Diffstat (limited to 'include')
-rw-r--r--include/Makefile.am3
-rw-r--r--include/Makefile.in43
-rw-r--r--include/channel.h11
-rw-r--r--include/conntrack.h2
-rw-r--r--include/conntrackd.h31
-rw-r--r--include/fds.h4
-rw-r--r--include/helper.h111
-rw-r--r--include/linux/Makefile.in40
-rw-r--r--include/linux/netfilter/Makefile.am2
-rw-r--r--include/linux/netfilter/Makefile.in31
-rw-r--r--include/linux/netfilter/nfnetlink_cthelper.h55
-rw-r--r--include/linux/netfilter/nfnetlink_queue.h99
-rw-r--r--include/myct.h43
-rw-r--r--include/netlink.h2
-rw-r--r--include/nfct.h10
-rw-r--r--include/stack.h28
16 files changed, 484 insertions, 31 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
index 138005d..6bd0f7f 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -5,5 +5,6 @@ noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
debug.h log.h hash.h mcast.h conntrack.h \
network.h filter.h queue.h vector.h cidr.h \
traffic_stats.h netlink.h fds.h event.h bitops.h channel.h \
- process.h origin.h internal.h external.h date.h nfct.h
+ process.h origin.h internal.h external.h date.h nfct.h \
+ helper.h myct.h stack.h
diff --git a/include/Makefile.in b/include/Makefile.in
index f02b393..e94f01e 100644
--- a/include/Makefile.in
+++ b/include/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
@SET_MAKE@
VPATH = @srcdir@
+am__make_dryrun = \
+ { \
+ am__dry=no; \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
+ | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+ *) \
+ for am__flg in $$MAKEFLAGS; do \
+ case $$am__flg in \
+ *=*|--*) ;; \
+ *n*) am__dry=yes; break;; \
+ esac; \
+ done;; \
+ esac; \
+ test $$am__dry = yes; \
+ }
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -62,6 +79,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
HEADERS = $(noinst_HEADERS)
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
@@ -137,8 +159,12 @@ LIBMNL_CFLAGS = @LIBMNL_CFLAGS@
LIBMNL_LIBS = @LIBMNL_LIBS@
LIBNETFILTER_CONNTRACK_CFLAGS = @LIBNETFILTER_CONNTRACK_CFLAGS@
LIBNETFILTER_CONNTRACK_LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
+LIBNETFILTER_CTHELPER_CFLAGS = @LIBNETFILTER_CTHELPER_CFLAGS@
+LIBNETFILTER_CTHELPER_LIBS = @LIBNETFILTER_CTHELPER_LIBS@
LIBNETFILTER_CTTIMEOUT_CFLAGS = @LIBNETFILTER_CTTIMEOUT_CFLAGS@
LIBNETFILTER_CTTIMEOUT_LIBS = @LIBNETFILTER_CTTIMEOUT_LIBS@
+LIBNETFILTER_QUEUE_CFLAGS = @LIBNETFILTER_QUEUE_CFLAGS@
+LIBNETFILTER_QUEUE_LIBS = @LIBNETFILTER_QUEUE_LIBS@
LIBNFNETLINK_CFLAGS = @LIBNFNETLINK_CFLAGS@
LIBNFNETLINK_LIBS = @LIBNFNETLINK_LIBS@
LIBOBJS = @LIBOBJS@
@@ -209,6 +235,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
+libdl_LIBS = @libdl_LIBS@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -233,7 +260,8 @@ noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
debug.h log.h hash.h mcast.h conntrack.h \
network.h filter.h queue.h vector.h cidr.h \
traffic_stats.h netlink.h fds.h event.h bitops.h channel.h \
- process.h origin.h internal.h external.h date.h nfct.h
+ process.h origin.h internal.h external.h date.h nfct.h \
+ helper.h myct.h stack.h
all: all-recursive
@@ -442,13 +470,10 @@ distdir: $(DISTFILES)
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
- test -d "$(distdir)/$$subdir" \
- || $(MKDIR_P) "$(distdir)/$$subdir" \
- || exit 1; \
- fi; \
- done
- @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
- if test "$$subdir" = .; then :; else \
+ $(am__make_dryrun) \
+ || test -d "$(distdir)/$$subdir" \
+ || $(MKDIR_P) "$(distdir)/$$subdir" \
+ || exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
diff --git a/include/channel.h b/include/channel.h
index 9b5fad8..46a354f 100644
--- a/include/channel.h
+++ b/include/channel.h
@@ -35,7 +35,8 @@ struct tcp_channel {
#define CHANNEL_F_BUFFERED (1 << 1)
#define CHANNEL_F_STREAM (1 << 2)
#define CHANNEL_F_ERRORS (1 << 3)
-#define CHANNEL_F_MAX (1 << 4)
+#define CHANNEL_F_ACCEPT (1 << 4)
+#define CHANNEL_F_MAX (1 << 5)
union channel_type_conf {
struct mcast_conf mcast;
@@ -52,8 +53,12 @@ struct channel_conf {
struct nlif_handle;
+#define CHANNEL_T_DATAGRAM 0
+#define CHANNEL_T_STREAM 1
+
struct channel_ops {
int headersiz;
+ int type;
void * (*open)(void *conf);
void (*close)(void *channel);
int (*send)(void *channel, const void *data, int len);
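Review bot: The new `type` member of `struct channel_ops` and the `CHANNEL_T_DATAGRAM`/`CHANNEL_T_STREAM` values it is meant to hold carry no comment, so a reader has to find `channel_type()` and its callers to learn that the field is a classification and not a flag word. I'd annotate the field as `int type; /* CHANNEL_T_DATAGRAM or CHANNEL_T_STREAM */` and, since the two values are only ever used in that field, make them an `enum channel_type` so the compiler can warn on an unhandled case. The `struct channel_ops` definition continues past the end of this hunk.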
@@ -97,6 +102,8 @@ void channel_stats(struct channel *c, int fd);
void channel_stats_extended(struct channel *c, int active,
struct nlif_handle *h, int fd);
+int channel_type(struct channel *c);
+
#define MULTICHANNEL_MAX 4
struct multichannel {
@@ -119,6 +126,6 @@ void multichannel_stats_extended(struct multichannel *m,
int multichannel_get_ifindex(struct multichannel *m, int i);
int multichannel_get_current_ifindex(struct multichannel *m);
void multichannel_set_current_channel(struct multichannel *m, int i);
-void multichannel_change_current_channel(struct multichannel *m, int i);
+void multichannel_change_current_channel(struct multichannel *m, struct channel *c);
#endif /* _CHANNEL_H_ */
diff --git a/include/conntrack.h b/include/conntrack.h
index 3882de7..fd6126b 100644
--- a/include/conntrack.h
+++ b/include/conntrack.h
@@ -9,7 +9,7 @@
#include <netinet/in.h>
-#define NUMBER_OF_CMD 18
+#define NUMBER_OF_CMD 19
#define NUMBER_OF_OPT 24
struct ctproto_handler {
diff --git a/include/conntrackd.h b/include/conntrackd.h
index 9359dfa..19e613c 100644
--- a/include/conntrackd.h
+++ b/include/conntrackd.h
@@ -69,6 +69,7 @@
#define CTD_SYNC_NOTRACK (1UL << 4)
#define CTD_POLL (1UL << 5)
#define CTD_EXPECT (1UL << 6)
+#define CTD_HELPER (1UL << 7)
/* FILENAME_MAX is 4096 on my system, perhaps too much? */
#ifndef FILENAME_MAXLEN
@@ -134,6 +135,9 @@ struct ct_conf {
int syslog_facility;
size_t buffer_size;
} stats;
+ struct {
+ struct list_head list;
+ } cthelper;
};
#define STATE(x) st.x
@@ -252,24 +256,41 @@ struct ct_stats_state {
struct cache *cache; /* internal events cache (netlink) */
};
-union ct_state {
+#define STATE_CTH(x) state.cthelper->x
+
+struct ct_helper_state {
+ struct mnl_socket *nl;
+ uint32_t portid;
+};
+
+struct ct_state {
struct ct_sync_state *sync;
struct ct_stats_state *stats;
+ struct ct_helper_state *cthelper;
};
extern struct ct_conf conf;
-extern union ct_state state;
+extern struct ct_state state;
extern struct ct_general_state st;
struct ct_mode {
struct internal_handler *internal;
int (*init)(void);
- void (*run)(fd_set *readfds);
int (*local)(int fd, int type, void *data);
void (*kill)(void);
};
-/* conntrackd modes */
+/* basic ctnl functions */
+void ctnl_kill(void);
+int ctnl_local(int fd, int type, void *data);
+int ctnl_init(void);
+
+/* basic cthelper functions */
+void cthelper_kill(void);
+int cthelper_local(int fd, int type, void *data);
+int cthelper_init(void);
+
+/* conntrackd ctnl modes */
extern struct ct_mode sync_mode;
extern struct ct_mode stats_mode;
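Review bot: `STATE_CTH(x)` expands to `state.cthelper->x`, and now that `ct_state` is a plain struct of three independent pointers, `state.cthelper` is NULL in any run where `cthelper_init()` has not executed; the old union at least made it obvious that only one member was live at a time, whereas a stray `STATE_CTH()` from ctnl-side code is now a silent NULL dereference at runtime. The precondition belongs next to the macro: `/* Only valid once cthelper_init() has run; state.cthelper stays NULL in the ctnl (sync/stats) modes. */`. It would also help to say on `struct ct_state` that exactly one of the three pointers is expected to be non-NULL per daemon mode, if that is indeed the intended invariant.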
@@ -278,7 +299,7 @@ extern struct ct_mode stats_mode;
/* These live in run.c */
void killer(int foo);
int init(void);
-void run(void);
+void select_main_loop(void);
/* from read_config_yy.c */
int
diff --git a/include/fds.h b/include/fds.h
index f3728d7..ed0c8be 100644
--- a/include/fds.h
+++ b/include/fds.h
@@ -12,11 +12,13 @@ struct fds {
struct fds_item {
struct list_head head;
int fd;
+ void (*cb)(void *data);
+ void *data;
};
struct fds *create_fds(void);
void destroy_fds(struct fds *);
-int register_fd(int fd, struct fds *fds);
+int register_fd(int fd, void (*cb)(void *data), void *data, struct fds *fds);
int unregister_fd(int fd, struct fds *fds);
#endif
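Review bot: The new `cb`/`data` pair in `struct fds_item` stores a raw `void *` that the fd loop will hand back on every event, but the header says nothing about who owns `data` or how long it must remain valid; `unregister_fd()` takes only the fd, so it presumably releases the item and not `data`. Document the contract on the prototype: `/* data is stored, not copied: it must stay valid until unregister_fd() and is not freed by it. */`. A `typedef void (*fds_cb_t)(void *data);` would also keep the two spellings of the callback type from drifting apart.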
diff --git a/include/helper.h b/include/helper.h
new file mode 100644
index 0000000..9d96fb7
--- /dev/null
+++ b/include/helper.h
@@ -0,0 +1,111 @@
+#ifndef _CTD_HELPER_H_
+#define _CTD_HELPER_H_
+
+#include <stdint.h>
+#include "linux_list.h"
+#include "myct.h"
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+struct pkt_buff;
+
+#define CTD_HELPER_NAME_LEN 16
+#define CTD_HELPER_POLICY_MAX 4
+
+struct ctd_helper_policy {
+ char name[CTD_HELPER_NAME_LEN];
+ uint32_t expect_timeout;
+ uint32_t expect_max;
+};
+
+struct ctd_helper {
+ struct list_head head;
+ char name[CTD_HELPER_NAME_LEN];
+ uint8_t l4proto;
+ int (*cb)(struct pkt_buff *pkt,
+ uint32_t protoff,
+ struct myct *ct,
+ u_int32_t ctinfo);
+
+ struct ctd_helper_policy policy[CTD_HELPER_POLICY_MAX];
+
+ int priv_data_len;
+};
+
+struct ctd_helper_instance {
+ struct list_head head;
+ uint32_t queue_num;
+ uint32_t queue_len;
+ uint16_t l3proto;
+ uint8_t l4proto;
+ struct ctd_helper *helper;
+ struct ctd_helper_policy policy[CTD_HELPER_POLICY_MAX];
+};
+
+extern int cthelper_expect_init(struct nf_expect *exp, struct nf_conntrack *master, uint32_t class, union nfct_attr_grp_addr *saddr, union nfct_attr_grp_addr *daddr, uint8_t l4proto, uint16_t *sport, uint16_t *dport, uint32_t flags);
+extern int cthelper_add_expect(struct nf_expect *exp);
+extern int cthelper_del_expect(struct nf_expect *exp);
+
+extern void cthelper_get_addr_src(struct nf_conntrack *ct, int dir, union nfct_attr_grp_addr *addr);
+extern void cthelper_get_addr_dst(struct nf_conntrack *ct, int dir, union nfct_attr_grp_addr *addr);
+
+extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
+extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
+
+extern void helper_register(struct ctd_helper *helper);
+struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
+
+#define min_t(type, x, y) ({ \
+ type __min1 = (x); \
+ type __min2 = (y); \
+ __min1 < __min2 ? __min1: __min2; })
+
+#define max_t(type, x, y) ({ \
+ type __max1 = (x); \
+ type __max2 = (y); \
+ __max1 > __max2 ? __max1: __max2; })
+
+#define ARRAY_SIZE MNL_ARRAY_SIZE
+
+enum ip_conntrack_dir {
+ IP_CT_DIR_ORIGINAL,
+ IP_CT_DIR_REPLY,
+ IP_CT_DIR_MAX
+};
+
+/* Connection state tracking for netfilter. This is separated from,
+ but required by, the NAT layer; it can also be used by an iptables
+ extension. */
+enum ip_conntrack_info {
+ /* Part of an established connection (either direction). */
+ IP_CT_ESTABLISHED,
+
+ /* Like NEW, but related to an existing connection, or ICMP error
+ (in either direction). */
+ IP_CT_RELATED,
+
+ /* Started a new connection to track (only
+ IP_CT_DIR_ORIGINAL); may be a retransmission. */
+ IP_CT_NEW,
+
+ /* >= this indicates reply direction */
+ IP_CT_IS_REPLY,
+
+ IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
+ IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
+ IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
+ /* Number of distinct IP_CT types (no NEW in reply dirn). */
+ IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+
+#if 0
+#define pr_debug(fmt, arg...) \
+ printf(fmt, ##arg)
+#else
+#define pr_debug(fmt, arg...) \
+ ({ if (0) printf(fmt, ##arg); 0; })
+#endif
+
+#endif
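Review bot: `helper_find()` takes a `libdir_path` and a caller-supplied `name`, and with libdl now being linked the helper is presumably located by joining the two and `dlopen()`ing the result, yet nothing here constrains `name`; if it comes from the configuration file it should be rejected when it contains a `/` or does not fit in `CTD_HELPER_NAME_LEN - 1` bytes, otherwise the lookup can reach outside `libdir_path`, and whatever is loaded runs with the daemon's privileges, so the directory must be trusted (root-owned, not world-writable). I'd put that on the prototype: `/* Locate helper NAME for L4PROTO under LIBDIR_PATH. NAME must be a bare filename component (no '/') shorter than CTD_HELPER_NAME_LEN; the matching library is loaded into the daemon, so LIBDIR_PATH must be a trusted directory. */`. Separately, the `cb` member spells its last parameter `u_int32_t ctinfo` while every other field uses the C99 `uint32_t`; make it `uint32_t ctinfo`. Also `#define ARRAY_SIZE MNL_ARRAY_SIZE` depends on `<libmnl/libmnl.h>`, which this header does not include, so every user of `ARRAY_SIZE` must include libmnl first or the macro expands to an undeclared name.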
diff --git a/include/linux/Makefile.in b/include/linux/Makefile.in
index b7cb37e..847147e 100644
--- a/include/linux/Makefile.in
+++ b/include/linux/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -15,6 +15,23 @@
@SET_MAKE@
VPATH = @srcdir@
+am__make_dryrun = \
+ { \
+ am__dry=no; \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
+ | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+ *) \
+ for am__flg in $$MAKEFLAGS; do \
+ case $$am__flg in \
+ *=*|--*) ;; \
+ *n*) am__dry=yes; break;; \
+ esac; \
+ done;; \
+ esac; \
+ test $$am__dry = yes; \
+ }
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -60,6 +77,11 @@ RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \
install-pdf-recursive install-ps-recursive install-recursive \
installcheck-recursive installdirs-recursive pdf-recursive \
ps-recursive uninstall-recursive
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \
distclean-recursive maintainer-clean-recursive
AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \
@@ -134,8 +156,12 @@ LIBMNL_CFLAGS = @LIBMNL_CFLAGS@
LIBMNL_LIBS = @LIBMNL_LIBS@
LIBNETFILTER_CONNTRACK_CFLAGS = @LIBNETFILTER_CONNTRACK_CFLAGS@
LIBNETFILTER_CONNTRACK_LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
+LIBNETFILTER_CTHELPER_CFLAGS = @LIBNETFILTER_CTHELPER_CFLAGS@
+LIBNETFILTER_CTHELPER_LIBS = @LIBNETFILTER_CTHELPER_LIBS@
LIBNETFILTER_CTTIMEOUT_CFLAGS = @LIBNETFILTER_CTTIMEOUT_CFLAGS@
LIBNETFILTER_CTTIMEOUT_LIBS = @LIBNETFILTER_CTTIMEOUT_LIBS@
+LIBNETFILTER_QUEUE_CFLAGS = @LIBNETFILTER_QUEUE_CFLAGS@
+LIBNETFILTER_QUEUE_LIBS = @LIBNETFILTER_QUEUE_LIBS@
LIBNFNETLINK_CFLAGS = @LIBNFNETLINK_CFLAGS@
LIBNFNETLINK_LIBS = @LIBNFNETLINK_LIBS@
LIBOBJS = @LIBOBJS@
@@ -206,6 +232,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
+libdl_LIBS = @libdl_LIBS@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -432,13 +459,10 @@ distdir: $(DISTFILES)
done
@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
if test "$$subdir" = .; then :; else \
- test -d "$(distdir)/$$subdir" \
- || $(MKDIR_P) "$(distdir)/$$subdir" \
- || exit 1; \
- fi; \
- done
- @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
- if test "$$subdir" = .; then :; else \
+ $(am__make_dryrun) \
+ || test -d "$(distdir)/$$subdir" \
+ || $(MKDIR_P) "$(distdir)/$$subdir" \
+ || exit 1; \
dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
$(am__relativize); \
new_distdir=$$reldir; \
diff --git a/include/linux/netfilter/Makefile.am b/include/linux/netfilter/Makefile.am
index 84315e3..6574060 100644
--- a/include/linux/netfilter/Makefile.am
+++ b/include/linux/netfilter/Makefile.am
@@ -1 +1 @@
-noinst_HEADERS = nfnetlink.h nfnetlink_cttimeout.h
+noinst_HEADERS = nfnetlink.h nfnetlink_cttimeout.h nfnetlink_queue.h nfnetlink_cthelper.h
diff --git a/include/linux/netfilter/Makefile.in b/include/linux/netfilter/Makefile.in
index 346dd66..5ecc87a 100644
--- a/include/linux/netfilter/Makefile.in
+++ b/include/linux/netfilter/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
@SET_MAKE@
VPATH = @srcdir@
+am__make_dryrun = \
+ { \
+ am__dry=no; \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
+ | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+ *) \
+ for am__flg in $$MAKEFLAGS; do \
+ case $$am__flg in \
+ *=*|--*) ;; \
+ *n*) am__dry=yes; break;; \
+ esac; \
+ done;; \
+ esac; \
+ test $$am__dry = yes; \
+ }
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -55,6 +72,11 @@ am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
SOURCES =
DIST_SOURCES =
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
HEADERS = $(noinst_HEADERS)
ETAGS = etags
CTAGS = ctags
@@ -99,8 +121,12 @@ LIBMNL_CFLAGS = @LIBMNL_CFLAGS@
LIBMNL_LIBS = @LIBMNL_LIBS@
LIBNETFILTER_CONNTRACK_CFLAGS = @LIBNETFILTER_CONNTRACK_CFLAGS@
LIBNETFILTER_CONNTRACK_LIBS = @LIBNETFILTER_CONNTRACK_LIBS@
+LIBNETFILTER_CTHELPER_CFLAGS = @LIBNETFILTER_CTHELPER_CFLAGS@
+LIBNETFILTER_CTHELPER_LIBS = @LIBNETFILTER_CTHELPER_LIBS@
LIBNETFILTER_CTTIMEOUT_CFLAGS = @LIBNETFILTER_CTTIMEOUT_CFLAGS@
LIBNETFILTER_CTTIMEOUT_LIBS = @LIBNETFILTER_CTTIMEOUT_LIBS@
+LIBNETFILTER_QUEUE_CFLAGS = @LIBNETFILTER_QUEUE_CFLAGS@
+LIBNETFILTER_QUEUE_LIBS = @LIBNETFILTER_QUEUE_LIBS@
LIBNFNETLINK_CFLAGS = @LIBNFNETLINK_CFLAGS@
LIBNFNETLINK_LIBS = @LIBNFNETLINK_LIBS@
LIBOBJS = @LIBOBJS@
@@ -171,6 +197,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
libdir = @libdir@
+libdl_LIBS = @libdl_LIBS@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
@@ -189,7 +216,7 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-noinst_HEADERS = nfnetlink.h nfnetlink_cttimeout.h
+noinst_HEADERS = nfnetlink.h nfnetlink_cttimeout.h nfnetlink_queue.h nfnetlink_cthelper.h
all: all-am
.SUFFIXES:
diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/linux/netfilter/nfnetlink_cthelper.h
new file mode 100644
index 0000000..33659f6
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_cthelper.h
@@ -0,0 +1,55 @@
+#ifndef _NFNL_CTHELPER_H_
+#define _NFNL_CTHELPER_H_
+
+#define NFCT_HELPER_STATUS_DISABLED 0
+#define NFCT_HELPER_STATUS_ENABLED 1
+
+enum nfnl_acct_msg_types {
+ NFNL_MSG_CTHELPER_NEW,
+ NFNL_MSG_CTHELPER_GET,
+ NFNL_MSG_CTHELPER_DEL,
+ NFNL_MSG_CTHELPER_MAX
+};
+
+enum nfnl_cthelper_type {
+ NFCTH_UNSPEC,
+ NFCTH_NAME,
+ NFCTH_TUPLE,
+ NFCTH_QUEUE_NUM,
+ NFCTH_POLICY,
+ NFCTH_PRIV_DATA_LEN,
+ NFCTH_STATUS,
+ __NFCTH_MAX
+};
+#define NFCTH_MAX (__NFCTH_MAX - 1)
+
+enum nfnl_cthelper_policy_type {
+ NFCTH_POLICY_SET_UNSPEC,
+ NFCTH_POLICY_SET_NUM,
+ NFCTH_POLICY_SET,
+ NFCTH_POLICY_SET1 = NFCTH_POLICY_SET,
+ NFCTH_POLICY_SET2,
+ NFCTH_POLICY_SET3,
+ NFCTH_POLICY_SET4,
+ __NFCTH_POLICY_SET_MAX
+};
+#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
+
+enum nfnl_cthelper_pol_type {
+ NFCTH_POLICY_UNSPEC,
+ NFCTH_POLICY_NAME,
+ NFCTH_POLICY_EXPECT_MAX,
+ NFCTH_POLICY_EXPECT_TIMEOUT,
+ __NFCTH_POLICY_MAX
+};
+#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
+
+enum nfnl_cthelper_tuple_type {
+ NFCTH_TUPLE_UNSPEC,
+ NFCTH_TUPLE_L3PROTONUM,
+ NFCTH_TUPLE_L4PROTONUM,
+ __NFCTH_TUPLE_MAX,
+};
+#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
+
+#endif /* _NFNL_CTHELPER_H */
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
new file mode 100644
index 0000000..e0d8fd8
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -0,0 +1,99 @@
+#ifndef _NFNETLINK_QUEUE_H
+#define _NFNETLINK_QUEUE_H
+
+#include <linux/types.h>
+#include <linux/netfilter/nfnetlink.h>
+
+enum nfqnl_msg_types {
+ NFQNL_MSG_PACKET, /* packet from kernel to userspace */
+ NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */
+ NFQNL_MSG_CONFIG, /* connect to a particular queue */
+ NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */
+
+ NFQNL_MSG_MAX
+};
+
+struct nfqnl_msg_packet_hdr {
+ __be32 packet_id; /* unique ID of packet in queue */
+ __be16 hw_protocol; /* hw protocol (network order) */
+ __u8 hook; /* netfilter hook */
+} __attribute__ ((packed));
+
+struct nfqnl_msg_packet_hw {
+ __be16 hw_addrlen;
+ __u16 _pad;
+ __u8 hw_addr[8];
+};
+
+struct nfqnl_msg_packet_timestamp {
+ __aligned_be64 sec;
+ __aligned_be64 usec;
+};
+
+enum nfqnl_attr_type {
+ NFQA_UNSPEC,
+ NFQA_PACKET_HDR,
+ NFQA_VERDICT_HDR, /* nfqnl_msg_verdict_hrd */
+ NFQA_MARK, /* __u32 nfmark */
+ NFQA_TIMESTAMP, /* nfqnl_msg_packet_timestamp */
+ NFQA_IFINDEX_INDEV, /* __u32 ifindex */
+ NFQA_IFINDEX_OUTDEV, /* __u32 ifindex */
+ NFQA_IFINDEX_PHYSINDEV, /* __u32 ifindex */
+ NFQA_IFINDEX_PHYSOUTDEV, /* __u32 ifindex */
+ NFQA_HWADDR, /* nfqnl_msg_packet_hw */
+ NFQA_PAYLOAD, /* opaque data payload */
+ NFQA_CT, /* nf_conntrack_netlink.h */
+ NFQA_CT_INFO, /* enum ip_conntrack_info */
+
+ __NFQA_MAX
+};
+#define NFQA_MAX (__NFQA_MAX - 1)
+
+struct nfqnl_msg_verdict_hdr {
+ __be32 verdict;
+ __be32 id;
+};
+
+
+enum nfqnl_msg_config_cmds {
+ NFQNL_CFG_CMD_NONE,
+ NFQNL_CFG_CMD_BIND,
+ NFQNL_CFG_CMD_UNBIND,
+ NFQNL_CFG_CMD_PF_BIND,
+ NFQNL_CFG_CMD_PF_UNBIND,
+};
+
+struct nfqnl_msg_config_cmd {
+ __u8 command; /* nfqnl_msg_config_cmds */
+ __u8 _pad;
+ __be16 pf; /* AF_xxx for PF_[UN]BIND */
+};
+
+enum nfqnl_config_mode {
+ NFQNL_COPY_NONE,
+ NFQNL_COPY_META,
+ NFQNL_COPY_PACKET,
+};
+
+struct nfqnl_msg_config_params {
+ __be32 copy_range;
+ __u8 copy_mode; /* enum nfqnl_config_mode */
+} __attribute__ ((packed));
+
+
+enum nfqnl_attr_config {
+ NFQA_CFG_UNSPEC,
+ NFQA_CFG_CMD, /* nfqnl_msg_config_cmd */
+ NFQA_CFG_PARAMS, /* nfqnl_msg_config_params */
+ NFQA_CFG_QUEUE_MAXLEN, /* __u32 */
+ NFQA_CFG_MASK, /* identify which flags to change */
+ NFQA_CFG_FLAGS, /* value of these flags (__u32) */
+ __NFQA_CFG_MAX
+};
+#define NFQA_CFG_MAX (__NFQA_CFG_MAX-1)
+
+/* Flags for NFQA_CFG_FLAGS */
+#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
+#define NFQA_CFG_F_CONNTRACK (1 << 1)
+
+#endif /* _NFNETLINK_QUEUE_H */
diff --git a/include/myct.h b/include/myct.h
new file mode 100644
index 0000000..45d9f29
--- /dev/null
+++ b/include/myct.h
@@ -0,0 +1,43 @@
+#ifndef _MYCT_H_
+#define _MYCT_H_
+
+#include "linux_list.h"
+
+#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
+
+struct nf_conntrack;
+
+enum {
+ MYCT_NONE = 0,
+ MYCT_ESTABLISHED = (1 << 0),
+};
+
+enum {
+ MYCT_DIR_ORIG = 0,
+ MYCT_DIR_REPL,
+ MYCT_DIR_MAX,
+};
+
+union myct_proto {
+ uint16_t port;
+ uint16_t all;
+};
+
+struct myct_man {
+ union nfct_attr_grp_addr u3;
+ union myct_proto u;
+ uint16_t l3num;
+ uint8_t protonum;
+};
+
+struct myct_tuple {
+ struct myct_man src;
+ struct myct_man dst;
+};
+
+struct myct {
+ struct nf_conntrack *ct;
+ void *priv_data;
+};
+
+#endif
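Review bot: `struct myct` exposes `priv_data` with no accompanying length, so a helper callback has to trust that whoever allocated the area used the `priv_data_len` it registered; if the two ever disagree, a helper writing its full private state would run past the allocation. A comment on the field would make the dependency explicit: `/* Per-connection scratch area of helper->priv_data_len bytes, allocated by the cthelper core; helpers must not write beyond that length. */`. The `struct nf_conntrack;` forward declaration is redundant once `libnetfilter_conntrack.h` is included, and the header uses `uint16_t`/`uint8_t` without including `<stdint.h>` itself, relying on that library header to pull it in.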
diff --git a/include/netlink.h b/include/netlink.h
index 3bde30c..9a33083 100644
--- a/include/netlink.h
+++ b/include/netlink.h
@@ -12,7 +12,7 @@ struct nlif_handle *nl_init_interface_handler(void);
int nl_send_resync(struct nfct_handle *h);
void nl_resize_socket_buffer(struct nfct_handle *h);
int nl_dump_conntrack_table(struct nfct_handle *h);
-int nl_flush_conntrack_table(struct nfct_handle *h);
+int nl_flush_conntrack_table_selective(void);
int nl_get_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct);
int nl_create_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct, int timeout);
int nl_update_conntrack(struct nfct_handle *h, const struct nf_conntrack *ct, int timeout);
diff --git a/include/nfct.h b/include/nfct.h
index d6271cf..5548b03 100644
--- a/include/nfct.h
+++ b/include/nfct.h
@@ -4,6 +4,7 @@
enum {
NFCT_SUBSYS_NONE = 0,
NFCT_SUBSYS_TIMEOUT,
+ NFCT_SUBSYS_HELPER,
NFCT_SUBSYS_VERSION,
NFCT_SUBSYS_HELP,
};
@@ -15,6 +16,7 @@ enum {
NFCT_CMD_DELETE,
NFCT_CMD_GET,
NFCT_CMD_FLUSH,
+ NFCT_CMD_DISABLE,
};
void nfct_perror(const char *msg);
@@ -26,4 +28,12 @@ int nfct_cmd_timeout_delete(int argc, char *argv[]);
int nfct_cmd_timeout_get(int argc, char *argv[]);
int nfct_cmd_timeout_flush(int argc, char *argv[]);
+int nfct_cmd_helper_parse_params(int argc, char *argv[]);
+int nfct_cmd_helper_list(int argc, char *argv[]);
+int nfct_cmd_helper_add(int argc, char *argv[]);
+int nfct_cmd_helper_delete(int argc, char *argv[]);
+int nfct_cmd_helper_get(int argc, char *argv[]);
+int nfct_cmd_helper_flush(int argc, char *argv[]);
+int nfct_cmd_helper_disable(int argc, char *argv[]);
+
#endif
diff --git a/include/stack.h b/include/stack.h
new file mode 100644
index 0000000..512a30f
--- /dev/null
+++ b/include/stack.h
@@ -0,0 +1,28 @@
+#ifndef _STACK_H_
+#define _STACK_H_
+
+#include "linux_list.h"
+
+struct stack {
+ struct list_head list;
+ int items;
+};
+
+static inline void stack_init(struct stack *s)
+{
+ INIT_LIST_HEAD(&s->list);
+}
+
+struct stack_item {
+ struct list_head head;
+ int type;
+ int data_len;
+ char data[0];
+};
+
+struct stack_item *stack_item_alloc(int type, size_t data_len);
+void stack_item_free(struct stack_item *e);
+void stack_item_push(struct stack *s, struct stack_item *e);
+struct stack_item *stack_item_pop(struct stack *s, int type);
+
+#endif
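Review bot: `stack_init()` only initialises the list head and leaves `s->items` holding whatever the caller's storage contained, so a `struct stack` on the C stack or from `malloc()` starts with a garbage count unless every caller zeroes it separately; add `s->items = 0;` to the inline. The trailing `char data[0]` is a GNU zero-length array, and the C99 flexible array member `char data[];` gives the same layout without the extension. `stack_item_alloc()` takes a `size_t data_len` but the item stores it as `int data_len`, so a length above `INT_MAX` is silently truncated into a negative value; either make the field `size_t` or have the allocator reject such lengths.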