Merge tag 'upstream/1.4.1'

Upstream version 1.4.1

5 files changed, 2175 insertions, 0 deletions

diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
new file mode 100644
index 0000000..589b4f3
--- /dev/null
+++ b/src/helpers/Makefile.am
@@ -0,0 +1,17 @@
+include $(top_srcdir)/Make_global.am
+
+pkglib_LTLIBRARIES = ct_helper_ftp.la	\
+		     ct_helper_rpc.la	\
+		     ct_helper_tns.la
+
+ct_helper_ftp_la_SOURCES = ftp.c
+ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
+ct_helper_rpc_la_SOURCES = rpc.c
+ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
+ct_helper_tns_la_SOURCES = tns.c
+ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
diff --git a/src/helpers/Makefile.in b/src/helpers/Makefile.in
new file mode 100644
index 0000000..c02a89c
--- /dev/null
+++ b/src/helpers/Makefile.in
@@ -0,0 +1,659 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \
+	$(top_srcdir)/Make_global.am
+subdir = src/helpers
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \
+	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+	$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(pkglibdir)"
+LTLIBRARIES = $(pkglib_LTLIBRARIES)
+ct_helper_ftp_la_LIBADD =
+am_ct_helper_ftp_la_OBJECTS = ct_helper_ftp_la-ftp.lo
+ct_helper_ftp_la_OBJECTS = $(am_ct_helper_ftp_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+ct_helper_ftp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(ct_helper_ftp_la_CFLAGS) $(CFLAGS) \
+	$(ct_helper_ftp_la_LDFLAGS) $(LDFLAGS) -o $@
+ct_helper_rpc_la_LIBADD =
+am_ct_helper_rpc_la_OBJECTS = ct_helper_rpc_la-rpc.lo
+ct_helper_rpc_la_OBJECTS = $(am_ct_helper_rpc_la_OBJECTS)
+ct_helper_rpc_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(ct_helper_rpc_la_CFLAGS) $(CFLAGS) \
+	$(ct_helper_rpc_la_LDFLAGS) $(LDFLAGS) -o $@
+ct_helper_tns_la_LIBADD =
+am_ct_helper_tns_la_OBJECTS = ct_helper_tns_la-tns.lo
+ct_helper_tns_la_OBJECTS = $(am_ct_helper_tns_la_OBJECTS)
+ct_helper_tns_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(ct_helper_tns_la_CFLAGS) $(CFLAGS) \
+	$(ct_helper_tns_la_LDFLAGS) $(LDFLAGS) -o $@
+DEFAULT_INCLUDES = -I.@am__isrc@
+depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_@AM_V@)
+am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC    " $@;
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_@AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD  " $@;
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN   " $@;
+SOURCES = $(ct_helper_ftp_la_SOURCES) $(ct_helper_rpc_la_SOURCES) \
+	$(ct_helper_tns_la_SOURCES)
+DIST_SOURCES = $(ct_helper_ftp_la_SOURCES) $(ct_helper_rpc_la_SOURCES) \
+	$(ct_helper_tns_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBMNL_CFLAGS = @LIBMNL_CFLAGS@
+LIBMNL_LIBS = @LIBMNL_LIBS@
+LIBNETFILTER_CONNTRACK_CFLAGS = @LIBNETFILTER_CONNTRACK_CFLAGS@
+LIBNETFILTER_CONNTRACK_LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
+LIBNETFILTER_CTHELPER_CFLAGS = @LIBNETFILTER_CTHELPER_CFLAGS@
+LIBNETFILTER_CTHELPER_LIBS = @LIBNETFILTER_CTHELPER_LIBS@
+LIBNETFILTER_CTTIMEOUT_CFLAGS = @LIBNETFILTER_CTTIMEOUT_CFLAGS@
+LIBNETFILTER_CTTIMEOUT_LIBS = @LIBNETFILTER_CTTIMEOUT_LIBS@
+LIBNETFILTER_QUEUE_CFLAGS = @LIBNETFILTER_QUEUE_CFLAGS@
+LIBNETFILTER_QUEUE_LIBS = @LIBNETFILTER_QUEUE_LIBS@
+LIBNFNETLINK_CFLAGS = @LIBNFNETLINK_CFLAGS@
+LIBNFNETLINK_LIBS = @LIBNFNETLINK_LIBS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libdl_LIBS = @libdl_LIBS@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+AM_CPPFLAGS = -I$(top_srcdir)/include
+AM_CFLAGS = -std=gnu99 -W -Wall \
+	-Wmissing-prototypes -Wwrite-strings -Wcast-qual -Wfloat-equal -Wshadow -Wpointer-arith -Wbad-function-cast -Wsign-compare -Waggregate-return -Wmissing-declarations -Wredundant-decls -Wnested-externs -Winline -Wstrict-prototypes -Wundef \
+	-Wno-unused-parameter ${LIBNFNETLINK_CFLAGS} ${LIBMNL_CFLAGS} \
+	${LIBNETFILTER_CONNTRACK_CFLAGS} \
+	${LIBNETFILTER_CTTIMEOUT_CFLAGS} \
+	${LIBNETFILTER_QUEUE_CFLAGS} \
+	${LIBNETFILTER_CTHELPER_CFLAGS}
+
+pkglib_LTLIBRARIES = ct_helper_ftp.la	\
+		     ct_helper_rpc.la	\
+		     ct_helper_tns.la
+
+ct_helper_ftp_la_SOURCES = ftp.c
+ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_rpc_la_SOURCES = rpc.c
+ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+ct_helper_tns_la_SOURCES = tns.c
+ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am $(top_srcdir)/Make_global.am $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/helpers/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --foreign src/helpers/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+$(top_srcdir)/Make_global.am:
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \
+	}
+
+uninstall-pkglibLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \
+	done
+
+clean-pkglibLTLIBRARIES:
+	-test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES)
+	@list='$(pkglib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+ct_helper_ftp.la: $(ct_helper_ftp_la_OBJECTS) $(ct_helper_ftp_la_DEPENDENCIES) $(EXTRA_ct_helper_ftp_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(ct_helper_ftp_la_LINK) -rpath $(pkglibdir) $(ct_helper_ftp_la_OBJECTS) $(ct_helper_ftp_la_LIBADD) $(LIBS)
+ct_helper_rpc.la: $(ct_helper_rpc_la_OBJECTS) $(ct_helper_rpc_la_DEPENDENCIES) $(EXTRA_ct_helper_rpc_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(ct_helper_rpc_la_LINK) -rpath $(pkglibdir) $(ct_helper_rpc_la_OBJECTS) $(ct_helper_rpc_la_LIBADD) $(LIBS)
+ct_helper_tns.la: $(ct_helper_tns_la_OBJECTS) $(ct_helper_tns_la_DEPENDENCIES) $(EXTRA_ct_helper_tns_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(ct_helper_tns_la_LINK) -rpath $(pkglibdir) $(ct_helper_tns_la_OBJECTS) $(ct_helper_tns_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ct_helper_ftp_la-ftp.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ct_helper_rpc_la-rpc.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ct_helper_tns_la-tns.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+@am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+ct_helper_ftp_la-ftp.lo: ftp.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ct_helper_ftp_la_CFLAGS) $(CFLAGS) -MT ct_helper_ftp_la-ftp.lo -MD -MP -MF $(DEPDIR)/ct_helper_ftp_la-ftp.Tpo -c -o ct_helper_ftp_la-ftp.lo `test -f 'ftp.c' || echo '$(srcdir)/'`ftp.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ct_helper_ftp_la-ftp.Tpo $(DEPDIR)/ct_helper_ftp_la-ftp.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='ftp.c' object='ct_helper_ftp_la-ftp.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ct_helper_ftp_la_CFLAGS) $(CFLAGS) -c -o ct_helper_ftp_la-ftp.lo `test -f 'ftp.c' || echo '$(srcdir)/'`ftp.c
+
+ct_helper_rpc_la-rpc.lo: rpc.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ct_helper_rpc_la_CFLAGS) $(CFLAGS) -MT ct_helper_rpc_la-rpc.lo -MD -MP -MF $(DEPDIR)/ct_helper_rpc_la-rpc.Tpo -c -o ct_helper_rpc_la-rpc.lo `test -f 'rpc.c' || echo '$(srcdir)/'`rpc.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ct_helper_rpc_la-rpc.Tpo $(DEPDIR)/ct_helper_rpc_la-rpc.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='rpc.c' object='ct_helper_rpc_la-rpc.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ct_helper_rpc_la_CFLAGS) $(CFLAGS) -c -o ct_helper_rpc_la-rpc.lo `test -f 'rpc.c' || echo '$(srcdir)/'`rpc.c
+
+ct_helper_tns_la-tns.lo: tns.c
+@am__fastdepCC_TRUE@	$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ct_helper_tns_la_CFLAGS) $(CFLAGS) -MT ct_helper_tns_la-tns.lo -MD -MP -MF $(DEPDIR)/ct_helper_tns_la-tns.Tpo -c -o ct_helper_tns_la-tns.lo `test -f 'tns.c' || echo '$(srcdir)/'`tns.c
+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) $(DEPDIR)/ct_helper_tns_la-tns.Tpo $(DEPDIR)/ct_helper_tns_la-tns.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='tns.c' object='ct_helper_tns_la-tns.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ct_helper_tns_la_CFLAGS) $(CFLAGS) -c -o ct_helper_tns_la-tns.lo `test -f 'tns.c' || echo '$(srcdir)/'`tns.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(pkglibdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-pkglibLTLIBRARIES \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am:
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am: install-pkglibLTLIBRARIES
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pkglibLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-pkglibLTLIBRARIES ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am install-man \
+	install-pdf install-pdf-am install-pkglibLTLIBRARIES \
+	install-ps install-ps-am install-strip installcheck \
+	installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-pkglibLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
new file mode 100644
index 0000000..2c8dcd6
--- /dev/null
+++ b/src/helpers/ftp.c
@@ -0,0 +1,604 @@
+/*
+ * (C) 2010-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Based on: kernel-space FTP extension for connection tracking.
+ *
+ * This port has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ *
+ * Original copyright notice:
+ *
+ * (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "network.h"	/* for before and after */
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <ctype.h>	/* for isdigit */
+#include <errno.h>
+
+#include <netinet/tcp.h>
+
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+static bool loose; /* XXX: export this as config option. */
+
+#define NUM_SEQ_TO_REMEMBER 2
+
+/* This structure exists only once per master */
+struct ftp_info {
+	/* Valid seq positions for cmd matching after newline */
+	uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
+	/* 0 means seq_match_aft_nl not set */
+	int seq_aft_nl_num[MYCT_DIR_MAX];
+};
+
+enum nf_ct_ftp_type {
+	/* PORT command from client */
+	NF_CT_FTP_PORT,
+	/* PASV response from server */
+	NF_CT_FTP_PASV,
+	/* EPRT command from client */
+	NF_CT_FTP_EPRT,
+	/* EPSV response from server */
+	NF_CT_FTP_EPSV,
+};
+
+static int
+get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term)
+{
+	const char *end;
+	int ret = in6_pton(src, min_t(size_t, dlen, 0xffff),
+				(uint8_t *)dst, term, &end);
+	if (ret > 0)
+		return (int)(end - src);
+	return 0;
+}
+
+static int try_number(const char *data, size_t dlen, uint32_t array[],
+		      int array_size, char sep, char term)
+{
+	uint32_t len;
+	int i;
+
+	memset(array, 0, sizeof(array[0])*array_size);
+
+	/* Keep data pointing at next char. */
+	for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
+		if (*data >= '0' && *data <= '9') {
+			array[i] = array[i]*10 + *data - '0';
+		}
+		else if (*data == sep)
+			i++;
+		else {
+			/* Unexpected character; true if it's the
+			   terminator and we're finished. */
+			if (*data == term && i == array_size - 1)
+				return len;
+			pr_debug("Char %u (got %u nums) `%u' unexpected\n",
+				 len, i, *data);
+			return 0;
+		}
+	}
+	pr_debug("Failed to fill %u numbers separated by %c\n",
+		 array_size, sep);
+	return 0;
+}
+
+/* Grab port: number up to delimiter */
+static int get_port(const char *data, int start, size_t dlen, char delim,
+		    struct myct_man *cmd)
+{
+	uint16_t tmp_port = 0;
+	uint32_t i;
+
+	for (i = start; i < dlen; i++) {
+		/* Finished? */
+		if (data[i] == delim) {
+			if (tmp_port == 0)
+				break;
+			cmd->u.port = htons(tmp_port);
+			pr_debug("get_port: return %d\n", tmp_port);
+			return i + 1;
+		}
+		else if (data[i] >= '0' && data[i] <= '9')
+			tmp_port = tmp_port*10 + data[i] - '0';
+		else { /* Some other crap */
+			pr_debug("get_port: invalid char.\n");
+			break;
+		}
+	}
+	return 0;
+}
+
+/* Returns 0, or length of numbers: 192,168,1,1,5,6 */
+static int try_rfc959(const char *data, size_t dlen, struct myct_man *cmd,
+		      uint16_t l3protonum, char term)
+{
+	int length;
+	uint32_t array[6];
+
+	length = try_number(data, dlen, array, 6, ',', term);
+	if (length == 0)
+		return 0;
+
+	cmd->u3.ip =  htonl((array[0] << 24) | (array[1] << 16) |
+			   (array[2] << 8) | array[3]);
+	cmd->u.port = htons((array[4] << 8) | array[5]);
+	return length;
+}
+
+/* Returns 0, or length of numbers: |1|132.235.1.2|6275| or |2|3ffe::1|6275| */
+static int try_eprt(const char *data, size_t dlen,
+		    struct myct_man *cmd, uint16_t l3protonum, char term)
+{
+	char delim;
+	int length;
+
+	/* First character is delimiter, then "1" for IPv4 or "2" for IPv6,
+	   then delimiter again. */
+	if (dlen <= 3) {
+		pr_debug("EPRT: too short\n");
+		return 0;
+	}
+	delim = data[0];
+	if (isdigit(delim) || delim < 33 || delim > 126 || data[2] != delim) {
+		pr_debug("try_eprt: invalid delimitter.\n");
+		return 0;
+	}
+
+	if ((l3protonum == PF_INET && data[1] != '1') ||
+	    (l3protonum == PF_INET6 && data[1] != '2')) {
+		pr_debug("EPRT: invalid protocol number.\n");
+		return 0;
+	}
+
+	pr_debug("EPRT: Got %c%c%c\n", delim, data[1], delim);
+	if (data[1] == '1') {
+		uint32_t array[4];
+
+		/* Now we have IP address. */
+		length = try_number(data + 3, dlen - 3, array, 4, '.', delim);
+		if (length != 0)
+			cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16)
+					   | (array[2] << 8) | array[3]);
+	} else {
+		/* Now we have IPv6 address. */
+		length = get_ipv6_addr(data + 3, dlen - 3,
+				       (struct in6_addr *)cmd->u3.ip6, delim);
+	}
+
+	if (length == 0)
+		return 0;
+	pr_debug("EPRT: Got IP address!\n");
+	/* Start offset includes initial "|1|", and trailing delimiter */
+	return get_port(data, 3 + length + 1, dlen, delim, cmd);
+}
+
+/* Returns 0, or length of numbers: |||6446| */
+static int try_epsv_response(const char *data, size_t dlen,
+			     struct myct_man *cmd,
+			     uint16_t l3protonum, char term)
+{
+	char delim;
+
+	/* Three delimiters. */
+	if (dlen <= 3) return 0;
+	delim = data[0];
+	if (isdigit(delim) || delim < 33 || delim > 126 ||
+	    data[1] != delim || data[2] != delim)
+		return 0;
+
+	return get_port(data, 3, dlen, delim, cmd);
+}
+
+static struct ftp_search {
+	const char *pattern;
+	size_t plen;
+	char skip;
+	char term;
+	enum nf_ct_ftp_type ftptype;
+	int (*getnum)(const char *, size_t, struct myct_man *, uint16_t, char);
+} search[MYCT_DIR_MAX][2] = {
+	[MYCT_DIR_ORIG] = {
+		{
+			.pattern	= "PORT",
+			.plen		= sizeof("PORT") - 1,
+			.skip		= ' ',
+			.term		= '\r',
+			.ftptype	= NF_CT_FTP_PORT,
+			.getnum		= try_rfc959,
+		},
+		{
+			.pattern	= "EPRT",
+			.plen		= sizeof("EPRT") - 1,
+			.skip		= ' ',
+			.term		= '\r',
+			.ftptype	= NF_CT_FTP_EPRT,
+			.getnum		= try_eprt,
+		},
+	},
+	[MYCT_DIR_REPL] = {
+		{
+			.pattern	= "227 ",
+			.plen		= sizeof("227 ") - 1,
+			.skip		= '(',
+			.term		= ')',
+			.ftptype	= NF_CT_FTP_PASV,
+			.getnum		= try_rfc959,
+		},
+		{
+			.pattern	= "229 ",
+			.plen		= sizeof("229 ") - 1,
+			.skip		= '(',
+			.term		= ')',
+			.ftptype	= NF_CT_FTP_EPSV,
+			.getnum		= try_epsv_response,
+		},
+	},
+};
+
+static int ftp_find_pattern(struct pkt_buff *pkt,
+			    unsigned int dataoff, unsigned int dlen,
+			    const char *pattern, size_t plen,
+			    char skip, char term,
+			    unsigned int *matchoff, unsigned int *matchlen,
+			    struct myct_man *cmd,
+			    int (*getnum)(const char *, size_t,
+					  struct myct_man *cmd,
+					  uint16_t, char),
+			    int dir)
+{
+	char *data = (char *)pktb_network_header(pkt) + dataoff;
+	int numlen;
+	uint32_t i;
+
+	if (dlen == 0)
+		return 0;
+
+	/* short packet, skip partial matching. */
+	if (dlen <= plen)
+		return 0;
+
+	if (strncmp(data, pattern, plen) != 0)
+		return 0;
+
+	pr_debug("Pattern matches!\n");
+
+	/* Now we've found the constant string, try to skip
+	   to the 'skip' character */
+	for (i = plen; data[i] != skip; i++)
+		if (i == dlen - 1) return 0;
+
+	/* Skip over the last character */
+	i++;
+
+	pr_debug("Skipped up to `%c'!\n", skip);
+
+	numlen = getnum(data + i, dlen - i, cmd, PF_INET, term);
+	if (!numlen)
+		return 0;
+
+	pr_debug("Match succeded!\n");
+	return 1;
+}
+
+/* Look up to see if we're just after a \n. */
+static int find_nl_seq(uint32_t seq, struct ftp_info *info, int dir)
+{
+	int i;
+
+	for (i = 0; i < info->seq_aft_nl_num[dir]; i++)
+		if (info->seq_aft_nl[dir][i] == seq)
+			return 1;
+	return 0;
+}
+
+/* We don't update if it's older than what we have. */
+static void update_nl_seq(uint32_t nl_seq, struct ftp_info *info, int dir)
+{
+	int i, oldest;
+
+	/* Look for oldest: if we find exact match, we're done. */
+	for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
+		if (info->seq_aft_nl[dir][i] == nl_seq)
+			return;
+	}
+
+	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
+		info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
+	} else {
+		if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1]))
+			oldest = 0;
+		else
+			oldest = 1;
+
+		if (after(nl_seq, info->seq_aft_nl[dir][oldest]))
+			info->seq_aft_nl[dir][oldest] = nl_seq;
+	}
+}
+
+static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type,
+			      char *buffer, size_t buflen,
+			      uint32_t addr, uint16_t port)
+{
+	switch (type) {
+	case NF_CT_FTP_PORT:
+	case NF_CT_FTP_PASV:
+		return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u",
+				((unsigned char *)&addr)[0],
+				((unsigned char *)&addr)[1],
+				((unsigned char *)&addr)[2],
+				((unsigned char *)&addr)[3],
+				port >> 8,
+				port & 0xFF);
+	case NF_CT_FTP_EPRT:
+		return snprintf(buffer, buflen, "|1|%u.%u.%u.%u|%u|",
+				((unsigned char *)&addr)[0],
+				((unsigned char *)&addr)[1],
+				((unsigned char *)&addr)[2],
+				((unsigned char *)&addr)[3],
+				port);
+	case NF_CT_FTP_EPSV:
+		return snprintf(buffer, buflen, "|||%u|", port);
+	}
+
+	return 0;
+}
+
+/* So, this packet has hit the connection tracking matching code.
+   Mangle it, and change the expectation to match the new version. */
+static unsigned int nf_nat_ftp(struct pkt_buff *pkt,
+			       int dir,
+			       int ctinfo,
+			       enum nf_ct_ftp_type type,
+			       unsigned int matchoff,
+			       unsigned int matchlen,
+			       struct nf_conntrack *ct,
+			       struct nf_expect *exp)
+{
+	union nfct_attr_grp_addr newip;
+	uint16_t port;
+	char buffer[sizeof("|1|255.255.255.255|65535|")];
+	unsigned int buflen;
+	const struct nf_conntrack *expected;
+	struct nf_conntrack *nat_tuple;
+	uint16_t initial_port;
+
+	pr_debug("FTP_NAT: type %i, off %u len %u\n", type, matchoff, matchlen);
+
+	/* Connection will come from wherever this packet goes, hence !dir */
+	cthelper_get_addr_dst(ct, !dir, &newip);
+
+	expected = nfexp_get_attr(exp, ATTR_EXP_EXPECTED);
+
+	nat_tuple = nfct_new();
+	if (nat_tuple == NULL)
+		return NF_ACCEPT;
+
+	initial_port = nfct_get_attr_u16(expected, ATTR_PORT_DST);
+
+	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, !dir);
+
+	/* libnetfilter_conntrack needs this */
+	nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+	nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, IPPROTO_TCP);
+	nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+	/* When you see the packet, we need to NAT it the same as the
+	 * this one. */
+	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+
+	/* Try to get same port: if not, try to change it. */
+	for (port = ntohs(initial_port); port != 0; port++) {
+		int ret;
+
+		nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC, htons(port));
+		nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+		ret = cthelper_add_expect(exp);
+		if (ret == 0)
+			break;
+		else if (ret != -EBUSY) {
+			port = 0;
+			break;
+		}
+	}
+
+	if (port == 0)
+		return NF_DROP;
+
+	buflen = nf_nat_ftp_fmt_cmd(type, buffer, sizeof(buffer),
+					newip.ip, port);
+	if (!buflen)
+		goto out;
+
+	if (!nfq_tcp_mangle_ipv4(pkt, matchoff, matchlen, buffer, buflen))
+		goto out;
+
+	return NF_ACCEPT;
+
+out:
+	cthelper_del_expect(exp);
+	return NF_DROP;
+}
+
+static int
+ftp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+	      struct myct *myct, uint32_t ctinfo)
+{
+	struct tcphdr *th;
+	unsigned int dataoff;
+	unsigned int matchoff = 0, matchlen = 0; /* makes gcc happy. */
+	unsigned int datalen;
+	unsigned int i;
+	int found = 0, ends_in_nl;
+	uint32_t seq;
+	int ret = NF_ACCEPT;
+	struct myct_man cmd;
+	union nfct_attr_grp_addr addr;
+	union nfct_attr_grp_addr daddr;
+	int dir = CTINFO2DIR(ctinfo);
+	struct ftp_info *ftp_info = myct->priv_data;
+	struct nf_expect *exp = NULL;
+
+	memset(&cmd, 0, sizeof(struct myct_man));
+	memset(&addr, 0, sizeof(union nfct_attr_grp_addr));
+
+	/* Until there's been traffic both ways, don't look in packets. */
+	if (ctinfo != IP_CT_ESTABLISHED &&
+	    ctinfo != IP_CT_ESTABLISHED_REPLY) {
+		pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);
+		goto out;
+	}
+
+	th = (struct tcphdr *) (pktb_network_header(pkt) + protoff);
+
+	dataoff = protoff + th->doff * 4;
+	datalen = pktb_len(pkt) - dataoff;
+
+	ends_in_nl = (pktb_network_header(pkt)[pktb_len(pkt) - 1] == '\n');
+	seq = ntohl(th->seq) + datalen;
+
+	/* Look up to see if we're just after a \n. */
+	if (!find_nl_seq(ntohl(th->seq), ftp_info, dir)) {
+		/* Now if this ends in \n, update ftp info. */
+		pr_debug("nf_conntrack_ftp: wrong seq pos %s(%u) or %s(%u)\n",
+		ftp_info->seq_aft_nl_num[dir] > 0 ? "" : "(UNSET)",
+		ftp_info->seq_aft_nl[dir][0],
+		ftp_info->seq_aft_nl_num[dir] > 1 ? "" : "(UNSET)",
+		ftp_info->seq_aft_nl[dir][1]);
+		goto out_update_nl;
+	}
+
+	/* Initialize IP/IPv6 addr to expected address (it's not mentioned
+	   in EPSV responses) */
+	cmd.l3num = nfct_get_attr_u16(myct->ct, ATTR_L3PROTO);
+	nfct_get_attr_grp(myct->ct, ATTR_GRP_ORIG_ADDR_SRC, &cmd.u3);
+
+	for (i = 0; i < ARRAY_SIZE(search[dir]); i++) {
+		found = ftp_find_pattern(pkt, dataoff, datalen,
+					 search[dir][i].pattern,
+					 search[dir][i].plen,
+					 search[dir][i].skip,
+					 search[dir][i].term,
+					 &matchoff, &matchlen,
+					 &cmd,
+					 search[dir][i].getnum,
+					 dir);
+		if (found) break;
+	}
+	if (found == 0) /* No match */
+		goto out_update_nl;
+
+	pr_debug("conntrack_ftp: match `%.*s' (%u bytes at %u)\n",
+		 matchlen, pktb_network_header(pkt) + matchoff,
+		 matchlen, ntohl(th->seq) + matchoff);
+
+	/* We refer to the reverse direction ("!dir") tuples here,
+	 * because we're expecting something in the other direction.
+	 * Doesn't matter unless NAT is happening.  */
+	cthelper_get_addr_dst(myct->ct, !dir, &daddr);
+
+	cthelper_get_addr_src(myct->ct, dir, &addr);
+
+	/* Update the ftp info */
+	if ((cmd.l3num == nfct_get_attr_u16(myct->ct, ATTR_L3PROTO)) &&
+	    memcmp(&cmd.u3, &addr, sizeof(addr)) != 0) {
+		/* Enrico Scholz's passive FTP to partially RNAT'd ftp
+		   server: it really wants us to connect to a
+		   different IP address.  Simply don't record it for
+		   NAT. */
+		if (cmd.l3num == PF_INET) {
+			pr_debug("conntrack_ftp: NOT RECORDING: %pI4 != %pI4\n",
+				 &cmd.u3.ip, &addr);
+		} else {
+			pr_debug("conntrack_ftp: NOT RECORDING: %pI6 != %pI6\n",
+				 cmd.u3.ip6, &addr);
+		}
+		/* Thanks to Cristiano Lincoln Mattos
+		   <lincoln@cesar.org.br> for reporting this potential
+		   problem (DMZ machines opening holes to internal
+		   networks, or the packet filter itself). */
+		if (!loose) {
+			ret = NF_ACCEPT;
+			goto out;
+		}
+		memcpy(&daddr, &cmd.u3, sizeof(cmd.u3));
+	}
+
+	exp = nfexp_new();
+	if (exp == NULL)
+		goto out_update_nl;
+
+	cthelper_get_addr_src(myct->ct, !dir, &addr);
+
+	if (cthelper_expect_init(exp, myct->ct, 0, &addr, &daddr, IPPROTO_TCP,
+				 NULL, &cmd.u.port, 0)) {
+		pr_debug("conntrack_ftp: failed to init expectation\n");
+		goto out_update_nl;
+	}
+
+	/* Now, NAT might want to mangle the packet, and register the
+	 * (possibly changed) expectation itself. */
+	if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK) {
+		ret = nf_nat_ftp(pkt, dir, ctinfo, search[dir][i].ftptype,
+				 matchoff, matchlen, myct->ct, exp);
+		goto out_update_nl;
+	}
+
+	/* Can't expect this?  Best to drop packet now. */
+	if (cthelper_add_expect(exp) < 0) {
+		pr_debug("conntrack_ftp: cannot add expectation: %s\n",
+			strerror(errno));
+		ret = NF_DROP;
+		goto out_update_nl;
+	}
+
+out_update_nl:
+	if (exp != NULL)
+		nfexp_destroy(exp);
+
+	/* Now if this ends in \n, update ftp info.  Seq may have been
+	 * adjusted by NAT code. */
+	if (ends_in_nl)
+		update_nl_seq(seq, ftp_info, dir);
+out:
+	return ret;
+}
+
+static struct ctd_helper ftp_helper = {
+	.name		= "ftp",
+	.l4proto	= IPPROTO_TCP,
+	.cb		= ftp_helper_cb,
+	.priv_data_len	= sizeof(struct ftp_info),
+	.policy		= {
+		[0] = {
+			.name			= "ftp",
+			.expect_max		= 1,
+			.expect_timeout		= 300,
+		},
+	},
+};
+
+void __attribute__ ((constructor)) ftp_init(void);
+
+void ftp_init(void)
+{
+	helper_register(&ftp_helper);
+}
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
new file mode 100644
index 0000000..82493c2
--- /dev/null
+++ b/src/helpers/rpc.c
@@ -0,0 +1,488 @@
+/*
+ * (C) 2012 by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Based on: RPC extension for conntrack.
+ *
+ * This port has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ *
+ * Original copyright notice:
+ *
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ * (C) 2004,2005 by David Stes <stes@pandora.be>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "network.h"	/* for before and after */
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <errno.h>
+
+#include <rpc/rpc_msg.h>
+#include <rpc/pmap_prot.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+/* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
+/* RFC 1014: XDR: External Data Representation Standard */
+#define SUPPORTED_RPC_VERSION	2
+
+struct rpc_info {
+	/* XID */
+	uint32_t xid;
+	/* program */
+	uint32_t pm_prog;
+	/* program version */
+	uint32_t pm_vers;
+	/* transport protocol: TCP|UDP */
+	uint32_t pm_prot;
+};
+
+/* So, this packet has hit the connection tracking matching code.
+   Mangle it, and change the expectation to match the new version. */
+static unsigned int
+nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp,
+	   uint8_t proto, uint32_t *port_ptr)
+{
+	const struct nf_conntrack *expected;
+	struct nf_conntrack *nat_tuple;
+	uint16_t initial_port, port;
+
+	expected = nfexp_get_attr(exp, ATTR_EXP_EXPECTED);
+
+	nat_tuple = nfct_new();
+	if (nat_tuple == NULL)
+		return NF_ACCEPT;
+
+	initial_port = nfct_get_attr_u16(expected, ATTR_PORT_DST);
+
+	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, !dir);
+
+	/* libnetfilter_conntrack needs this */
+	nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+	nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, proto);
+	nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+	/* When you see the packet, we need to NAT it the same as the
+	 * this one. */
+	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+
+	/* Try to get same port: if not, try to change it. */
+	for (port = ntohs(initial_port); port != 0; port++) {
+		int ret;
+
+		nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC, htons(port));
+		nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+		ret = cthelper_add_expect(exp);
+		if (ret == 0)
+			break;
+		else if (ret != -EBUSY) {
+			port = 0;
+			break;
+		}
+	}
+	nfct_destroy(nat_tuple);
+
+	if (port == 0)
+		return NF_DROP;
+
+	*port_ptr = htonl(port);
+
+	return NF_ACCEPT;
+}
+
+#define OFFSET(o, n)	((o) += n)
+#define ROUNDUP(n)	((((n) + 3)/4)*4)
+
+static int
+rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
+	 struct rpc_info *rpc_info)
+{
+	uint32_t p, r;
+
+	/* RPC CALL message body */
+
+	/* call_body {
+	 *	rpcvers
+	 *	prog
+	 *	vers
+	 *	proc
+	 *	opaque_auth cred
+	 *	opaque_auth verf
+	 *	pmap
+	 * }
+	 *
+	 * opaque_auth {
+	 *	flavour
+	 *	opaque[len] <= MAX_AUTH_BYTES
+	 * }
+	 */
+	if (datalen < OFFSET(offset, 4*4 + 2*2*4)) {
+		pr_debug("RPC CALL: too short packet: %u < %u\n",
+			 datalen, offset);
+		return -1;
+	}
+	/* Check rpcversion */
+	p = IXDR_GET_INT32(data);
+	if (p != SUPPORTED_RPC_VERSION) {
+		pr_debug("RPC CALL: wrong rpcvers %u != %u\n",
+			 p, SUPPORTED_RPC_VERSION);
+		return -1;
+	}
+	/* Skip non-portmap requests */
+	p = IXDR_GET_INT32(data);
+	if (p != PMAPPROG) {
+		pr_debug("RPC CALL: not portmap %u != %lu\n",
+			 p, PMAPPROG);
+		return -1;
+	}
+	/* Check portmap version */
+	p = IXDR_GET_INT32(data);
+	if (p != PMAPVERS) {
+		pr_debug("RPC CALL: wrong portmap version %u != %lu\n",
+			 p, PMAPVERS);
+		return -1;
+	}
+	/* Skip non PMAPPROC_GETPORT requests */
+	p = IXDR_GET_INT32(data);
+	if (p != PMAPPROC_GETPORT) {
+		pr_debug("RPC CALL: not PMAPPROC_GETPORT %u != %lu\n",
+			 p, PMAPPROC_GETPORT);
+		return -1;
+	}
+	/* Check and skip credentials */
+	r = IXDR_GET_INT32(data);
+	p = IXDR_GET_INT32(data);
+	pr_debug("RPC CALL: cred: %u %u (%u, %u)\n",
+		 r, p, datalen, offset);
+	if (p > MAX_AUTH_BYTES) {
+		pr_debug("RPC CALL: invalid sized cred %u > %u\n",
+			 p, MAX_AUTH_BYTES);
+		return -1;
+	}
+	r = ROUNDUP(p);
+	if (datalen < OFFSET(offset, r)) {
+		pr_debug("RPC CALL: too short to carry cred: %u < %u, %u\n",
+			 datalen, offset, r);
+		return -1;
+	}
+	data += r/4;
+	/* Check and skip verifier */
+	r = IXDR_GET_INT32(data);
+	p = IXDR_GET_INT32(data);
+	pr_debug("RPC CALL: verf: %u %u (%u, %u)\n",
+		 r, p, datalen, offset);
+	if (p > MAX_AUTH_BYTES) {
+		pr_debug("RPC CALL: invalid sized verf %u > %u\n",
+			 p, MAX_AUTH_BYTES);
+		return -1;
+	}
+	r = ROUNDUP(p);
+	if (datalen < OFFSET(offset, r)) {
+		pr_debug("RPC CALL: too short to carry verf: %u < %u, %u\n",
+			 datalen, offset, r);
+		return -1;
+	}
+	data += r/4;
+	/* pmap {
+	 *	prog
+	 *	vers
+	 *	prot
+	 *	port
+	 * }
+	 */
+	/* Check CALL size */
+	if (datalen != offset + 4*4) {
+		pr_debug("RPC CALL: invalid size to carry pmap: %u != %u\n",
+			 datalen, offset + 4*4);
+		return -1;
+	}
+	rpc_info->pm_prog = IXDR_GET_INT32(data);
+	rpc_info->pm_vers = IXDR_GET_INT32(data);
+	rpc_info->pm_prot = IXDR_GET_INT32(data);
+	/* Check supported protocols */
+	if (!(rpc_info->pm_prot == IPPROTO_TCP
+	      || rpc_info->pm_prot == IPPROTO_UDP)) {
+		pr_debug("RPC CALL: unsupported protocol %u",
+			 rpc_info->pm_prot);
+		return -1;
+	}
+	p = IXDR_GET_INT32(data);
+	/* Check port: must be zero */
+	if (p != 0) {
+		pr_debug("RPC CALL: port is nonzero %u\n",
+			 ntohl(p));
+		return -1;
+	}
+	pr_debug("RPC CALL: processed: xid %u, prog %u, vers %u, prot %u\n",
+		 rpc_info->xid, rpc_info->pm_prog,
+		 rpc_info->pm_vers, rpc_info->pm_prot);
+
+	return 0;
+}
+
+static int
+rpc_reply(uint32_t *data, uint32_t offset, uint32_t datalen,
+	  struct rpc_info *rpc_info, uint32_t **port_ptr)
+{
+	uint16_t port;
+	uint32_t p, r;
+
+	/* RPC REPLY message body */
+
+	/* reply_body {
+	 *	reply_stat
+	 *	xdr_union {
+	 *		accepted_reply
+	 *		rejected_reply
+	 *	}
+	 * }
+	 * accepted_reply {
+	 *	opaque_auth verf
+	 *	accept_stat
+	 *	xdr_union {
+	 *		port
+	 *		struct mismatch_info
+	 *	}
+	 * }
+	 */
+
+	/* Check size: reply status */
+	if (datalen < OFFSET(offset, 4)) {
+		pr_debug("RPC REPL: too short, missing rp_stat: %u < %u\n",
+			 datalen, offset);
+		return -1;
+	}
+	p = IXDR_GET_INT32(data);
+	/* Check accepted request */
+	if (p != MSG_ACCEPTED) {
+		pr_debug("RPC REPL: not accepted %u != %u\n",
+			 p, MSG_ACCEPTED);
+		return -1;
+	}
+	/* Check and skip verifier */
+	if (datalen < OFFSET(offset, 2*4)) {
+		pr_debug("RPC REPL: too short, missing verf: %u < %u\n",
+			 datalen, offset);
+		return -1;
+	}
+	r = IXDR_GET_INT32(data);
+	p = IXDR_GET_INT32(data);
+	pr_debug("RPC REPL: verf: %u %u (%u, %u)\n",
+		 r, p, datalen, offset);
+	if (p > MAX_AUTH_BYTES) {
+		pr_debug("RPC REPL: invalid sized verf %u > %u\n",
+			 p, MAX_AUTH_BYTES);
+		return -1;
+	}
+	r = ROUNDUP(p);
+	/* verifier + ac_stat + port */
+	if (datalen != OFFSET(offset, r) + 2*4) {
+		pr_debug("RPC REPL: invalid size to carry verf and "
+			 "success: %u != %u\n",
+			 datalen, offset + 2*4);
+		return -1;
+	}
+	data += r/4;
+	/* Check success */
+	p = IXDR_GET_INT32(data);
+	if (p != SUCCESS) {
+		pr_debug("RPC REPL: not success %u != %u\n",
+			 p, SUCCESS);
+		return -1;
+	}
+	/* Get port */
+	*port_ptr = data;
+	port = IXDR_GET_INT32(data); /* -Wunused-but-set-parameter */
+	if (port == 0) {
+		pr_debug("RPC REPL: port is zero\n");
+		return -1;
+	}
+	pr_debug("RPC REPL: processed: xid %u, prog %u, vers %u, "
+		 "prot %u, port %u\n",
+		 rpc_info->xid, rpc_info->pm_prog, rpc_info->pm_vers,
+		 rpc_info->pm_prot, port);
+	return 0;
+}
+
+static int
+rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+	      struct myct *myct, uint32_t ctinfo)
+{
+	int dir = CTINFO2DIR(ctinfo);
+	unsigned int offset = protoff, datalen;
+	uint32_t *data, *port_ptr = NULL, xid;
+	uint16_t port;
+	uint8_t proto = nfct_get_attr_u8(myct->ct, ATTR_L4PROTO);
+	enum msg_type rm_dir;
+	struct rpc_info *rpc_info = myct->priv_data;
+	union nfct_attr_grp_addr addr, daddr;
+	struct nf_expect *exp = NULL;
+	int ret = NF_ACCEPT;
+
+	/* Until there's been traffic both ways, don't look into TCP packets. */
+	if (proto == IPPROTO_TCP
+	    && ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_ESTABLISHED_REPLY) {
+		pr_debug("TCP RPC: Conntrackinfo = %u\n", ctinfo);
+		return ret;
+	}
+	if (proto == IPPROTO_TCP) {
+		struct tcphdr *th =
+			(struct tcphdr *) (pktb_network_header(pkt) + protoff);
+		offset += th->doff * 4;
+	} else {
+		offset += sizeof(struct udphdr);
+	}
+	/* Skip broken headers */
+	if (offset % 4) {
+		pr_debug("RPC: broken header: offset %u%%4 != 0\n", offset);
+		return ret;
+	}
+
+	/* Take into Record Fragment header */
+	if (proto == IPPROTO_TCP)
+		offset += 4;
+
+	datalen = pktb_len(pkt);
+	data = (uint32_t *)(pktb_network_header(pkt) + offset);
+
+	/* rpc_msg {
+	 *	xid
+	 *	direction
+	 *	xdr_union {
+	 *		call_body
+	 *		reply_body
+	 *	}
+	 * }
+	 */
+
+	 /* Check minimal msg size: xid + direction */
+	if (datalen < OFFSET(offset, 2*4)) {
+		pr_debug("RPC: too short packet: %u < %u\n",
+			 datalen, offset);
+		return ret;
+	}
+	xid = IXDR_GET_INT32(data);
+	rm_dir = IXDR_GET_INT32(data);
+
+	/* Check direction */
+	if (!((rm_dir == CALL && dir == MYCT_DIR_ORIG)
+	      || (rm_dir == REPLY && dir == MYCT_DIR_REPL))) {
+		pr_debug("RPC: rm_dir != dir %u != %u\n", rm_dir, dir);
+		goto out;
+	}
+
+	if (rm_dir == CALL) {
+		if (rpc_call(data, offset, datalen, rpc_info) < 0)
+			goto out;
+
+		rpc_info->xid = xid;
+
+		return ret;
+	} else {
+		/* Check XID */
+		if (xid != rpc_info->xid) {
+			pr_debug("RPC REPL: XID does not match: %u != %u\n",
+				 xid, rpc_info->xid);
+			goto out;
+		}
+		if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
+			goto out;
+
+		port = IXDR_GET_INT32(port_ptr);
+		port = htons(port);
+
+		/* We refer to the reverse direction ("!dir") tuples here,
+		 * because we're expecting something in the other direction.
+		 * Doesn't matter unless NAT is happening.  */
+		cthelper_get_addr_dst(myct->ct, !dir, &daddr);
+		cthelper_get_addr_src(myct->ct, !dir, &addr);
+
+		exp = nfexp_new();
+		if (exp == NULL)
+			goto out;
+
+		if (cthelper_expect_init(exp, myct->ct, 0, &addr, &daddr,
+					 rpc_info->pm_prot,
+					 NULL, &port, NF_CT_EXPECT_PERMANENT)) {
+			pr_debug("RPC: failed to init expectation\n");
+			goto out_exp;
+		}
+
+		/* Now, NAT might want to mangle the packet, and register the
+		 * (possibly changed) expectation itself. */
+		if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK) {
+			ret = nf_nat_rpc(pkt, dir, exp, rpc_info->pm_prot,
+					 port_ptr);
+			goto out_exp;
+		}
+
+		/* Can't expect this?  Best to drop packet now. */
+		if (cthelper_add_expect(exp) < 0) {
+			pr_debug("RPC: cannot add expectation: %s\n",
+				 strerror(errno));
+			ret = NF_DROP;
+		}
+	}
+
+out_exp:
+	nfexp_destroy(exp);
+out:
+	rpc_info->xid = 0;
+	return ret;
+}
+
+static struct ctd_helper rpc_helper_tcp = {
+	.name		= "rpc",
+	.l4proto	= IPPROTO_TCP,
+	.cb		= rpc_helper_cb,
+	.priv_data_len	= sizeof(struct rpc_info),
+	.policy		= {
+		{
+			.name			= "rpc",
+			.expect_max		= 1,
+			.expect_timeout		= 300,
+		},
+	},
+};
+
+static struct ctd_helper rpc_helper_udp = {
+	.name		= "rpc",
+	.l4proto	= IPPROTO_UDP,
+	.cb		= rpc_helper_cb,
+	.priv_data_len	= sizeof(struct rpc_info),
+	.policy		= {
+		{
+			.name			= "rpc",
+			.expect_max		= 1,
+			.expect_timeout		= 300,
+		},
+	},
+};
+
+void __attribute__ ((constructor)) rpc_init(void);
+
+void rpc_init(void)
+{
+	helper_register(&rpc_helper_tcp);
+	helper_register(&rpc_helper_udp);
+}
diff --git a/src/helpers/tns.c b/src/helpers/tns.c
new file mode 100644
index 0000000..5833fea
--- /dev/null
+++ b/src/helpers/tns.c
@@ -0,0 +1,407 @@
+/*
+ * (C) 2012 by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Sponsored by Vyatta Inc. <http://www.vyatta.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "network.h"	/* for before and after */
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <ctype.h>	/* for isdigit */
+#include <errno.h>
+
+#include <netinet/tcp.h>
+
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+/* TNS SQL*Net Version 2 */
+enum tns_types {
+       TNS_TYPE_CONNECT        = 1,
+       TNS_TYPE_ACCEPT	       = 2,
+       TNS_TYPE_ACK	       = 3,
+       TNS_TYPE_REFUSE	       = 4,
+       TNS_TYPE_REDIRECT       = 5,
+       TNS_TYPE_DATA	       = 6,
+       TNS_TYPE_NULL	       = 7,
+       TNS_TYPE_ABORT	       = 9,
+       TNS_TYPE_RESEND	       = 11,
+       TNS_TYPE_MARKER	       = 12,
+       TNS_TYPE_ATTENTION      = 13,
+       TNS_TYPE_CONTROL        = 14,
+       TNS_TYPE_MAX	       = 19,
+};
+
+struct tns_header {
+       uint16_t len;
+       uint16_t csum;
+       uint8_t type;
+       uint8_t reserved;
+       uint16_t header_csum;
+};
+
+struct tns_redirect {
+       uint16_t data_len;
+};
+
+struct tns_info {
+       /* Scan next DATA|REDIRECT packet */
+       bool parse;
+};
+
+static int try_number(const char *data, size_t dlen, uint32_t array[],
+		      int array_size, char sep, char term)
+{
+	uint32_t len;
+	int i;
+
+	memset(array, 0, sizeof(array[0])*array_size);
+
+	/* Keep data pointing at next char. */
+	for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
+		if (*data >= '0' && *data <= '9') {
+			array[i] = array[i]*10 + *data - '0';
+		}
+		else if (*data == sep)
+			i++;
+		else {
+			/* Skip spaces. */
+			if (*data == ' ')
+				continue;
+			/* Unexpected character; true if it's the
+			   terminator and we're finished. */
+			if (*data == term && i == array_size - 1)
+				return len;
+			pr_debug("Char %u (got %u nums) `%c' unexpected\n",
+				 len, i, *data);
+			return 0;
+		}
+	}
+	pr_debug("Failed to fill %u numbers separated by %c\n",
+		 array_size, sep);
+	return 0;
+}
+
+/* Grab port: number up to delimiter */
+static int get_port(const char *data, size_t dlen, char delim,
+		    struct myct_man *cmd)
+{
+	uint16_t tmp_port = 0;
+	uint32_t i;
+
+	for (i = 0; i < dlen; i++) {
+		/* Finished? */
+		if (data[i] == delim) {
+			if (tmp_port == 0)
+				break;
+			cmd->u.port = htons(tmp_port);
+			pr_debug("get_port: return %d\n", tmp_port);
+			return i + 1;
+		}
+		else if (data[i] >= '0' && data[i] <= '9')
+			tmp_port = tmp_port*10 + data[i] - '0';
+		else if (data[i] == ' ') /* Skip spaces */
+			continue;
+		else { /* Some other crap */
+			pr_debug("get_port: invalid char `%c'\n", data[i]);
+			break;
+		}
+	}
+	return 0;
+}
+
+/* (ADDRESS=(PROTOCOL=tcp)(DEV=x)(HOST=a.b.c.d)(PORT=a)) */
+/* FIXME: handle hostnames */
+
+/* Returns 0, or length of port number */
+static unsigned int
+find_pattern(struct pkt_buff *pkt, unsigned int dataoff, size_t dlen,
+	     struct myct_man *cmd, unsigned int *numoff)
+{
+	const char *data = (const char *)pktb_network_header(pkt) + dataoff
+						+ sizeof(struct tns_header);
+	int length, offset, ret;
+	uint32_t array[4];
+	const char *p, *start;
+
+	p = strstr(data, "(");
+	if (!p)
+		return 0;
+
+	p = strstr(p+1, "HOST=");
+	if (!p) {
+		pr_debug("HOST= not found\n");
+		return 0;
+	}
+
+	start = p + strlen("HOST=");
+	offset = (int)(p - data) + strlen("HOST=");
+	*numoff = offset + sizeof(struct tns_header);
+	data += offset;
+
+	length = try_number(data, dlen - offset, array, 4, '.', ')');
+	if (length == 0)
+		return 0;
+
+	cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |
+			   (array[2] << 8) | array[3]);
+
+	p = strstr(data+length, "(");
+	if (!p)
+		return 0;
+
+	p = strstr(p, "PORT=");
+	if (!p) {
+		pr_debug("PORT= not found\n");
+		return 0;
+	}
+
+	p += strlen("PORT=");
+	ret = get_port(p, dlen - offset - length, ')', cmd);
+	if (ret == 0)
+		return 0;
+
+	p += ret;
+	return (int)(p - start);
+}
+
+static inline uint16_t
+nton(uint16_t len, unsigned int matchoff, unsigned int matchlen)
+{
+	uint32_t l = (uint32_t)ntohs(len) + matchoff - matchlen;
+
+	return htons(l);
+}
+
+/* So, this packet has hit the connection tracking matching code.
+   Mangle it, and change the expectation to match the new version. */
+static unsigned int
+nf_nat_tns(struct pkt_buff *pkt, struct tns_header *tns, struct nf_expect *exp,
+	   struct nf_conntrack *ct, int dir,
+	   unsigned int matchoff, unsigned int matchlen)
+{
+	union nfct_attr_grp_addr newip;
+	char buffer[sizeof("255.255.255.255)(PORT=65535)")];
+	unsigned int buflen;
+	const struct nf_conntrack *expected;
+	struct nf_conntrack *nat_tuple;
+	uint16_t initial_port, port;
+
+	/* Connection will come from wherever this packet goes, hence !dir */
+	cthelper_get_addr_dst(ct, !dir, &newip);
+
+	expected = nfexp_get_attr(exp, ATTR_EXP_EXPECTED);
+
+	nat_tuple = nfct_new();
+	if (nat_tuple == NULL)
+		return NF_ACCEPT;
+
+	initial_port = nfct_get_attr_u16(expected, ATTR_PORT_DST);
+
+	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, !dir);
+
+	/* libnetfilter_conntrack needs this */
+	nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+	nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, IPPROTO_TCP);
+	nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+	/* When you see the packet, we need to NAT it the same as the
+	 * this one. */
+	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+
+	/* Try to get same port: if not, try to change it. */
+	for (port = ntohs(initial_port); port != 0; port++) {
+		int ret;
+
+		nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC, htons(port));
+		nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+		ret = cthelper_add_expect(exp);
+		if (ret == 0)
+			break;
+		else if (ret != -EBUSY) {
+			port = 0;
+			break;
+		}
+	}
+	nfct_destroy(nat_tuple);
+
+	if (port == 0)
+		return NF_DROP;
+
+	buflen = snprintf(buffer, sizeof(buffer),
+				"%u.%u.%u.%u)(PORT=%u)",
+                                ((unsigned char *)&newip.ip)[0],
+                                ((unsigned char *)&newip.ip)[1],
+                                ((unsigned char *)&newip.ip)[2],
+                                ((unsigned char *)&newip.ip)[3], port);
+	if (!buflen)
+		goto out;
+
+	if (!nfq_tcp_mangle_ipv4(pkt, matchoff, matchlen, buffer, buflen))
+		goto out;
+
+	if (buflen != matchlen) {
+		/* FIXME: recalculate checksum */
+		tns->csum = 0;
+		tns->header_csum = 0;
+
+		tns->len = nton(tns->len,  matchlen, buflen);
+		if (tns->type == TNS_TYPE_REDIRECT) {
+			struct tns_redirect *r;
+
+			r = (struct tns_redirect *)((char *)tns + sizeof(struct tns_header));
+
+			r->data_len = nton(r->data_len, matchlen, buflen);
+		}
+	}
+
+	return NF_ACCEPT;
+
+out:
+	cthelper_del_expect(exp);
+	return NF_DROP;
+}
+
+static int
+tns_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+	      struct myct *myct, uint32_t ctinfo)
+{
+	struct tcphdr *th;
+	struct tns_header *tns;
+	int dir = CTINFO2DIR(ctinfo);
+	unsigned int dataoff, datalen, numoff = 0, numlen;
+	struct tns_info *tns_info = myct->priv_data;
+	union nfct_attr_grp_addr addr;
+	struct nf_expect *exp = NULL;
+	struct myct_man cmd;
+	int ret = NF_ACCEPT;
+
+	memset(&cmd, 0, sizeof(struct myct_man));
+	memset(&addr, 0, sizeof(union nfct_attr_grp_addr));
+
+	/* Until there's been traffic both ways, don't look into TCP packets. */
+	if (ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_ESTABLISHED_REPLY) {
+		pr_debug("TNS: Conntrackinfo = %u\n", ctinfo);
+		goto out;
+	}
+	/* Parse server direction only */
+	if (dir != MYCT_DIR_REPL) {
+		pr_debug("TNS: skip client direction\n");
+		goto out;
+	}
+
+	th = (struct tcphdr *) (pktb_network_header(pkt) + protoff);
+
+	dataoff = protoff + th->doff * 4;
+	datalen = pktb_len(pkt);
+
+	if (datalen < sizeof(struct tns_header)) {
+		pr_debug("TNS: skip packet with short header\n");
+		goto out;
+	}
+
+	tns = (struct tns_header *)(pktb_network_header(pkt) + dataoff);
+
+	if (tns->type == TNS_TYPE_REDIRECT) {
+		struct tns_redirect *redirect;
+
+		dataoff += sizeof(struct tns_header);
+		datalen -= sizeof(struct tns_header);
+		redirect = (struct tns_redirect *)(pktb_network_header(pkt) + dataoff);
+		tns_info->parse = false;
+
+		if (ntohs(redirect->data_len) == 0) {
+			tns_info->parse = true;
+			goto out;
+		}
+		goto parse;
+	}
+
+	/* Parse only the very next DATA packet */
+	if (!(tns_info->parse && tns->type == TNS_TYPE_DATA)) {
+		tns_info->parse = false;
+		goto out;
+	}
+parse:
+	numlen = find_pattern(pkt, dataoff, datalen, &cmd, &numoff);
+	tns_info->parse = false;
+	if (!numlen)
+		goto out;
+
+	/* We refer to the reverse direction ("!dir") tuples here,
+	 * because we're expecting something in the other direction.
+	 * Doesn't matter unless NAT is happening.  */
+	cthelper_get_addr_src(myct->ct, !dir, &addr);
+
+	exp = nfexp_new();
+	if (exp == NULL)
+		goto out;
+
+	if (cthelper_expect_init(exp, myct->ct, 0,
+				 &addr, &cmd.u3,
+				 IPPROTO_TCP,
+				 NULL, &cmd.u.port, 0)) {
+		pr_debug("TNS: failed to init expectation\n");
+		goto out_exp;
+	}
+
+	/* Now, NAT might want to mangle the packet, and register the
+	 * (possibly changed) expectation itself.
+	 */
+	if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK) {
+		ret = nf_nat_tns(pkt, tns, exp, myct->ct, dir,
+				numoff + sizeof(struct tns_header), numlen);
+		goto out_exp;
+	}
+
+	/* Can't expect this?  Best to drop packet now. */
+	if (cthelper_add_expect(exp) < 0) {
+		pr_debug("TNS: cannot add expectation: %s\n",
+			 strerror(errno));
+		ret = NF_DROP;
+		goto out_exp;
+	}
+	goto out;
+
+out_exp:
+	nfexp_destroy(exp);
+out:
+	return ret;
+}
+
+static struct ctd_helper tns_helper = {
+	.name		= "tns",
+	.l4proto	= IPPROTO_TCP,
+	.cb		= tns_helper_cb,
+	.priv_data_len	= sizeof(struct tns_info),
+	.policy		= {
+		[0] = {
+			.name		= "tns",
+			.expect_max	= 1,
+			.expect_timeout	= 300,
+		},
+	},
+};
+
+void __attribute__ ((constructor)) tns_init(void);
+
+void tns_init(void)
+{
+	helper_register(&tns_helper);
+}