTO \
    (CTA_FILTER_F_CTA_PROTO_SRC_PORT | \
     CTA_FILTER_F_CTA_PROTO_DST_PORT | \
     CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \
     CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \
     CTA_FILTER_F_CTA_PROTO_ICMP_ID | \
     CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \
     CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \
     CTA_FILTER_F_CTA_PROTO_ICMPV6_ID)

  static int

  ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
  			      struct nf_conntrack_tuple *tuple, u32 type,
  			      u_int8_t l3num, struct nf_conntrack_zone *zone,
  			      u_int32_t flags)

  {

  	struct nlattr *tb[CTA_TUPLE_MAX+1];

  	int err;

  	memset(tuple, 0, sizeof(*tuple));

  	err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
  					  tuple_nla_policy, NULL);

  	if (err < 0)
  		return err;

  	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
  		return -EOPNOTSUPP;

  	tuple->src.l3num = l3num;

  	if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
  	    flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
  		if (!tb[CTA_TUPLE_IP])
  			return -EINVAL;

  		err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags);
  		if (err < 0)
  			return err;
  	}

  	if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) {
  		if (!tb[CTA_TUPLE_PROTO])
  			return -EINVAL;

  		err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags);
  		if (err < 0)
  			return err;
  	} else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) {
  		/* Can't manage proto flags without a protonum  */
  		return -EINVAL;
  	}
  
  	if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) {

  		if (!zone)
  			return -EINVAL;
  
  		err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
  						 type, zone);
  		if (err < 0)
  			return err;
  	}

  	/* orig and expect tuples get DIR_ORIGINAL */
  	if (type == CTA_TUPLE_REPLY)
  		tuple->dst.dir = IP_CT_DIR_REPLY;
  	else
  		tuple->dst.dir = IP_CT_DIR_ORIGINAL;

  	return 0;
  }

  static int
  ctnetlink_parse_tuple(const struct nlattr * const cda[],
  		      struct nf_conntrack_tuple *tuple, u32 type,
  		      u_int8_t l3num, struct nf_conntrack_zone *zone)
  {
  	return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone,
  					    CTA_FILTER_FLAG(ALL));
  }

  static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {

  	[CTA_HELP_NAME]		= { .type = NLA_NUL_STRING,
  				    .len = NF_CT_HELPER_NAME_LEN - 1 },

  };