Merge branch 'cthelper9' of git://git.netfilter.org/conntrack-tools into user_space_helpers

Conflicts:
	.gitignore
	src/run.c

14 files changed, 618 insertions, 9 deletions

diff --git a/include/Makefile.am b/include/Makefile.am
index cbbca6b..6bd0f7f 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,8 +1,10 @@
+SUBDIRS = linux
 
 noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
 		 sync.h conntrackd.h local.h udp.h tcp.h \
 		 debug.h log.h hash.h mcast.h conntrack.h \
 		 network.h filter.h queue.h vector.h cidr.h \
 		 traffic_stats.h netlink.h fds.h event.h bitops.h channel.h \
-		 process.h origin.h internal.h external.h date.h
+		 process.h origin.h internal.h external.h date.h nfct.h \
+		 helper.h myct.h stack.h
 
diff --git a/include/channel.h b/include/channel.h
index 9b5fad8..46a354f 100644
--- a/include/channel.h
+++ b/include/channel.h
@@ -35,7 +35,8 @@ struct tcp_channel {
 #define CHANNEL_F_BUFFERED	(1 << 1)
 #define CHANNEL_F_STREAM	(1 << 2)
 #define CHANNEL_F_ERRORS	(1 << 3)
-#define CHANNEL_F_MAX		(1 << 4)
+#define CHANNEL_F_ACCEPT	(1 << 4)
+#define CHANNEL_F_MAX		(1 << 5)
 
 union channel_type_conf {
 	struct mcast_conf mcast;
@@ -52,8 +53,12 @@ struct channel_conf {
 
 struct nlif_handle;
 
+#define CHANNEL_T_DATAGRAM	0
+#define CHANNEL_T_STREAM	1
+
 struct channel_ops {
 	int	headersiz;
+	int	type;
 	void *	(*open)(void *conf);
 	void	(*close)(void *channel);
 	int	(*send)(void *channel, const void *data, int len);
@@ -97,6 +102,8 @@ void channel_stats(struct channel *c, int fd);
 void channel_stats_extended(struct channel *c, int active,
 			    struct nlif_handle *h, int fd);
 
+int channel_type(struct channel *c);
+
 #define MULTICHANNEL_MAX	4
 
 struct multichannel {
@@ -119,6 +126,6 @@ void multichannel_stats_extended(struct multichannel *m,
 int multichannel_get_ifindex(struct multichannel *m, int i);
 int multichannel_get_current_ifindex(struct multichannel *m);
 void multichannel_set_current_channel(struct multichannel *m, int i);
-void multichannel_change_current_channel(struct multichannel *m, int i);
+void multichannel_change_current_channel(struct multichannel *m, struct channel *c);
 
 #endif /* _CHANNEL_H_ */
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 9359dfa..19e613c 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -69,6 +69,7 @@
 #define CTD_SYNC_NOTRACK	(1UL << 4)
 #define CTD_POLL		(1UL << 5)
 #define CTD_EXPECT		(1UL << 6)
+#define CTD_HELPER		(1UL << 7)
 
 /* FILENAME_MAX is 4096 on my system, perhaps too much? */
 #ifndef FILENAME_MAXLEN
@@ -134,6 +135,9 @@ struct ct_conf {
 		int syslog_facility;
 		size_t buffer_size;
 	} stats;
+	struct {
+		struct list_head list;
+	} cthelper;
 };
 
 #define STATE(x) st.x
@@ -252,24 +256,41 @@ struct ct_stats_state {
 	struct cache *cache;            /* internal events cache (netlink) */
 };
 
-union ct_state {
+#define STATE_CTH(x) state.cthelper->x
+
+struct ct_helper_state {
+	struct mnl_socket *nl;
+	uint32_t portid;
+};
+
+struct ct_state {
 	struct ct_sync_state *sync;
 	struct ct_stats_state *stats;
+	struct ct_helper_state *cthelper;
 };
 
 extern struct ct_conf conf;
-extern union ct_state state;
+extern struct ct_state state;
 extern struct ct_general_state st;
 
 struct ct_mode {
 	struct internal_handler *internal;
 	int (*init)(void);
-	void (*run)(fd_set *readfds);
 	int (*local)(int fd, int type, void *data);
 	void (*kill)(void);
 };
 
-/* conntrackd modes */
+/* basic ctnl functions */
+void ctnl_kill(void);
+int ctnl_local(int fd, int type, void *data);
+int ctnl_init(void);
+
+/* basic cthelper functions */
+void cthelper_kill(void);
+int cthelper_local(int fd, int type, void *data);
+int cthelper_init(void);
+
+/* conntrackd ctnl modes */
 extern struct ct_mode sync_mode;
 extern struct ct_mode stats_mode;
 
@@ -278,7 +299,7 @@ extern struct ct_mode stats_mode;
 /* These live in run.c */
 void killer(int foo);
 int init(void);
-void run(void);
+void select_main_loop(void);
 
 /* from read_config_yy.c */
 int
diff --git a/include/fds.h b/include/fds.h
index f3728d7..ed0c8be 100644
--- a/include/fds.h
+++ b/include/fds.h
@@ -12,11 +12,13 @@ struct fds {
 struct fds_item {
 	struct list_head        head;
 	int                     fd;
+	void			(*cb)(void *data);
+	void			*data;
 };
 
 struct fds *create_fds(void);
 void destroy_fds(struct fds *);
-int register_fd(int fd, struct fds *fds);
+int register_fd(int fd, void (*cb)(void *data), void *data, struct fds *fds);
 int unregister_fd(int fd, struct fds *fds);
 
 #endif
diff --git a/include/helper.h b/include/helper.h
new file mode 100644
index 0000000..ce5ae9b
--- /dev/null
+++ b/include/helper.h
@@ -0,0 +1,104 @@
+#ifndef _CTD_HELPER_H_
+#define _CTD_HELPER_H_
+
+#include <stdint.h>
+#include "linux_list.h"
+#include "myct.h"
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+struct pkt_buff;
+
+#define CTD_HELPER_NAME_LEN	16
+#define CTD_HELPER_POLICY_MAX	4
+
+struct ctd_helper_policy {
+	char		name[CTD_HELPER_NAME_LEN];
+	uint32_t	expect_timeout;
+	uint32_t	expect_max;
+};
+
+struct ctd_helper {
+	struct list_head	head;
+	char			name[CTD_HELPER_NAME_LEN];
+	uint8_t			l4proto;
+	int			(*cb)(struct pkt_buff *pkt,
+				      uint32_t protoff,
+				      struct myct *ct,
+				      u_int32_t ctinfo);
+
+	struct ctd_helper_policy policy[CTD_HELPER_POLICY_MAX];
+
+	int			priv_data_len;
+};
+
+struct ctd_helper_instance {
+	struct list_head	head;
+	uint32_t		queue_num;
+	uint16_t		l3proto;
+	uint8_t			l4proto;
+	struct ctd_helper	*helper;
+	struct ctd_helper_policy policy[CTD_HELPER_POLICY_MAX];
+};
+
+extern int cthelper_expect_init(struct nf_expect *exp, struct nf_conntrack *master, uint32_t class, union nfct_attr_grp_addr *saddr, union nfct_attr_grp_addr *daddr, uint8_t l4proto, uint16_t *sport, uint16_t *dport);
+extern int cthelper_add_expect(struct nf_expect *exp);
+extern int cthelper_del_expect(struct nf_expect *exp);
+
+extern void cthelper_get_addr_src(struct nf_conntrack *ct, int dir, union nfct_attr_grp_addr *addr);
+extern void cthelper_get_addr_dst(struct nf_conntrack *ct, int dir, union nfct_attr_grp_addr *addr);
+
+extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
+extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
+
+extern void helper_register(struct ctd_helper *helper);
+struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
+
+#define min_t(type, x, y) ({			\
+	type __min1 = (x);			\
+	type __min2 = (y);			\
+	__min1 < __min2 ? __min1: __min2; })
+
+#define max_t(type, x, y) ({			\
+	type __max1 = (x);			\
+	type __max2 = (y);			\
+	__max1 > __max2 ? __max1: __max2; })
+
+#define ARRAY_SIZE MNL_ARRAY_SIZE
+
+enum ip_conntrack_dir {
+	IP_CT_DIR_ORIGINAL,
+	IP_CT_DIR_REPLY,
+	IP_CT_DIR_MAX
+};
+
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info {
+	/* Part of an established connection (either direction). */
+	IP_CT_ESTABLISHED,
+
+	/* Like NEW, but related to an existing connection, or ICMP error
+	   (in either direction). */
+	IP_CT_RELATED,
+
+	/* Started a new connection to track (only
+	   IP_CT_DIR_ORIGINAL); may be a retransmission. */
+	IP_CT_NEW,
+
+	/* >= this indicates reply direction */
+	IP_CT_IS_REPLY,
+
+	IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+	IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+	IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
+	/* Number of distinct IP_CT types (no NEW in reply dirn). */
+	IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#define pr_debug printf
+
+#endif
diff --git a/include/linux/Makefile.am b/include/linux/Makefile.am
new file mode 100644
index 0000000..38eb109
--- /dev/null
+++ b/include/linux/Makefile.am
@@ -0,0 +1 @@
+SUBDIRS = netfilter
diff --git a/include/linux/netfilter/Makefile.am b/include/linux/netfilter/Makefile.am
new file mode 100644
index 0000000..6574060
--- /dev/null
+++ b/include/linux/netfilter/Makefile.am
@@ -0,0 +1 @@
+noinst_HEADERS = nfnetlink.h nfnetlink_cttimeout.h nfnetlink_queue.h nfnetlink_cthelper.h
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
new file mode 100644
index 0000000..b64454c
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink.h
@@ -0,0 +1,94 @@
+#ifndef _NFNETLINK_H
+#define _NFNETLINK_H
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink_compat.h>
+
+enum nfnetlink_groups {
+	NFNLGRP_NONE,
+#define NFNLGRP_NONE			NFNLGRP_NONE
+	NFNLGRP_CONNTRACK_NEW,
+#define NFNLGRP_CONNTRACK_NEW		NFNLGRP_CONNTRACK_NEW
+	NFNLGRP_CONNTRACK_UPDATE,
+#define NFNLGRP_CONNTRACK_UPDATE	NFNLGRP_CONNTRACK_UPDATE
+	NFNLGRP_CONNTRACK_DESTROY,
+#define NFNLGRP_CONNTRACK_DESTROY	NFNLGRP_CONNTRACK_DESTROY
+	NFNLGRP_CONNTRACK_EXP_NEW,
+#define	NFNLGRP_CONNTRACK_EXP_NEW	NFNLGRP_CONNTRACK_EXP_NEW
+	NFNLGRP_CONNTRACK_EXP_UPDATE,
+#define NFNLGRP_CONNTRACK_EXP_UPDATE	NFNLGRP_CONNTRACK_EXP_UPDATE
+	NFNLGRP_CONNTRACK_EXP_DESTROY,
+#define NFNLGRP_CONNTRACK_EXP_DESTROY	NFNLGRP_CONNTRACK_EXP_DESTROY
+	__NFNLGRP_MAX,
+};
+#define NFNLGRP_MAX	(__NFNLGRP_MAX - 1)
+
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
+	__u8  nfgen_family;		/* AF_xxx */
+	__u8  version;		/* nfnetlink version */
+	__be16    res_id;		/* resource id */
+};
+
+#define NFNETLINK_V0	0
+
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+
+#define NFNL_SUBSYS_ID(x)	((x & 0xff00) >> 8)
+#define NFNL_MSG_TYPE(x)	(x & 0x00ff)
+
+/* No enum here, otherwise __stringify() trick of MODULE_ALIAS_NFNL_SUBSYS()
+ * won't work anymore */
+#define NFNL_SUBSYS_NONE 		0
+#define NFNL_SUBSYS_CTNETLINK		1
+#define NFNL_SUBSYS_CTNETLINK_EXP	2
+#define NFNL_SUBSYS_QUEUE		3
+#define NFNL_SUBSYS_ULOG		4
+#define NFNL_SUBSYS_OSF			5
+#define NFNL_SUBSYS_IPSET		6
+#define NFNL_SUBSYS_ACCT		7
+#define NFNL_SUBSYS_COUNT		8
+
+#ifdef __KERNEL__
+
+#include <linux/netlink.h>
+#include <linux/capability.h>
+#include <net/netlink.h>
+
+struct nfnl_callback {
+	int (*call)(struct sock *nl, struct sk_buff *skb, 
+		    const struct nlmsghdr *nlh,
+		    const struct nlattr * const cda[]);
+	int (*call_rcu)(struct sock *nl, struct sk_buff *skb, 
+		    const struct nlmsghdr *nlh,
+		    const struct nlattr * const cda[]);
+	const struct nla_policy *policy;	/* netlink attribute policy */
+	const u_int16_t attr_count;		/* number of nlattr's */
+};
+
+struct nfnetlink_subsystem {
+	const char *name;
+	__u8 subsys_id;			/* nfnetlink subsystem ID */
+	__u8 cb_count;			/* number of callbacks */
+	const struct nfnl_callback *cb;	/* callback for individual types */
+};
+
+extern int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
+extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
+
+extern int nfnetlink_has_listeners(struct net *net, unsigned int group);
+extern int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 pid, unsigned group,
+			  int echo, gfp_t flags);
+extern int nfnetlink_set_err(struct net *net, u32 pid, u32 group, int error);
+extern int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u_int32_t pid, int flags);
+
+extern void nfnl_lock(void);
+extern void nfnl_unlock(void);
+
+#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
+	MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
+
+#endif	/* __KERNEL__ */
+#endif	/* _NFNETLINK_H */
diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/linux/netfilter/nfnetlink_cthelper.h
new file mode 100644
index 0000000..33659f6
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_cthelper.h
@@ -0,0 +1,55 @@
+#ifndef _NFNL_CTHELPER_H_
+#define _NFNL_CTHELPER_H_
+
+#define NFCT_HELPER_STATUS_DISABLED	0
+#define NFCT_HELPER_STATUS_ENABLED	1
+
+enum nfnl_acct_msg_types {
+	NFNL_MSG_CTHELPER_NEW,
+	NFNL_MSG_CTHELPER_GET,
+	NFNL_MSG_CTHELPER_DEL,
+	NFNL_MSG_CTHELPER_MAX
+};
+
+enum nfnl_cthelper_type {
+	NFCTH_UNSPEC,
+	NFCTH_NAME,
+	NFCTH_TUPLE,
+	NFCTH_QUEUE_NUM,
+	NFCTH_POLICY,
+	NFCTH_PRIV_DATA_LEN,
+	NFCTH_STATUS,
+	__NFCTH_MAX
+};
+#define NFCTH_MAX (__NFCTH_MAX - 1)
+
+enum nfnl_cthelper_policy_type {
+	NFCTH_POLICY_SET_UNSPEC,
+	NFCTH_POLICY_SET_NUM,
+	NFCTH_POLICY_SET,
+	NFCTH_POLICY_SET1	= NFCTH_POLICY_SET,
+	NFCTH_POLICY_SET2,
+	NFCTH_POLICY_SET3,
+	NFCTH_POLICY_SET4,
+	__NFCTH_POLICY_SET_MAX
+};
+#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
+
+enum nfnl_cthelper_pol_type {
+	NFCTH_POLICY_UNSPEC,
+	NFCTH_POLICY_NAME,
+	NFCTH_POLICY_EXPECT_MAX,
+	NFCTH_POLICY_EXPECT_TIMEOUT,
+	__NFCTH_POLICY_MAX
+};
+#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
+
+enum nfnl_cthelper_tuple_type {
+	NFCTH_TUPLE_UNSPEC,
+	NFCTH_TUPLE_L3PROTONUM,
+	NFCTH_TUPLE_L4PROTONUM,
+	__NFCTH_TUPLE_MAX,
+};
+#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
+
+#endif /* _NFNL_CTHELPER_H */
diff --git a/include/linux/netfilter/nfnetlink_cttimeout.h b/include/linux/netfilter/nfnetlink_cttimeout.h
new file mode 100644
index 0000000..a2810a7
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_cttimeout.h
@@ -0,0 +1,114 @@
+#ifndef _CTTIMEOUT_NETLINK_H
+#define _CTTIMEOUT_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum ctnl_timeout_msg_types {
+	IPCTNL_MSG_TIMEOUT_NEW,
+	IPCTNL_MSG_TIMEOUT_GET,
+	IPCTNL_MSG_TIMEOUT_DELETE,
+
+	IPCTNL_MSG_TIMEOUT_MAX
+};
+
+enum ctattr_timeout {
+	CTA_TIMEOUT_UNSPEC,
+	CTA_TIMEOUT_NAME,
+	CTA_TIMEOUT_L3PROTO,
+	CTA_TIMEOUT_L4PROTO,
+	CTA_TIMEOUT_DATA,
+	CTA_TIMEOUT_USE,
+	__CTA_TIMEOUT_MAX
+};
+#define CTA_TIMEOUT_MAX (__CTA_TIMEOUT_MAX - 1)
+
+enum ctattr_timeout_generic {
+	CTA_TIMEOUT_GENERIC_UNSPEC,
+	CTA_TIMEOUT_GENERIC_TIMEOUT,
+	__CTA_TIMEOUT_GENERIC_MAX
+};
+#define CTA_TIMEOUT_GENERIC_MAX (__CTA_TIMEOUT_GENERIC_MAX - 1)
+
+enum ctattr_timeout_tcp {
+	CTA_TIMEOUT_TCP_UNSPEC,
+	CTA_TIMEOUT_TCP_SYN_SENT,
+	CTA_TIMEOUT_TCP_SYN_RECV,
+	CTA_TIMEOUT_TCP_ESTABLISHED,
+	CTA_TIMEOUT_TCP_FIN_WAIT,
+	CTA_TIMEOUT_TCP_CLOSE_WAIT,
+	CTA_TIMEOUT_TCP_LAST_ACK,
+	CTA_TIMEOUT_TCP_TIME_WAIT,
+	CTA_TIMEOUT_TCP_CLOSE,
+	CTA_TIMEOUT_TCP_SYN_SENT2,
+	CTA_TIMEOUT_TCP_RETRANS,
+	CTA_TIMEOUT_TCP_UNACK,
+	__CTA_TIMEOUT_TCP_MAX
+};
+#define CTA_TIMEOUT_TCP_MAX (__CTA_TIMEOUT_TCP_MAX - 1)
+
+enum ctattr_timeout_udp {
+	CTA_TIMEOUT_UDP_UNSPEC,
+	CTA_TIMEOUT_UDP_UNREPLIED,
+	CTA_TIMEOUT_UDP_REPLIED,
+	__CTA_TIMEOUT_UDP_MAX
+};
+#define CTA_TIMEOUT_UDP_MAX (__CTA_TIMEOUT_UDP_MAX - 1)
+
+enum ctattr_timeout_udplite {
+	CTA_TIMEOUT_UDPLITE_UNSPEC,
+	CTA_TIMEOUT_UDPLITE_UNREPLIED,
+	CTA_TIMEOUT_UDPLITE_REPLIED,
+	__CTA_TIMEOUT_UDPLITE_MAX
+};
+#define CTA_TIMEOUT_UDPLITE_MAX (__CTA_TIMEOUT_UDPLITE_MAX - 1)
+
+enum ctattr_timeout_icmp {
+	CTA_TIMEOUT_ICMP_UNSPEC,
+	CTA_TIMEOUT_ICMP_TIMEOUT,
+	__CTA_TIMEOUT_ICMP_MAX
+};
+#define CTA_TIMEOUT_ICMP_MAX (__CTA_TIMEOUT_ICMP_MAX - 1)
+
+enum ctattr_timeout_dccp {
+	CTA_TIMEOUT_DCCP_UNSPEC,
+	CTA_TIMEOUT_DCCP_REQUEST,
+	CTA_TIMEOUT_DCCP_RESPOND,
+	CTA_TIMEOUT_DCCP_PARTOPEN,
+	CTA_TIMEOUT_DCCP_OPEN,
+	CTA_TIMEOUT_DCCP_CLOSEREQ,
+	CTA_TIMEOUT_DCCP_CLOSING,
+	CTA_TIMEOUT_DCCP_TIMEWAIT,
+	__CTA_TIMEOUT_DCCP_MAX
+};
+#define CTA_TIMEOUT_DCCP_MAX (__CTA_TIMEOUT_DCCP_MAX - 1)
+
+enum ctattr_timeout_sctp {
+	CTA_TIMEOUT_SCTP_UNSPEC,
+	CTA_TIMEOUT_SCTP_CLOSED,
+	CTA_TIMEOUT_SCTP_COOKIE_WAIT,
+	CTA_TIMEOUT_SCTP_COOKIE_ECHOED,
+	CTA_TIMEOUT_SCTP_ESTABLISHED,
+	CTA_TIMEOUT_SCTP_SHUTDOWN_SENT,
+	CTA_TIMEOUT_SCTP_SHUTDOWN_RECD,
+	CTA_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
+	__CTA_TIMEOUT_SCTP_MAX
+};
+#define CTA_TIMEOUT_SCTP_MAX (__CTA_TIMEOUT_SCTP_MAX - 1)
+
+enum ctattr_timeout_icmpv6 {
+	CTA_TIMEOUT_ICMPV6_UNSPEC,
+	CTA_TIMEOUT_ICMPV6_TIMEOUT,
+	__CTA_TIMEOUT_ICMPV6_MAX
+};
+#define CTA_TIMEOUT_ICMPV6_MAX (__CTA_TIMEOUT_ICMPV6_MAX - 1)
+
+enum ctattr_timeout_gre {
+	CTA_TIMEOUT_GRE_UNSPEC,
+	CTA_TIMEOUT_GRE_UNREPLIED,
+	CTA_TIMEOUT_GRE_REPLIED,
+	__CTA_TIMEOUT_GRE_MAX
+};
+#define CTA_TIMEOUT_GRE_MAX (__CTA_TIMEOUT_GRE_MAX - 1)
+
+#define CTNL_TIMEOUT_NAME_MAX	32
+
+#endif
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
new file mode 100644
index 0000000..da44b33
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -0,0 +1,98 @@
+#ifndef _NFNETLINK_QUEUE_H
+#define _NFNETLINK_QUEUE_H
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nfqnl_msg_types {
+	NFQNL_MSG_PACKET,		/* packet from kernel to userspace */
+	NFQNL_MSG_VERDICT,		/* verdict from userspace to kernel */
+	NFQNL_MSG_CONFIG,		/* connect to a particular queue */
+	NFQNL_MSG_VERDICT_BATCH,	/* batchv from userspace to kernel */
+
+	NFQNL_MSG_MAX
+};
+
+struct nfqnl_msg_packet_hdr {
+	__be32		packet_id;	/* unique ID of packet in queue */
+	__be16		hw_protocol;	/* hw protocol (network order) */
+	__u8	hook;		/* netfilter hook */
+} __attribute__ ((packed));
+
+struct nfqnl_msg_packet_hw {
+	__be16		hw_addrlen;
+	__u16	_pad;
+	__u8	hw_addr[8];
+};
+
+struct nfqnl_msg_packet_timestamp {
+	__aligned_be64	sec;
+	__aligned_be64	usec;
+};
+
+enum nfqnl_attr_type {
+	NFQA_UNSPEC,
+	NFQA_PACKET_HDR,
+	NFQA_VERDICT_HDR,		/* nfqnl_msg_verdict_hrd */
+	NFQA_MARK,			/* __u32 nfmark */
+	NFQA_TIMESTAMP,			/* nfqnl_msg_packet_timestamp */
+	NFQA_IFINDEX_INDEV,		/* __u32 ifindex */
+	NFQA_IFINDEX_OUTDEV,		/* __u32 ifindex */
+	NFQA_IFINDEX_PHYSINDEV,		/* __u32 ifindex */
+	NFQA_IFINDEX_PHYSOUTDEV,	/* __u32 ifindex */
+	NFQA_HWADDR,			/* nfqnl_msg_packet_hw */
+	NFQA_PAYLOAD,			/* opaque data payload */
+	NFQA_CT,			/* nf_conntrack_netlink.h */
+	NFQA_CT_INFO,			/* enum ip_conntrack_info */
+
+	__NFQA_MAX
+};
+#define NFQA_MAX (__NFQA_MAX - 1)
+
+struct nfqnl_msg_verdict_hdr {
+	__be32 verdict;
+	__be32 id;
+};
+
+
+enum nfqnl_msg_config_cmds {
+	NFQNL_CFG_CMD_NONE,
+	NFQNL_CFG_CMD_BIND,
+	NFQNL_CFG_CMD_UNBIND,
+	NFQNL_CFG_CMD_PF_BIND,
+	NFQNL_CFG_CMD_PF_UNBIND,
+};
+
+struct nfqnl_msg_config_cmd {
+	__u8	command;	/* nfqnl_msg_config_cmds */
+	__u8	_pad;
+	__be16		pf;		/* AF_xxx for PF_[UN]BIND */
+};
+
+enum nfqnl_config_mode {
+	NFQNL_COPY_NONE,
+	NFQNL_COPY_META,
+	NFQNL_COPY_PACKET,
+};
+
+struct nfqnl_msg_config_params {
+	__be32		copy_range;
+	__u8	copy_mode;	/* enum nfqnl_config_mode */
+} __attribute__ ((packed));
+
+enum nfqnl_flags {
+	NFQNL_F_NONE		= 0,
+	NFQNL_F_CONNTRACK	= (1 << 0),
+};
+
+enum nfqnl_attr_config {
+	NFQA_CFG_UNSPEC,
+	NFQA_CFG_CMD,			/* nfqnl_msg_config_cmd */
+	NFQA_CFG_PARAMS,		/* nfqnl_msg_config_params */
+	NFQA_CFG_QUEUE_MAXLEN,		/* __u32 */
+	NFQA_CFG_FLAGS,			/* __u32 */
+	__NFQA_CFG_MAX
+};
+#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
+
+#endif /* _NFNETLINK_QUEUE_H */
diff --git a/include/myct.h b/include/myct.h
new file mode 100644
index 0000000..45d9f29
--- /dev/null
+++ b/include/myct.h
@@ -0,0 +1,43 @@
+#ifndef _MYCT_H_
+#define _MYCT_H_
+
+#include "linux_list.h"
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+struct nf_conntrack;
+
+enum {
+	MYCT_NONE		= 0,
+	MYCT_ESTABLISHED	= (1 << 0),
+};
+
+enum {
+	MYCT_DIR_ORIG = 0,
+	MYCT_DIR_REPL,
+	MYCT_DIR_MAX,
+};
+
+union myct_proto {
+	uint16_t port;
+	uint16_t all;
+};
+
+struct myct_man {
+	union nfct_attr_grp_addr u3;
+	union myct_proto	u;
+	uint16_t		l3num;
+	uint8_t			protonum;
+};
+
+struct myct_tuple {
+	struct myct_man		src;
+	struct myct_man		dst;
+};
+
+struct myct {
+	struct nf_conntrack *ct;
+	void *priv_data;
+};
+
+#endif
diff --git a/include/nfct.h b/include/nfct.h
new file mode 100644
index 0000000..5548b03
--- /dev/null
+++ b/include/nfct.h
@@ -0,0 +1,39 @@
+#ifndef _NFCT_H_
+#define _NFCT_H_
+
+enum {
+	NFCT_SUBSYS_NONE = 0,
+	NFCT_SUBSYS_TIMEOUT,
+	NFCT_SUBSYS_HELPER,
+	NFCT_SUBSYS_VERSION,
+	NFCT_SUBSYS_HELP,
+};
+
+enum {
+	NFCT_CMD_NONE = 0,
+	NFCT_CMD_LIST,
+	NFCT_CMD_ADD,
+	NFCT_CMD_DELETE,
+	NFCT_CMD_GET,
+	NFCT_CMD_FLUSH,
+	NFCT_CMD_DISABLE,
+};
+
+void nfct_perror(const char *msg);
+
+int nfct_cmd_timeout_parse_params(int argc, char *argv[]);
+int nfct_cmd_timeout_list(int argc, char *argv[]);
+int nfct_cmd_timeout_add(int argc, char *argv[]);
+int nfct_cmd_timeout_delete(int argc, char *argv[]);
+int nfct_cmd_timeout_get(int argc, char *argv[]);
+int nfct_cmd_timeout_flush(int argc, char *argv[]);
+
+int nfct_cmd_helper_parse_params(int argc, char *argv[]);
+int nfct_cmd_helper_list(int argc, char *argv[]);
+int nfct_cmd_helper_add(int argc, char *argv[]);
+int nfct_cmd_helper_delete(int argc, char *argv[]);
+int nfct_cmd_helper_get(int argc, char *argv[]);
+int nfct_cmd_helper_flush(int argc, char *argv[]);
+int nfct_cmd_helper_disable(int argc, char *argv[]);
+
+#endif
diff --git a/include/stack.h b/include/stack.h
new file mode 100644
index 0000000..512a30f
--- /dev/null
+++ b/include/stack.h
@@ -0,0 +1,28 @@
+#ifndef _STACK_H_
+#define _STACK_H_
+
+#include "linux_list.h"
+
+struct stack {
+	struct list_head	list;
+	int			items;
+};
+
+static inline void stack_init(struct stack *s)
+{
+	INIT_LIST_HEAD(&s->list);
+}
+
+struct stack_item {
+	struct list_head	head;
+	int			type;
+	int			data_len;
+	char			data[0];
+};
+
+struct stack_item *stack_item_alloc(int type, size_t data_len);
+void stack_item_free(struct stack_item *e);
+void stack_item_push(struct stack *s, struct stack_item *e);
+struct stack_item *stack_item_pop(struct stack *s, int type);
+
+#endif