/* Connection tracking via netlink socket. Allows for user space
   * protocol helpers and general trouble making from userspace.
   *
   * (C) 2001 by Jay Schulist <jschlst@samba.org>

   * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>

   * (C) 2003 by Patrick Mchardy <kaber@trash.net>

   * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>

   *

   * Initial connection tracking via netlink development funded and

   * generally made possible by Network Robots, Inc. (www.networkrobots.com)
   *
   * Further development of this code funded by Astaro AG (http://www.astaro.com)
   *
   * This software may be used and distributed according to the terms
   * of the GNU General Public License, incorporated herein by reference.

   */
  
  #include <linux/init.h>
  #include <linux/module.h>
  #include <linux/kernel.h>

  #include <linux/rculist.h>

  #include <linux/rculist_nulls.h>

  #include <linux/types.h>
  #include <linux/timer.h>

  #include <linux/security.h>

  #include <linux/skbuff.h>
  #include <linux/errno.h>
  #include <linux/netlink.h>
  #include <linux/spinlock.h>

  #include <linux/interrupt.h>

  #include <linux/slab.h>

  
  #include <linux/netfilter.h>

  #include <net/netlink.h>

  #include <net/sock.h>

  #include <net/netfilter/nf_conntrack.h>
  #include <net/netfilter/nf_conntrack_core.h>

  #include <net/netfilter/nf_conntrack_expect.h>

  #include <net/netfilter/nf_conntrack_helper.h>
  #include <net/netfilter/nf_conntrack_l3proto.h>

  #include <net/netfilter/nf_conntrack_l4proto.h>

  #include <net/netfilter/nf_conntrack_tuple.h>

  #include <net/netfilter/nf_conntrack_acct.h>

  #include <net/netfilter/nf_conntrack_zones.h>

  #include <net/netfilter/nf_conntrack_timestamp.h>

  #include <net/netfilter/nf_conntrack_labels.h>

  #ifdef CONFIG_NF_NAT_NEEDED
  #include <net/netfilter/nf_nat_core.h>

  #include <net/netfilter/nf_nat_l4proto.h>

  #include <net/netfilter/nf_nat_helper.h>

  #endif

  
  #include <linux/netfilter/nfnetlink.h>
  #include <linux/netfilter/nfnetlink_conntrack.h>
  
  MODULE_LICENSE("GPL");

  static char __initdata version[] = "0.93";

  static inline int

  ctnetlink_dump_tuples_proto(struct sk_buff *skb,

  			    const struct nf_conntrack_tuple *tuple,

  			    struct nf_conntrack_l4proto *l4proto)

  {

  	int ret = 0;

  	struct nlattr *nest_parms;

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;

  	if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
  		goto nla_put_failure;

  	if (likely(l4proto->tuple_to_nlattr))
  		ret = l4proto->tuple_to_nlattr(skb, tuple);

  	nla_nest_end(skb, nest_parms);

  
  	return ret;

  nla_put_failure:

  	return -1;
  }
  
  static inline int

  ctnetlink_dump_tuples_ip(struct sk_buff *skb,
  			 const struct nf_conntrack_tuple *tuple,
  			 struct nf_conntrack_l3proto *l3proto)

  {

  	int ret = 0;

  	struct nlattr *nest_parms;
  
  	nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;

  	if (likely(l3proto->tuple_to_nlattr))
  		ret = l3proto->tuple_to_nlattr(skb, tuple);

  	nla_nest_end(skb, nest_parms);

  	return ret;

  nla_put_failure:

  	return -1;
  }

  static int

  ctnetlink_dump_tuples(struct sk_buff *skb,
  		      const struct nf_conntrack_tuple *tuple)
  {
  	int ret;
  	struct nf_conntrack_l3proto *l3proto;

  	struct nf_conntrack_l4proto *l4proto;

  	rcu_read_lock();

  	l3proto = __nf_ct_l3proto_find(tuple->src.l3num);

  	ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);

  	if (ret >= 0) {
  		l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
  					       tuple->dst.protonum);
  		ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
  	}
  	rcu_read_unlock();

  	return ret;

  }
  
  static inline int
  ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
  {

  	if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }
  
  static inline int
  ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
  {

  	long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ;

  	if (timeout < 0)

  		timeout = 0;

  	if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }
  
  static inline int

  ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)

  {

  	struct nf_conntrack_l4proto *l4proto;

  	struct nlattr *nest_proto;

  	int ret;

  	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
  	if (!l4proto->to_nlattr)

  		return 0;

  	nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
  	if (!nest_proto)
  		goto nla_put_failure;

  	ret = l4proto->to_nlattr(skb, nest_proto, ct);

  	nla_nest_end(skb, nest_proto);

  
  	return ret;

  nla_put_failure:

  	return -1;
  }
  
  static inline int
  ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
  {

  	struct nlattr *nest_helper;

  	const struct nf_conn_help *help = nfct_help(ct);

  	struct nf_conntrack_helper *helper;

  	if (!help)

  		return 0;

  	helper = rcu_dereference(help->helper);
  	if (!helper)
  		goto out;

  	nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
  	if (!nest_helper)
  		goto nla_put_failure;

  	if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
  		goto nla_put_failure;

  	if (helper->to_nlattr)
  		helper->to_nlattr(skb, ct);

  	nla_nest_end(skb, nest_helper);

  out:

  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int

  dump_counters(struct sk_buff *skb, u64 pkts, u64 bytes,
  	      enum ip_conntrack_dir dir)

  {
  	enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;

  	struct nlattr *nest_count;

  	nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
  	if (!nest_count)
  		goto nla_put_failure;

  	if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts)) ||
  	    nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes)))
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_count);

  
  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int

  ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
  			enum ip_conntrack_dir dir, int type)
  {
  	struct nf_conn_counter *acct;
  	u64 pkts, bytes;
  
  	acct = nf_conn_acct_find(ct);
  	if (!acct)
  		return 0;
  
  	if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
  		pkts = atomic64_xchg(&acct[dir].packets, 0);
  		bytes = atomic64_xchg(&acct[dir].bytes, 0);
  	} else {
  		pkts = atomic64_read(&acct[dir].packets);
  		bytes = atomic64_read(&acct[dir].bytes);
  	}
  	return dump_counters(skb, pkts, bytes, dir);
  }
  
  static int

  ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
  {
  	struct nlattr *nest_count;
  	const struct nf_conn_tstamp *tstamp;
  
  	tstamp = nf_conn_tstamp_find(ct);
  	if (!tstamp)
  		return 0;
  
  	nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
  	if (!nest_count)
  		goto nla_put_failure;

  	if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start)) ||
  	    (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
  					       cpu_to_be64(tstamp->stop))))
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_count);
  
  	return 0;
  
  nla_put_failure:
  	return -1;
  }

  #ifdef CONFIG_NF_CONNTRACK_MARK
  static inline int
  ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
  {

  	if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }
  #else
  #define ctnetlink_dump_mark(a, b) (0)
  #endif

  #ifdef CONFIG_NF_CONNTRACK_SECMARK
  static inline int

  ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)

  {

  	struct nlattr *nest_secctx;
  	int len, ret;
  	char *secctx;
  
  	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
  	if (ret)

  		return 0;

  
  	ret = -1;
  	nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
  	if (!nest_secctx)
  		goto nla_put_failure;

  	if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
  		goto nla_put_failure;

  	nla_nest_end(skb, nest_secctx);
  
  	ret = 0;

  nla_put_failure:

  	security_release_secctx(secctx, len);
  	return ret;

  }
  #else

  #define ctnetlink_dump_secctx(a, b) (0)

  #endif

  #ifdef CONFIG_NF_CONNTRACK_LABELS
  static int ctnetlink_label_size(const struct nf_conn *ct)
  {
  	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
  
  	if (!labels)
  		return 0;
  	return nla_total_size(labels->words * sizeof(long));
  }
  
  static int
  ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
  {
  	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
  	unsigned int len, i;
  
  	if (!labels)
  		return 0;
  
  	len = labels->words * sizeof(long);
  	i = 0;
  	do {
  		if (labels->bits[i] != 0)
  			return nla_put(skb, CTA_LABELS, len, labels->bits);
  		i++;
  	} while (i < labels->words);
  
  	return 0;
  }
  #else
  #define ctnetlink_dump_labels(a, b) (0)
  #define ctnetlink_label_size(a)	(0)
  #endif

  #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
  
  static inline int
  ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
  {
  	struct nlattr *nest_parms;
  
  	if (!(ct->status & IPS_EXPECTED))
  		return 0;
  
  	nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;
  	if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
  		goto nla_put_failure;
  	nla_nest_end(skb, nest_parms);
  
  	return 0;
  
  nla_put_failure:
  	return -1;
  }

  #ifdef CONFIG_NF_NAT_NEEDED

  static int

  dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type)
  {

  	struct nlattr *nest_parms;
  
  	nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;

  	if (nla_put_be32(skb, CTA_NAT_SEQ_CORRECTION_POS,
  			 htonl(natseq->correction_pos)) ||
  	    nla_put_be32(skb, CTA_NAT_SEQ_OFFSET_BEFORE,
  			 htonl(natseq->offset_before)) ||
  	    nla_put_be32(skb, CTA_NAT_SEQ_OFFSET_AFTER,
  			 htonl(natseq->offset_after)))
  		goto nla_put_failure;

  
  	nla_nest_end(skb, nest_parms);
  
  	return 0;
  
  nla_put_failure:
  	return -1;
  }
  
  static inline int
  ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
  {
  	struct nf_nat_seq *natseq;
  	struct nf_conn_nat *nat = nfct_nat(ct);
  
  	if (!(ct->status & IPS_SEQ_ADJUST) || !nat)
  		return 0;
  
  	natseq = &nat->seq[IP_CT_DIR_ORIGINAL];
  	if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1)
  		return -1;
  
  	natseq = &nat->seq[IP_CT_DIR_REPLY];
  	if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1)
  		return -1;
  
  	return 0;
  }
  #else
  #define ctnetlink_dump_nat_seq_adj(a, b) (0)
  #endif

  static inline int
  ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
  {

  	if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }
  
  static inline int
  ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
  {

  	if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
  		goto nla_put_failure;

  	return 0;

  nla_put_failure:

  	return -1;
  }

  static int

  ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,

  		    struct nf_conn *ct)

  {
  	struct nlmsghdr *nlh;
  	struct nfgenmsg *nfmsg;

  	struct nlattr *nest_parms;

  	unsigned int flags = portid ? NLM_F_MULTI : 0, event;

  	event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW);

  	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);

  	if (nlh == NULL)
  		goto nlmsg_failure;

  	nfmsg = nlmsg_data(nlh);

  	nfmsg->nfgen_family = nf_ct_l3num(ct);

  	nfmsg->version      = NFNETLINK_V0;
  	nfmsg->res_id	    = 0;

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)

  		goto nla_put_failure;
  	nla_nest_end(skb, nest_parms);

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)

  		goto nla_put_failure;
  	nla_nest_end(skb, nest_parms);

  	if (nf_ct_zone(ct) &&
  	    nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
  		goto nla_put_failure;

  	if (ctnetlink_dump_status(skb, ct) < 0 ||
  	    ctnetlink_dump_timeout(skb, ct) < 0 ||

  	    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL, type) < 0 ||
  	    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY, type) < 0 ||

  	    ctnetlink_dump_timestamp(skb, ct) < 0 ||

  	    ctnetlink_dump_protoinfo(skb, ct) < 0 ||
  	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
  	    ctnetlink_dump_mark(skb, ct) < 0 ||

  	    ctnetlink_dump_secctx(skb, ct) < 0 ||

  	    ctnetlink_dump_labels(skb, ct) < 0 ||

  	    ctnetlink_dump_id(skb, ct) < 0 ||

  	    ctnetlink_dump_use(skb, ct) < 0 ||

  	    ctnetlink_dump_master(skb, ct) < 0 ||

  	    ctnetlink_dump_nat_seq_adj(skb, ct) < 0)

  		goto nla_put_failure;

  	nlmsg_end(skb, nlh);

  	return skb->len;
  
  nlmsg_failure:

  nla_put_failure:

  	nlmsg_cancel(skb, nlh);

  	return -1;
  }

  static inline size_t
  ctnetlink_proto_size(const struct nf_conn *ct)

  {
  	struct nf_conntrack_l3proto *l3proto;
  	struct nf_conntrack_l4proto *l4proto;

  	size_t len = 0;
  
  	rcu_read_lock();
  	l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
  	len += l3proto->nla_size;
  
  	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
  	len += l4proto->nla_size;
  	rcu_read_unlock();
  
  	return len;
  }
  
  static inline size_t

  ctnetlink_counters_size(const struct nf_conn *ct)
  {
  	if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
  		return 0;
  	return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
  	       + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
  	       + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
  	       ;
  }

  static inline int
  ctnetlink_secctx_size(const struct nf_conn *ct)

  {

  #ifdef CONFIG_NF_CONNTRACK_SECMARK
  	int len, ret;

  	ret = security_secid_to_secctx(ct->secmark, NULL, &len);
  	if (ret)
  		return 0;

  	return nla_total_size(0) /* CTA_SECCTX */
  	       + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
  #else
  	return 0;

  #endif

  }

  static inline size_t

  ctnetlink_timestamp_size(const struct nf_conn *ct)
  {
  #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
  	if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
  		return 0;
  	return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t));
  #else
  	return 0;
  #endif
  }
  
  static inline size_t

  ctnetlink_nlmsg_size(const struct nf_conn *ct)
  {
  	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
  	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
  	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
  	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
  	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */

  	       + ctnetlink_counters_size(ct)

  	       + ctnetlink_timestamp_size(ct)

  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
  	       + nla_total_size(0) /* CTA_PROTOINFO */
  	       + nla_total_size(0) /* CTA_HELP */
  	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */

  	       + ctnetlink_secctx_size(ct)

  #ifdef CONFIG_NF_NAT_NEEDED

  	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
  	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */

  #endif
  #ifdef CONFIG_NF_CONNTRACK_MARK

  	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */

  #endif

  	       + ctnetlink_proto_size(ct)

  	       + ctnetlink_label_size(ct)

  	       ;

  }

  #ifdef CONFIG_NF_CONNTRACK_EVENTS

  static int
  ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)

  {

  	struct net *net;

  	struct nlmsghdr *nlh;
  	struct nfgenmsg *nfmsg;

  	struct nlattr *nest_parms;

  	struct nf_conn *ct = item->ct;

  	struct sk_buff *skb;
  	unsigned int type;

  	unsigned int flags = 0, group;

  	int err;

  
  	/* ignore our fake conntrack entry */

  	if (nf_ct_is_untracked(ct))

  		return 0;

  	if (events & (1 << IPCT_DESTROY)) {

  		type = IPCTNL_MSG_CT_DELETE;
  		group = NFNLGRP_CONNTRACK_DESTROY;

  	} else  if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {

  		type = IPCTNL_MSG_CT_NEW;
  		flags = NLM_F_CREATE|NLM_F_EXCL;

  		group = NFNLGRP_CONNTRACK_NEW;

  	} else  if (events) {

  		type = IPCTNL_MSG_CT_NEW;
  		group = NFNLGRP_CONNTRACK_UPDATE;
  	} else

  		return 0;

  	net = nf_ct_net(ct);
  	if (!item->report && !nfnetlink_has_listeners(net, group))

  		return 0;

  	skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
  	if (skb == NULL)

  		goto errout;

  	type |= NFNL_SUBSYS_CTNETLINK << 8;

  	nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);

  	if (nlh == NULL)
  		goto nlmsg_failure;

  	nfmsg = nlmsg_data(nlh);

  	nfmsg->nfgen_family = nf_ct_l3num(ct);

  	nfmsg->version	= NFNETLINK_V0;
  	nfmsg->res_id	= 0;

  	rcu_read_lock();

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)

  		goto nla_put_failure;
  	nla_nest_end(skb, nest_parms);

  	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
  	if (!nest_parms)
  		goto nla_put_failure;

  	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)

  		goto nla_put_failure;
  	nla_nest_end(skb, nest_parms);

  	if (nf_ct_zone(ct) &&
  	    nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
  		goto nla_put_failure;

  	if (ctnetlink_dump_id(skb, ct) < 0)
  		goto nla_put_failure;

  	if (ctnetlink_dump_status(skb, ct) < 0)
  		goto nla_put_failure;

  	if (events & (1 << IPCT_DESTROY)) {

  		if (ctnetlink_dump_counters(skb, ct,
  					    IP_CT_DIR_ORIGINAL, type) < 0 ||
  		    ctnetlink_dump_counters(skb, ct,
  					    IP_CT_DIR_REPLY, type) < 0 ||

  		    ctnetlink_dump_timestamp(skb, ct) < 0)

  			goto nla_put_failure;

  	} else {

  		if (ctnetlink_dump_timeout(skb, ct) < 0)

  			goto nla_put_failure;

  		if (events & (1 << IPCT_PROTOINFO)

  		    && ctnetlink_dump_protoinfo(skb, ct) < 0)

  			goto nla_put_failure;

  		if ((events & (1 << IPCT_HELPER) || nfct_help(ct))

  		    && ctnetlink_dump_helpinfo(skb, ct) < 0)

  			goto nla_put_failure;

  #ifdef CONFIG_NF_CONNTRACK_SECMARK

  		if ((events & (1 << IPCT_SECMARK) || ct->secmark)

  		    && ctnetlink_dump_secctx(skb, ct) < 0)

  			goto nla_put_failure;

  #endif

  		if (events & (1 << IPCT_LABEL) &&
  		     ctnetlink_dump_labels(skb, ct) < 0)
  			goto nla_put_failure;

  		if (events & (1 << IPCT_RELATED) &&

  		    ctnetlink_dump_master(skb, ct) < 0)
  			goto nla_put_failure;

  		if (events & (1 << IPCT_NATSEQADJ) &&

  		    ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
  			goto nla_put_failure;

  	}

  #ifdef CONFIG_NF_CONNTRACK_MARK

  	if ((events & (1 << IPCT_MARK) || ct->mark)

  	    && ctnetlink_dump_mark(skb, ct) < 0)
  		goto nla_put_failure;
  #endif

  	rcu_read_unlock();

  	nlmsg_end(skb, nlh);

  	err = nfnetlink_send(skb, net, item->portid, group, item->report,

  			     GFP_ATOMIC);

  	if (err == -ENOBUFS || err == -EAGAIN)
  		return -ENOBUFS;

  	return 0;

  nla_put_failure:

  	rcu_read_unlock();

  	nlmsg_cancel(skb, nlh);

  nlmsg_failure:

  	kfree_skb(skb);

  errout:

  	if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
  		return -ENOBUFS;

  	return 0;

  }
  #endif /* CONFIG_NF_CONNTRACK_EVENTS */
  
  static int ctnetlink_done(struct netlink_callback *cb)
  {

  	if (cb->args[1])
  		nf_ct_put((struct nf_conn *)cb->args[1]);

  	if (cb->data)
  		kfree(cb->data);

  	return 0;
  }

  struct ctnetlink_dump_filter {
  	struct {
  		u_int32_t val;
  		u_int32_t mask;
  	} mark;
  };

  static int
  ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
  {

  	struct net *net = sock_net(skb->sk);

  	struct nf_conn *ct, *last;

  	struct nf_conntrack_tuple_hash *h;

  	struct hlist_nulls_node *n;

  	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);

  	u_int8_t l3proto = nfmsg->nfgen_family;

  	int res;

  #ifdef CONFIG_NF_CONNTRACK_MARK
  	const struct ctnetlink_dump_filter *filter = cb->data;
  #endif

  	spin_lock_bh(&nf_conntrack_lock);

  	last = (struct nf_conn *)cb->args[1];

  	for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) {

  restart:

  		hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]],

  					 hnnode) {

  			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)

  				continue;
  			ct = nf_ct_tuplehash_to_ctrack(h);

  			/* Dump entries of a given L3 protocol number.
  			 * If it is not specified, ie. l3proto == 0,
  			 * then dump everything. */

  			if (l3proto && nf_ct_l3num(ct) != l3proto)

  				continue;

  			if (cb->args[1]) {
  				if (ct != last)

  					continue;

  				cb->args[1] = 0;

  			}

  #ifdef CONFIG_NF_CONNTRACK_MARK
  			if (filter && !((ct->mark & filter->mark.mask) ==
  					filter->mark.val)) {
  				continue;
  			}
  #endif

  			rcu_read_lock();
  			res =

  			ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,

  					    cb->nlh->nlmsg_seq,
  					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
  					    ct);
  			rcu_read_unlock();
  			if (res < 0) {

  				nf_conntrack_get(&ct->ct_general);

  				cb->args[1] = (unsigned long)ct;

  				goto out;

  			}
  		}

  		if (cb->args[1]) {

  			cb->args[1] = 0;
  			goto restart;

  		}
  	}

  out:

  	spin_unlock_bh(&nf_conntrack_lock);

  	if (last)
  		nf_ct_put(last);

  	return skb->len;
  }

  static inline int

  ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)

  {

  	struct nlattr *tb[CTA_IP_MAX+1];

  	struct nf_conntrack_l3proto *l3proto;
  	int ret = 0;

  	nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);

  	rcu_read_lock();
  	l3proto = __nf_ct_l3proto_find(tuple->src.l3num);

  	if (likely(l3proto->nlattr_to_tuple)) {
  		ret = nla_validate_nested(attr, CTA_IP_MAX,
  					  l3proto->nla_policy);
  		if (ret == 0)
  			ret = l3proto->nlattr_to_tuple(tb, tuple);
  	}

  	rcu_read_unlock();

  	return ret;
  }

  static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
  	[CTA_PROTO_NUM]	= { .type = NLA_U8 },

  };
  
  static inline int

  ctnetlink_parse_tuple_proto(struct nlattr *attr,

  			    struct nf_conntrack_tuple *tuple)
  {

  	struct nlattr *tb[CTA_PROTO_MAX+1];

  	struct nf_conntrack_l4proto *l4proto;

  	int ret = 0;

  	ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
  	if (ret < 0)
  		return ret;

  	if (!tb[CTA_PROTO_NUM])

  		return -EINVAL;

  	tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);

  	rcu_read_lock();
  	l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);

  	if (likely(l4proto->nlattr_to_tuple)) {
  		ret = nla_validate_nested(attr, CTA_PROTO_MAX,
  					  l4proto->nla_policy);
  		if (ret == 0)
  			ret = l4proto->nlattr_to_tuple(tb, tuple);
  	}

  	rcu_read_unlock();

  	return ret;
  }

  static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
  	[CTA_TUPLE_IP]		= { .type = NLA_NESTED },
  	[CTA_TUPLE_PROTO]	= { .type = NLA_NESTED },
  };

  static int

  ctnetlink_parse_tuple(const struct nlattr * const cda[],
  		      struct nf_conntrack_tuple *tuple,

  		      enum ctattr_type type, u_int8_t l3num)

  {

  	struct nlattr *tb[CTA_TUPLE_MAX+1];

  	int err;

  	memset(tuple, 0, sizeof(*tuple));

  	nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy);

  	if (!tb[CTA_TUPLE_IP])

  		return -EINVAL;
  
  	tuple->src.l3num = l3num;

  	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);

  	if (err < 0)
  		return err;

  	if (!tb[CTA_TUPLE_PROTO])

  		return -EINVAL;

  	err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);

  	if (err < 0)
  		return err;
  
  	/* orig and expect tuples get DIR_ORIGINAL */
  	if (type == CTA_TUPLE_REPLY)
  		tuple->dst.dir = IP_CT_DIR_REPLY;
  	else
  		tuple->dst.dir = IP_CT_DIR_ORIGINAL;

  	return 0;
  }

  static int
  ctnetlink_parse_zone(const struct nlattr *attr, u16 *zone)
  {
  	if (attr)
  #ifdef CONFIG_NF_CONNTRACK_ZONES
  		*zone = ntohs(nla_get_be16(attr));
  #else
  		return -EOPNOTSUPP;
  #endif
  	else
  		*zone = 0;
  
  	return 0;
  }

  static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {

  	[CTA_HELP_NAME]		= { .type = NLA_NUL_STRING,
  				    .len = NF_CT_HELPER_NAME_LEN - 1 },

  };

  static inline int

  ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
  		     struct nlattr **helpinfo)

  {

  	struct nlattr *tb[CTA_HELP_MAX+1];

  	nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy);

  	if (!tb[CTA_HELP_NAME])

  		return -EINVAL;

  	*helper_name = nla_data(tb[CTA_HELP_NAME]);

  	if (tb[CTA_HELP_INFO])
  		*helpinfo = tb[CTA_HELP_INFO];

  	return 0;
  }

  #define __CTA_LABELS_MAX_LENGTH ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)

  static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {

  	[CTA_TUPLE_ORIG]	= { .type = NLA_NESTED },
  	[CTA_TUPLE_REPLY]	= { .type = NLA_NESTED },

  	[CTA_STATUS] 		= { .type = NLA_U32 },

  	[CTA_PROTOINFO]		= { .type = NLA_NESTED },
  	[CTA_HELP]		= { .type = NLA_NESTED },
  	[CTA_NAT_SRC]		= { .type = NLA_NESTED },

  	[CTA_TIMEOUT] 		= { .type = NLA_U32 },
  	[CTA_MARK]		= { .type = NLA_U32 },

  	[CTA_ID]		= { .type = NLA_U32 },

  	[CTA_NAT_DST]		= { .type = NLA_NESTED },
  	[CTA_TUPLE_MASTER]	= { .type = NLA_NESTED },

  	[CTA_NAT_SEQ_ADJ_ORIG]  = { .type = NLA_NESTED },
  	[CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },

  	[CTA_ZONE]		= { .type = NLA_U16 },

  	[CTA_MARK_MASK]		= { .type = NLA_U32 },

  	[CTA_LABELS]		= { .type = NLA_BINARY,
  				    .len = __CTA_LABELS_MAX_LENGTH },
  	[CTA_LABELS_MASK]	= { .type = NLA_BINARY,
  				    .len = __CTA_LABELS_MAX_LENGTH },

  };
  
  static int

  ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,

  			const struct nlmsghdr *nlh,
  			const struct nlattr * const cda[])

  {

  	struct net *net = sock_net(ctnl);

  	struct nf_conntrack_tuple_hash *h;
  	struct nf_conntrack_tuple tuple;
  	struct nf_conn *ct;

  	struct nfgenmsg *nfmsg = nlmsg_data(nlh);

  	u_int8_t u3 = nfmsg->nfgen_family;

  	u16 zone;
  	int err;
  
  	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
  	if (err < 0)
  		return err;

  	if (cda[CTA_TUPLE_ORIG])

  		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);

  	else if (cda[CTA_TUPLE_REPLY])

  		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
  	else {
  		/* Flush the whole table */

  		nf_conntrack_flush_report(net,

  					 NETLINK_CB(skb).portid,

  					 nlmsg_report(nlh));

  		return 0;
  	}
  
  	if (err < 0)
  		return err;

  	h = nf_conntrack_find_get(net, zone, &tuple);

  	if (!h)

  		return -ENOENT;

  
  	ct = nf_ct_tuplehash_to_ctrack(h);

  	if (cda[CTA_ID]) {

  		u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));

  		if (id != (u32)(unsigned long)ct) {

  			nf_ct_put(ct);
  			return -ENOENT;
  		}

  	}

  	if (del_timer(&ct->timeout)) {
  		if (nf_conntrack_event_report(IPCT_DESTROY, ct,

  					      NETLINK_CB(skb).portid,

  					      nlmsg_report(nlh)) < 0) {
  			nf_ct_delete_from_lists(ct);
  			/* we failed to report the event, try later */

  			nf_ct_dying_timeout(ct);

  			nf_ct_put(ct);
  			return 0;
  		}
  		/* death_by_timeout would report the event again */
  		set_bit(IPS_DYING_BIT, &ct->status);

  		nf_ct_delete_from_lists(ct);

  		nf_ct_put(ct);

  	}

  	nf_ct_put(ct);

  
  	return 0;
  }
  
  static int

  ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,

  			const struct nlmsghdr *nlh,
  			const struct nlattr * const cda[])

  {

  	struct net *net = sock_net(ctnl);

  	struct nf_conntrack_tuple_hash *h;
  	struct nf_conntrack_tuple tuple;
  	struct nf_conn *ct;
  	struct sk_buff *skb2 = NULL;

  	struct nfgenmsg *nfmsg = nlmsg_data(nlh);

  	u_int8_t u3 = nfmsg->nfgen_family;

  	u16 zone;
  	int err;

  	if (nlh->nlmsg_flags & NLM_F_DUMP) {
  		struct netlink_dump_control c = {
  			.dump = ctnetlink_dump_table,
  			.done = ctnetlink_done,
  		};

  #ifdef CONFIG_NF_CONNTRACK_MARK
  		if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
  			struct ctnetlink_dump_filter *filter;
  
  			filter = kzalloc(sizeof(struct ctnetlink_dump_filter),
  					 GFP_ATOMIC);
  			if (filter == NULL)
  				return -ENOMEM;
  
  			filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
  			filter->mark.mask =
  				ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
  			c.data = filter;
  		}
  #endif

  		return netlink_dump_start(ctnl, skb, nlh, &c);
  	}

  	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
  	if (err < 0)
  		return err;

  	if (cda[CTA_TUPLE_ORIG])

  		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);

  	else if (cda[CTA_TUPLE_REPLY])

  		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
  	else
  		return -EINVAL;
  
  	if (err < 0)
  		return err;

  	h = nf_conntrack_find_get(net, zone, &tuple);

  	if (!h)

  		return -ENOENT;

  	ct = nf_ct_tuplehash_to_ctrack(h);
  
  	err = -ENOMEM;

  	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
  	if (skb2 == NULL) {

  		nf_ct_put(ct);
  		return -ENOMEM;
  	}

  	rcu_read_lock();

  	err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,

  				  NFNL_MSG_TYPE(nlh->nlmsg_type), ct);

  	rcu_read_unlock();

  	nf_ct_put(ct);
  	if (err <= 0)
  		goto free;

  	err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);

  	if (err < 0)
  		goto out;

  	return 0;
  
  free:
  	kfree_skb(skb2);
  out:

  	/* this avoids a loop in nfnetlink. */
  	return err == -EAGAIN ? -ENOBUFS : err;

  }

  static int ctnetlink_done_list(struct netlink_callback *cb)
  {
  	if (cb->args[1])
  		nf_ct_put((struct nf_conn *)cb->args[1]);
  	return 0;
  }
  
  static int
  ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb,
  		    struct hlist_nulls_head *list)
  {
  	struct nf_conn *ct, *last;
  	struct nf_conntrack_tuple_hash *h;
  	struct hlist_nulls_node *n;
  	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
  	u_int8_t l3proto = nfmsg->nfgen_family;
  	int res;
  
  	if (cb->args[2])
  		return 0;
  
  	spin_lock_bh(&nf_conntrack_lock);
  	last = (struct nf_conn *)cb->args[1];
  restart:
  	hlist_nulls_for_each_entry(h, n, list, hnnode) {
  		ct = nf_ct_tuplehash_to_ctrack(h);
  		if (l3proto && nf_ct_l3num(ct) != l3proto)
  			continue;
  		if (cb->args[1]) {
  			if (ct != last)
  				continue;
  			cb->args[1] = 0;
  		}
  		rcu_read_lock();
  		res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
  					  cb->nlh->nlmsg_seq,
  					  NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
  					  ct);
  		rcu_read_unlock();
  		if (res < 0) {
  			nf_conntrack_get(&ct->ct_general);
  			cb->args[1] = (unsigned long)ct;
  			goto out;
  		}
  	}
  	if (cb->args[1]) {
  		cb->args[1] = 0;
  		goto restart;
  	} else
  		cb->args[2] = 1;
  out:
  	spin_unlock_bh(&nf_conntrack_lock);
  	if (last)
  		nf_ct_put(last);
  
  	return skb->len;
  }
  
  static int
  ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
  {
  	struct net *net = sock_net(skb->sk);
  
  	return ctnetlink_dump_list(skb, cb, &net->ct.dying);
  }
  
  static int
  ctnetlink_get_ct_dying(struct sock *ctnl, struct sk_buff *skb,
  		       const struct nlmsghdr *nlh,
  		       const struct nlattr * const cda[])
  {
  	if (nlh->nlmsg_flags & NLM_F_DUMP) {
  		struct netlink_dump_control c = {
  			.dump = ctnetlink_dump_dying,
  			.done = ctnetlink_done_list,
  		};
  		return netlink_dump_start(ctnl, skb, nlh, &c);
  	}
  
  	return -EOPNOTSUPP;
  }
  
  static int
  ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
  {
  	struct net *net = sock_net(skb->sk);
  
  	return ctnetlink_dump_list(skb, cb, &net->ct.unconfirmed);
  }
  
  static int
  ctnetlink_get_ct_unconfirmed(struct sock *ctnl, struct sk_buff *skb,
  			     const struct nlmsghdr *nlh,
  			     const struct nlattr * const cda[])
  {
  	if (nlh->nlmsg_flags & NLM_F_DUMP) {
  		struct netlink_dump_control c = {
  			.dump = ctnetlink_dump_unconfirmed,
  			.done = ctnetlink_done_list,
  		};
  		return netlink_dump_start(ctnl, skb, nlh, &c);
  	}
  
  	return -EOPNOTSUPP;
  }

  #ifdef CONFIG_NF_NAT_NEEDED

  static int

  ctnetlink_parse_nat_setup(struct nf_conn *ct,
  			  enum nf_nat_manip_type manip,

  			  const struct nlattr *attr)

  {
  	typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;

  	int err;

  
  	parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
  	if (!parse_nat_setup) {

  #ifdef CONFIG_MODULES

  		rcu_read_unlock();

  		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);

  		if (request_module("nf-nat") < 0) {

  			nfnl_lock(NFNL_SUBSYS_CTNETLINK);

  			rcu_read_lock();
  			return -EOPNOTSUPP;
  		}

  		nfnl_lock(NFNL_SUBSYS_CTNETLINK);

  		rcu_read_lock();
  		if (nfnetlink_parse_nat_setup_hook)
  			return -EAGAIN;
  #endif
  		return -EOPNOTSUPP;
  	}

  	err = parse_nat_setup(ct, manip, attr);
  	if (err == -EAGAIN) {
  #ifdef CONFIG_MODULES
  		rcu_read_unlock();

  		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);

  		if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {

  			nfnl_lock(NFNL_SUBSYS_CTNETLINK);

  			rcu_read_lock();
  			return -EOPNOTSUPP;
  		}

  		nfnl_lock(NFNL_SUBSYS_CTNETLINK);

  		rcu_read_lock();
  #else
  		err = -EOPNOTSUPP;
  #endif
  	}
  	return err;

  }

  #endif

  
  static int

  ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])

  {
  	unsigned long d;

  	unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));

  	d = ct->status ^ status;
  
  	if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
  		/* unchangeable */

  		return -EBUSY;

  	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
  		/* SEEN_REPLY bit can only be set */

  		return -EBUSY;

  	if (d & IPS_ASSURED && !(status & IPS_ASSURED))
  		/* ASSURED bit can only be set */

  		return -EBUSY;

  	/* Be careful here, modifying NAT bits can screw up things,
  	 * so don't let users modify them directly if they don't pass

  	 * nf_nat_range. */

  	ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
  	return 0;
  }

  static int

  ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])

  {
  #ifdef CONFIG_NF_NAT_NEEDED
  	int ret;
  
  	if (cda[CTA_NAT_DST]) {
  		ret = ctnetlink_parse_nat_setup(ct,

  						NF_NAT_MANIP_DST,

  						cda[CTA_NAT_DST]);
  		if (ret < 0)
  			return ret;
  	}
  	if (cda[CTA_NAT_SRC]) {
  		ret = ctnetlink_parse_nat_setup(ct,

  						NF_NAT_MANIP_SRC,

  						cda[CTA_NAT_SRC]);
  		if (ret < 0)
  			return ret;
  	}
  	return 0;
  #else
  	return -EOPNOTSUPP;
  #endif
  }

  
  static inline int

  ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])

  {
  	struct nf_conntrack_helper *helper;

  	struct nf_conn_help *help = nfct_help(ct);

  	char *helpname = NULL;

  	struct nlattr *helpinfo = NULL;

  	int err;

  	/* don't change helper of sibling connections */
  	if (ct->master)

  		return -EBUSY;

  	err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);

  	if (err < 0)
  		return err;

  	if (!strcmp(helpname, "")) {
  		if (help && help->helper) {

  			/* we had a helper before ... */
  			nf_ct_remove_expectations(ct);

  			RCU_INIT_POINTER(help->helper, NULL);

  		}

  
  		return 0;

  	}

  	helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
  					    nf_ct_protonum(ct));

  	if (helper == NULL) {
  #ifdef CONFIG_MODULES
  		spin_unlock_bh(&nf_conntrack_lock);
  
  		if (request_module("nfct-helper-%s", helpname) < 0) {
  			spin_lock_bh(&nf_conntrack_lock);
  			return -EOPNOTSUPP;
  		}
  
  		spin_lock_bh(&nf_conntrack_lock);

  		helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
  						    nf_ct_protonum(ct));

  		if (helper)
  			return -EAGAIN;
  #endif

  		return -EOPNOTSUPP;

  	}

  	if (help) {

  		if (help->helper == helper) {
  			/* update private helper data if allowed. */

  			if (helper->from_nlattr)

  				helper->from_nlattr(helpinfo, ct);

  			return 0;

  		} else

  			return -EBUSY;

  	}

  	/* we cannot set a helper for an existing conntrack */
  	return -EOPNOTSUPP;

  }
  
  static inline int

  ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])

  {

  	u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));

  	if (!del_timer(&ct->timeout))
  		return -ETIME;
  
  	ct->timeout.expires = jiffies + timeout * HZ;
  	add_timer(&ct->timeout);
  
  	return 0;
  }

  static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
  	[CTA_PROTOINFO_TCP]	= { .type = NLA_NESTED },
  	[CTA_PROTOINFO_DCCP]	= { .type = NLA_NESTED },
  	[CTA_PROTOINFO_SCTP]	= { .type = NLA_NESTED },
  };

  static inline int

  ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])

  {

  	const struct nlattr *attr = cda[CTA_PROTOINFO];
  	struct nlattr *tb[CTA_PROTOINFO_MAX+1];

  	struct nf_conntrack_l4proto *l4proto;

  	int err = 0;

  	nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy);

  	rcu_read_lock();
  	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));

  	if (l4proto->from_nlattr)
  		err = l4proto->from_nlattr(tb, ct);

  	rcu_read_unlock();

  
  	return err;
  }

  #ifdef CONFIG_NF_NAT_NEEDED

  static const struct nla_policy nat_seq_policy[CTA_NAT_SEQ_MAX+1] = {
  	[CTA_NAT_SEQ_CORRECTION_POS]	= { .type = NLA_U32 },
  	[CTA_NAT_SEQ_OFFSET_BEFORE]	= { .type = NLA_U32 },
  	[CTA_NAT_SEQ_OFFSET_AFTER]	= { .type = NLA_U32 },
  };

  static inline int

  change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr)

  {
  	struct nlattr *cda[CTA_NAT_SEQ_MAX+1];

  	nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, nat_seq_policy);

  
  	if (!cda[CTA_NAT_SEQ_CORRECTION_POS])
  		return -EINVAL;
  
  	natseq->correction_pos =

  		ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS]));

  
  	if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE])
  		return -EINVAL;
  
  	natseq->offset_before =

  		ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE]));

  
  	if (!cda[CTA_NAT_SEQ_OFFSET_AFTER])
  		return -EINVAL;
  
  	natseq->offset_after =

  		ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER]));

  
  	return 0;
  }
  
  static int

  ctnetlink_change_nat_seq_adj(struct nf_conn *ct,
  			     const struct nlattr * const cda[])