Merge branch 'cthelper9' of git://git.netfilter.org/conntrack-tools into user_space_helpers

Conflicts:
	.gitignore
	src/run.c

28 files changed, 4809 insertions, 656 deletions

diff --git a/src/.gitignore b/src/.gitignore
index 6e6763d..55a0d27 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -1,5 +1,6 @@
 /conntrack
 /conntrackd
+/nfct
 
 /read_config_lex.c
 /read_config_yy.c
diff --git a/src/Makefile.am b/src/Makefile.am
index 7d7b2ac..0b047e9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,19 +1,35 @@
 include $(top_srcdir)/Make_global.am
 
+SUBDIRS = helpers
+
 AM_YFLAGS = -d
 
 CLEANFILES = read_config_yy.c read_config_lex.c
 
-sbin_PROGRAMS = conntrack conntrackd
+sbin_PROGRAMS = conntrack conntrackd nfct
 
 conntrack_SOURCES = conntrack.c
 conntrack_LDADD = ../extensions/libct_proto_tcp.la ../extensions/libct_proto_udp.la ../extensions/libct_proto_udplite.la ../extensions/libct_proto_icmp.la ../extensions/libct_proto_icmpv6.la ../extensions/libct_proto_sctp.la ../extensions/libct_proto_dccp.la ../extensions/libct_proto_gre.la ../extensions/libct_proto_unknown.la ${LIBNETFILTER_CONNTRACK_LIBS}
 
+nfct_SOURCES = nfct.c			\
+	       helpers.c			\
+	       nfct-extensions/timeout.c	\
+	       nfct-extensions/helper.c
+
+nfct_LDADD = ${LIBMNL_LIBS} 			\
+	     ${LIBNETFILTER_CONNTRACK_LIBS}	\
+	     ${LIBNETFILTER_CTTIMEOUT_LIBS}	\
+	     ${LIBNETFILTER_CTHELPER_LIBS}	\
+	     ${libdl_LIBS}
+
+nfct_LDFLAGS = -export-dynamic
+
 conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \
 		    local.c log.c mcast.c udp.c netlink.c vector.c \
 		    filter.c fds.c event.c process.c origin.c date.c \
 		    cache.c cache-ct.c cache-exp.c \
 		    cache_timer.c \
+		    ctnl.c cthelper.c \
 		    sync-mode.c sync-alarm.c sync-ftfw.c sync-notrack.c \
 		    traffic_stats.c stats-mode.c \
 		    network.c cidr.c \
@@ -22,11 +38,16 @@ conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \
 		    tcp.c channel_tcp.c \
 		    external_cache.c external_inject.c \
 		    internal_cache.c internal_bypass.c \
-		    read_config_yy.y read_config_lex.l
+		    read_config_yy.y read_config_lex.l \
+		    stack.c helpers.c utils.c expect.c
 
 # yacc and lex generate dirty code
 read_config_yy.o read_config_lex.o: AM_CFLAGS += -Wno-missing-prototypes -Wno-missing-declarations -Wno-implicit-function-declaration -Wno-nested-externs -Wno-undef -Wno-redundant-decls
 
-conntrackd_LDADD = ${LIBNETFILTER_CONNTRACK_LIBS}
+conntrackd_LDADD = ${LIBMNL_LIBS} ${LIBNETFILTER_CONNTRACK_LIBS} \
+		   ${LIBNETFILTER_QUEUE_LIBS} ${LIBNETFILTER_CTHELPER_LIBS} \
+		   ${libdl_LIBS}
+
+conntrackd_LDFLAGS = -export-dynamic
 
 EXTRA_DIST = read_config_yy.h
diff --git a/src/channel.c b/src/channel.c
index 818bb01..8b7c319 100644
--- a/src/channel.c
+++ b/src/channel.c
@@ -310,3 +310,8 @@ int channel_accept(struct channel *c)
 {
 	return c->ops->accept(c);
 }
+
+int channel_type(struct channel *c)
+{
+	return c->ops->type;
+}
diff --git a/src/channel_tcp.c b/src/channel_tcp.c
index f132840..a84603c 100644
--- a/src/channel_tcp.c
+++ b/src/channel_tcp.c
@@ -137,6 +137,7 @@ channel_tcp_accept(struct channel *c)
 
 struct channel_ops channel_tcp = {
 	.headersiz	= 40, /* IP header (20 bytes) + TCP header 20 (bytes) */
+	.type		= CHANNEL_T_STREAM,
 	.open		= channel_tcp_open,
 	.close		= channel_tcp_close,
 	.send		= channel_tcp_send,
diff --git a/src/conntrack.c b/src/conntrack.c
index 61d595b..07cc2f9 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -1,5 +1,6 @@
 /*
- * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2012 by Intra2net AG <http://www.intra2net.com>
  *
  *      This program is free software; you can redistribute it and/or modify
  *      it under the terms of the GNU General Public License as published by
@@ -72,6 +73,9 @@ static struct {
 
 	/* Allows filtering/setting specific bits in the ctmark */
 	struct u32_mask mark;
+
+	/* Allow to filter by mark from kernel-space. */
+	struct nfct_filter_dump_mark filter_mark_kernel;
 } tmpl;
 
 static int alloc_tmpl_objects(void)
@@ -1374,6 +1378,7 @@ static int event_exp_cb(enum nf_conntrack_msg_type type,
 
 	nfexp_snprintf(buf,sizeof(buf), exp, type, op_type, op_flags);
 	printf("%s\n", buf);
+	fflush(stdout);
 	counter++;
 
 	return NFCT_CB_CONTINUE;
@@ -1630,6 +1635,8 @@ int main(int argc, char *argv[])
 		case 'm':
 			options |= opt2type[c];
 			parse_u32_mask(optarg, &tmpl.mark);
+			tmpl.filter_mark_kernel.val = tmpl.mark.value;
+			tmpl.filter_mark_kernel.mask = tmpl.mark.mask;
 			break;
 		case 'a':
 			fprintf(stderr, "WARNING: ignoring -%c, "
@@ -1703,6 +1710,7 @@ int main(int argc, char *argv[])
 		h->final_check(l4flags, cmd, tmpl.ct);
 
 	switch(command) {
+	struct nfct_filter_dump *filter_dump;
 
 	case CT_LIST:
 		cth = nfct_open(CONNTRACK, 0);
@@ -1716,10 +1724,23 @@ int main(int argc, char *argv[])
 
 		nfct_callback_register(cth, NFCT_T_ALL, dump_cb, tmpl.ct);
 
+		filter_dump = nfct_filter_dump_create();
+		if (filter_dump == NULL)
+			exit_error(OTHER_PROBLEM, "OOM");
+
+		nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+					  &tmpl.filter_mark_kernel);
+		nfct_filter_dump_set_attr_u8(filter_dump,
+					     NFCT_FILTER_DUMP_L3NUM,
+					     family);
+
 		if (options & CT_OPT_ZERO)
-			res = nfct_query(cth, NFCT_Q_DUMP_RESET, &family);
+			res = nfct_query(cth, NFCT_Q_DUMP_FILTER_RESET,
+					filter_dump);
 		else
-			res = nfct_query(cth, NFCT_Q_DUMP, &family);
+			res = nfct_query(cth, NFCT_Q_DUMP_FILTER, filter_dump);
+
+		nfct_filter_dump_destroy(filter_dump);
 
 		if (dump_xml_header_done == 0) {
 			printf("</conntrack>\n");
@@ -1798,7 +1819,20 @@ int main(int argc, char *argv[])
 
 		nfct_callback_register(cth, NFCT_T_ALL, delete_cb, tmpl.ct);
 
-		res = nfct_query(cth, NFCT_Q_DUMP, &family);
+		filter_dump = nfct_filter_dump_create();
+		if (filter_dump == NULL)
+			exit_error(OTHER_PROBLEM, "OOM");
+
+		nfct_filter_dump_set_attr(filter_dump, NFCT_FILTER_DUMP_MARK,
+					  &tmpl.filter_mark_kernel);
+		nfct_filter_dump_set_attr_u8(filter_dump,
+					     NFCT_FILTER_DUMP_L3NUM,
+					     family);
+
+		res = nfct_query(cth, NFCT_Q_DUMP_FILTER, filter_dump);
+
+		nfct_filter_dump_destroy(filter_dump);
+
 		nfct_close(ith);
 		nfct_close(cth);
 		break;
diff --git a/src/cthelper.c b/src/cthelper.c
new file mode 100644
index 0000000..7624dc0
--- /dev/null
+++ b/src/cthelper.c
@@ -0,0 +1,521 @@
+/*
+ * (C) 2006-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ */
+
+#include "conntrackd.h"
+#include "log.h"
+#include "fds.h"
+#include "helper.h"
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <time.h>
+#include <errno.h>
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <net/ethernet.h>
+
+#ifndef __aligned_be64
+#define __aligned_be64 unsigned long long __attribute__((aligned(8)))
+#endif
+
+#include <linux/netfilter/nfnetlink_queue.h>
+
+#include <libmnl/libmnl.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_cthelper/libnetfilter_cthelper.h>
+#include <linux/netfilter.h>
+#include <libnetfilter_queue/pktbuff.h>
+
+void cthelper_kill(void)
+{
+	mnl_socket_close(STATE_CTH(nl));
+	free(state.cthelper);
+}
+
+int cthelper_local(int fd, int type, void *data)
+{
+	/* No services to obtain information on helpers yet, sorry */
+	return LOCAL_RET_OK;
+}
+
+static struct nlmsghdr *
+nfq_build_header(char *buf, int type, uint32_t queue_num)
+{
+	struct nlmsghdr *nlh = mnl_nlmsg_put_header(buf);
+	nlh->nlmsg_type = (NFNL_SUBSYS_QUEUE << 8) | type;
+	nlh->nlmsg_flags = NLM_F_REQUEST;
+
+	struct nfgenmsg *nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(*nfg));
+	nfg->nfgen_family = AF_UNSPEC;
+	nfg->version = NFNETLINK_V0;
+	nfg->res_id = htons(queue_num);
+
+	return nlh;
+}
+
+static int
+pkt_get(void *pkt, uint32_t pktlen, uint16_t proto, uint32_t *protoff)
+{
+	switch(proto) {
+	case ETHERTYPE_IP: {
+		struct iphdr *ip = (struct iphdr *) pkt;
+
+		/* No room for IPv4 header. */
+		if (pktlen < sizeof(struct iphdr)) {
+			dlog(LOG_ERR, "no room for IPv4 header");
+			return -1;
+		}
+
+		/* this is not IPv4, skip. */
+		if (ip->version != 4) {
+			dlog(LOG_ERR, "not IPv4, skipping");
+			return -1;
+		}
+
+		*protoff = 4 * ip->ihl;
+
+		switch (ip->protocol) {
+		case IPPROTO_TCP: {
+			struct tcphdr *tcph =
+				(struct tcphdr *) ((char *)pkt + *protoff);
+
+			/* No room for IPv4 header plus TCP header. */
+			if (pktlen < *protoff + sizeof(struct tcphdr)
+			    || pktlen < *protoff + tcph->doff * 4) {
+				dlog(LOG_ERR, "no room for IPv4 + TCP header, skip");
+				return -1;
+			}
+			return 0;
+		}
+		case IPPROTO_UDP:
+			/* No room for IPv4 header plus UDP header. */
+			if (pktlen < *protoff + sizeof(struct udphdr)) {
+				dlog(LOG_ERR, "no room for IPv4 + UDP header, skip");
+				return -1;
+			}
+			return 0;
+		default:
+			dlog(LOG_ERR, "not TCP/UDP, skipping");
+			return -1;
+		}
+		break;
+	}
+	case ETHERTYPE_IPV6:
+		dlog(LOG_ERR, "no IPv6 support sorry");
+		return 0;
+	default:
+		/* Unknown layer 3 protocol. */
+		dlog(LOG_ERR, "unknown layer 3 protocol (%d), skipping", proto);
+		return -1;
+	}
+	return 0;
+}
+
+static int
+pkt_verdict_issue(struct ctd_helper_instance *cur, struct myct *myct,
+		  uint16_t queue_num, uint32_t id, uint32_t verdict)
+{
+	struct nlmsghdr *nlh;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlattr *nest;
+
+	nlh = nfq_build_header(buf, NFQNL_MSG_VERDICT, queue_num);
+
+	/* save private data and send it back to kernel-space. */
+	nfct_set_attr_l(myct->ct, ATTR_HELPER_INFO, myct->priv_data,
+			cur->helper->priv_data_len);
+
+	nfq_nlmsg_verdict_build(nlh, id, verdict);
+
+	nest = mnl_attr_nest_start(nlh, NFQA_CT);
+	if (nest == NULL)
+		return -1;
+
+	nfct_nlmsg_build(nlh, myct->ct);
+	mnl_attr_nest_end(nlh, nest);
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "failed to send verdict: %s", strerror(errno));
+		return -1;
+	}
+
+	return 0;
+}
+
+static int
+pkt_verdict_error(uint16_t queue_num, uint32_t id)
+{
+	struct nlmsghdr *nlh;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+
+	nlh = nfq_build_header(buf, NFQNL_MSG_VERDICT, queue_num);
+	nfq_nlmsg_verdict_build(nlh, id, NF_ACCEPT);
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "failed to send verdict: %s", strerror(errno));
+		return -1;
+	}
+	return 0;
+}
+
+static struct ctd_helper_instance *
+helper_run(void *pkt, uint32_t pktlen, uint32_t protoff,
+	   struct myct *myct, uint32_t ctinfo, uint32_t queue_num,
+	   int *verdict)
+{
+	struct ctd_helper_instance *cur, *helper = NULL;
+
+	list_for_each_entry(cur, &CONFIG(cthelper).list, head) {
+		if (cur->queue_num == queue_num) {
+			const void *priv_data;
+			struct pkt_buff *pktb;
+
+			/* retrieve helper private data. */
+			priv_data = nfct_get_attr(myct->ct, ATTR_HELPER_INFO);
+			if (priv_data != NULL) {
+				myct->priv_data =
+					calloc(1, cur->helper->priv_data_len);
+
+				if (myct->priv_data == NULL)
+					continue;
+
+				memcpy(myct->priv_data, priv_data,
+					cur->helper->priv_data_len);
+			}
+
+			/* XXX: 256 bytes for extra allocation for all mangling
+			 * we do in helpers.
+			 */
+			pktb = pktb_alloc(AF_INET, pkt, pktlen, 256);
+			if (pktb == NULL)
+				break;
+
+			*verdict = cur->helper->cb(pktb, protoff, myct, ctinfo);
+
+			pktb_free(pktb);
+
+			helper = cur;
+			break;
+		}
+	}
+	return helper;
+}
+
+static int nfq_queue_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nfqnl_msg_packet_hdr *ph = NULL;
+	struct nlattr *attr[NFQA_MAX+1] = {};
+	struct nfgenmsg *nfg;
+	uint8_t *pkt;
+	uint16_t l3num;
+	uint32_t id, ctinfo, queue_num = 0, protoff = 0, pktlen;
+	struct nf_conntrack *ct = NULL;
+	struct myct *myct;
+	struct ctd_helper_instance *helper;
+	int verdict = NF_ACCEPT;
+
+	if (nfq_nlmsg_parse(nlh, attr) < 0) {
+		dlog(LOG_ERR, "problems parsing message from kernel");
+		return MNL_CB_ERROR;
+	}
+
+	ph = (struct nfqnl_msg_packet_hdr *)
+		mnl_attr_get_payload(attr[NFQA_PACKET_HDR]);
+	if (ph == NULL) {
+		dlog(LOG_ERR, "problems retrieving metaheader");
+		return MNL_CB_ERROR;
+	}
+
+	id = ntohl(ph->packet_id);
+
+	if (!attr[NFQA_PAYLOAD]) {
+		dlog(LOG_ERR, "packet with no payload");
+		goto err;
+	}
+	if (!attr[NFQA_CT] || !attr[NFQA_CT_INFO]) {
+		dlog(LOG_ERR, "no CT attached to this packet");
+		goto err;
+	}
+
+	pkt = mnl_attr_get_payload(attr[NFQA_PAYLOAD]);
+	pktlen = mnl_attr_get_payload_len(attr[NFQA_PAYLOAD]);
+
+	nfg = mnl_nlmsg_get_payload(nlh);
+	l3num = nfg->nfgen_family;
+	queue_num = ntohs(nfg->res_id);
+
+	if (pkt_get(pkt, pktlen, ntohs(ph->hw_protocol), &protoff))
+		goto err;
+
+	ct = nfct_new();
+	if (ct == NULL)
+		goto err;
+
+	if (nfct_payload_parse(mnl_attr_get_payload(attr[NFQA_CT]),
+			       mnl_attr_get_payload_len(attr[NFQA_CT]),
+			       l3num, ct) < 0) {
+		dlog(LOG_ERR, "cannot convert message to CT");
+		goto err;
+	}
+
+	myct = calloc(1, sizeof(struct myct));
+	if (myct == NULL)
+		goto err;
+
+	myct->ct = ct;
+	ctinfo = ntohl(mnl_attr_get_u32(attr[NFQA_CT_INFO]));
+
+	/* Misconfiguration: if no helper found, accept the packet. */
+	helper = helper_run(pkt, pktlen, protoff, myct, ctinfo, queue_num,
+			    &verdict);
+	if (!helper)
+		goto err;
+
+	if (pkt_verdict_issue(helper, myct, queue_num, id, verdict) < 0)
+		goto err;
+
+	if (ct != NULL)
+		nfct_destroy(ct);
+	if (myct && myct->priv_data != NULL)
+		free(myct->priv_data);
+	if (myct != NULL)
+		free(myct);
+
+	return MNL_CB_OK;
+err:
+	/* In case of error, we don't want to disrupt traffic. We accept all.
+	 * This is connection tracking after all. The policy is not to drop
+	 * packet unless we enter some inconsistent state.
+	 */
+	pkt_verdict_error(queue_num, id);
+
+	if (ct != NULL)
+		nfct_destroy(ct);
+
+	return MNL_CB_OK;
+}
+
+static void nfq_cb(void *data)
+{
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	int ret;
+
+	ret = mnl_socket_recvfrom(STATE_CTH(nl), buf, sizeof(buf));
+	if (ret == -1) {
+		dlog(LOG_ERR, "failed to receive message: %s", strerror(errno));
+		return;
+	}
+
+	ret = mnl_cb_run(buf, ret, 0, STATE_CTH(portid), nfq_queue_cb, NULL);
+	if (ret < 0){
+		dlog(LOG_ERR, "failed to process message");
+		return;
+	}
+}
+
+static int cthelper_setup(struct ctd_helper_instance *cur)
+{
+	struct nfct_helper *t;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t seq;
+	int j, ret;
+
+	t = nfct_helper_alloc();
+	if (t == NULL) {
+		dlog(LOG_ERR, "cannot allocate object for helper");
+		return -1;
+	}
+
+	nfct_helper_attr_set(t, NFCTH_ATTR_NAME, cur->helper->name);
+	nfct_helper_attr_set_u32(t, NFCTH_ATTR_QUEUE_NUM, cur->queue_num);
+	nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, cur->l3proto);
+	nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, cur->l4proto);
+	nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
+					NFCT_HELPER_STATUS_ENABLED);
+
+	dlog(LOG_NOTICE, "configuring helper `%s' with queuenum=%d",
+		cur->helper->name, cur->queue_num);
+
+	for (j=0; j<CTD_HELPER_POLICY_MAX; j++) {
+		struct nfct_helper_policy *p;
+
+		if (!cur->helper->policy[j].name[0])
+			break;
+
+		p = nfct_helper_policy_alloc();
+		if (p == NULL) {
+			dlog(LOG_ERR, "cannot allocate object for helper");
+			return -1;
+		}
+		/* FIXME: get existing policy values from the kernel first. */
+		nfct_helper_policy_attr_set(p, NFCTH_ATTR_POLICY_NAME,
+					cur->helper->policy[j].name);
+		nfct_helper_policy_attr_set_u32(p, NFCTH_ATTR_POLICY_TIMEOUT,
+					cur->helper->policy[j].expect_timeout);
+		nfct_helper_policy_attr_set_u32(p, NFCTH_ATTR_POLICY_MAX,
+					cur->helper->policy[j].expect_max);
+
+		dlog(LOG_NOTICE, "policy name=%s expect_timeout=%d expect_max=%d",
+			cur->helper->policy[j].name,
+			cur->helper->policy[j].expect_timeout,
+			cur->helper->policy[j].expect_max);
+
+		nfct_helper_attr_set(t, NFCTH_ATTR_POLICY+j, p);
+	}
+
+	if (j == 0) {
+		dlog(LOG_ERR, "you have to define one policy for helper");
+		return -1;
+	}
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_NEW,
+					  NLM_F_CREATE | NLM_F_ACK, seq);
+	nfct_helper_nlmsg_build_payload(nlh, t);
+
+	nfct_helper_free(t);
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "sending cthelper configuration");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(STATE_CTH(nl), buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, STATE_CTH(portid), NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(STATE_CTH(nl), buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		dlog(LOG_ERR, "trying to configure cthelper `%s': %s",
+			cur->helper->name, strerror(errno));
+		return -1;
+	}
+
+	return 0;
+}
+
+static int cthelper_nfqueue_setup(struct ctd_helper_instance *cur)
+{
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+
+	nlh = nfq_build_header(buf, NFQNL_MSG_CONFIG, cur->queue_num);
+	nfq_nlmsg_cfg_build_request(nlh, AF_INET, NFQNL_CFG_CMD_BIND);
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "failed to send bind command");
+		return -1;
+	}
+
+	nlh = nfq_build_header(buf, NFQNL_MSG_CONFIG, cur->queue_num);
+	nfq_nlmsg_cfg_add_copy(nlh, NFQNL_COPY_PACKET, 0xffff);
+	mnl_attr_put_u32(nlh, NFQA_CFG_FLAGS, htonl(NFQNL_F_CONNTRACK));
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "failed to send configuration");
+		return -1;
+	}
+
+	return 0;
+}
+
+static int cthelper_configure(struct ctd_helper_instance *cur)
+{
+	/* First, configure cthelper. */
+	if (cthelper_setup(cur) < 0)
+		return -1;
+
+	/* Now, we are ready to configure nfqueue attached to this helper. */
+	if (cthelper_nfqueue_setup(cur) < 0)
+		return -1;
+
+	dlog(LOG_NOTICE, "helper `%s' configured successfully",
+		cur->helper->name);
+
+	return 0;
+}
+
+static int nfq_configure(void)
+{
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+
+	nlh = nfq_build_header(buf, NFQNL_MSG_CONFIG, 0);
+	nfq_nlmsg_cfg_build_request(nlh, AF_INET, NFQNL_CFG_CMD_PF_UNBIND);
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "failed to send pf unbind command");
+		return -1;
+	}
+
+	nlh = nfq_build_header(buf, NFQNL_MSG_CONFIG, 0);
+	nfq_nlmsg_cfg_build_request(nlh, AF_INET, NFQNL_CFG_CMD_PF_BIND);
+
+	if (mnl_socket_sendto(STATE_CTH(nl), nlh, nlh->nlmsg_len) < 0) {
+		dlog(LOG_ERR, "failed to send pf bind command");
+		return -1;
+	}
+
+	return 0;
+}
+
+int cthelper_init(void)
+{
+	struct ctd_helper_instance *cur;
+	int ret;
+
+	state.cthelper = calloc(1, sizeof(struct ct_helper_state));
+	if (state.cthelper == NULL) {
+		dlog(LOG_ERR, "can't allocate memory for cthelper struct");
+		return -1;
+	}
+
+	STATE_CTH(nl) = mnl_socket_open(NETLINK_NETFILTER);
+	if (STATE_CTH(nl) == NULL) {
+		dlog(LOG_ERR, "cannot open nfq socket");
+		return -1;
+	}
+	fcntl(mnl_socket_get_fd(STATE_CTH(nl)), F_SETFL, O_NONBLOCK);
+
+	if (mnl_socket_bind(STATE_CTH(nl), 0, MNL_SOCKET_AUTOPID) < 0) {
+		dlog(LOG_ERR, "cannot bind nfq socket");
+		return -1;
+	}
+	STATE_CTH(portid) = mnl_socket_get_portid(STATE_CTH(nl));
+
+	if (nfq_configure())
+		return -1;
+
+	list_for_each_entry(cur, &CONFIG(cthelper).list, head) {
+		ret = cthelper_configure(cur);
+		if (ret < 0)
+			return ret;
+	}
+
+	register_fd(mnl_socket_get_fd(STATE_CTH(nl)), nfq_cb, NULL, STATE(fds));
+
+	return 0;
+}
diff --git a/src/ctnl.c b/src/ctnl.c
new file mode 100644
index 0000000..019c7e8
--- /dev/null
+++ b/src/ctnl.c
@@ -0,0 +1,522 @@
+/*
+ * (C) 2006-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * Part of this code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ */
+
+#include "conntrackd.h"
+#include "netlink.h"
+#include "filter.h"
+#include "log.h"
+#include "alarm.h"
+#include "fds.h"
+#include "traffic_stats.h"
+#include "process.h"
+#include "origin.h"
+#include "date.h"
+#include "internal.h"
+
+#include <errno.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/wait.h>
+#include <string.h>
+#include <time.h>
+#include <fcntl.h>
+
+void ctnl_kill(void)
+{
+	if (!(CONFIG(flags) & CTD_POLL))
+		nfct_close(STATE(event));
+
+	nfct_close(STATE(resync));
+	nfct_close(STATE(get));
+	origin_unregister(STATE(flush));
+	nfct_close(STATE(flush));
+
+	if (STATE(us_filter))
+		ct_filter_destroy(STATE(us_filter));
+	STATE(mode)->kill();
+
+	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
+		nfct_close(STATE(dump));
+	}
+}
+
+static void local_flush_master(void)
+{
+	STATE(stats).nl_kernel_table_flush++;
+	dlog(LOG_NOTICE, "flushing kernel conntrack table");
+
+	/* fork a child process that performs the flush operation,
+	 * meanwhile the parent process handles events. */
+	if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL,
+			     NULL, NULL) == 0) {
+		nl_flush_conntrack_table(STATE(flush));
+		exit(EXIT_SUCCESS);
+	}
+}
+
+static void local_resync_master(void)
+{
+	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
+		STATE(stats).nl_kernel_table_resync++;
+		dlog(LOG_NOTICE, "resync with master conntrack table");
+		nl_dump_conntrack_table(STATE(dump));
+	} else {
+		dlog(LOG_NOTICE, "resync is unsupported in this mode");
+	}
+}
+
+static void local_exp_flush_master(void)
+{
+	if (!(CONFIG(flags) & CTD_EXPECT))
+		return;
+
+	STATE(stats).nl_kernel_table_flush++;
+	dlog(LOG_NOTICE, "flushing kernel expect table");
+
+	/* fork a child process that performs the flush operation,
+	 * meanwhile the parent process handles events. */
+	if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL,
+			     NULL, NULL) == 0) {
+		nl_flush_expect_table(STATE(flush));
+		exit(EXIT_SUCCESS);
+	}
+}
+
+static void local_exp_resync_master(void)
+{
+	if (!(CONFIG(flags) & CTD_EXPECT))
+		return;
+
+	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
+		STATE(stats).nl_kernel_table_resync++;
+		dlog(LOG_NOTICE, "resync with master expect table");
+		nl_dump_expect_table(STATE(dump));
+	} else {
+		dlog(LOG_NOTICE, "resync is unsupported in this mode");
+	}
+}
+
+int ctnl_local(int fd, int type, void *data)
+{
+	int ret = LOCAL_RET_OK;
+
+	switch(type) {
+	case CT_FLUSH_MASTER:
+		local_flush_master();
+		break;
+	case CT_RESYNC_MASTER:
+		local_resync_master();
+		break;
+	case EXP_FLUSH_MASTER:
+		local_exp_flush_master();
+		break;
+	case EXP_RESYNC_MASTER:
+		local_exp_resync_master();
+		break;
+	case ALL_FLUSH_MASTER:
+		local_flush_master();
+		local_exp_flush_master();
+		break;
+	case ALL_RESYNC_MASTER:
+		local_resync_master();
+		local_exp_resync_master();
+		break;
+	}
+
+	ret = STATE(mode)->local(fd, type, data);
+	if (ret == LOCAL_RET_ERROR) {
+		STATE(stats).local_unknown_request++;
+		return LOCAL_RET_ERROR;
+	}
+	return ret;
+}
+
+static void do_overrun_resync_alarm(struct alarm_block *a, void *data)
+{
+	nl_send_resync(STATE(resync));
+	STATE(stats).nl_kernel_table_resync++;
+}
+
+static void do_polling_alarm(struct alarm_block *a, void *data)
+{
+	if (STATE(mode)->internal->ct.purge)
+		STATE(mode)->internal->ct.purge();
+
+	if (STATE(mode)->internal->exp.purge)
+		STATE(mode)->internal->exp.purge();
+
+	nl_send_resync(STATE(resync));
+	nl_send_expect_resync(STATE(resync));
+	add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0);
+}
+
+static int event_handler(const struct nlmsghdr *nlh,
+			 enum nf_conntrack_msg_type type,
+			 struct nf_conntrack *ct,
+			 void *data)
+{
+	int origin_type;
+
+	STATE(stats).nl_events_received++;
+
+	/* skip user-space filtering if already do it in the kernel */
+	if (ct_filter_conntrack(ct, !CONFIG(filter_from_kernelspace))) {
+		STATE(stats).nl_events_filtered++;
+		goto out;
+	}
+
+	origin_type = origin_find(nlh);
+
+	switch(type) {
+	case NFCT_T_NEW:
+		STATE(mode)->internal->ct.new(ct, origin_type);
+		break;
+	case NFCT_T_UPDATE:
+		STATE(mode)->internal->ct.upd(ct, origin_type);
+		break;
+	case NFCT_T_DESTROY:
+		if (STATE(mode)->internal->ct.del(ct, origin_type))
+			update_traffic_stats(ct);
+		break;
+	default:
+		STATE(stats).nl_events_unknown_type++;
+		break;
+	}
+
+out:
+	/* we reset the iteration limiter in the main select loop. */
+	if (STATE(event_iterations_limit)-- <= 0)
+		return NFCT_CB_STOP;
+	else
+		return NFCT_CB_CONTINUE;
+}
+
+static int exp_event_handler(const struct nlmsghdr *nlh,
+			     enum nf_conntrack_msg_type type,
+			     struct nf_expect *exp,
+			     void *data)
+{
+	int origin_type;
+	const struct nf_conntrack *master =
+		nfexp_get_attr(exp, ATTR_EXP_MASTER);
+
+	STATE(stats).nl_events_received++;
+
+	if (!exp_filter_find(STATE(exp_filter), exp)) {
+		STATE(stats).nl_events_filtered++;
+		goto out;
+	}
+	if (ct_filter_conntrack(master, 1))
+		return NFCT_CB_CONTINUE;
+
+	origin_type = origin_find(nlh);
+
+	switch(type) {
+	case NFCT_T_NEW:
+		STATE(mode)->internal->exp.new(exp, origin_type);
+		break;
+	case NFCT_T_UPDATE:
+		STATE(mode)->internal->exp.upd(exp, origin_type);
+		break;
+	case NFCT_T_DESTROY:
+		STATE(mode)->internal->exp.del(exp, origin_type);
+		break;
+	default:
+		STATE(stats).nl_events_unknown_type++;
+		break;
+	}
+
+out:
+	/* we reset the iteration limiter in the main select loop. */
+	if (STATE(event_iterations_limit)-- <= 0)
+		return NFCT_CB_STOP;
+	else
+		return NFCT_CB_CONTINUE;
+}
+
+static int dump_handler(enum nf_conntrack_msg_type type,
+			struct nf_conntrack *ct,
+			void *data)
+{
+	if (ct_filter_conntrack(ct, 1))
+		return NFCT_CB_CONTINUE;
+
+	switch(type) {
+	case NFCT_T_UPDATE:
+		STATE(mode)->internal->ct.populate(ct);
+		break;
+	default:
+		STATE(stats).nl_dump_unknown_type++;
+		break;
+	}
+	return NFCT_CB_CONTINUE;
+}
+
+static int exp_dump_handler(enum nf_conntrack_msg_type type,
+			    struct nf_expect *exp, void *data)
+{
+	const struct nf_conntrack *master =
+		nfexp_get_attr(exp, ATTR_EXP_MASTER);
+
+	if (!exp_filter_find(STATE(exp_filter), exp))
+		return NFCT_CB_CONTINUE;
+
+	if (ct_filter_conntrack(master, 1))
+		return NFCT_CB_CONTINUE;
+
+	switch(type) {
+	case NFCT_T_UPDATE:
+		STATE(mode)->internal->exp.populate(exp);
+		break;
+	default:
+		STATE(stats).nl_dump_unknown_type++;
+		break;
+	}
+	return NFCT_CB_CONTINUE;
+}
+
+static int get_handler(enum nf_conntrack_msg_type type,
+		       struct nf_conntrack *ct,
+		       void *data)
+{
+	if (ct_filter_conntrack(ct, 1))
+		return NFCT_CB_CONTINUE;
+
+	STATE(get_retval) = 1;
+	return NFCT_CB_CONTINUE;
+}
+
+static int exp_get_handler(enum nf_conntrack_msg_type type,
+			   struct nf_expect *exp, void *data)
+{
+	const struct nf_conntrack *master =
+		nfexp_get_attr(exp, ATTR_EXP_MASTER);
+
+	if (!exp_filter_find(STATE(exp_filter), exp))
+		return NFCT_CB_CONTINUE;
+
+	if (ct_filter_conntrack(master, 1))
+		return NFCT_CB_CONTINUE;
+
+	STATE(get_retval) = 1;
+	return NFCT_CB_CONTINUE;
+}
+
+/* we have received an event from ctnetlink */
+static void event_cb(void *data)
+{
+	int ret;
+
+	ret = nfct_catch(STATE(event));
+	/* reset event iteration limit counter */
+	STATE(event_iterations_limit) = CONFIG(event_iterations_limit);
+	if (ret == -1) {
+		switch(errno) {
+		case ENOBUFS:
+			/* We have hit ENOBUFS, it's likely that we are
+			 * losing events. Two possible situations may
+			 * trigger this error:
+			 *
+			 * 1) The netlink receiver buffer is too small:
+			 *    increasing the netlink buffer size should
+			 *    be enough. However, some event messages
+			 *    got lost. We have to resync ourselves
+			 *    with the kernel table conntrack table to
+			 *    resolve the inconsistency.
+			 *
+			 * 2) The receiver is too slow to process the
+			 *    netlink messages so that the queue gets
+			 *    full quickly. This generally happens
+			 *    if the system is under heavy workload
+			 *    (busy CPU). In this case, increasing the
+			 *    size of the netlink receiver buffer
+			 *    would not help anymore since we would
+			 *    be delaying the overrun. Moreover, we
+			 *    should avoid resynchronizations. We
+			 *    should do our best here and keep
+			 *    replicating as much states as possible.
+			 *    If workload lowers at some point,
+			 *    we resync ourselves.
+			 */
+			nl_resize_socket_buffer(STATE(event));
+			if (CONFIG(nl_overrun_resync) > 0 &&
+			    STATE(mode)->internal->flags & INTERNAL_F_RESYNC) {
+				add_alarm(&STATE(resync_alarm),
+					  CONFIG(nl_overrun_resync),0);
+			}
+			STATE(stats).nl_catch_event_failed++;
+			STATE(stats).nl_overrun++;
+			break;
+		case ENOENT:
+			/*
+			 * We received a message from another
+			 * netfilter subsystem that we are not
+			 * interested in. Just ignore it.
+			 */
+		break;
+		case EAGAIN:
+			/* No more events to receive, try later. */
+			break;
+		default:
+			STATE(stats).nl_catch_event_failed++;
+			break;
+		}
+	}
+}
+
+/* we previously requested a resync due to buffer overrun. */
+static void resync_cb(void *data)
+{
+	nfct_catch(STATE(resync));
+	if (STATE(mode)->internal->ct.purge)
+		STATE(mode)->internal->ct.purge();
+}
+
+static void poll_cb(void *data)
+{
+	nfct_catch(STATE(resync));
+}
+
+int ctnl_init(void)
+{
+	if (CONFIG(flags) & CTD_STATS_MODE)
+		STATE(mode) = &stats_mode;
+	else if (CONFIG(flags) & CTD_SYNC_MODE)
+		STATE(mode) = &sync_mode;
+	else {
+		fprintf(stderr, "WARNING: No running mode specified. "
+				"Defaulting to statistics mode.\n");
+		CONFIG(flags) |= CTD_STATS_MODE;
+		STATE(mode) = &stats_mode;
+	}
+
+	/* Initialization */
+	if (STATE(mode)->init() == -1) {
+		dlog(LOG_ERR, "initialization failed");
+		return -1;
+	}
+
+	/* resynchronize (like 'dump' socket) but it also purges old entries */
+	STATE(resync) = nfct_open(CONFIG(netlink).subsys_id, 0);
+	if (STATE(resync)== NULL) {
+		dlog(LOG_ERR, "can't open netlink handler: %s",
+		     strerror(errno));
+		dlog(LOG_ERR, "no ctnetlink kernel support?");
+		return -1;
+	}
+	nfct_callback_register(STATE(resync),
+			       NFCT_T_ALL,
+			       STATE(mode)->internal->ct.resync,
+			       NULL);
+	if (CONFIG(flags) & CTD_POLL) {
+		register_fd(nfct_fd(STATE(resync)), poll_cb,
+				NULL, STATE(fds));
+	} else {
+		register_fd(nfct_fd(STATE(resync)), resync_cb,
+				NULL, STATE(fds));
+	}
+	fcntl(nfct_fd(STATE(resync)), F_SETFL, O_NONBLOCK);
+
+	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
+		STATE(dump) = nfct_open(CONFIG(netlink).subsys_id, 0);
+		if (STATE(dump) == NULL) {
+			dlog(LOG_ERR, "can't open netlink handler: %s",
+			     strerror(errno));
+			dlog(LOG_ERR, "no ctnetlink kernel support?");
+			return -1;
+		}
+		nfct_callback_register(STATE(dump), NFCT_T_ALL,
+				       dump_handler, NULL);
+
+		if (CONFIG(flags) & CTD_EXPECT) {
+			nfexp_callback_register(STATE(dump), NFCT_T_ALL,
+						exp_dump_handler, NULL);
+		}
+
+		if (nl_dump_conntrack_table(STATE(dump)) == -1) {
+			dlog(LOG_ERR, "can't get kernel conntrack table");
+			return -1;
+		}
+
+		if (CONFIG(flags) & CTD_EXPECT) {
+			if (nl_dump_expect_table(STATE(dump)) == -1) {
+				dlog(LOG_ERR, "can't get kernel "
+					      "expect table");
+				return -1;
+			}
+		}
+	}
+
+	STATE(get) = nfct_open(CONFIG(netlink).subsys_id, 0);
+	if (STATE(get) == NULL) {
+		dlog(LOG_ERR, "can't open netlink handler: %s",
+		     strerror(errno));
+		dlog(LOG_ERR, "no ctnetlink kernel support?");
+		return -1;
+	}
+	nfct_callback_register(STATE(get), NFCT_T_ALL, get_handler, NULL);
+
+	if (CONFIG(flags) & CTD_EXPECT) {
+		nfexp_callback_register(STATE(get), NFCT_T_ALL,
+					exp_get_handler, NULL);
+	}
+
+	STATE(flush) = nfct_open(CONFIG(netlink).subsys_id, 0);
+	if (STATE(flush) == NULL) {
+		dlog(LOG_ERR, "cannot open flusher handler");
+		return -1;
+	}
+	/* register this handler as the origin of a flush operation */
+	origin_register(STATE(flush), CTD_ORIGIN_FLUSH);
+
+	if (CONFIG(flags) & CTD_POLL) {
+		init_alarm(&STATE(polling_alarm), NULL, do_polling_alarm);
+		add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0);
+		dlog(LOG_NOTICE, "running in polling mode");
+	} else {
+		init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm);
+		/*
+		 * The last nfct handler that we register is the event handler.
+		 * The reason to do this is that we may receive events while
+		 * populating the internal cache. Thus, we hit ENOBUFS
+		 * prematurely. However, if we open the event handler before
+		 * populating the internal cache, we may still lose events
+		 * that have occured during the population.
+		 */
+		STATE(event) = nl_init_event_handler();
+		if (STATE(event) == NULL) {
+			dlog(LOG_ERR, "can't open netlink handler: %s",
+			     strerror(errno));
+			dlog(LOG_ERR, "no ctnetlink kernel support?");
+			return -1;
+		}
+		nfct_callback_register2(STATE(event), NFCT_T_ALL,
+				        event_handler, NULL);
+
+		if (CONFIG(flags) & CTD_EXPECT) {
+			nfexp_callback_register2(STATE(event), NFCT_T_ALL,
+						 exp_event_handler, NULL);
+		}
+		register_fd(nfct_fd(STATE(event)), event_cb, NULL, STATE(fds));
+	}
+
+	return 0;
+}
diff --git a/src/expect.c b/src/expect.c
new file mode 100644
index 0000000..eab9094
--- /dev/null
+++ b/src/expect.c
@@ -0,0 +1,212 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation (or any later at your option).
+ *
+ * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ */
+
+#include "helper.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <limits.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <dlfcn.h>
+
+int
+cthelper_expect_init(struct nf_expect *exp, struct nf_conntrack *master,
+		  uint32_t class,
+		  union nfct_attr_grp_addr *saddr,
+		  union nfct_attr_grp_addr *daddr,
+		  uint8_t l4proto, uint16_t *sport, uint16_t *dport)
+{
+	struct nf_conntrack *expected, *mask;
+
+	expected = nfct_new();
+	if (!expected)
+		return -1;
+
+	mask = nfct_new();
+	if (!mask)
+		return -1;
+
+	if (saddr) {
+		switch(nfct_get_attr_u8(master, ATTR_L3PROTO)) {
+		int i;
+		uint32_t addr[4] = {};
+
+		case AF_INET:
+			nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
+			nfct_set_attr_u32(expected, ATTR_IPV4_SRC, saddr->ip);
+
+			nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET);
+			nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0xffffffff);
+			break;
+		case AF_INET6:
+			nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET6);
+			nfct_set_attr(expected, ATTR_IPV6_SRC, saddr->ip6);
+
+			for (i=0; i<4; i++)
+				memset(addr, 0xffffffff, sizeof(uint32_t));
+
+			nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET6);
+			nfct_set_attr(mask, ATTR_IPV6_SRC, addr);
+			break;
+		default:
+			break;
+		}
+	} else {
+		switch(nfct_get_attr_u8(master, ATTR_L3PROTO)) {
+		int i;
+		uint32_t addr[4] = {};
+
+		case AF_INET:
+			nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
+			nfct_set_attr_u32(expected, ATTR_IPV4_SRC, 0x00000000);
+
+			nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET);
+			nfct_set_attr_u32(mask, ATTR_IPV4_SRC, 0x00000000);
+			break;
+		case AF_INET6:
+			for (i=0; i<4; i++)
+				memset(addr, 0x00000000, sizeof(uint32_t));
+
+			nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET6);
+			nfct_set_attr(expected, ATTR_IPV6_SRC, addr);
+
+			nfct_set_attr_u8(mask, ATTR_L3PROTO, AF_INET6);
+			nfct_set_attr(mask, ATTR_IPV6_SRC, addr);
+			break;
+		default:
+			break;
+		}
+	}
+
+	if (sport) {
+		switch(l4proto) {
+		case IPPROTO_TCP:
+		case IPPROTO_UDP:
+			nfct_set_attr_u8(expected, ATTR_L4PROTO, l4proto);
+			nfct_set_attr_u16(expected, ATTR_PORT_SRC, *sport);
+			nfct_set_attr_u8(mask, ATTR_L4PROTO, l4proto);
+			nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0xffff);
+			break;
+		default:
+			break;
+		}
+	} else {
+		switch(l4proto) {
+		case IPPROTO_TCP:
+		case IPPROTO_UDP:
+			nfct_set_attr_u8(expected, ATTR_L4PROTO, l4proto);
+			nfct_set_attr_u16(expected, ATTR_PORT_SRC, 0x0000);
+			nfct_set_attr_u8(mask, ATTR_L4PROTO, l4proto);
+			nfct_set_attr_u16(mask, ATTR_PORT_SRC, 0x0000);
+			break;
+		default:
+			break;
+		}
+	}
+
+	switch(nfct_get_attr_u8(master, ATTR_L3PROTO)) {
+	uint32_t addr[4] = {};
+	int i;
+
+	case AF_INET:
+		nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET);
+		nfct_set_attr_u32(expected, ATTR_IPV4_DST, daddr->ip);
+		nfct_set_attr_u32(mask, ATTR_IPV4_DST, 0xffffffff);
+		break;
+	case AF_INET6:
+		nfct_set_attr_u8(expected, ATTR_L3PROTO, AF_INET6);
+		nfct_set_attr(expected, ATTR_IPV6_DST, daddr->ip6);
+
+		for (i=0; i<4; i++)
+			memset(addr, 0xffffffff, sizeof(uint32_t));
+
+		nfct_set_attr(mask, ATTR_IPV6_DST, addr);
+		break;
+	default:
+		break;
+	}
+
+	switch(l4proto) {
+	case IPPROTO_TCP:
+	case IPPROTO_UDP:
+		nfct_set_attr_u8(expected, ATTR_L4PROTO, l4proto);
+		nfct_set_attr_u16(expected, ATTR_PORT_DST, *dport);
+		nfct_set_attr_u8(mask, ATTR_L4PROTO, l4proto);
+		nfct_set_attr_u16(mask, ATTR_PORT_DST, 0xffff);
+		break;
+	default:
+		break;
+	}
+
+	nfexp_set_attr(exp, ATTR_EXP_MASTER, master);
+	nfexp_set_attr(exp, ATTR_EXP_EXPECTED, expected);
+	nfexp_set_attr(exp, ATTR_EXP_MASK, mask);
+
+	nfct_destroy(expected);
+	nfct_destroy(mask);
+
+	return 0;
+}
+
+static int cthelper_expect_cmd(struct nf_expect *exp, int cmd)
+{
+	int ret;
+	struct nfct_handle *h;
+
+	h = nfct_open(EXPECT, 0);
+	if (!h)
+		return -1;
+
+	ret = nfexp_query(h, cmd, exp);
+
+	nfct_close(h);
+	return ret;
+}
+
+int cthelper_add_expect(struct nf_expect *exp)
+{
+	return cthelper_expect_cmd(exp, NFCT_Q_CREATE);
+}
+
+int cthelper_del_expect(struct nf_expect *exp)
+{
+	return cthelper_expect_cmd(exp, NFCT_Q_DESTROY);
+}
+
+void
+cthelper_get_addr_src(struct nf_conntrack *ct, int dir,
+		      union nfct_attr_grp_addr *addr)
+{
+	switch (dir) {
+	case MYCT_DIR_ORIG:
+		nfct_get_attr_grp(ct, ATTR_GRP_ORIG_ADDR_SRC, addr);
+		break;
+	case MYCT_DIR_REPL:
+		nfct_get_attr_grp(ct, ATTR_GRP_REPL_ADDR_SRC, addr);
+		break;
+	}
+}
+
+void
+cthelper_get_addr_dst(struct nf_conntrack *ct, int dir,
+		      union nfct_attr_grp_addr *addr)
+{
+	switch (dir) {
+	case MYCT_DIR_ORIG:
+		nfct_get_attr_grp(ct, ATTR_GRP_ORIG_ADDR_DST, addr);
+		break;
+	case MYCT_DIR_REPL:
+		nfct_get_attr_grp(ct, ATTR_GRP_REPL_ADDR_DST, addr);
+		break;
+	}
+}
diff --git a/src/fds.c b/src/fds.c
index 347eee1..0b95437 100644
--- a/src/fds.c
+++ b/src/fds.c
@@ -1,5 +1,5 @@
 /*
- * (C) 2006-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2006-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -14,9 +14,16 @@
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ *
+ * Part of this code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
  */
 #include <stdlib.h>
 #include <string.h>
+#include <errno.h>
+#include <signal.h>
+
+#include "conntrackd.h"
+#include "date.h"
 #include "fds.h"
 
 struct fds *create_fds(void)
@@ -44,7 +51,7 @@ void destroy_fds(struct fds *fds)
 	free(fds);
 }
 
-int register_fd(int fd, struct fds *fds)
+int register_fd(int fd, void (*cb)(void *data), void *data, struct fds *fds)
 {
 	struct fds_item *item;
 	
@@ -58,7 +65,10 @@ int register_fd(int fd, struct fds *fds)
 		return -1;
 
 	item->fd = fd;
-	list_add(&item->head, &fds->list);
+	item->cb = cb;
+	item->data = data;
+	/* Order matters: the descriptors are served in FIFO basis. */
+	list_add_tail(&item->head, &fds->list);
 
 	return 0;
 }
@@ -92,3 +102,48 @@ int unregister_fd(int fd, struct fds *fds)
 	return 0;
 }
 
+static void select_main_step(struct timeval *next_alarm)
+{
+	int ret;
+	fd_set readfds = STATE(fds)->readfds;
+	struct fds_item *cur, *tmp;
+
+	ret = select(STATE(fds)->maxfd + 1, &readfds, NULL, NULL, next_alarm);
+	if (ret == -1) {
+		/* interrupted syscall, retry */
+		if (errno == EINTR)
+			return;
+
+		STATE(stats).select_failed++;
+		return;
+	}
+
+	/* signals are racy */
+	sigprocmask(SIG_BLOCK, &STATE(block), NULL);
+
+	list_for_each_entry_safe(cur, tmp, &STATE(fds)->list, head) {
+		if (FD_ISSET(cur->fd, &readfds))
+			cur->cb(cur->data);
+	}
+
+	sigprocmask(SIG_UNBLOCK, &STATE(block), NULL);
+}
+
+void __attribute__((noreturn)) select_main_loop(void)
+{
+	struct timeval next_alarm;
+	struct timeval *next = NULL;
+
+	while(1) {
+		do_gettimeofday();
+
+		sigprocmask(SIG_BLOCK, &STATE(block), NULL);
+		if (next != NULL && !timerisset(next))
+			next = do_alarm_run(&next_alarm);
+		else
+			next = get_next_alarm_run(&next_alarm);
+		sigprocmask(SIG_UNBLOCK, &STATE(block), NULL);
+
+		select_main_step(next);
+	}
+}
diff --git a/src/filter.c b/src/filter.c
index afefbfa..39dd4ca 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -1,6 +1,7 @@
 /*
- * (C) 2006-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
- * 
+ * (C) 2006-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2011-2012 by Vyatta Inc <http://www.vyatta.com>
+ *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
@@ -449,7 +450,7 @@ int exp_filter_add(struct exp_filter *f, const char *helper_name)
 		return -1;
 
 	list_for_each_entry(item, &f->list, head) {
-		if (strncmp(item->helper_name, helper_name,
+		if (strncasecmp(item->helper_name, helper_name,
 				NFCT_HELPER_NAME_MAX) == 0) {
 			return -1;
 		}
@@ -475,7 +476,7 @@ int exp_filter_find(struct exp_filter *f, const struct nf_expect *exp)
 		const char *name = nfexp_get_attr(exp, ATTR_EXP_HELPER_NAME);
 
 		/* we allow partial matching to support things like sip-PORT. */
-		if (strncmp(item->helper_name, name,
+		if (strncasecmp(item->helper_name, name,
 				strlen(item->helper_name)) == 0) {
 			return 1;
 		}
diff --git a/src/helpers.c b/src/helpers.c
new file mode 100644
index 0000000..3e4e6c8
--- /dev/null
+++ b/src/helpers.c
@@ -0,0 +1,76 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation (or any later at your option).
+ *
+ * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ */
+
+#include "helper.h"
+
+#include <stdio.h>
+#include <string.h>
+#include <limits.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <dlfcn.h>
+
+static LIST_HEAD(helper_list);
+
+void helper_register(struct ctd_helper *helper)
+{
+	list_add(&helper->head, &helper_list);
+}
+
+static struct ctd_helper *
+__helper_find(const char *helper_name, uint8_t l4proto)
+{
+	struct ctd_helper *cur, *helper = NULL;
+
+	list_for_each_entry(cur, &helper_list, head) {
+		if (strncmp(cur->name, helper_name, CTD_HELPER_NAME_LEN) != 0)
+			continue;
+
+		if (cur->l4proto != l4proto)
+			continue;
+
+		helper = cur;
+		break;
+	}
+	return helper;
+}
+
+struct ctd_helper *
+helper_find(const char *libdir_path,
+	    const char *helper_name, uint8_t l4proto, int flag)
+{
+	char path[PATH_MAX];
+	struct ctd_helper *helper;
+	struct stat sb;
+
+	helper = __helper_find(helper_name, l4proto);
+	if (helper != NULL)
+		return helper;
+
+	snprintf(path, sizeof(path), "%s/ct_helper_%s.so",
+		libdir_path, helper_name);
+
+	if (stat(path, &sb) != 0) {
+		if (errno == ENOENT)
+			return NULL;
+		fprintf(stderr, "%s: %s\n", path,
+			strerror(errno));
+		return NULL;
+	}
+
+	if (dlopen(path, flag) == NULL) {
+		fprintf(stderr, "%s: %s\n", path, dlerror());
+		return NULL;
+	}
+
+	return __helper_find(helper_name, l4proto);
+}
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
new file mode 100644
index 0000000..589b4f3
--- /dev/null
+++ b/src/helpers/Makefile.am
@@ -0,0 +1,17 @@
+include $(top_srcdir)/Make_global.am
+
+pkglib_LTLIBRARIES = ct_helper_ftp.la	\
+		     ct_helper_rpc.la	\
+		     ct_helper_tns.la
+
+ct_helper_ftp_la_SOURCES = ftp.c
+ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
+ct_helper_rpc_la_SOURCES = rpc.c
+ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
+
+ct_helper_tns_la_SOURCES = tns.c
+ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
+ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
new file mode 100644
index 0000000..c6ad7da
--- /dev/null
+++ b/src/helpers/ftp.c
@@ -0,0 +1,599 @@
+/*
+ * (C) 2010-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Based on: kernel-space FTP extension for connection tracking.
+ *
+ * This port has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ *
+ * Original copyright notice:
+ *
+ * (C) 1999-2001 Paul `Rusty' Russell
+ * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
+ * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "network.h"	/* for before and after */
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <ctype.h>	/* for isdigit */
+#include <errno.h>
+
+#include <netinet/tcp.h>
+
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+static bool loose; /* XXX: export this as config option. */
+
+#define NUM_SEQ_TO_REMEMBER 2
+
+/* This structure exists only once per master */
+struct ftp_info {
+	/* Valid seq positions for cmd matching after newline */
+	uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
+	/* 0 means seq_match_aft_nl not set */
+	int seq_aft_nl_num[MYCT_DIR_MAX];
+};
+
+enum nf_ct_ftp_type {
+	/* PORT command from client */
+	NF_CT_FTP_PORT,
+	/* PASV response from server */
+	NF_CT_FTP_PASV,
+	/* EPRT command from client */
+	NF_CT_FTP_EPRT,
+	/* EPSV response from server */
+	NF_CT_FTP_EPSV,
+};
+
+static int
+get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term)
+{
+	const char *end;
+	int ret = in6_pton(src, min_t(size_t, dlen, 0xffff),
+				(uint8_t *)dst, term, &end);
+	if (ret > 0)
+		return (int)(end - src);
+	return 0;
+}
+
+static int try_number(const char *data, size_t dlen, uint32_t array[],
+		      int array_size, char sep, char term)
+{
+	uint32_t len;
+	int i;
+
+	memset(array, 0, sizeof(array[0])*array_size);
+
+	/* Keep data pointing at next char. */
+	for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
+		if (*data >= '0' && *data <= '9') {
+			array[i] = array[i]*10 + *data - '0';
+		}
+		else if (*data == sep)
+			i++;
+		else {
+			/* Unexpected character; true if it's the
+			   terminator and we're finished. */
+			if (*data == term && i == array_size - 1)
+				return len;
+			pr_debug("Char %u (got %u nums) `%u' unexpected\n",
+				 len, i, *data);
+			return 0;
+		}
+	}
+	pr_debug("Failed to fill %u numbers separated by %c\n",
+		 array_size, sep);
+	return 0;
+}
+
+/* Grab port: number up to delimiter */
+static int get_port(const char *data, int start, size_t dlen, char delim,
+		    struct myct_man *cmd)
+{
+	uint16_t tmp_port = 0;
+	uint32_t i;
+
+	for (i = start; i < dlen; i++) {
+		/* Finished? */
+		if (data[i] == delim) {
+			if (tmp_port == 0)
+				break;
+			cmd->u.port = htons(tmp_port);
+			pr_debug("get_port: return %d\n", tmp_port);
+			return i + 1;
+		}
+		else if (data[i] >= '0' && data[i] <= '9')
+			tmp_port = tmp_port*10 + data[i] - '0';
+		else { /* Some other crap */
+			pr_debug("get_port: invalid char.\n");
+			break;
+		}
+	}
+	return 0;
+}
+
+/* Returns 0, or length of numbers: 192,168,1,1,5,6 */
+static int try_rfc959(const char *data, size_t dlen, struct myct_man *cmd,
+		      uint16_t l3protonum, char term)
+{
+	int length;
+	uint32_t array[6];
+
+	length = try_number(data, dlen, array, 6, ',', term);
+	if (length == 0)
+		return 0;
+
+	cmd->u3.ip =  htonl((array[0] << 24) | (array[1] << 16) |
+			   (array[2] << 8) | array[3]);
+	cmd->u.port = htons((array[4] << 8) | array[5]);
+	return length;
+}
+
+/* Returns 0, or length of numbers: |1|132.235.1.2|6275| or |2|3ffe::1|6275| */
+static int try_eprt(const char *data, size_t dlen,
+		    struct myct_man *cmd, uint16_t l3protonum, char term)
+{
+	char delim;
+	int length;
+
+	/* First character is delimiter, then "1" for IPv4 or "2" for IPv6,
+	   then delimiter again. */
+	if (dlen <= 3) {
+		pr_debug("EPRT: too short\n");
+		return 0;
+	}
+	delim = data[0];
+	if (isdigit(delim) || delim < 33 || delim > 126 || data[2] != delim) {
+		pr_debug("try_eprt: invalid delimitter.\n");
+		return 0;
+	}
+
+	if ((l3protonum == PF_INET && data[1] != '1') ||
+	    (l3protonum == PF_INET6 && data[1] != '2')) {
+		pr_debug("EPRT: invalid protocol number.\n");
+		return 0;
+	}
+
+	pr_debug("EPRT: Got %c%c%c\n", delim, data[1], delim);
+	if (data[1] == '1') {
+		uint32_t array[4];
+
+		/* Now we have IP address. */
+		length = try_number(data + 3, dlen - 3, array, 4, '.', delim);
+		if (length != 0)
+			cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16)
+					   | (array[2] << 8) | array[3]);
+	} else {
+		/* Now we have IPv6 address. */
+		length = get_ipv6_addr(data + 3, dlen - 3,
+				       (struct in6_addr *)cmd->u3.ip6, delim);
+	}
+
+	if (length == 0)
+		return 0;
+	pr_debug("EPRT: Got IP address!\n");
+	/* Start offset includes initial "|1|", and trailing delimiter */
+	return get_port(data, 3 + length + 1, dlen, delim, cmd);
+}
+
+/* Returns 0, or length of numbers: |||6446| */
+static int try_epsv_response(const char *data, size_t dlen,
+			     struct myct_man *cmd,
+			     uint16_t l3protonum, char term)
+{
+	char delim;
+
+	/* Three delimiters. */
+	if (dlen <= 3) return 0;
+	delim = data[0];
+	if (isdigit(delim) || delim < 33 || delim > 126 ||
+	    data[1] != delim || data[2] != delim)
+		return 0;
+
+	return get_port(data, 3, dlen, delim, cmd);
+}
+
+static struct ftp_search {
+	const char *pattern;
+	size_t plen;
+	char skip;
+	char term;
+	enum nf_ct_ftp_type ftptype;
+	int (*getnum)(const char *, size_t, struct myct_man *, uint16_t, char);
+} search[MYCT_DIR_MAX][2] = {
+	[MYCT_DIR_ORIG] = {
+		{
+			.pattern	= "PORT",
+			.plen		= sizeof("PORT") - 1,
+			.skip		= ' ',
+			.term		= '\r',
+			.ftptype	= NF_CT_FTP_PORT,
+			.getnum		= try_rfc959,
+		},
+		{
+			.pattern	= "EPRT",
+			.plen		= sizeof("EPRT") - 1,
+			.skip		= ' ',
+			.term		= '\r',
+			.ftptype	= NF_CT_FTP_EPRT,
+			.getnum		= try_eprt,
+		},
+	},
+	[MYCT_DIR_REPL] = {
+		{
+			.pattern	= "227 ",
+			.plen		= sizeof("227 ") - 1,
+			.skip		= '(',
+			.term		= ')',
+			.ftptype	= NF_CT_FTP_PASV,
+			.getnum		= try_rfc959,
+		},
+		{
+			.pattern	= "229 ",
+			.plen		= sizeof("229 ") - 1,
+			.skip		= '(',
+			.term		= ')',
+			.ftptype	= NF_CT_FTP_EPSV,
+			.getnum		= try_epsv_response,
+		},
+	},
+};
+
+static int ftp_find_pattern(struct pkt_buff *pkt,
+			    unsigned int dataoff, unsigned int dlen,
+			    const char *pattern, size_t plen,
+			    char skip, char term,
+			    unsigned int *matchoff, unsigned int *matchlen,
+			    struct myct_man *cmd,
+			    int (*getnum)(const char *, size_t,
+					  struct myct_man *cmd,
+					  uint16_t, char),
+			    int dir)
+{
+	char *data = (char *)pktb_network_header(pkt) + dataoff;
+	int numlen;
+	uint32_t i;
+
+	if (dlen == 0)
+		return 0;
+
+	/* short packet, skip partial matching. */
+	if (dlen <= plen)
+		return 0;
+
+	if (strncmp(data, pattern, plen) != 0)
+		return 0;
+
+	pr_debug("Pattern matches!\n");
+
+	/* Now we've found the constant string, try to skip
+	   to the 'skip' character */
+	for (i = plen; data[i] != skip; i++)
+		if (i == dlen - 1) return 0;
+
+	/* Skip over the last character */
+	i++;
+
+	pr_debug("Skipped up to `%c'!\n", skip);
+
+	numlen = getnum(data + i, dlen - i, cmd, PF_INET, term);
+	if (!numlen)
+		return 0;
+
+	pr_debug("Match succeded!\n");
+	return 1;
+}
+
+/* Look up to see if we're just after a \n. */
+static int find_nl_seq(uint32_t seq, struct ftp_info *info, int dir)
+{
+	int i;
+
+	for (i = 0; i < info->seq_aft_nl_num[dir]; i++)
+		if (info->seq_aft_nl[dir][i] == seq)
+			return 1;
+	return 0;
+}
+
+/* We don't update if it's older than what we have. */
+static void update_nl_seq(uint32_t nl_seq, struct ftp_info *info, int dir)
+{
+	int i, oldest;
+
+	/* Look for oldest: if we find exact match, we're done. */
+	for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
+		if (info->seq_aft_nl[dir][i] == nl_seq)
+			return;
+	}
+
+	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
+		info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
+	} else {
+		if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1]))
+			oldest = 0;
+		else
+			oldest = 1;
+
+		if (after(nl_seq, info->seq_aft_nl[dir][oldest]))
+			info->seq_aft_nl[dir][oldest] = nl_seq;
+	}
+}
+
+static int nf_nat_ftp_fmt_cmd(enum nf_ct_ftp_type type,
+			      char *buffer, size_t buflen,
+			      uint32_t addr, uint16_t port)
+{
+	switch (type) {
+	case NF_CT_FTP_PORT:
+	case NF_CT_FTP_PASV:
+		return snprintf(buffer, buflen, "%u,%u,%u,%u,%u,%u",
+				((unsigned char *)&addr)[0],
+				((unsigned char *)&addr)[1],
+				((unsigned char *)&addr)[2],
+				((unsigned char *)&addr)[3],
+				port >> 8,
+				port & 0xFF);
+	case NF_CT_FTP_EPRT:
+		return snprintf(buffer, buflen, "|1|%pI4|%u|", &addr, port);
+	case NF_CT_FTP_EPSV:
+		return snprintf(buffer, buflen, "|||%u|", port);
+	}
+
+	return 0;
+}
+
+/* So, this packet has hit the connection tracking matching code.
+   Mangle it, and change the expectation to match the new version. */
+static unsigned int nf_nat_ftp(struct pkt_buff *pkt,
+			       int dir,
+			       int ctinfo,
+			       enum nf_ct_ftp_type type,
+			       unsigned int matchoff,
+			       unsigned int matchlen,
+			       struct nf_conntrack *ct,
+			       struct nf_expect *exp)
+{
+	union nfct_attr_grp_addr newip;
+	uint16_t port;
+	char buffer[sizeof("|1|255.255.255.255|65535|")];
+	unsigned int buflen;
+	const struct nf_conntrack *expected;
+	struct nf_conntrack *nat_tuple;
+	uint16_t initial_port;
+
+	pr_debug("FTP_NAT: type %i, off %u len %u\n", type, matchoff, matchlen);
+
+	/* Connection will come from wherever this packet goes, hence !dir */
+	cthelper_get_addr_dst(ct, !dir, &newip);
+
+	expected = nfexp_get_attr(exp, ATTR_EXP_EXPECTED);
+
+	nat_tuple = nfct_new();
+	if (nat_tuple == NULL)
+		return NF_ACCEPT;
+
+	initial_port = nfct_get_attr_u16(expected, ATTR_PORT_DST);
+
+	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, !dir);
+
+	/* libnetfilter_conntrack needs this */
+	nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+	nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, IPPROTO_TCP);
+	nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+	/* When you see the packet, we need to NAT it the same as the
+	 * this one. */
+	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+
+	/* Try to get same port: if not, try to change it. */
+	for (port = ntohs(initial_port); port != 0; port++) {
+		int ret;
+
+		nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC, htons(port));
+		nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+		ret = cthelper_add_expect(exp);
+		if (ret == 0)
+			break;
+		else if (ret != -EBUSY) {
+			port = 0;
+			break;
+		}
+	}
+
+	if (port == 0)
+		return NF_DROP;
+
+	buflen = nf_nat_ftp_fmt_cmd(type, buffer, sizeof(buffer),
+					newip.ip, port);
+	if (!buflen)
+		goto out;
+
+	if (!nfq_tcp_mangle(pkt, matchoff, matchlen, buffer, buflen))
+		goto out;
+
+	return NF_ACCEPT;
+
+out:
+	cthelper_del_expect(exp);
+	return NF_DROP;
+}
+
+static int
+ftp_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+	      struct myct *myct, uint32_t ctinfo)
+{
+	struct tcphdr *th;
+	unsigned int dataoff;
+	unsigned int matchoff = 0, matchlen = 0; /* makes gcc happy. */
+	unsigned int datalen;
+	unsigned int i;
+	int found = 0, ends_in_nl;
+	uint32_t seq;
+	int ret = NF_ACCEPT;
+	struct myct_man cmd;
+	union nfct_attr_grp_addr addr;
+	union nfct_attr_grp_addr daddr;
+	int dir = CTINFO2DIR(ctinfo);
+	struct ftp_info *ftp_info = myct->priv_data;
+	struct nf_expect *exp = NULL;
+
+	memset(&cmd, 0, sizeof(struct myct_man));
+	memset(&addr, 0, sizeof(union nfct_attr_grp_addr));
+
+	/* Until there's been traffic both ways, don't look in packets. */
+	if (ctinfo != IP_CT_ESTABLISHED &&
+	    ctinfo != IP_CT_ESTABLISHED_REPLY) {
+		pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);
+		goto out;
+	}
+
+	th = (struct tcphdr *) (pktb_network_header(pkt) + protoff);
+
+	dataoff = protoff + th->doff * 4;
+	datalen = pktb_len(pkt) - dataoff;
+
+	ends_in_nl = (pktb_network_header(pkt)[pktb_len(pkt) - 1] == '\n');
+	seq = ntohl(th->seq) + datalen;
+
+	/* Look up to see if we're just after a \n. */
+	if (!find_nl_seq(ntohl(th->seq), ftp_info, dir)) {
+		/* Now if this ends in \n, update ftp info. */
+		pr_debug("nf_conntrack_ftp: wrong seq pos %s(%u) or %s(%u)\n",
+		ftp_info->seq_aft_nl_num[dir] > 0 ? "" : "(UNSET)",
+		ftp_info->seq_aft_nl[dir][0],
+		ftp_info->seq_aft_nl_num[dir] > 1 ? "" : "(UNSET)",
+		ftp_info->seq_aft_nl[dir][1]);
+		goto out_update_nl;
+	}
+
+	/* Initialize IP/IPv6 addr to expected address (it's not mentioned
+	   in EPSV responses) */
+	cmd.l3num = nfct_get_attr_u16(myct->ct, ATTR_L3PROTO);
+	nfct_get_attr_grp(myct->ct, ATTR_GRP_ORIG_ADDR_SRC, &cmd.u3);
+
+	for (i = 0; i < ARRAY_SIZE(search[dir]); i++) {
+		found = ftp_find_pattern(pkt, dataoff, datalen,
+					 search[dir][i].pattern,
+					 search[dir][i].plen,
+					 search[dir][i].skip,
+					 search[dir][i].term,
+					 &matchoff, &matchlen,
+					 &cmd,
+					 search[dir][i].getnum,
+					 dir);
+		if (found) break;
+	}
+	if (found == 0) /* No match */
+		goto out_update_nl;
+
+	pr_debug("conntrack_ftp: match `%.*s' (%u bytes at %u)\n",
+		 matchlen, pktb_network_header(pkt) + matchoff,
+		 matchlen, ntohl(th->seq) + matchoff);
+
+	/* We refer to the reverse direction ("!dir") tuples here,
+	 * because we're expecting something in the other direction.
+	 * Doesn't matter unless NAT is happening.  */
+	cthelper_get_addr_dst(myct->ct, !dir, &daddr);
+
+	cthelper_get_addr_src(myct->ct, dir, &addr);
+
+	/* Update the ftp info */
+	if ((cmd.l3num == nfct_get_attr_u16(myct->ct, ATTR_L3PROTO)) &&
+	    memcmp(&cmd.u3, &addr, sizeof(addr)) != 0) {
+		/* Enrico Scholz's passive FTP to partially RNAT'd ftp
+		   server: it really wants us to connect to a
+		   different IP address.  Simply don't record it for
+		   NAT. */
+		if (cmd.l3num == PF_INET) {
+			pr_debug("conntrack_ftp: NOT RECORDING: %pI4 != %pI4\n",
+				 &cmd.u3.ip, &addr);
+		} else {
+			pr_debug("conntrack_ftp: NOT RECORDING: %pI6 != %pI6\n",
+				 cmd.u3.ip6, &addr);
+		}
+		/* Thanks to Cristiano Lincoln Mattos
+		   <lincoln@cesar.org.br> for reporting this potential
+		   problem (DMZ machines opening holes to internal
+		   networks, or the packet filter itself). */
+		if (!loose) {
+			ret = NF_ACCEPT;
+			goto out;
+		}
+		memcpy(&daddr, &cmd.u3, sizeof(cmd.u3));
+	}
+
+	exp = nfexp_new();
+	if (exp == NULL)
+		goto out_update_nl;
+
+	cthelper_get_addr_src(myct->ct, !dir, &addr);
+
+	if (cthelper_expect_init(exp, myct->ct, 0, &addr, &daddr, IPPROTO_TCP,
+				 NULL, &cmd.u.port)) {
+		pr_debug("conntrack_ftp: failed to init expectation\n");
+		goto out_update_nl;
+	}
+
+	/* Now, NAT might want to mangle the packet, and register the
+	 * (possibly changed) expectation itself. */
+	if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK) {
+		ret = nf_nat_ftp(pkt, dir, ctinfo, search[dir][i].ftptype,
+				 matchoff, matchlen, myct->ct, exp);
+		goto out_update_nl;
+	}
+
+	/* Can't expect this?  Best to drop packet now. */
+	if (cthelper_add_expect(exp) < 0) {
+		pr_debug("conntrack_ftp: cannot add expectation: %s\n",
+			strerror(errno));
+		ret = NF_DROP;
+		goto out_update_nl;
+	}
+
+out_update_nl:
+	if (exp != NULL)
+		nfexp_destroy(exp);
+
+	/* Now if this ends in \n, update ftp info.  Seq may have been
+	 * adjusted by NAT code. */
+	if (ends_in_nl)
+		update_nl_seq(seq, ftp_info, dir);
+out:
+	return ret;
+}
+
+static struct ctd_helper ftp_helper = {
+	.name		= "ftp",
+	.l4proto	= IPPROTO_TCP,
+	.cb		= ftp_helper_cb,
+	.priv_data_len	= sizeof(struct ftp_info),
+	.policy		= {
+		[0] = {
+			.name			= "ftp",
+			.expect_max		= 1,
+			.expect_timeout		= 300,
+		},
+	},
+};
+
+void __attribute__ ((constructor)) ftp_init(void);
+
+void ftp_init(void)
+{
+	helper_register(&ftp_helper);
+}
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
new file mode 100644
index 0000000..97c1b35
--- /dev/null
+++ b/src/helpers/rpc.c
@@ -0,0 +1,488 @@
+/*
+ * (C) 2012 by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Based on: RPC extension for conntrack.
+ *
+ * This port has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ *
+ * Original copyright notice:
+ *
+ * (C) 2000 by Marcelo Barbosa Lima <marcelo.lima@dcc.unicamp.br>
+ * (C) 2001 by Rusty Russell <rusty@rustcorp.com.au>
+ * (C) 2002,2003 by Ian (Larry) Latter <Ian.Latter@mq.edu.au>
+ * (C) 2004,2005 by David Stes <stes@pandora.be>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "network.h"	/* for before and after */
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <errno.h>
+
+#include <rpc/rpc_msg.h>
+#include <rpc/pmap_prot.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+/* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
+/* RFC 1014: XDR: External Data Representation Standard */
+#define SUPPORTED_RPC_VERSION	2
+
+struct rpc_info {
+	/* XID */
+	uint32_t xid;
+	/* program */
+	uint32_t pm_prog;
+	/* program version */
+	uint32_t pm_vers;
+	/* transport protocol: TCP|UDP */
+	uint32_t pm_prot;
+};
+
+/* So, this packet has hit the connection tracking matching code.
+   Mangle it, and change the expectation to match the new version. */
+static unsigned int
+nf_nat_rpc(struct pkt_buff *pkt, int dir, struct nf_expect *exp,
+	   uint8_t proto, uint32_t *port_ptr)
+{
+	const struct nf_conntrack *expected;
+	struct nf_conntrack *nat_tuple;
+	uint16_t initial_port, port;
+
+	expected = nfexp_get_attr(exp, ATTR_EXP_EXPECTED);
+
+	nat_tuple = nfct_new();
+	if (nat_tuple == NULL)
+		return NF_ACCEPT;
+
+	initial_port = nfct_get_attr_u16(expected, ATTR_PORT_DST);
+
+	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, !dir);
+
+	/* libnetfilter_conntrack needs this */
+	nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+	nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, proto);
+	nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+	/* When you see the packet, we need to NAT it the same as the
+	 * this one. */
+	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+
+	/* Try to get same port: if not, try to change it. */
+	for (port = ntohs(initial_port); port != 0; port++) {
+		int ret;
+
+		nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC, htons(port));
+		nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+		ret = cthelper_add_expect(exp);
+		if (ret == 0)
+			break;
+		else if (ret != -EBUSY) {
+			port = 0;
+			break;
+		}
+	}
+	nfct_destroy(nat_tuple);
+
+	if (port == 0)
+		return NF_DROP;
+
+	*port_ptr = htonl(port);
+
+	return NF_ACCEPT;
+}
+
+#define OFFSET(o, n)	((o) += n)
+#define ROUNDUP(n)	((((n) + 3)/4)*4)
+
+static int
+rpc_call(const uint32_t *data, uint32_t offset, uint32_t datalen,
+	 struct rpc_info *rpc_info)
+{
+	uint32_t p, r;
+
+	/* RPC CALL message body */
+
+	/* call_body {
+	 *	rpcvers
+	 *	prog
+	 *	vers
+	 *	proc
+	 *	opaque_auth cred
+	 *	opaque_auth verf
+	 *	pmap
+	 * }
+	 *
+	 * opaque_auth {
+	 *	flavour
+	 *	opaque[len] <= MAX_AUTH_BYTES
+	 * }
+	 */
+	if (datalen < OFFSET(offset, 4*4 + 2*2*4)) {
+		pr_debug("RPC CALL: too short packet: %u < %u\n",
+			 datalen, offset);
+		return -1;
+	}
+	/* Check rpcversion */
+	p = IXDR_GET_INT32(data);
+	if (p != SUPPORTED_RPC_VERSION) {
+		pr_debug("RPC CALL: wrong rpcvers %u != %u\n",
+			 p, SUPPORTED_RPC_VERSION);
+		return -1;
+	}
+	/* Skip non-portmap requests */
+	p = IXDR_GET_INT32(data);
+	if (p != PMAPPROG) {
+		pr_debug("RPC CALL: not portmap %u != %lu\n",
+			 p, PMAPPROG);
+		return -1;
+	}
+	/* Check portmap version */
+	p = IXDR_GET_INT32(data);
+	if (p != PMAPVERS) {
+		pr_debug("RPC CALL: wrong portmap version %u != %lu\n",
+			 p, PMAPVERS);
+		return -1;
+	}
+	/* Skip non PMAPPROC_GETPORT requests */
+	p = IXDR_GET_INT32(data);
+	if (p != PMAPPROC_GETPORT) {
+		pr_debug("RPC CALL: not PMAPPROC_GETPORT %u != %lu\n",
+			 p, PMAPPROC_GETPORT);
+		return -1;
+	}
+	/* Check and skip credentials */
+	r = IXDR_GET_INT32(data);
+	p = IXDR_GET_INT32(data);
+	pr_debug("RPC CALL: cred: %u %u (%u, %u)\n",
+		 r, p, datalen, offset);
+	if (p > MAX_AUTH_BYTES) {
+		pr_debug("RPC CALL: invalid sized cred %u > %u\n",
+			 p, MAX_AUTH_BYTES);
+		return -1;
+	}
+	r = ROUNDUP(p);
+	if (datalen < OFFSET(offset, r)) {
+		pr_debug("RPC CALL: too short to carry cred: %u < %u, %u\n",
+			 datalen, offset, r);
+		return -1;
+	}
+	data += r/4;
+	/* Check and skip verifier */
+	r = IXDR_GET_INT32(data);
+	p = IXDR_GET_INT32(data);
+	pr_debug("RPC CALL: verf: %u %u (%u, %u)\n",
+		 r, p, datalen, offset);
+	if (p > MAX_AUTH_BYTES) {
+		pr_debug("RPC CALL: invalid sized verf %u > %u\n",
+			 p, MAX_AUTH_BYTES);
+		return -1;
+	}
+	r = ROUNDUP(p);
+	if (datalen < OFFSET(offset, r)) {
+		pr_debug("RPC CALL: too short to carry verf: %u < %u, %u\n",
+			 datalen, offset, r);
+		return -1;
+	}
+	data += r/4;
+	/* pmap {
+	 *	prog
+	 *	vers
+	 *	prot
+	 *	port
+	 * }
+	 */
+	/* Check CALL size */
+	if (datalen != offset + 4*4) {
+		pr_debug("RPC CALL: invalid size to carry pmap: %u != %u\n",
+			 datalen, offset + 4*4);
+		return -1;
+	}
+	rpc_info->pm_prog = IXDR_GET_INT32(data);
+	rpc_info->pm_vers = IXDR_GET_INT32(data);
+	rpc_info->pm_prot = IXDR_GET_INT32(data);
+	/* Check supported protocols */
+	if (!(rpc_info->pm_prot == IPPROTO_TCP
+	      || rpc_info->pm_prot == IPPROTO_UDP)) {
+		pr_debug("RPC CALL: unsupported protocol %u",
+			 rpc_info->pm_prot);
+		return -1;
+	}
+	p = IXDR_GET_INT32(data);
+	/* Check port: must be zero */
+	if (p != 0) {
+		pr_debug("RPC CALL: port is nonzero %u\n",
+			 ntohl(p));
+		return -1;
+	}
+	pr_debug("RPC CALL: processed: xid %u, prog %u, vers %u, prot %u\n",
+		 rpc_info->xid, rpc_info->pm_prog,
+		 rpc_info->pm_vers, rpc_info->pm_prot);
+
+	return 0;
+}
+
+static int
+rpc_reply(uint32_t *data, uint32_t offset, uint32_t datalen,
+	  struct rpc_info *rpc_info, uint32_t **port_ptr)
+{
+	uint16_t port;
+	uint32_t p, r;
+
+	/* RPC REPLY message body */
+
+	/* reply_body {
+	 *	reply_stat
+	 *	xdr_union {
+	 *		accepted_reply
+	 *		rejected_reply
+	 *	}
+	 * }
+	 * accepted_reply {
+	 *	opaque_auth verf
+	 *	accept_stat
+	 *	xdr_union {
+	 *		port
+	 *		struct mismatch_info
+	 *	}
+	 * }
+	 */
+
+	/* Check size: reply status */
+	if (datalen < OFFSET(offset, 4)) {
+		pr_debug("RPC REPL: too short, missing rp_stat: %u < %u\n",
+			 datalen, offset);
+		return -1;
+	}
+	p = IXDR_GET_INT32(data);
+	/* Check accepted request */
+	if (p != MSG_ACCEPTED) {
+		pr_debug("RPC REPL: not accepted %u != %u\n",
+			 p, MSG_ACCEPTED);
+		return -1;
+	}
+	/* Check and skip verifier */
+	if (datalen < OFFSET(offset, 2*4)) {
+		pr_debug("RPC REPL: too short, missing verf: %u < %u\n",
+			 datalen, offset);
+		return -1;
+	}
+	r = IXDR_GET_INT32(data);
+	p = IXDR_GET_INT32(data);
+	pr_debug("RPC REPL: verf: %u %u (%u, %u)\n",
+		 r, p, datalen, offset);
+	if (p > MAX_AUTH_BYTES) {
+		pr_debug("RPC REPL: invalid sized verf %u > %u\n",
+			 p, MAX_AUTH_BYTES);
+		return -1;
+	}
+	r = ROUNDUP(p);
+	/* verifier + ac_stat + port */
+	if (datalen != OFFSET(offset, r) + 2*4) {
+		pr_debug("RPC REPL: invalid size to carry verf and "
+			 "success: %u != %u\n",
+			 datalen, offset + 2*4);
+		return -1;
+	}
+	data += r/4;
+	/* Check success */
+	p = IXDR_GET_INT32(data);
+	if (p != SUCCESS) {
+		pr_debug("RPC REPL: not success %u != %u\n",
+			 p, SUCCESS);
+		return -1;
+	}
+	/* Get port */
+	*port_ptr = data;
+	port = IXDR_GET_INT32(data); /* -Wunused-but-set-parameter */
+	if (port == 0) {
+		pr_debug("RPC REPL: port is zero\n");
+		return -1;
+	}
+	pr_debug("RPC REPL: processed: xid %u, prog %u, vers %u, "
+		 "prot %u, port %u\n",
+		 rpc_info->xid, rpc_info->pm_prog, rpc_info->pm_vers,
+		 rpc_info->pm_prot, port);
+	return 0;
+}
+
+static int
+rpc_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+	      struct myct *myct, uint32_t ctinfo)
+{
+	int dir = CTINFO2DIR(ctinfo);
+	unsigned int offset = protoff, datalen;
+	uint32_t *data, *port_ptr = NULL, xid;
+	uint16_t port;
+	uint8_t proto = nfct_get_attr_u8(myct->ct, ATTR_L4PROTO);
+	enum msg_type rm_dir;
+	struct rpc_info *rpc_info = myct->priv_data;
+	union nfct_attr_grp_addr addr, daddr;
+	struct nf_expect *exp = NULL;
+	int ret = NF_ACCEPT;
+
+	/* Until there's been traffic both ways, don't look into TCP packets. */
+	if (proto == IPPROTO_TCP
+	    && ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_ESTABLISHED_REPLY) {
+		pr_debug("TCP RPC: Conntrackinfo = %u\n", ctinfo);
+		return ret;
+	}
+	if (proto == IPPROTO_TCP) {
+		struct tcphdr *th =
+			(struct tcphdr *) (pktb_network_header(pkt) + protoff);
+		offset += th->doff * 4;
+	} else {
+		offset += sizeof(struct udphdr);
+	}
+	/* Skip broken headers */
+	if (offset % 4) {
+		pr_debug("RPC: broken header: offset %u%%4 != 0\n", offset);
+		return ret;
+	}
+
+	/* Take into Record Fragment header */
+	if (proto == IPPROTO_TCP)
+		offset += 4;
+
+	datalen = pktb_len(pkt);
+	data = (uint32_t *)(pktb_network_header(pkt) + offset);
+
+	/* rpc_msg {
+	 *	xid
+	 *	direction
+	 *	xdr_union {
+	 *		call_body
+	 *		reply_body
+	 *	}
+	 * }
+	 */
+
+	 /* Check minimal msg size: xid + direction */
+	if (datalen < OFFSET(offset, 2*4)) {
+		pr_debug("RPC: too short packet: %u < %u\n",
+			 datalen, offset);
+		return ret;
+	}
+	xid = IXDR_GET_INT32(data);
+	rm_dir = IXDR_GET_INT32(data);
+
+	/* Check direction */
+	if (!((rm_dir == CALL && dir == MYCT_DIR_ORIG)
+	      || (rm_dir == REPLY && dir == MYCT_DIR_REPL))) {
+		pr_debug("RPC: rm_dir != dir %u != %u\n", rm_dir, dir);
+		goto out;
+	}
+
+	if (rm_dir == CALL) {
+		if (rpc_call(data, offset, datalen, rpc_info) < 0)
+			goto out;
+
+		rpc_info->xid = xid;
+
+		return ret;
+	} else {
+		/* Check XID */
+		if (xid != rpc_info->xid) {
+			pr_debug("RPC REPL: XID does not match: %u != %u\n",
+				 xid, rpc_info->xid);
+			goto out;
+		}
+		if (rpc_reply(data, offset, datalen, rpc_info, &port_ptr) < 0)
+			goto out;
+
+		port = IXDR_GET_INT32(port_ptr);
+		port = htons(port);
+
+		/* We refer to the reverse direction ("!dir") tuples here,
+		 * because we're expecting something in the other direction.
+		 * Doesn't matter unless NAT is happening.  */
+		cthelper_get_addr_dst(myct->ct, !dir, &daddr);
+		cthelper_get_addr_src(myct->ct, !dir, &addr);
+
+		exp = nfexp_new();
+		if (exp == NULL)
+			goto out;
+
+		if (cthelper_expect_init(exp, myct->ct, 0, &addr, &daddr,
+					 rpc_info->pm_prot,
+					 NULL, &port)) {
+			pr_debug("RPC: failed to init expectation\n");
+			goto out_exp;
+		}
+
+		/* Now, NAT might want to mangle the packet, and register the
+		 * (possibly changed) expectation itself. */
+		if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK) {
+			ret = nf_nat_rpc(pkt, dir, exp, rpc_info->pm_prot,
+					 port_ptr);
+			goto out_exp;
+		}
+
+		/* Can't expect this?  Best to drop packet now. */
+		if (cthelper_add_expect(exp) < 0) {
+			pr_debug("RPC: cannot add expectation: %s\n",
+				 strerror(errno));
+			ret = NF_DROP;
+		}
+	}
+
+out_exp:
+	nfexp_destroy(exp);
+out:
+	rpc_info->xid = 0;
+	return ret;
+}
+
+static struct ctd_helper rpc_helper_tcp = {
+	.name		= "rpc",
+	.l4proto	= IPPROTO_TCP,
+	.cb		= rpc_helper_cb,
+	.priv_data_len	= sizeof(struct rpc_info),
+	.policy		= {
+		{
+			.name			= "rpc",
+			.expect_max		= 1,
+			.expect_timeout		= 300,
+		},
+	},
+};
+
+static struct ctd_helper rpc_helper_udp = {
+	.name		= "rpc",
+	.l4proto	= IPPROTO_UDP,
+	.cb		= rpc_helper_cb,
+	.priv_data_len	= sizeof(struct rpc_info),
+	.policy		= {
+		{
+			.name			= "rpc",
+			.expect_max		= 1,
+			.expect_timeout		= 300,
+		},
+	},
+};
+
+void __attribute__ ((constructor)) rpc_init(void);
+
+void rpc_init(void)
+{
+	helper_register(&rpc_helper_tcp);
+	helper_register(&rpc_helper_udp);
+}
diff --git a/src/helpers/tns.c b/src/helpers/tns.c
new file mode 100644
index 0000000..77f01d9
--- /dev/null
+++ b/src/helpers/tns.c
@@ -0,0 +1,396 @@
+/*
+ * (C) 2012 by Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * Sponsored by Vyatta Inc. <http://www.vyatta.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include "conntrackd.h"
+#include "network.h"	/* for before and after */
+#include "helper.h"
+#include "myct.h"
+#include "log.h"
+
+#include <ctype.h>	/* for isdigit */
+#include <errno.h>
+
+#include <netinet/tcp.h>
+
+#include <libmnl/libmnl.h>
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+#include <libnetfilter_queue/libnetfilter_queue.h>
+#include <libnetfilter_queue/libnetfilter_queue_tcp.h>
+#include <libnetfilter_queue/pktbuff.h>
+#include <linux/netfilter.h>
+
+/* TNS SQL*Net Version 2 */
+enum tns_types {
+       TNS_TYPE_CONNECT        = 1,
+       TNS_TYPE_ACCEPT	       = 2,
+       TNS_TYPE_ACK	       = 3,
+       TNS_TYPE_REFUSE	       = 4,
+       TNS_TYPE_REDIRECT       = 5,
+       TNS_TYPE_DATA	       = 6,
+       TNS_TYPE_NULL	       = 7,
+       TNS_TYPE_ABORT	       = 9,
+       TNS_TYPE_RESEND	       = 11,
+       TNS_TYPE_MARKER	       = 12,
+       TNS_TYPE_ATTENTION      = 13,
+       TNS_TYPE_CONTROL        = 14,
+       TNS_TYPE_MAX	       = 19,
+};
+
+struct tns_header {
+       uint16_t len;
+       uint16_t csum;
+       uint8_t type;
+       uint8_t reserved;
+       uint16_t header_csum;
+};
+
+struct tns_redirect {
+       uint16_t data_len;
+};
+
+struct tns_info {
+       /* Scan next DATA|REDIRECT packet */
+       bool parse;
+};
+
+static int try_number(const char *data, size_t dlen, uint32_t array[],
+		      int array_size, char sep, char term)
+{
+	uint32_t len;
+	int i;
+
+	memset(array, 0, sizeof(array[0])*array_size);
+
+	/* Keep data pointing at next char. */
+	for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
+		if (*data >= '0' && *data <= '9') {
+			array[i] = array[i]*10 + *data - '0';
+		}
+		else if (*data == sep)
+			i++;
+		else {
+			/* Skip spaces. */
+			if (*data == ' ')
+				continue;
+			/* Unexpected character; true if it's the
+			   terminator and we're finished. */
+			if (*data == term && i == array_size - 1)
+				return len;
+			pr_debug("Char %u (got %u nums) `%c' unexpected\n",
+				 len, i, *data);
+			return 0;
+		}
+	}
+	pr_debug("Failed to fill %u numbers separated by %c\n",
+		 array_size, sep);
+	return 0;
+}
+
+/* Grab port: number up to delimiter */
+static int get_port(const char *data, size_t dlen, char delim,
+		    struct myct_man *cmd)
+{
+	uint16_t tmp_port = 0;
+	uint32_t i;
+
+	for (i = 0; i < dlen; i++) {
+		/* Finished? */
+		if (data[i] == delim) {
+			if (tmp_port == 0)
+				break;
+			cmd->u.port = htons(tmp_port);
+			pr_debug("get_port: return %d\n", tmp_port);
+			return i + 1;
+		}
+		else if (data[i] >= '0' && data[i] <= '9')
+			tmp_port = tmp_port*10 + data[i] - '0';
+		else if (data[i] == ' ') /* Skip spaces */
+			continue;
+		else { /* Some other crap */
+			pr_debug("get_port: invalid char `%c'\n", data[i]);
+			break;
+		}
+	}
+	return 0;
+}
+
+/* (ADDRESS=(PROTOCOL=tcp)(DEV=x)(HOST=a.b.c.d)(PORT=a)) */
+/* FIXME: handle hostnames */
+
+/* Returns 0, or length of port number */
+static unsigned int
+find_pattern(struct pkt_buff *pkt, unsigned int dataoff, size_t dlen,
+	     struct myct_man *cmd, unsigned int *numoff)
+{
+	const char *data = (const char *)pktb_network_header(pkt) + dataoff
+						+ sizeof(struct tns_header);
+	int length, offset;
+	uint32_t array[4];
+	const char *p;
+
+	p = strstr(data, "(");
+	if (!p)
+		return 0;
+
+	p = strstr(p+1, "HOST=");
+	if (!p) {
+		pr_debug("HOST= not found\n");
+		return 0;
+	}
+
+	offset = (int)(p - data) + strlen("HOST=");
+	*numoff = offset;
+	data += offset;
+
+	length = try_number(data, dlen - offset, array, 4, '.', ')');
+	if (length == 0)
+		return 0;
+
+	cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |
+			   (array[2] << 8) | array[3]);
+
+	p = strstr(data+length, "(");
+	if (!p)
+		return 0;
+
+	p = strstr(p, "PORT=");
+	if (!p) {
+		pr_debug("PORT= not found\n");
+		return 0;
+	}
+
+	p += strlen("PORT=");
+	return get_port(p, dlen - offset - length, ')', cmd);
+}
+
+static inline uint16_t
+nton(uint16_t len, unsigned int matchoff, unsigned int matchlen)
+{
+	uint32_t l = (uint32_t)ntohs(len) + matchoff - matchlen;
+
+	return htons(l);
+}
+
+/* So, this packet has hit the connection tracking matching code.
+   Mangle it, and change the expectation to match the new version. */
+static unsigned int
+nf_nat_tns(struct pkt_buff *pkt, struct tns_header *tns, struct nf_expect *exp,
+	   struct nf_conntrack *ct, int dir,
+	   unsigned int matchoff, unsigned int matchlen)
+{
+	union nfct_attr_grp_addr newip;
+	char buffer[sizeof("255.255.255.255)(PORT=65535)")];
+	unsigned int buflen;
+	const struct nf_conntrack *expected;
+	struct nf_conntrack *nat_tuple;
+	uint16_t initial_port, port;
+
+	/* Connection will come from wherever this packet goes, hence !dir */
+	cthelper_get_addr_dst(ct, !dir, &newip);
+
+	expected = nfexp_get_attr(exp, ATTR_EXP_EXPECTED);
+
+	nat_tuple = nfct_new();
+	if (nat_tuple == NULL)
+		return NF_ACCEPT;
+
+	initial_port = nfct_get_attr_u16(expected, ATTR_PORT_DST);
+
+	nfexp_set_attr_u32(exp, ATTR_EXP_NAT_DIR, !dir);
+
+	/* libnetfilter_conntrack needs this */
+	nfct_set_attr_u8(nat_tuple, ATTR_L3PROTO, AF_INET);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_SRC, 0);
+	nfct_set_attr_u32(nat_tuple, ATTR_IPV4_DST, 0);
+	nfct_set_attr_u8(nat_tuple, ATTR_L4PROTO, IPPROTO_TCP);
+	nfct_set_attr_u16(nat_tuple, ATTR_PORT_DST, 0);
+
+	/* When you see the packet, we need to NAT it the same as the
+	 * this one. */
+	nfexp_set_attr(exp, ATTR_EXP_FN, "nat-follow-master");
+
+	/* Try to get same port: if not, try to change it. */
+	for (port = ntohs(initial_port); port != 0; port++) {
+		int ret;
+
+		nfct_set_attr_u16(nat_tuple, ATTR_PORT_SRC, htons(port));
+		nfexp_set_attr(exp, ATTR_EXP_NAT_TUPLE, nat_tuple);
+
+		ret = cthelper_add_expect(exp);
+		if (ret == 0)
+			break;
+		else if (ret != -EBUSY) {
+			port = 0;
+			break;
+		}
+	}
+	nfct_destroy(nat_tuple);
+
+	if (port == 0)
+		return NF_DROP;
+
+	buflen = snprintf(buffer, sizeof(buffer),
+			  "%pI4)(PORT=%u)", &newip.ip, port);
+	if (!buflen)
+		goto out;
+
+	if (!nfq_tcp_mangle(pkt, matchoff, matchlen, buffer, buflen))
+		goto out;
+
+	if (buflen != matchlen) {
+		/* FIXME: recalculate checksum */
+		tns->csum = 0;
+		tns->header_csum = 0;
+
+		tns->len = nton(tns->len,  matchlen, buflen);
+		if (tns->type == TNS_TYPE_REDIRECT) {
+			struct tns_redirect *r;
+
+			r = (struct tns_redirect *)((char *)tns + sizeof(struct tns_header));
+
+			r->data_len = nton(r->data_len, matchlen, buflen);
+		}
+	}
+
+	return NF_ACCEPT;
+
+out:
+	cthelper_del_expect(exp);
+	return NF_DROP;
+}
+
+static int
+tns_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
+	      struct myct *myct, uint32_t ctinfo)
+{
+	struct tcphdr *th;
+	struct tns_header *tns;
+	int dir = CTINFO2DIR(ctinfo);
+	unsigned int dataoff, datalen, numoff = 0, numlen;
+	struct tns_info *tns_info = myct->priv_data;
+	union nfct_attr_grp_addr addr;
+	struct nf_expect *exp = NULL;
+	struct myct_man cmd;
+	int ret = NF_ACCEPT;
+
+	memset(&cmd, 0, sizeof(struct myct_man));
+	memset(&addr, 0, sizeof(union nfct_attr_grp_addr));
+
+	/* Until there's been traffic both ways, don't look into TCP packets. */
+	if (ctinfo != IP_CT_ESTABLISHED
+	    && ctinfo != IP_CT_ESTABLISHED_REPLY) {
+		pr_debug("TNS: Conntrackinfo = %u\n", ctinfo);
+		goto out;
+	}
+	/* Parse server direction only */
+	if (dir != MYCT_DIR_REPL) {
+		pr_debug("TNS: skip client direction\n");
+		goto out;
+	}
+
+	th = (struct tcphdr *) (pktb_network_header(pkt) + protoff);
+
+	dataoff = protoff + th->doff * 4;
+	datalen = pktb_len(pkt);
+
+	if (datalen < sizeof(struct tns_header)) {
+		pr_debug("TNS: skip packet with short header\n");
+		goto out;
+	}
+
+	tns = (struct tns_header *)(pktb_network_header(pkt) + dataoff);
+
+	if (tns->type == TNS_TYPE_REDIRECT) {
+		struct tns_redirect *redirect;
+
+		dataoff += sizeof(struct tns_header);
+		datalen -= sizeof(struct tns_header);
+		redirect = (struct tns_redirect *)(pktb_network_header(pkt) + dataoff);
+		tns_info->parse = false;
+
+		if (ntohs(redirect->data_len) == 0) {
+			tns_info->parse = true;
+			goto out;
+		}
+		goto parse;
+	}
+
+	/* Parse only the very next DATA packet */
+	if (!(tns_info->parse && tns->type == TNS_TYPE_DATA)) {
+		tns_info->parse = false;
+		goto out;
+	}
+parse:
+	numlen = find_pattern(pkt, dataoff, datalen, &cmd, &numoff);
+	tns_info->parse = false;
+	if (!numlen)
+		goto out;
+
+	/* We refer to the reverse direction ("!dir") tuples here,
+	 * because we're expecting something in the other direction.
+	 * Doesn't matter unless NAT is happening.  */
+	cthelper_get_addr_src(myct->ct, !dir, &addr);
+
+	exp = nfexp_new();
+	if (exp == NULL)
+		goto out;
+
+	if (cthelper_expect_init(exp, myct->ct, 0,
+				 &addr, &cmd.u3,
+				 IPPROTO_TCP,
+				 NULL, &cmd.u.port)) {
+		pr_debug("TNS: failed to init expectation\n");
+		goto out_exp;
+	}
+
+	/* Now, NAT might want to mangle the packet, and register the
+	 * (possibly changed) expectation itself.
+	 */
+	if (nfct_get_attr_u32(myct->ct, ATTR_STATUS) & IPS_NAT_MASK) {
+		ret = nf_nat_tns(pkt, tns, exp, myct->ct, dir, numoff, numlen);
+		goto out_exp;
+	}
+
+	/* Can't expect this?  Best to drop packet now. */
+	if (cthelper_add_expect(exp) < 0) {
+		pr_debug("TNS: cannot add expectation: %s\n",
+			 strerror(errno));
+		ret = NF_DROP;
+		goto out_exp;
+	}
+	goto out;
+
+out_exp:
+	nfexp_destroy(exp);
+out:
+	return ret;
+}
+
+static struct ctd_helper tns_helper = {
+	.name		= "tns",
+	.l4proto	= IPPROTO_TCP,
+	.cb		= tns_helper_cb,
+	.priv_data_len	= sizeof(struct tns_info),
+	.policy		= {
+		[0] = {
+			.name		= "tns",
+			.expect_max	= 1,
+			.expect_timeout	= 300,
+		},
+	},
+};
+
+void __attribute__ ((constructor)) tns_init(void);
+
+void tns_init(void)
+{
+	helper_register(&tns_helper);
+}
diff --git a/src/main.c b/src/main.c
index 0850a29..831a3c2 100644
--- a/src/main.c
+++ b/src/main.c
@@ -19,6 +19,7 @@
 
 #include "conntrackd.h"
 #include "log.h"
+#include "helper.h"
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -31,7 +32,7 @@
 #include <limits.h>
 
 struct ct_general_state st;
-union ct_state state;
+struct ct_state state;
 
 static const char usage_daemon_commands[] =
 	"Daemon mode commands:\n"
@@ -49,6 +50,7 @@ static const char usage_client_commands[] =
 		"dump statistics\n"
 	"  -R [ct|expect], resync with kernel conntrack table\n"
 	"  -n, request resync with other node (only FT-FW and NOTRACK modes)\n"
+	"  -B, force a bulk send to other replica firewalls\n"
 	"  -x, dump cache in XML format (requires -i or -e)\n"
 	"  -t, reset the kernel timeout (see PurgeTimeout clause)\n"
 	"  -v, display conntrackd version\n"
@@ -405,6 +407,6 @@ int main(int argc, char *argv[])
 	/*
 	 * run main process
 	 */
-	run();
+	select_main_loop();
 	return 0;
 }
diff --git a/src/multichannel.c b/src/multichannel.c
index de69d5c..952b567 100644
--- a/src/multichannel.c
+++ b/src/multichannel.c
@@ -109,8 +109,9 @@ void multichannel_set_current_channel(struct multichannel *m, int i)
 	m->current = m->channel[i];
 }
 
-void multichannel_change_current_channel(struct multichannel *m, int i)
+void
+multichannel_change_current_channel(struct multichannel *m, struct channel *c)
 {
-	if (m->current != m->channel[i])
-		m->current = m->channel[i];
+	if (m->current != c)
+		m->current = c;
 }
diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
new file mode 100644
index 0000000..e8f85bb
--- /dev/null
+++ b/src/nfct-extensions/helper.c
@@ -0,0 +1,619 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include <dlfcn.h>
+
+#include <libmnl/libmnl.h>
+#include <linux/netfilter/nfnetlink_cthelper.h>
+#include <libnetfilter_cthelper/libnetfilter_cthelper.h>
+
+#include "nfct.h"
+#include "helper.h"
+
+static void
+nfct_cmd_helper_usage(char *argv[])
+{
+	fprintf(stderr, "nfct v%s: Missing command\n"
+			"%s helper list|add|delete|get|flush "
+			"[parameters...]\n", VERSION, argv[0]);
+}
+
+int
+nfct_cmd_helper_parse_params(int argc, char *argv[])
+{
+	int cmd = NFCT_CMD_NONE, ret = 0;
+
+	if (argc < 3) {
+		fprintf(stderr, "nfct v%s: Missing command\n"
+				"%s helper list|add|delete|get|flush "
+				"[parameters...]\n", VERSION, argv[0]);
+		exit(EXIT_FAILURE);
+	}
+	if (strncmp(argv[2], "list", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_LIST;
+	else if (strncmp(argv[2], "add", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_ADD;
+	else if (strncmp(argv[2], "delete", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_DELETE;
+	else if (strncmp(argv[2], "get", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_GET;
+	else if (strncmp(argv[2], "flush", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_FLUSH;
+	else if (strncmp(argv[2], "disable", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_DISABLE;
+	else {
+		fprintf(stderr, "nfct v%s: Unknown command: %s\n",
+			VERSION, argv[2]);
+		nfct_cmd_helper_usage(argv);
+		exit(EXIT_FAILURE);
+	}
+	switch(cmd) {
+	case NFCT_CMD_LIST:
+		ret = nfct_cmd_helper_list(argc, argv);
+		break;
+	case NFCT_CMD_ADD:
+		ret = nfct_cmd_helper_add(argc, argv);
+		break;
+	case NFCT_CMD_DELETE:
+		ret = nfct_cmd_helper_delete(argc, argv);
+		break;
+	case NFCT_CMD_GET:
+		ret = nfct_cmd_helper_get(argc, argv);
+		break;
+	case NFCT_CMD_FLUSH:
+		ret = nfct_cmd_helper_flush(argc, argv);
+		break;
+	case NFCT_CMD_DISABLE:
+		ret = nfct_cmd_helper_disable(argc, argv);
+		break;
+	}
+
+	return ret;
+}
+
+static int nfct_helper_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nfct_helper *t;
+	char buf[4096];
+
+	t = nfct_helper_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		goto err;
+	}
+
+	if (nfct_helper_nlmsg_parse_payload(nlh, t) < 0) {
+		nfct_perror("nfct_helper_nlmsg_parse_payload");
+		goto err_free;
+	}
+
+	nfct_helper_snprintf(buf, sizeof(buf), t, 0, 0);
+	printf("%s\n", buf);
+
+err_free:
+	nfct_helper_free(t);
+err:
+	return MNL_CB_OK;
+}
+
+int nfct_cmd_helper_list(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	unsigned int seq, portid;
+	int ret;
+
+	if (argc > 3) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_GET,
+						NLM_F_DUMP, seq);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, nfct_helper_cb, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_helper_add(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nfct_helper *t;
+	uint16_t l3proto;
+	uint8_t l4proto;
+	struct ctd_helper *helper;
+	int ret, j;
+
+	if (argc < 6) {
+		nfct_perror("missing parameters\n"
+			    "syntax: nfct helper add name "
+			    "family protocol");
+		return -1;
+	}
+
+	if (strcmp(argv[4], "inet") == 0)
+		l3proto = AF_INET;
+	else if (strcmp(argv[4], "inet6") == 0)
+		l3proto = AF_INET6;
+	else {
+		nfct_perror("unknown layer 3 protocol");
+		return -1;
+	}
+
+	if (strcmp(argv[5], "tcp") == 0)
+		l4proto = IPPROTO_TCP;
+	else if (strcmp(argv[5], "udp") == 0)
+		l4proto = IPPROTO_UDP;
+	else {
+		nfct_perror("unsupported layer 4 protocol");
+		return -1;
+	}
+
+	/* XXX use prefix defined in configure.ac. */
+	helper = helper_find("/usr/lib/conntrack-tools",
+				argv[3], l4proto, RTLD_LAZY);
+	if (helper == NULL) {
+		nfct_perror("that helper is not supported");
+		return -1;
+	}
+
+	t = nfct_helper_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		return -1;
+	}
+	nfct_helper_attr_set(t, NFCTH_ATTR_NAME, argv[3]);
+	nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, l3proto);
+	nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
+	nfct_helper_attr_set_u32(t, NFCTH_ATTR_PRIV_DATA_LEN,
+				 helper->priv_data_len);
+
+	for (j=0; j<CTD_HELPER_POLICY_MAX; j++) {
+		struct nfct_helper_policy *p;
+
+		if (!helper->policy[j].name[0])
+			break;
+
+		p = nfct_helper_policy_alloc();
+		if (p == NULL) {
+			nfct_perror("OOM");
+			return -1;
+		}
+
+		nfct_helper_policy_attr_set(p, NFCTH_ATTR_POLICY_NAME,
+					helper->policy[j].name);
+		nfct_helper_policy_attr_set_u32(p, NFCTH_ATTR_POLICY_TIMEOUT,
+					helper->policy[j].expect_timeout);
+		nfct_helper_policy_attr_set_u32(p, NFCTH_ATTR_POLICY_MAX,
+					helper->policy[j].expect_max);
+
+		nfct_helper_attr_set(t, NFCTH_ATTR_POLICY+j, p);
+	}
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_NEW,
+					  NLM_F_CREATE | NLM_F_ACK, seq);
+	nfct_helper_nlmsg_build_payload(nlh, t);
+
+	nfct_helper_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_helper_delete(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nfct_helper *t;
+	int ret;
+
+	if (argc < 4) {
+		nfct_perror("missing helper policy name");
+		return -1;
+	} else if (argc > 6) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	t = nfct_helper_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		return -1;
+	}
+
+	nfct_helper_attr_set(t, NFCTH_ATTR_NAME, argv[3]);
+
+	if (argc >= 5) {
+		uint16_t l3proto;
+
+		if (strcmp(argv[4], "inet") == 0)
+			l3proto = AF_INET;
+		else if (strcmp(argv[4], "inet6") == 0)
+			l3proto = AF_INET6;
+		else {
+			nfct_perror("unknown layer 3 protocol");
+			return -1;
+		}
+		nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, l3proto);
+	}
+
+	if (argc == 6) {
+		uint8_t l4proto;
+
+		if (strcmp(argv[5], "tcp") == 0)
+			l4proto = IPPROTO_TCP;
+		else if (strcmp(argv[5], "udp") == 0)
+			l4proto = IPPROTO_UDP;
+		else {
+			nfct_perror("unsupported layer 4 protocol");
+			return -1;
+		}
+		nfct_helper_attr_set_u32(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
+	}
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_DEL,
+					  NLM_F_ACK, seq);
+	nfct_helper_nlmsg_build_payload(nlh, t);
+
+	nfct_helper_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_helper_get(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nfct_helper *t;
+	int ret;
+
+	if (argc < 4) {
+		nfct_perror("missing helper policy name");
+		return -1;
+	} else if (argc > 6) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	t = nfct_helper_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		return -1;
+	}
+	nfct_helper_attr_set(t, NFCTH_ATTR_NAME, argv[3]);
+
+	if (argc >= 5) {
+		uint16_t l3proto;
+
+		if (strcmp(argv[4], "inet") == 0)
+			l3proto = AF_INET;
+		else if (strcmp(argv[4], "inet6") == 0)
+			l3proto = AF_INET6;
+		else {
+			nfct_perror("unknown layer 3 protocol");
+			return -1;
+		}
+		nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, l3proto);
+	}
+
+	if (argc == 6) {
+		uint8_t l4proto;
+
+		if (strcmp(argv[5], "tcp") == 0)
+			l4proto = IPPROTO_TCP;
+		else if (strcmp(argv[5], "udp") == 0)
+			l4proto = IPPROTO_UDP;
+		else {
+			nfct_perror("unsupported layer 4 protocol");
+			return -1;
+		}
+		nfct_helper_attr_set_u32(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
+	}
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_GET,
+					  NLM_F_ACK, seq);
+
+	nfct_helper_nlmsg_build_payload(nlh, t);
+
+	nfct_helper_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, nfct_helper_cb, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_helper_flush(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	int ret;
+
+	if (argc > 3) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_DEL,
+					   NLM_F_ACK, seq);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_helper_disable(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nfct_helper *t;
+	uint16_t l3proto;
+	uint8_t l4proto;
+	struct ctd_helper *helper;
+	int ret;
+
+	if (argc < 6) {
+		nfct_perror("missing parameters\n"
+			    "syntax: nfct helper add name "
+			    "family protocol");
+		return -1;
+	}
+
+	if (strcmp(argv[4], "inet") == 0)
+		l3proto = AF_INET;
+	else if (strcmp(argv[4], "inet6") == 0)
+		l3proto = AF_INET6;
+	else {
+		nfct_perror("unknown layer 3 protocol");
+		return -1;
+	}
+
+	if (strcmp(argv[5], "tcp") == 0)
+		l4proto = IPPROTO_TCP;
+	else if (strcmp(argv[5], "udp") == 0)
+		l4proto = IPPROTO_UDP;
+	else {
+		nfct_perror("unsupported layer 4 protocol");
+		return -1;
+	}
+
+	/* XXX use prefix defined in configure.ac. */
+	helper = helper_find("/usr/lib/conntrack-tools",
+				argv[3], l4proto, RTLD_LAZY);
+	if (helper == NULL) {
+		nfct_perror("that helper is not supported");
+		return -1;
+	}
+
+	t = nfct_helper_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		return -1;
+	}
+	nfct_helper_attr_set(t, NFCTH_ATTR_NAME, argv[3]);
+	nfct_helper_attr_set_u16(t, NFCTH_ATTR_PROTO_L3NUM, l3proto);
+	nfct_helper_attr_set_u8(t, NFCTH_ATTR_PROTO_L4NUM, l4proto);
+	nfct_helper_attr_set_u32(t, NFCTH_ATTR_STATUS,
+					NFCT_HELPER_STATUS_DISABLED);
+
+	seq = time(NULL);
+	nlh = nfct_helper_nlmsg_build_hdr(buf, NFNL_MSG_CTHELPER_NEW,
+					  NLM_F_CREATE | NLM_F_ACK, seq);
+	nfct_helper_nlmsg_build_payload(nlh, t);
+
+	nfct_helper_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
diff --git a/src/nfct-extensions/timeout.c b/src/nfct-extensions/timeout.c
new file mode 100644
index 0000000..5b32023
--- /dev/null
+++ b/src/nfct-extensions/timeout.c
@@ -0,0 +1,486 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+#include <netinet/in.h>
+#include <errno.h>
+
+#include <libmnl/libmnl.h>
+#include <linux/netfilter/nfnetlink_cttimeout.h>
+#include <libnetfilter_cttimeout/libnetfilter_cttimeout.h>
+
+#include "nfct.h"
+
+static void
+nfct_cmd_timeout_usage(char *argv[])
+{
+	fprintf(stderr, "nfct v%s: Missing command\n"
+			"%s timeout list|add|delete|get|flush "
+			"[parameters...]\n", VERSION, argv[0]);
+}
+
+int nfct_cmd_timeout_parse_params(int argc, char *argv[])
+{
+	int cmd = NFCT_CMD_NONE, ret;
+
+	if (argc < 3) {
+		nfct_cmd_timeout_usage(argv);
+		return -1;
+	}
+	if (strncmp(argv[2], "list", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_LIST;
+	else if (strncmp(argv[2], "add", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_ADD;
+	else if (strncmp(argv[2], "delete", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_DELETE;
+	else if (strncmp(argv[2], "get", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_GET;
+	else if (strncmp(argv[2], "flush", strlen(argv[2])) == 0)
+		cmd = NFCT_CMD_FLUSH;
+	else {
+		fprintf(stderr, "nfct v%s: Unknown command: %s\n",
+			VERSION, argv[2]);
+		nfct_cmd_timeout_usage(argv);
+		return -1;
+	}
+	switch(cmd) {
+	case NFCT_CMD_LIST:
+		ret = nfct_cmd_timeout_list(argc, argv);
+		break;
+	case NFCT_CMD_ADD:
+		ret = nfct_cmd_timeout_add(argc, argv);
+		break;
+	case NFCT_CMD_DELETE:
+		ret = nfct_cmd_timeout_delete(argc, argv);
+		break;
+	case NFCT_CMD_GET:
+		ret = nfct_cmd_timeout_get(argc, argv);
+		break;
+	case NFCT_CMD_FLUSH:
+		ret = nfct_cmd_timeout_flush(argc, argv);
+		break;
+	}
+
+	return ret;
+}
+
+static int nfct_timeout_cb(const struct nlmsghdr *nlh, void *data)
+{
+	struct nfct_timeout *t;
+	char buf[4096];
+
+	t = nfct_timeout_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		goto err;
+	}
+
+	if (nfct_timeout_nlmsg_parse_payload(nlh, t) < 0) {
+		nfct_perror("nfct_timeout_nlmsg_parse_payload");
+		goto err_free;
+	}
+
+	nfct_timeout_snprintf(buf, sizeof(buf), t, NFCT_TIMEOUT_O_DEFAULT, 0);
+	printf("%s\n", buf);
+
+err_free:
+	nfct_timeout_free(t);
+err:
+	return MNL_CB_OK;
+}
+
+int nfct_cmd_timeout_list(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	unsigned int seq, portid;
+	int ret;
+
+	if (argc > 3) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	seq = time(NULL);
+	nlh = nfct_timeout_nlmsg_build_hdr(buf, IPCTNL_MSG_TIMEOUT_GET,
+						NLM_F_DUMP, seq);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, nfct_timeout_cb, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+static uint32_t nfct_timeout_attr_max[IPPROTO_MAX] = {
+	[IPPROTO_ICMP]		= NFCT_TIMEOUT_ATTR_ICMP_MAX,
+	[IPPROTO_TCP]		= NFCT_TIMEOUT_ATTR_TCP_MAX,
+	[IPPROTO_UDP]		= NFCT_TIMEOUT_ATTR_UDP_MAX,
+	[IPPROTO_UDPLITE]	= NFCT_TIMEOUT_ATTR_UDPLITE_MAX,
+	[IPPROTO_SCTP]		= NFCT_TIMEOUT_ATTR_SCTP_MAX,
+	[IPPROTO_DCCP]		= NFCT_TIMEOUT_ATTR_DCCP_MAX,
+	[IPPROTO_ICMPV6]	= NFCT_TIMEOUT_ATTR_ICMPV6_MAX,
+	[IPPROTO_GRE]		= NFCT_TIMEOUT_ATTR_GRE_MAX,
+	[IPPROTO_RAW]		= NFCT_TIMEOUT_ATTR_GENERIC_MAX,
+};
+
+int nfct_cmd_timeout_add(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nfct_timeout *t;
+	uint16_t l3proto;
+	uint8_t l4proto;
+	int ret, i;
+	unsigned int j;
+
+	if (argc < 6) {
+		nfct_perror("missing parameters\n"
+			    "syntax: nfct timeout add name "
+			    "family protocol state1 "
+			    "timeout1 state2 timeout2...");
+		return -1;
+	}
+
+	t = nfct_timeout_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		return -1;
+	}
+
+	nfct_timeout_attr_set(t, NFCT_TIMEOUT_ATTR_NAME, argv[3]);
+
+	if (strcmp(argv[4], "inet") == 0)
+		l3proto = AF_INET;
+	else if (strcmp(argv[4], "inet6") == 0)
+		l3proto = AF_INET6;
+	else {
+		nfct_perror("unknown layer 3 protocol");
+		return -1;
+	}
+	nfct_timeout_attr_set_u16(t, NFCT_TIMEOUT_ATTR_L3PROTO, l3proto);
+
+	if (strcmp(argv[5], "tcp") == 0)
+		l4proto = IPPROTO_TCP;
+	else if (strcmp(argv[5], "udp") == 0)
+		l4proto = IPPROTO_UDP;
+	else if (strcmp(argv[5], "udplite") == 0)
+		l4proto = IPPROTO_UDPLITE;
+	else if (strcmp(argv[5], "sctp") == 0)
+		l4proto = IPPROTO_SCTP;
+	else if (strcmp(argv[5], "dccp") == 0)
+		l4proto = IPPROTO_DCCP;
+	else if (strcmp(argv[5], "icmp") == 0)
+		l4proto = IPPROTO_ICMP;
+	else if (strcmp(argv[5], "icmpv6") == 0)
+		l4proto = IPPROTO_ICMPV6;
+	else if (strcmp(argv[5], "gre") == 0)
+		l4proto = IPPROTO_GRE;
+	else if (strcmp(argv[5], "generic") == 0)
+		l4proto = IPPROTO_RAW;
+	else {
+		nfct_perror("unknown layer 4 protocol");
+		return -1;
+	}
+	nfct_timeout_attr_set_u8(t, NFCT_TIMEOUT_ATTR_L4PROTO, l4proto);
+
+	for (i=6; i<argc; i+=2) {
+		int matching = -1;
+
+		for (j=0; j<nfct_timeout_attr_max[l4proto]; j++) {
+			const char *state_name;
+
+			state_name =
+				nfct_timeout_policy_attr_to_name(l4proto, j);
+			if (state_name == NULL) {
+				nfct_perror("state name is NULL");
+				return -1;
+			}
+			if (strcasecmp(argv[i], state_name) != 0)
+				continue;
+
+			matching = j;
+			break;
+		}
+		if (matching != -1) {
+			if (i+1 >= argc) {
+				nfct_perror("missing value for this timeout");
+				return -1;
+			}
+			nfct_timeout_policy_attr_set_u32(t, matching,
+							 atoi(argv[i+1]));
+			matching = -1;
+		} else {
+			fprintf(stderr, "nfct v%s: Wrong state name: `%s' "
+					"for protocol `%s'\n",
+					VERSION, argv[i], argv[5]);
+			return -1;
+		}
+	}
+
+	seq = time(NULL);
+	nlh = nfct_timeout_nlmsg_build_hdr(buf, IPCTNL_MSG_TIMEOUT_NEW,
+				     NLM_F_CREATE | NLM_F_ACK, seq);
+	nfct_timeout_nlmsg_build_payload(nlh, t);
+
+	nfct_timeout_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_timeout_delete(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nfct_timeout *t;
+	int ret;
+
+	if (argc < 4) {
+		nfct_perror("missing timeout policy name");
+		return -1;
+	} else if (argc > 4) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	t = nfct_timeout_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		return -1;
+	}
+
+	nfct_timeout_attr_set(t, NFCT_TIMEOUT_ATTR_NAME, argv[3]);
+
+	seq = time(NULL);
+	nlh = nfct_timeout_nlmsg_build_hdr(buf, IPCTNL_MSG_TIMEOUT_DELETE,
+				     NLM_F_ACK, seq);
+	nfct_timeout_nlmsg_build_payload(nlh, t);
+
+	nfct_timeout_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_timeout_get(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	struct nfct_timeout *t;
+	int ret;
+
+	if (argc < 4) {
+		nfct_perror("missing timeout policy name");
+		return -1;
+	} else if (argc > 4) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	t = nfct_timeout_alloc();
+	if (t == NULL) {
+		nfct_perror("OOM");
+		return -1;
+	}
+	nfct_timeout_attr_set(t, NFCT_TIMEOUT_ATTR_NAME, argv[3]);
+
+	seq = time(NULL);
+	nlh = nfct_timeout_nlmsg_build_hdr(buf, IPCTNL_MSG_TIMEOUT_GET,
+				     NLM_F_ACK, seq);
+
+	nfct_timeout_nlmsg_build_payload(nlh, t);
+
+	nfct_timeout_free(t);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, nfct_timeout_cb, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+	mnl_socket_close(nl);
+
+	return 0;
+}
+
+int nfct_cmd_timeout_flush(int argc, char *argv[])
+{
+	struct mnl_socket *nl;
+	char buf[MNL_SOCKET_BUFFER_SIZE];
+	struct nlmsghdr *nlh;
+	uint32_t portid, seq;
+	int ret;
+
+	if (argc > 3) {
+		nfct_perror("too many arguments");
+		return -1;
+	}
+
+	seq = time(NULL);
+	nlh = nfct_timeout_nlmsg_build_hdr(buf, IPCTNL_MSG_TIMEOUT_DELETE,
+					   NLM_F_ACK, seq);
+
+	nl = mnl_socket_open(NETLINK_NETFILTER);
+	if (nl == NULL) {
+		nfct_perror("mnl_socket_open");
+		return -1;
+	}
+
+	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		nfct_perror("mnl_socket_bind");
+		return -1;
+	}
+	portid = mnl_socket_get_portid(nl);
+
+	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+		nfct_perror("mnl_socket_send");
+		return -1;
+	}
+
+	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	while (ret > 0) {
+		ret = mnl_cb_run(buf, ret, seq, portid, NULL, NULL);
+		if (ret <= 0)
+			break;
+		ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+	}
+	if (ret == -1) {
+		nfct_perror("error");
+		return -1;
+	}
+
+	mnl_socket_close(nl);
+
+	return 0;
+}
diff --git a/src/nfct.c b/src/nfct.c
new file mode 100644
index 0000000..b5c9654
--- /dev/null
+++ b/src/nfct.c
@@ -0,0 +1,122 @@
+/*
+ * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <time.h>
+#include <netinet/in.h>
+#include <errno.h>
+
+#include <libmnl/libmnl.h>
+#include <linux/netfilter/nfnetlink_cttimeout.h>
+#include <libnetfilter_cttimeout/libnetfilter_cttimeout.h>
+
+#include "nfct.h"
+
+static int nfct_cmd_version(int argc, char *argv[]);
+static int nfct_cmd_help(int argc, char *argv[]);
+
+static void usage(char *argv[])
+{
+	fprintf(stderr, "Usage: %s subsystem command [parameters]...\n",
+		argv[0]);
+}
+
+void nfct_perror(const char *msg)
+{
+	if (errno == 0) {
+		fprintf(stderr, "nfct v%s: %s\n", VERSION, msg);
+	} else {
+		fprintf(stderr, "nfct v%s: %s: %s\n",
+			VERSION, msg, strerror(errno));
+	}
+}
+
+int main(int argc, char *argv[])
+{
+	int subsys = NFCT_SUBSYS_NONE, ret = 0;
+
+	if (argc < 2) {
+		usage(argv);
+		exit(EXIT_FAILURE);
+	}
+	if (strncmp(argv[1], "timeout", strlen(argv[1])) == 0) {
+		subsys = NFCT_SUBSYS_TIMEOUT;
+	} else if (strncmp(argv[1], "helper", strlen(argv[1])) == 0) {
+		subsys = NFCT_SUBSYS_HELPER;
+	} else if (strncmp(argv[1], "version", strlen(argv[1])) == 0)
+		subsys = NFCT_SUBSYS_VERSION;
+	else if (strncmp(argv[1], "help", strlen(argv[1])) == 0)
+		subsys = NFCT_SUBSYS_HELP;
+	else {
+		fprintf(stderr, "nfct v%s: Unknown subsystem: %s\n",
+			VERSION, argv[1]);
+		usage(argv);
+		exit(EXIT_FAILURE);
+	}
+
+	switch(subsys) {
+	case NFCT_SUBSYS_TIMEOUT:
+		ret = nfct_cmd_timeout_parse_params(argc, argv);
+		break;
+	case NFCT_SUBSYS_HELPER:
+		ret = nfct_cmd_helper_parse_params(argc, argv);
+		break;
+	case NFCT_SUBSYS_VERSION:
+		ret = nfct_cmd_version(argc, argv);
+		break;
+	case NFCT_SUBSYS_HELP:
+		ret = nfct_cmd_help(argc, argv);
+		break;
+	}
+	return ret < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}
+
+static const char version_msg[] =
+	"nfct v%s: utility for the Netfilter's Connection Tracking System\n"
+	"Copyright (C) 2012 Pablo Neira Ayuso <pablo@netfilter.org>\n"
+	"This program comes with ABSOLUTELY NO WARRANTY.\n"
+	"This is free software, and you are welcome to redistribute it under "
+	"certain \nconditions; see LICENSE file distributed in this package "
+	"for details.\n";
+
+static int nfct_cmd_version(int argc, char *argv[])
+{
+	printf(version_msg, VERSION);
+	return 0;
+}
+
+static const char help_msg[] =
+	"nfct v%s: utility for the Netfilter's Connection Tracking System\n"
+	"Usage: %s command [parameters]...\n\n"
+	"Subsystem:\n"
+	"  helper\t\tAllows to configure user-space helper\n"
+	"  timeout\t\tAllows definition of fine-grain timeout policies\n"
+	"  version\t\tDisplay version and disclaimer\n"
+	"  help\t\t\tDisplay this help message\n"
+	"Commands:\n"
+	"  list [reset]\t\tList the accounting object table (and reset)\n"
+	"  add object-name\tAdd new accounting object to table\n"
+	"  delete object-name\tDelete existing accounting object\n"
+	"  get object-name\tGet existing accounting object\n"
+	"  flush\t\t\tFlush accounting object table\n";
+
+static int nfct_cmd_help(int argc, char *argv[])
+{
+	printf(help_msg, VERSION, argv[0]);
+	return 0;
+}
diff --git a/src/read_config_lex.l b/src/read_config_lex.l
index 01fe4fc..31fa32e 100644
--- a/src/read_config_lex.l
+++ b/src/read_config_lex.l
@@ -142,6 +142,11 @@ notrack		[N|n][O|o][T|t][R|r][A|a][C|c][K|k]
 "TCPWindowTracking"		{ return T_TCP_WINDOW_TRACKING; }
 "ExpectationSync"		{ return T_EXPECT_SYNC; }
 "ErrorQueueLength"		{ return T_ERROR_QUEUE_LENGTH; }
+"Helper"			{ return T_HELPER; }
+"QueueNum"			{ return T_HELPER_QUEUE_NUM; }
+"Policy"			{ return T_HELPER_POLICY; }
+"ExpectMax"			{ return T_HELPER_EXPECT_MAX; }
+"ExpectTimeout"			{ return T_HELPER_EXPECT_TIMEOUT; }
 
 {is_on}			{ return T_ON; }
 {is_off}		{ return T_OFF; }
diff --git a/src/read_config_yy.y b/src/read_config_yy.y
index d94bd85..623b79d 100644
--- a/src/read_config_yy.y
+++ b/src/read_config_yy.y
@@ -28,8 +28,11 @@
 #include "conntrackd.h"
 #include "bitops.h"
 #include "cidr.h"
+#include "helper.h"
+#include "stack.h"
 #include <syslog.h>
 #include <sched.h>
+#include <dlfcn.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
 #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
 
@@ -48,6 +51,15 @@ static void print_err(int err, const char *msg, ...);
 static void __kernel_filter_start(void);
 static void __kernel_filter_add_state(int value);
 static void __max_dedicated_links_reached(void);
+
+struct stack symbol_stack;
+
+enum {
+	SYMBOL_HELPER_QUEUE_NUM,
+	SYMBOL_HELPER_POLICY_EXPECT_ROOT,
+	SYMBOL_HELPER_EXPECT_POLICY_LEAF,
+};
+
 %}
 
 %union {
@@ -74,6 +86,8 @@ static void __max_dedicated_links_reached(void);
 %token T_SCHEDULER T_TYPE T_PRIO T_NETLINK_EVENTS_RELIABLE
 %token T_DISABLE_INTERNAL_CACHE T_DISABLE_EXTERNAL_CACHE T_ERROR_QUEUE_LENGTH
 %token T_OPTIONS T_TCP_WINDOW_TRACKING T_EXPECT_SYNC
+%token T_HELPER T_HELPER_QUEUE_NUM T_HELPER_POLICY T_HELPER_EXPECT_MAX
+%token T_HELPER_EXPECT_TIMEOUT
 
 %token <string> T_IP T_PATH_VAL
 %token <val> T_NUMBER
@@ -96,6 +110,7 @@ line : ignore_protocol
      | general
      | sync
      | stats
+     | helper
      ;
 
 logfile_bool : T_LOG T_ON
@@ -1580,6 +1595,186 @@ buffer_size: T_STAT_BUFFER_SIZE T_NUMBER
 	print_err(CTD_CFG_WARN, "`LogFileBufferSize' is deprecated");
 };
 
+helper: T_HELPER '{' helper_list '}'
+{
+	conf.flags |= CTD_HELPER;
+};
+
+helper_list:
+	    | helper_list helper_line
+	    ;
+
+helper_line: helper_type
+	    ;
+
+helper_type: T_TYPE T_STRING T_STRING T_STRING '{' helper_type_list  '}'
+{
+	struct ctd_helper_instance *helper_inst;
+	struct ctd_helper *helper;
+	struct stack_item *e;
+	uint16_t l3proto;
+	uint8_t l4proto;
+
+	if (strcmp($3, "inet") == 0)
+		l3proto = AF_INET;
+	else if (strcmp($3, "inet6") == 0)
+		l3proto = AF_INET6;
+	else {
+		print_err(CTD_CFG_ERROR, "unknown layer 3 protocol");
+		exit(EXIT_FAILURE);
+	}
+
+	if (strcmp($4, "tcp") == 0)
+		l4proto = IPPROTO_TCP;
+	else if (strcmp($4, "udp") == 0)
+		l4proto = IPPROTO_UDP;
+	else {
+		print_err(CTD_CFG_ERROR, "unknown layer 4 protocol");
+		exit(EXIT_FAILURE);
+	}
+
+	/* XXX use configure.ac definitions. */
+	helper = helper_find("/usr/lib/conntrack-tools", $2, l4proto, RTLD_NOW);
+	if (helper == NULL) {
+		print_err(CTD_CFG_ERROR, "Unknown `%s' helper", $2);
+		exit(EXIT_FAILURE);
+	}
+
+	helper_inst = calloc(1, sizeof(struct ctd_helper_instance));
+	if (helper_inst == NULL)
+		break;
+
+	helper_inst->l3proto = l3proto;
+	helper_inst->l4proto = l4proto;
+	helper_inst->helper = helper;
+
+	while ((e = stack_item_pop(&symbol_stack, -1)) != NULL) {
+
+		switch(e->type) {
+		case SYMBOL_HELPER_QUEUE_NUM: {
+			int *qnum = (int *) &e->data;
+
+			helper_inst->queue_num = *qnum;
+			stack_item_free(e);
+			break;
+		}
+		case SYMBOL_HELPER_POLICY_EXPECT_ROOT: {
+			struct ctd_helper_policy *pol =
+				(struct ctd_helper_policy *) &e->data;
+			struct ctd_helper_policy *matching = NULL;
+			int i;
+
+			for (i=0; i<CTD_HELPER_POLICY_MAX; i++) {
+				if (strcmp(helper->policy[i].name,
+					   pol->name) != 0)
+					continue;
+
+				matching = pol;
+				break;
+			}
+			if (matching == NULL) {
+				print_err(CTD_CFG_ERROR,
+					  "Unknown policy `%s' in helper "
+					  "configuration", pol->name);
+				exit(EXIT_FAILURE);
+			}
+			/* FIXME: First set default policy, then change only
+			 * tuned fields, not everything.
+			 */
+			memcpy(&helper->policy[i], pol,
+				sizeof(struct ctd_helper_policy));
+
+			stack_item_free(e);
+			break;
+		}
+		default:
+			print_err(CTD_CFG_ERROR,
+				  "Unexpected symbol parsing helper policy");
+				exit(EXIT_FAILURE);
+			break;
+		}
+	}
+	list_add(&helper_inst->head, &CONFIG(cthelper).list);
+};
+
+helper_type_list:
+		| helper_type_list helper_type_line
+		;
+
+helper_type_line: helper_type
+		;
+
+helper_type: T_HELPER_QUEUE_NUM T_NUMBER
+{
+	int *qnum;
+	struct stack_item *e;
+
+	e = stack_item_alloc(SYMBOL_HELPER_QUEUE_NUM, sizeof(int));
+	qnum = (int *) e->data;
+	*qnum = $2;
+	stack_item_push(&symbol_stack, e);
+};
+
+helper_type: T_HELPER_POLICY T_STRING '{' helper_policy_list '}'
+{
+	struct stack_item *e;
+	struct ctd_helper_policy *policy;
+
+	e = stack_item_pop(&symbol_stack, SYMBOL_HELPER_EXPECT_POLICY_LEAF);
+	if (e == NULL) {
+		print_err(CTD_CFG_ERROR,
+			  "Helper policy configuration empty, fix your "
+			  "configuration file, please");
+		exit(EXIT_FAILURE);
+		break;
+	}
+
+	policy = (struct ctd_helper_policy *) &e->data;
+	strncpy(policy->name, $2, CTD_HELPER_NAME_LEN);
+	policy->name[CTD_HELPER_NAME_LEN-1] = '\0';
+	/* Now object is complete. */
+	e->type = SYMBOL_HELPER_POLICY_EXPECT_ROOT;
+	stack_item_push(&symbol_stack, e);
+};
+
+helper_policy_list:
+		  | helper_policy_list helper_policy_line
+		  ;
+
+helper_policy_line: helper_policy_expect_max
+		  | helper_policy_expect_timeout
+		  ;
+
+helper_policy_expect_max: T_HELPER_EXPECT_MAX T_NUMBER
+{
+	struct stack_item *e;
+	struct ctd_helper_policy *policy;
+
+	e = stack_item_pop(&symbol_stack, SYMBOL_HELPER_EXPECT_POLICY_LEAF);
+	if (e == NULL) {
+		e = stack_item_alloc(SYMBOL_HELPER_EXPECT_POLICY_LEAF,
+				     sizeof(struct ctd_helper_policy));
+	}
+	policy = (struct ctd_helper_policy *) &e->data;
+	policy->expect_max = $2;
+	stack_item_push(&symbol_stack, e);
+};
+
+helper_policy_expect_timeout: T_HELPER_EXPECT_TIMEOUT T_NUMBER
+{
+	struct stack_item *e;
+	struct ctd_helper_policy *policy;
+
+	e = stack_item_pop(&symbol_stack, SYMBOL_HELPER_EXPECT_POLICY_LEAF);
+	if (e == NULL) {
+		e = stack_item_alloc(SYMBOL_HELPER_EXPECT_POLICY_LEAF,
+				     sizeof(struct ctd_helper_policy));
+	}
+	policy = (struct ctd_helper_policy *) &e->data;
+	policy->expect_timeout = $2;
+	stack_item_push(&symbol_stack, e);
+};
+
 %%
 
 int __attribute__((noreturn))
@@ -1659,6 +1854,11 @@ init_config(char *filename)
 	CONFIG(stats).syslog_facility = -1;
 	CONFIG(netlink).subsys_id = -1;
 
+	/* Initialize list of user-space helpers */
+	INIT_LIST_HEAD(&CONFIG(cthelper).list);
+
+	stack_init(&symbol_stack);
+
 	yyrestart(fp);
 	yyparse();
 	fclose(fp);
diff --git a/src/run.c b/src/run.c
index 159ef30..3337694 100644
--- a/src/run.c
+++ b/src/run.c
@@ -1,5 +1,5 @@
 /*
- * (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2006-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
  * (C) 2011 by Vyatta Inc. <http://www.vyatta.com>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -16,7 +16,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  *
- * Description: run and init functions
+ * Part of this code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
  */
 
 #include "conntrackd.h"
@@ -45,24 +45,15 @@ void killer(int foo)
 	/* no signals while handling signals */
 	sigprocmask(SIG_BLOCK, &STATE(block), NULL);
 
-	if (!(CONFIG(flags) & CTD_POLL))
-		nfct_close(STATE(event));
-
-	nfct_close(STATE(resync));
-	nfct_close(STATE(get));
-	origin_unregister(STATE(flush));
-	nfct_close(STATE(flush));
-
-	if (STATE(us_filter))
-		ct_filter_destroy(STATE(us_filter));
 	local_server_destroy(&STATE(local));
-	STATE(mode)->kill();
 
-	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
-		nfct_close(STATE(dump));
-	}
-	destroy_fds(STATE(fds)); 
+	if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
+		ctnl_kill();
 
+	if (CONFIG(flags) & CTD_HELPER)
+		cthelper_kill();
+
+	destroy_fds(STATE(fds));
 	unlink(CONFIG(lockfile));
 	dlog(LOG_NOTICE, "---- shutdown received ----");
 	close_log();
@@ -187,62 +178,6 @@ static void dump_stats_runtime(int fd)
 	send(fd, buf, size, 0);
 }
 
-static void local_flush_master(void)
-{
-	STATE(stats).nl_kernel_table_flush++;
-	dlog(LOG_NOTICE, "flushing kernel conntrack table");
-
-	/* fork a child process that performs the flush operation,
-	 * meanwhile the parent process handles events. */
-	if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL,
-			     NULL, NULL) == 0) {
-		nl_flush_conntrack_table(STATE(flush));
-		exit(EXIT_SUCCESS);
-	}
-}
-
-static void local_resync_master(void)
-{
-	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
-		STATE(stats).nl_kernel_table_resync++;
-		dlog(LOG_NOTICE, "resync with master conntrack table");
-		nl_dump_conntrack_table(STATE(dump));
-	} else {
-		dlog(LOG_NOTICE, "resync is unsupported in this mode");
-	}
-}
-
-static void local_exp_flush_master(void)
-{
-	if (!(CONFIG(flags) & CTD_EXPECT))
-		return;
-
-	STATE(stats).nl_kernel_table_flush++;
-	dlog(LOG_NOTICE, "flushing kernel expect table");
-
-	/* fork a child process that performs the flush operation,
-	 * meanwhile the parent process handles events. */
-	if (fork_process_new(CTD_PROC_FLUSH, CTD_PROC_F_EXCL,
-			     NULL, NULL) == 0) {
-		nl_flush_expect_table(STATE(flush));
-		exit(EXIT_SUCCESS);
-	}
-}
-
-static void local_exp_resync_master(void)
-{
-	if (!(CONFIG(flags) & CTD_EXPECT))
-		return;
-
-	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
-		STATE(stats).nl_kernel_table_resync++;
-		dlog(LOG_NOTICE, "resync with master expect table");
-		nl_dump_expect_table(STATE(dump));
-	} else {
-		dlog(LOG_NOTICE, "resync is unsupported in this mode");
-	}
-}
-
 static int local_handler(int fd, void *data)
 {
 	int ret = LOCAL_RET_OK;
@@ -253,26 +188,9 @@ static int local_handler(int fd, void *data)
 		return LOCAL_RET_OK;
 	}
 	switch(type) {
-	case CT_FLUSH_MASTER:
-		local_flush_master();
-		break;
-	case CT_RESYNC_MASTER:
-		local_resync_master();
-		break;
-	case EXP_FLUSH_MASTER:
-		local_exp_flush_master();
-		break;
-	case EXP_RESYNC_MASTER:
-		local_exp_resync_master();
-		break;
-	case ALL_FLUSH_MASTER:
-		local_flush_master();
-		local_exp_flush_master();
-		break;
-	case ALL_RESYNC_MASTER:
-		local_resync_master();
-		local_exp_resync_master();
-		break;
+        case KILL:
+                killer(0);
+                break;
 	case STATS_RUNTIME:
 		dump_stats_runtime(fd);
 		break;
@@ -281,182 +199,19 @@ static int local_handler(int fd, void *data)
 		break;
 	}
 
-	ret = STATE(mode)->local(fd, type, data);
-	if (ret == LOCAL_RET_ERROR) {
-		STATE(stats).local_unknown_request++;
-		return LOCAL_RET_ERROR;
-	}
-	return ret;
-}
-
-static void do_overrun_resync_alarm(struct alarm_block *a, void *data)
-{
-	nl_send_resync(STATE(resync));
-	STATE(stats).nl_kernel_table_resync++;
-}
-
-static void do_polling_alarm(struct alarm_block *a, void *data)
-{
-	if (STATE(mode)->internal->ct.purge)
-		STATE(mode)->internal->ct.purge();
-
-	if (STATE(mode)->internal->exp.purge)
-		STATE(mode)->internal->exp.purge();
-
-	nl_send_resync(STATE(resync));
-	nl_send_expect_resync(STATE(resync));
-	add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0);
-}
-
-static int event_handler(const struct nlmsghdr *nlh,
-			 enum nf_conntrack_msg_type type,
-			 struct nf_conntrack *ct,
-			 void *data)
-{
-	int origin_type;
-
-	STATE(stats).nl_events_received++;
-
-	/* skip user-space filtering if already do it in the kernel */
-	if (ct_filter_conntrack(ct, !CONFIG(filter_from_kernelspace))) {
-		STATE(stats).nl_events_filtered++;
-		goto out;
-	}
-
-	origin_type = origin_find(nlh);
-
-	switch(type) {
-	case NFCT_T_NEW:
-		STATE(mode)->internal->ct.new(ct, origin_type);
-		break;
-	case NFCT_T_UPDATE:
-		STATE(mode)->internal->ct.upd(ct, origin_type);
-		break;
-	case NFCT_T_DESTROY:
-		if (STATE(mode)->internal->ct.del(ct, origin_type))
-			update_traffic_stats(ct);
-		break;
-	default:
-		STATE(stats).nl_events_unknown_type++;
-		break;
-	}
-
-out:
-	if (STATE(event_iterations_limit)-- <= 0)
-		return NFCT_CB_STOP;
-	else
-		return NFCT_CB_CONTINUE;
-}
-
-static int exp_event_handler(const struct nlmsghdr *nlh,
-			     enum nf_conntrack_msg_type type,
-			     struct nf_expect *exp,
-			     void *data)
-{
-	int origin_type;
-	const struct nf_conntrack *master =
-		nfexp_get_attr(exp, ATTR_EXP_MASTER);
+	if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
+		return ctnl_local(fd, type, data);
 
-	STATE(stats).nl_events_received++;
+	if (CONFIG(flags) & CTD_HELPER)
+		return cthelper_local(fd, type, data);
 
-	if (!exp_filter_find(STATE(exp_filter), exp)) {
-		STATE(stats).nl_events_filtered++;
-		goto out;
-	}
-	if (ct_filter_conntrack(master, 1))
-		return NFCT_CB_CONTINUE;
-
-	origin_type = origin_find(nlh);
-
-	switch(type) {
-	case NFCT_T_NEW:
-		STATE(mode)->internal->exp.new(exp, origin_type);
-		break;
-	case NFCT_T_UPDATE:
-		STATE(mode)->internal->exp.upd(exp, origin_type);
-		break;
-	case NFCT_T_DESTROY:
-		STATE(mode)->internal->exp.del(exp, origin_type);
-		break;
-	default:
-		STATE(stats).nl_events_unknown_type++;
-		break;
-	}
-
-out:
-	/* we reset the iteration limiter in the main select loop. */
-	if (STATE(event_iterations_limit)-- <= 0)
-		return NFCT_CB_STOP;
-	else
-		return NFCT_CB_CONTINUE;
-}
-
-static int dump_handler(enum nf_conntrack_msg_type type,
-			struct nf_conntrack *ct,
-			void *data)
-{
-	if (ct_filter_conntrack(ct, 1))
-		return NFCT_CB_CONTINUE;
-
-	switch(type) {
-	case NFCT_T_UPDATE:
-		STATE(mode)->internal->ct.populate(ct);
-		break;
-	default:
-		STATE(stats).nl_dump_unknown_type++;
-		break;
-	}
-	return NFCT_CB_CONTINUE;
-}
-
-static int exp_dump_handler(enum nf_conntrack_msg_type type,
-			    struct nf_expect *exp, void *data)
-{
-	const struct nf_conntrack *master =
-		nfexp_get_attr(exp, ATTR_EXP_MASTER);
-
-	if (!exp_filter_find(STATE(exp_filter), exp))
-		return NFCT_CB_CONTINUE;
-
-	if (ct_filter_conntrack(master, 1))
-		return NFCT_CB_CONTINUE;
-
-	switch(type) {
-	case NFCT_T_UPDATE:
-		STATE(mode)->internal->exp.populate(exp);
-		break;
-	default:
-		STATE(stats).nl_dump_unknown_type++;
-		break;
-	}
-	return NFCT_CB_CONTINUE;
-}
-
-static int get_handler(enum nf_conntrack_msg_type type,
-		       struct nf_conntrack *ct,
-		       void *data)
-{
-	if (ct_filter_conntrack(ct, 1))
-		return NFCT_CB_CONTINUE;
-
-	STATE(get_retval) = 1;
-	return NFCT_CB_CONTINUE;
+	return ret;
 }
 
-static int exp_get_handler(enum nf_conntrack_msg_type type,
-			   struct nf_expect *exp, void *data)
+/* order received via UNIX socket */
+static void local_cb(void *data)
 {
-	const struct nf_conntrack *master =
-		nfexp_get_attr(exp, ATTR_EXP_MASTER);
-
-	if (!exp_filter_find(STATE(exp_filter), exp))
-		return NFCT_CB_CONTINUE;
-
-	if (ct_filter_conntrack(master, 1))
-		return NFCT_CB_CONTINUE;
-
-	STATE(get_retval) = 1;
-	return NFCT_CB_CONTINUE;
+	do_local_server_step(&STATE(local), NULL, local_handler);
 }
 
 int
@@ -464,133 +219,18 @@ init(void)
 {
 	do_gettimeofday();
 
-	if (CONFIG(flags) & CTD_STATS_MODE)
-		STATE(mode) = &stats_mode;
-	else if (CONFIG(flags) & CTD_SYNC_MODE)
-		STATE(mode) = &sync_mode;
-	else {
-		fprintf(stderr, "WARNING: No running mode specified. "
-				"Defaulting to statistics mode.\n");
-		CONFIG(flags) |= CTD_STATS_MODE;
-		STATE(mode) = &stats_mode;
-	}
-
 	STATE(fds) = create_fds();
 	if (STATE(fds) == NULL) {
 		dlog(LOG_ERR, "can't create file descriptor pool");
 		return -1;
 	}
 
-	/* Initialization */
-	if (STATE(mode)->init() == -1) {
-		dlog(LOG_ERR, "initialization failed");
-		return -1;
-	}
-
 	/* local UNIX socket */
 	if (local_server_create(&STATE(local), &CONFIG(local)) == -1) {
 		dlog(LOG_ERR, "can't open unix socket!");
 		return -1;
 	}
-	register_fd(STATE(local).fd, STATE(fds));
-
-	/* resynchronize (like 'dump' socket) but it also purges old entries */
-	STATE(resync) = nfct_open(CONFIG(netlink).subsys_id, 0);
-	if (STATE(resync)== NULL) {
-		dlog(LOG_ERR, "can't open netlink handler: %s",
-		     strerror(errno));
-		dlog(LOG_ERR, "no ctnetlink kernel support?");
-		return -1;
-	}
-	nfct_callback_register(STATE(resync),
-			       NFCT_T_ALL,
-			       STATE(mode)->internal->ct.resync,
-			       NULL);
-	register_fd(nfct_fd(STATE(resync)), STATE(fds));
-	fcntl(nfct_fd(STATE(resync)), F_SETFL, O_NONBLOCK);
-
-	if (STATE(mode)->internal->flags & INTERNAL_F_POPULATE) {
-		STATE(dump) = nfct_open(CONFIG(netlink).subsys_id, 0);
-		if (STATE(dump) == NULL) {
-			dlog(LOG_ERR, "can't open netlink handler: %s",
-			     strerror(errno));
-			dlog(LOG_ERR, "no ctnetlink kernel support?");
-			return -1;
-		}
-		nfct_callback_register(STATE(dump), NFCT_T_ALL,
-				       dump_handler, NULL);
-
-		if (CONFIG(flags) & CTD_EXPECT) {
-			nfexp_callback_register(STATE(dump), NFCT_T_ALL,
-						exp_dump_handler, NULL);
-		}
-
-		if (nl_dump_conntrack_table(STATE(dump)) == -1) {
-			dlog(LOG_ERR, "can't get kernel conntrack table");
-			return -1;
-		}
-
-		if (CONFIG(flags) & CTD_EXPECT) {
-			if (nl_dump_expect_table(STATE(dump)) == -1) {
-				dlog(LOG_ERR, "can't get kernel "
-					      "expect table");
-				return -1;
-			}
-		}
-	}
-
-	STATE(get) = nfct_open(CONFIG(netlink).subsys_id, 0);
-	if (STATE(get) == NULL) {
-		dlog(LOG_ERR, "can't open netlink handler: %s",
-		     strerror(errno));
-		dlog(LOG_ERR, "no ctnetlink kernel support?");
-		return -1;
-	}
-	nfct_callback_register(STATE(get), NFCT_T_ALL, get_handler, NULL);
-
-	if (CONFIG(flags) & CTD_EXPECT) {
-		nfexp_callback_register(STATE(get), NFCT_T_ALL,
-					exp_get_handler, NULL);
-	}
-
-	STATE(flush) = nfct_open(CONFIG(netlink).subsys_id, 0);
-	if (STATE(flush) == NULL) {
-		dlog(LOG_ERR, "cannot open flusher handler");
-		return -1;
-	}
-	/* register this handler as the origin of a flush operation */
-	origin_register(STATE(flush), CTD_ORIGIN_FLUSH);
-
-	if (CONFIG(flags) & CTD_POLL) {
-		init_alarm(&STATE(polling_alarm), NULL, do_polling_alarm);
-		add_alarm(&STATE(polling_alarm), CONFIG(poll_kernel_secs), 0);
-		dlog(LOG_NOTICE, "running in polling mode");
-	} else {
-		init_alarm(&STATE(resync_alarm), NULL, do_overrun_resync_alarm);
-		/*
-		 * The last nfct handler that we register is the event handler.
-		 * The reason to do this is that we may receive events while
-		 * populating the internal cache. Thus, we hit ENOBUFS
-		 * prematurely. However, if we open the event handler before
-		 * populating the internal cache, we may still lose events
-		 * that have occured during the population.
-		 */
-		STATE(event) = nl_init_event_handler();
-		if (STATE(event) == NULL) {
-			dlog(LOG_ERR, "can't open netlink handler: %s",
-			     strerror(errno));
-			dlog(LOG_ERR, "no ctnetlink kernel support?");
-			return -1;
-		}
-		nfct_callback_register2(STATE(event), NFCT_T_ALL,
-				        event_handler, NULL);
-
-		if (CONFIG(flags) & CTD_EXPECT) {
-			nfexp_callback_register2(STATE(event), NFCT_T_ALL,
-						 exp_event_handler, NULL);
-		}
-		register_fd(nfct_fd(STATE(event)), STATE(fds));
-	}
+	register_fd(STATE(local).fd, local_cb, NULL, STATE(fds));
 
 	/* Signals handling */
 	sigemptyset(&STATE(block));
@@ -611,163 +251,19 @@ init(void)
 	if (signal(SIGCHLD, child) == SIG_ERR)
 		return -1;
 
-	time(&STATE(stats).daemon_start_time);
-
-	dlog(LOG_NOTICE, "initialization completed");
-
-	return 0;
-}
-
-static void run_events(struct timeval *next_alarm)
-{
-	int ret;
-	fd_set readfds = STATE(fds)->readfds;
-
-	ret = select(STATE(fds)->maxfd + 1, &readfds, NULL, NULL, next_alarm);
-	if (ret == -1) {
-		/* interrupted syscall, retry */
-		if (errno == EINTR)
-			return;
-
-		STATE(stats).select_failed++;
-		return;
-	}
-
-	/* signals are racy */
-	sigprocmask(SIG_BLOCK, &STATE(block), NULL);
-
-	/* order received via UNIX socket */
-	if (FD_ISSET(STATE(local).fd, &readfds))
-		do_local_server_step(&STATE(local), NULL, local_handler);
-
-	/* we have receive an event from ctnetlink */
-	if (FD_ISSET(nfct_fd(STATE(event)), &readfds)) {
-		ret = nfct_catch(STATE(event));
-		/* reset event iteration limit counter */
-		STATE(event_iterations_limit) = CONFIG(event_iterations_limit);
-		if (ret == -1) {
-		switch(errno) {
-		case ENOBUFS:
-			/* We have hit ENOBUFS, it's likely that we are
-			 * losing events. Two possible situations may
-			 * trigger this error:
-			 *
-			 * 1) The netlink receiver buffer is too small:
-			 *    increasing the netlink buffer size should
-			 *    be enough. However, some event messages
-			 *    got lost. We have to resync ourselves
-			 *    with the kernel table conntrack table to
-			 *    resolve the inconsistency. 
-			 *
-			 * 2) The receiver is too slow to process the
-			 *    netlink messages so that the queue gets
-			 *    full quickly. This generally happens
-			 *    if the system is under heavy workload
-			 *    (busy CPU). In this case, increasing the
-			 *    size of the netlink receiver buffer
-			 *    would not help anymore since we would
-			 *    be delaying the overrun. Moreover, we
-			 *    should avoid resynchronizations. We 
-			 *    should do our best here and keep
-			 *    replicating as much states as possible.
-			 *    If workload lowers at some point,
-			 *    we resync ourselves.
-			 */
-			nl_resize_socket_buffer(STATE(event));
-			if (CONFIG(nl_overrun_resync) > 0 &&
-			    STATE(mode)->internal->flags & INTERNAL_F_RESYNC) {
-				add_alarm(&STATE(resync_alarm),
-					  CONFIG(nl_overrun_resync),0);
-			}
-			STATE(stats).nl_catch_event_failed++;
-			STATE(stats).nl_overrun++;
-			break;
-		case ENOENT:
-			/*
-			 * We received a message from another
-			 * netfilter subsystem that we are not
-			 * interested in. Just ignore it.
-			 */
-			break;
-		case EAGAIN:
-			/* No more events to receive, try later. */
-			break;
-		default:
-			STATE(stats).nl_catch_event_failed++;
-			break;
-		}
-		}
-	}
-	/* we previously requested a resync due to buffer overrun. */
-	if (FD_ISSET(nfct_fd(STATE(resync)), &readfds)) {
-		nfct_catch(STATE(resync));
-		if (STATE(mode)->internal->ct.purge)
-			STATE(mode)->internal->ct.purge();
-	}
-
-	if (STATE(mode)->run)
-		STATE(mode)->run(&readfds);
-
-	sigprocmask(SIG_UNBLOCK, &STATE(block), NULL);
-}
-
-static void run_polling(struct timeval *next_alarm)
-{
-	int ret;
-	fd_set readfds = STATE(fds)->readfds;
-
-	ret = select(STATE(fds)->maxfd + 1, &readfds, NULL, NULL, next_alarm);
-	if (ret == -1) {
-		/* interrupted syscall, retry */
-		if (errno == EINTR)
-			return;
+	/* Initialization */
+	if (CONFIG(flags) & (CTD_SYNC_MODE | CTD_STATS_MODE))
+		if (ctnl_init() < 0)
+			return -1;
 
-		STATE(stats).select_failed++;
-		return;
+	if (CONFIG(flags) & CTD_HELPER) {
+		if (cthelper_init() < 0)
+			return -1;
 	}
 
-	/* signals are racy */
-	sigprocmask(SIG_BLOCK, &STATE(block), NULL);
-
-	/* order received via UNIX socket */
-	if (FD_ISSET(STATE(local).fd, &readfds))
-		do_local_server_step(&STATE(local), NULL, local_handler);
-
-	/* we requested a dump from the kernel via polling_alarm */
-	if (FD_ISSET(nfct_fd(STATE(resync)), &readfds))
-		nfct_catch(STATE(resync));
-
-	if (STATE(mode)->run)
-		STATE(mode)->run(&readfds);
-
-	sigprocmask(SIG_UNBLOCK, &STATE(block), NULL);
-}
-
-static void __attribute__((noreturn))
-do_run(void (*run_step)(struct timeval *next_alarm))
-{
-	struct timeval next_alarm; 
-	struct timeval *next = NULL;
-
-	while(1) {
-		do_gettimeofday();
-
-		sigprocmask(SIG_BLOCK, &STATE(block), NULL);
-		if (next != NULL && !timerisset(next))
-			next = do_alarm_run(&next_alarm);
-		else
-			next = get_next_alarm_run(&next_alarm);
-		sigprocmask(SIG_UNBLOCK, &STATE(block), NULL);
+	time(&STATE(stats).daemon_start_time);
 
-		run_step(next);
-	}
-}
+	dlog(LOG_NOTICE, "initialization completed");
 
-void run(void)
-{
-	if (CONFIG(flags) & CTD_POLL) {
-		do_run(run_polling);
-	} else {
-		do_run(run_events);
-	}
+	return 0;
 }
diff --git a/src/stack.c b/src/stack.c
new file mode 100644
index 0000000..104b7ba
--- /dev/null
+++ b/src/stack.c
@@ -0,0 +1,56 @@
+/*
+ * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include "stack.h"
+
+struct stack_item *
+stack_item_alloc(int type, size_t data_len)
+{
+	struct stack_item *e;
+
+	e = calloc(1, sizeof(struct stack_item) + data_len);
+	if (e == NULL)
+		return NULL;
+
+	e->data_len = data_len;
+	e->type = type;
+
+	return e;
+}
+
+void stack_item_free(struct stack_item *e)
+{
+	free(e);
+}
+
+void stack_item_push(struct stack *s, struct stack_item *e)
+{
+	list_add(&e->head, &s->list);
+}
+
+struct stack_item *stack_item_pop(struct stack *s, int type)
+{
+	struct stack_item *cur, *tmp, *found = NULL;
+
+	list_for_each_entry_safe(cur, tmp, &s->list, head) {
+		if (cur->type != type && type != -1)
+			continue;
+
+		list_del(&cur->head);
+		found = cur;
+		break;
+	}
+
+	return found;
+}
diff --git a/src/stats-mode.c b/src/stats-mode.c
index b768033..6b7f08d 100644
--- a/src/stats-mode.c
+++ b/src/stats-mode.c
@@ -201,7 +201,6 @@ static struct internal_handler internal_cache_stats = {
 
 struct ct_mode stats_mode = {
 	.init 			= init_stats,
-	.run			= NULL,
 	.local			= local_handler_stats,
 	.kill			= kill_stats,
 	.internal		= &internal_cache_stats,
diff --git a/src/sync-mode.c b/src/sync-mode.c
index 10fdb9e..b5707d5 100644
--- a/src/sync-mode.c
+++ b/src/sync-mode.c
@@ -1,5 +1,5 @@
 /*
- * (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2006-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
  * (C) 2011 by Vyatta Inc. <http://www.vyatta.com>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -78,7 +78,7 @@ static struct nf_expect *msg2exp_alloc(struct nethdr *net, size_t remain)
 }
 
 static void
-do_channel_handler_step(int i, struct nethdr *net, size_t remain)
+do_channel_handler_step(struct channel *c, struct nethdr *net, size_t remain)
 {
 	struct nf_conntrack *ct = NULL;
 	struct nf_expect *exp = NULL;
@@ -91,10 +91,10 @@ do_channel_handler_step(int i, struct nethdr *net, size_t remain)
 
 	switch (STATE_SYNC(sync)->recv(net)) {
 	case MSG_DATA:
-		multichannel_change_current_channel(STATE_SYNC(channel), i);
+		multichannel_change_current_channel(STATE_SYNC(channel), c);
 		break;
 	case MSG_CTL:
-		multichannel_change_current_channel(STATE_SYNC(channel), i);
+		multichannel_change_current_channel(STATE_SYNC(channel), c);
 		return;
 	case MSG_BAD:
 		STATE_SYNC(error).msg_rcv_malformed++;
@@ -175,7 +175,7 @@ static int channel_stream(struct channel *m, const char *ptr, ssize_t remain)
 }
 
 /* handler for messages received */
-static int channel_handler_routine(struct channel *m, int i)
+static int channel_handler_routine(struct channel *m)
 {
 	ssize_t numbytes;
 	ssize_t remain, pending = cur - __net;
@@ -242,7 +242,7 @@ static int channel_handler_routine(struct channel *m, int i)
 
 		HDR_NETWORK2HOST(net);
 
-		do_channel_handler_step(i, net, remain);
+		do_channel_handler_step(m, net, remain);
 		ptr += net->len;
 		remain -= net->len;
 	}
@@ -250,12 +250,13 @@ static int channel_handler_routine(struct channel *m, int i)
 }
 
 /* handler for messages received */
-static void channel_handler(struct channel *m, int i)
+static void channel_handler(void *data)
 {
+	struct channel *c = data;
 	int k;
 
 	for (k=0; k<CONFIG(event_iterations_limit); k++) {
-		if (channel_handler_routine(m, i) == -1) {
+		if (channel_handler_routine(c) == -1) {
 			break;
 		}
 	}
@@ -284,7 +285,7 @@ static void interface_candidate(void)
 	dlog(LOG_ERR, "no dedicated links available!");
 }
 
-static void interface_handler(void)
+static void interface_handler(void *data)
 {
 	int idx = multichannel_get_current_ifindex(STATE_SYNC(channel));
 	unsigned int flags;
@@ -311,6 +312,53 @@ static void do_reset_cache_alarm(struct alarm_block *a, void *data)
 	STATE(mode)->internal->ct.flush();
 }
 
+static void commit_cb(void *data)
+{
+	int ret;
+
+	read_evfd(STATE_SYNC(commit).evfd);
+
+	ret = STATE_SYNC(commit).rq[0].cb(STATE_SYNC(commit).h, 0);
+	if (ret == 0) {
+		/* we still have things in the callback queue. */
+		if (STATE_SYNC(commit).rq[1].cb) {
+			int fd = STATE_SYNC(commit).clientfd;
+
+			STATE_SYNC(commit).rq[0].cb =
+				STATE_SYNC(commit).rq[1].cb;
+
+			STATE_SYNC(commit).rq[1].cb = NULL;
+
+			STATE_SYNC(commit).clientfd = -1;
+			STATE_SYNC(commit).rq[0].cb(STATE_SYNC(commit).h, fd);
+		} else {
+			/* Close the client socket now, we're done. */
+			close(STATE_SYNC(commit).clientfd);
+			STATE_SYNC(commit).clientfd = -1;
+		}
+	}
+}
+
+static void channel_accept_cb(void *data)
+{
+	struct channel *c = data;
+	int fd;
+
+	fd = channel_accept(data);
+	if (fd < 0)
+		return;
+
+	register_fd(fd, channel_handler, c, STATE(fds));
+}
+
+static void tx_queue_cb(void *data)
+{
+	STATE_SYNC(sync)->xmit();
+
+	/* flush pending messages */
+	multichannel_send_flush(STATE_SYNC(channel));
+}
+
 static int init_sync(void)
 {
 	int i;
@@ -370,8 +418,19 @@ static int init_sync(void)
 	for (i=0; i<STATE_SYNC(channel)->channel_num; i++) {
 		int fd = channel_get_fd(STATE_SYNC(channel)->channel[i]);
 		fcntl(fd, F_SETFL, O_NONBLOCK);
-		if (register_fd(fd, STATE(fds)) == -1)
-			return -1;
+
+		switch(channel_type(STATE_SYNC(channel)->channel[i])) {
+		case CHANNEL_T_STREAM:
+			register_fd(fd, channel_accept_cb,
+					STATE_SYNC(channel)->channel[i],
+					STATE(fds));
+			break;
+		case CHANNEL_T_DATAGRAM:
+			register_fd(fd, channel_handler,
+					STATE_SYNC(channel)->channel[i],
+					STATE(fds));
+			break;
+		}
 	}
 
 	STATE_SYNC(interface) = nl_init_interface_handler();
@@ -379,7 +438,8 @@ static int init_sync(void)
 		dlog(LOG_ERR, "can't open interface watcher");
 		return -1;
 	}
-	if (register_fd(nlif_fd(STATE_SYNC(interface)), STATE(fds)) == -1)
+	if (register_fd(nlif_fd(STATE_SYNC(interface)),
+			interface_handler, NULL, STATE(fds)) == -1)
 		return -1;
 
 	STATE_SYNC(tx_queue) = queue_create("txqueue", INT_MAX, QUEUE_F_EVFD);
@@ -387,8 +447,8 @@ static int init_sync(void)
 		dlog(LOG_ERR, "cannot create tx queue");
 		return -1;
 	}
-	if (register_fd(queue_get_eventfd(STATE_SYNC(tx_queue)), 
-							STATE(fds)) == -1)
+	if (register_fd(queue_get_eventfd(STATE_SYNC(tx_queue)),
+			tx_queue_cb, NULL, STATE(fds)) == -1)
 		return -1;
 
 	STATE_SYNC(commit).h = nfct_open(CONFIG(netlink).subsys_id, 0);
@@ -404,7 +464,7 @@ static int init_sync(void)
 		return -1;
 	}
 	if (register_fd(get_read_evfd(STATE_SYNC(commit).evfd),
-							STATE(fds)) == -1) {
+				commit_cb, NULL, STATE(fds)) == -1) {
 		return -1;
 	}
 	STATE_SYNC(commit).clientfd = -1;
@@ -417,61 +477,6 @@ static int init_sync(void)
 	return 0;
 }
 
-static void channel_check(struct channel *c, int i, fd_set *readfds)
-{
-	/* In case that this channel is connection-oriented. */
-	if (channel_accept_isset(c, readfds))
-		channel_accept(c);
-
-	/* For data handling. */
-	if (channel_isset(c, readfds))
-		channel_handler(c, i);
-}
-
-static void run_sync(fd_set *readfds)
-{
-	int i;
-
-	for (i=0; i<STATE_SYNC(channel)->channel_num; i++)
-		channel_check(STATE_SYNC(channel)->channel[i], i, readfds);
-
-	if (FD_ISSET(queue_get_eventfd(STATE_SYNC(tx_queue)), readfds))
-		STATE_SYNC(sync)->xmit();
-
-	if (FD_ISSET(nlif_fd(STATE_SYNC(interface)), readfds))
-		interface_handler();
-
-	if (FD_ISSET(get_read_evfd(STATE_SYNC(commit).evfd), readfds)) {
-		int ret;
-
-		read_evfd(STATE_SYNC(commit).evfd);
-
-		ret = STATE_SYNC(commit).rq[0].cb(STATE_SYNC(commit).h, 0);
-		if (ret == 0) {
-			/* we still have things in the callback queue. */
-			if (STATE_SYNC(commit).rq[1].cb) {
-				int fd = STATE_SYNC(commit).clientfd;
-
-				STATE_SYNC(commit).rq[0].cb =
-					STATE_SYNC(commit).rq[1].cb;
-
-				STATE_SYNC(commit).rq[1].cb = NULL;
-
-				STATE_SYNC(commit).clientfd = -1;
-				STATE_SYNC(commit).rq[0].cb(
-					STATE_SYNC(commit).h, fd);
-			} else {
-				/* Close the client socket now, we're done. */
-				close(STATE_SYNC(commit).clientfd);
-				STATE_SYNC(commit).clientfd = -1;
-			}
-		}
-	}
-
-	/* flush pending messages */
-	multichannel_send_flush(STATE_SYNC(channel));
-}
-
 static void kill_sync(void)
 {
 	STATE(mode)->internal->close();
@@ -624,9 +629,6 @@ static int local_handler_sync(int fd, int type, void *data)
 		dlog(LOG_NOTICE, "flushing external cache");
 		STATE_SYNC(external)->ct.flush();
 		break;
-	case KILL:
-		killer(0);
-		break;
 	case STATS:
 		STATE(mode)->internal->ct.stats(fd);
 		STATE_SYNC(external)->ct.stats(fd);
@@ -729,7 +731,6 @@ static int local_handler_sync(int fd, int type, void *data)
 
 struct ct_mode sync_mode = {
 	.init 			= init_sync,
-	.run			= run_sync,
 	.local			= local_handler_sync,
 	.kill			= kill_sync,
 	/* the internal handler is set in run-time. */
diff --git a/src/tcp.c b/src/tcp.c
index c551c54..af27c46 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -27,7 +27,7 @@
 
 struct tcp_sock *tcp_server_create(struct tcp_conf *c)
 {
-	int yes = 1, ret;
+	int yes = 1;
 	struct tcp_sock *m;
 	socklen_t socklen = sizeof(int);
 
@@ -109,30 +109,7 @@ struct tcp_sock *tcp_server_create(struct tcp_conf *c)
 		return NULL;
 	}
 
-	/* now we accept new connections ... */
-	ret = accept(m->fd, NULL, NULL);
-	if (ret == -1) {
-		if (errno != EAGAIN) {
-			/* unexpected error, give up. */
-			close(m->fd);
-			free(m);
-			m = NULL;
-		} else {
-			/* still in progress ... we'll do it in tcp_recv() */
-			m->state = TCP_SERVER_ACCEPTING;
-		}
-	} else {
-		/* very unlikely at this stage. */
-		if (fcntl(ret, F_SETFL, O_NONBLOCK) == -1) {
-			/* unexpected error, give up. */
-			close(m->fd);
-			free(m);
-			return NULL;
-		}
-		m->client_fd = ret;
-		m->state = TCP_SERVER_CONNECTED;
-		register_fd(m->client_fd, STATE(fds));
-	}
+	m->state = TCP_SERVER_ACCEPTING;
 
 	return m;
 }
@@ -287,7 +264,6 @@ int tcp_accept(struct tcp_sock *m)
 
 		m->client_fd = ret;
 		m->state = TCP_SERVER_CONNECTED;
-		register_fd(m->client_fd, STATE(fds));
 	}
 	return m->client_fd;
 }
@@ -367,7 +343,6 @@ ssize_t tcp_recv(struct tcp_sock *m, void *data, int size)
 			close(m->client_fd);
 			m->client_fd = -1;
 			m->state = TCP_SERVER_ACCEPTING;
-			tcp_accept(m);
 		} else if (errno != EAGAIN) {
 			m->stats.error++;
 		}
@@ -377,7 +352,6 @@ ssize_t tcp_recv(struct tcp_sock *m, void *data, int size)
 		close(m->client_fd);
 		m->client_fd = -1;
 		m->state = TCP_SERVER_ACCEPTING;
-		tcp_accept(m);
 	}
 
 	if (ret >= 0) {
diff --git a/src/utils.c b/src/utils.c
new file mode 100644
index 0000000..fabec24
--- /dev/null
+++ b/src/utils.c
@@ -0,0 +1,243 @@
+/* The following code has been extracted from the kenrel sources, if there is
+ * any problem, blame for mangling it. --pablo */
+
+/*
+ *	Generic address resultion entity
+ *
+ *	Authors:
+ *	net_random Alan Cox
+ *	net_ratelimit Andi Kleen
+ *	in{4,6}_pton YOSHIFUJI Hideaki, Copyright (C)2006 USAGI/WIDE Project
+ *
+ *	Created by Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+ *
+ *	This program is free software; you can redistribute it and/or
+ *	modify it under the terms of the GNU General Public License
+ *	as published by the Free Software Foundation; either version
+ *	2 of the License, or (at your option) any later version.
+ */
+
+/*
+ * lib/hexdump.c
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation. See README and COPYING for
+ * more details.
+ */
+
+#include <stdint.h>
+#include <ctype.h>
+#include <string.h>	/* for memcpy */
+
+#include "helper.h"
+
+static int hex_to_bin(char ch)
+{
+	if ((ch >= '0') && (ch <= '9'))
+		return ch - '0';
+	ch = tolower(ch);
+	if ((ch >= 'a') && (ch <= 'f'))
+		return ch - 'a' + 10;
+	return -1;
+}
+
+#define IN6PTON_XDIGIT		0x00010000
+#define IN6PTON_DIGIT		0x00020000
+#define IN6PTON_COLON_MASK	0x00700000
+#define IN6PTON_COLON_1		0x00100000	/* single : requested */
+#define IN6PTON_COLON_2		0x00200000	/* second : requested */
+#define IN6PTON_COLON_1_2	0x00400000	/* :: requested */
+#define IN6PTON_DOT		0x00800000	/* . */
+#define IN6PTON_DELIM		0x10000000
+#define IN6PTON_NULL		0x20000000	/* first/tail */
+#define IN6PTON_UNKNOWN		0x40000000
+
+static inline int xdigit2bin(char c, int delim)
+{
+	int val;
+
+	if (c == delim || c == '\0')
+		return IN6PTON_DELIM;
+	if (c == ':')
+		return IN6PTON_COLON_MASK;
+	if (c == '.')
+		return IN6PTON_DOT;
+
+	val = hex_to_bin(c);
+	if (val >= 0)
+		return val | IN6PTON_XDIGIT | (val < 10 ? IN6PTON_DIGIT : 0);
+
+	if (delim == -1)
+		return IN6PTON_DELIM;
+	return IN6PTON_UNKNOWN;
+}
+
+int in4_pton(const char *src, int srclen,
+	     uint8_t *dst,
+	     int delim, const char **end)
+{
+	const char *s;
+	uint8_t *d;
+	uint8_t dbuf[4];
+	int ret = 0;
+	int i;
+	int w = 0;
+
+	if (srclen < 0)
+		srclen = strlen(src);
+	s = src;
+	d = dbuf;
+	i = 0;
+	while(1) {
+		int c;
+		c = xdigit2bin(srclen > 0 ? *s : '\0', delim);
+		if (!(c & (IN6PTON_DIGIT | IN6PTON_DOT | IN6PTON_DELIM | IN6PTON_COLON_MASK))) {
+			goto out;
+		}
+		if (c & (IN6PTON_DOT | IN6PTON_DELIM | IN6PTON_COLON_MASK)) {
+			if (w == 0)
+				goto out;
+			*d++ = w & 0xff;
+			w = 0;
+			i++;
+			if (c & (IN6PTON_DELIM | IN6PTON_COLON_MASK)) {
+				if (i != 4)
+					goto out;
+				break;
+			}
+			goto cont;
+		}
+		w = (w * 10) + c;
+		if ((w & 0xffff) > 255) {
+			goto out;
+		}
+cont:
+		if (i >= 4)
+			goto out;
+		s++;
+		srclen--;
+	}
+	ret = 1;
+	memcpy(dst, dbuf, sizeof(dbuf));
+out:
+	if (end)
+		*end = s;
+	return ret;
+}
+
+int in6_pton(const char *src, int srclen,
+	     uint8_t *dst,
+	     int delim, const char **end)
+{
+	const char *s, *tok = NULL;
+	uint8_t *d, *dc = NULL;
+	uint8_t dbuf[16];
+	int ret = 0;
+	int i;
+	int state = IN6PTON_COLON_1_2 | IN6PTON_XDIGIT | IN6PTON_NULL;
+	int w = 0;
+
+	memset(dbuf, 0, sizeof(dbuf));
+
+	s = src;
+	d = dbuf;
+	if (srclen < 0)
+		srclen = strlen(src);
+
+	while (1) {
+		int c;
+
+		c = xdigit2bin(srclen > 0 ? *s : '\0', delim);
+		if (!(c & state))
+			goto out;
+		if (c & (IN6PTON_DELIM | IN6PTON_COLON_MASK)) {
+			/* process one 16-bit word */
+			if (!(state & IN6PTON_NULL)) {
+				*d++ = (w >> 8) & 0xff;
+				*d++ = w & 0xff;
+			}
+			w = 0;
+			if (c & IN6PTON_DELIM) {
+				/* We've processed last word */
+				break;
+			}
+			/*
+			 * COLON_1 => XDIGIT
+			 * COLON_2 => XDIGIT|DELIM
+			 * COLON_1_2 => COLON_2
+			 */
+			switch (state & IN6PTON_COLON_MASK) {
+			case IN6PTON_COLON_2:
+				dc = d;
+				state = IN6PTON_XDIGIT | IN6PTON_DELIM;
+				if (dc - dbuf >= (int)sizeof(dbuf))
+					state |= IN6PTON_NULL;
+				break;
+			case IN6PTON_COLON_1|IN6PTON_COLON_1_2:
+				state = IN6PTON_XDIGIT | IN6PTON_COLON_2;
+				break;
+			case IN6PTON_COLON_1:
+				state = IN6PTON_XDIGIT;
+				break;
+			case IN6PTON_COLON_1_2:
+				state = IN6PTON_COLON_2;
+				break;
+			default:
+				state = 0;
+			}
+			tok = s + 1;
+			goto cont;
+		}
+
+		if (c & IN6PTON_DOT) {
+			ret = in4_pton(tok ? tok : s, srclen + (int)(s - tok), d, delim, &s);
+			if (ret > 0) {
+				d += 4;
+				break;
+			}
+			goto out;
+		}
+
+		w = (w << 4) | (0xff & c);
+		state = IN6PTON_COLON_1 | IN6PTON_DELIM;
+		if (!(w & 0xf000)) {
+			state |= IN6PTON_XDIGIT;
+		}
+		if (!dc && d + 2 < dbuf + sizeof(dbuf)) {
+			state |= IN6PTON_COLON_1_2;
+			state &= ~IN6PTON_DELIM;
+		}
+		if (d + 2 >= dbuf + sizeof(dbuf)) {
+			state &= ~(IN6PTON_COLON_1|IN6PTON_COLON_1_2);
+		}
+cont:
+		if ((dc && d + 4 < dbuf + sizeof(dbuf)) ||
+		    d + 4 == dbuf + sizeof(dbuf)) {
+			state |= IN6PTON_DOT;
+		}
+		if (d >= dbuf + sizeof(dbuf)) {
+			state &= ~(IN6PTON_XDIGIT|IN6PTON_COLON_MASK);
+		}
+		s++;
+		srclen--;
+	}
+
+	i = 15; d--;
+
+	if (dc) {
+		while(d >= dc)
+			dst[i--] = *d--;
+		while(i >= dc - dbuf)
+			dst[i--] = 0;
+		while(i >= 0)
+			dst[i--] = *d--;
+	} else
+		memcpy(dst, dbuf, sizeof(dbuf));
+
+	ret = 1;
+out:
+	if (end)
+		*end = s;
+	return ret;
+}