[NETFILTER]: Remove IPv4 only connection tracking/NAT
Patrick McHardy [Wed, 14 Mar 2007 23:37:25 +0000 (16:37 -0700)]
Remove the obsolete IPv4-only connection tracking/NAT code, as scheduled in
feature-removal-schedule.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

80 files changed:
Documentation/feature-removal-schedule.txt
include/linux/netfilter_ipv4/Kbuild
include/linux/netfilter_ipv4/ip_conntrack.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_amanda.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_core.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_ftp.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_h323.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_helper.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_icmp.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_irc.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_pptp.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_protocol.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_sctp.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_sip.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_tcp.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_tftp.h [deleted file]
include/linux/netfilter_ipv4/ip_conntrack_tuple.h [deleted file]
include/linux/netfilter_ipv4/ip_nat.h [deleted file]
include/linux/netfilter_ipv4/ip_nat_core.h [deleted file]
include/linux/netfilter_ipv4/ip_nat_helper.h [deleted file]
include/linux/netfilter_ipv4/ip_nat_pptp.h [deleted file]
include/linux/netfilter_ipv4/ip_nat_protocol.h [deleted file]
include/linux/netfilter_ipv4/ip_nat_rule.h [deleted file]
include/linux/netfilter_ipv4/ipt_SAME.h
include/net/netfilter/nf_conntrack.h
include/net/netfilter/nf_conntrack_compat.h [deleted file]
include/net/netfilter/nf_nat_rule.h
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/ip_conntrack_amanda.c [deleted file]
net/ipv4/netfilter/ip_conntrack_core.c [deleted file]
net/ipv4/netfilter/ip_conntrack_ftp.c [deleted file]
net/ipv4/netfilter/ip_conntrack_helper_h323.c [deleted file]
net/ipv4/netfilter/ip_conntrack_helper_pptp.c [deleted file]
net/ipv4/netfilter/ip_conntrack_irc.c [deleted file]
net/ipv4/netfilter/ip_conntrack_netbios_ns.c [deleted file]
net/ipv4/netfilter/ip_conntrack_netlink.c [deleted file]
net/ipv4/netfilter/ip_conntrack_proto_generic.c [deleted file]
net/ipv4/netfilter/ip_conntrack_proto_gre.c [deleted file]
net/ipv4/netfilter/ip_conntrack_proto_icmp.c [deleted file]
net/ipv4/netfilter/ip_conntrack_proto_sctp.c [deleted file]
net/ipv4/netfilter/ip_conntrack_proto_tcp.c [deleted file]
net/ipv4/netfilter/ip_conntrack_proto_udp.c [deleted file]
net/ipv4/netfilter/ip_conntrack_sip.c [deleted file]
net/ipv4/netfilter/ip_conntrack_standalone.c [deleted file]
net/ipv4/netfilter/ip_conntrack_tftp.c [deleted file]
net/ipv4/netfilter/ip_nat_amanda.c [deleted file]
net/ipv4/netfilter/ip_nat_core.c [deleted file]
net/ipv4/netfilter/ip_nat_ftp.c [deleted file]
net/ipv4/netfilter/ip_nat_helper.c [deleted file]
net/ipv4/netfilter/ip_nat_helper_h323.c [deleted file]
net/ipv4/netfilter/ip_nat_helper_pptp.c [deleted file]
net/ipv4/netfilter/ip_nat_irc.c [deleted file]
net/ipv4/netfilter/ip_nat_proto_gre.c [deleted file]
net/ipv4/netfilter/ip_nat_proto_icmp.c [deleted file]
net/ipv4/netfilter/ip_nat_proto_tcp.c [deleted file]
net/ipv4/netfilter/ip_nat_proto_udp.c [deleted file]
net/ipv4/netfilter/ip_nat_proto_unknown.c [deleted file]
net/ipv4/netfilter/ip_nat_rule.c [deleted file]
net/ipv4/netfilter/ip_nat_sip.c [deleted file]
net/ipv4/netfilter/ip_nat_snmp_basic.c [deleted file]
net/ipv4/netfilter/ip_nat_standalone.c [deleted file]
net/ipv4/netfilter/ip_nat_tftp.c [deleted file]
net/ipv4/netfilter/ipt_CLUSTERIP.c
net/ipv4/netfilter/ipt_MASQUERADE.c
net/ipv4/netfilter/ipt_NETMAP.c
net/ipv4/netfilter/ipt_REDIRECT.c
net/ipv4/netfilter/ipt_SAME.c
net/ipv4/netfilter/nf_nat_h323.c
net/ipv4/netfilter/nf_nat_pptp.c
net/netfilter/Kconfig
net/netfilter/xt_CONNMARK.c
net/netfilter/xt_CONNSECMARK.c
net/netfilter/xt_NOTRACK.c
net/netfilter/xt_connbytes.c
net/netfilter/xt_connmark.c
net/netfilter/xt_conntrack.c
net/netfilter/xt_helper.c
net/netfilter/xt_state.c

index 19b4c96..9817b60 100644 (file)
@@ -211,15 +211,6 @@ Who:   Adrian Bunk <bunk@stusta.de>
 
 ---------------------------
 
-What:  IPv4 only connection tracking/NAT/helpers
-When:  2.6.22
-Why:   The new layer 3 independant connection tracking replaces the old
-       IPv4 only version. After some stabilization of the new code the
-       old one will be removed.
-Who:   Patrick McHardy <kaber@trash.net>
-
----------------------------
-
 What:  ACPI hooks (X86_SPEEDSTEP_CENTRINO_ACPI) in speedstep-centrino driver
 When:  December 2006
 Why:   Speedstep-centrino driver with ACPI hooks and acpi-cpufreq driver are
index 1803378..7185792 100644 (file)
@@ -1,9 +1,3 @@
-header-y += ip_conntrack_helper.h
-header-y += ip_conntrack_protocol.h
-header-y += ip_conntrack_sctp.h
-header-y += ip_conntrack_tcp.h
-header-y += ip_conntrack_tftp.h
-header-y += ip_nat_pptp.h
 header-y += ipt_addrtype.h
 header-y += ipt_ah.h
 header-y += ipt_CLASSIFY.h
@@ -49,13 +43,5 @@ header-y += ipt_ttl.h
 header-y += ipt_TTL.h
 header-y += ipt_ULOG.h
 
-unifdef-y += ip_conntrack.h
-unifdef-y += ip_conntrack_h323.h
-unifdef-y += ip_conntrack_irc.h
-unifdef-y += ip_conntrack_pptp.h
-unifdef-y += ip_conntrack_proto_gre.h
-unifdef-y += ip_conntrack_tuple.h
-unifdef-y += ip_nat.h
-unifdef-y += ip_nat_rule.h
 unifdef-y += ip_queue.h
 unifdef-y += ip_tables.h
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
deleted file mode 100644 (file)
index da9274e..0000000
+++ /dev/null
@@ -1,402 +0,0 @@
-#ifndef _IP_CONNTRACK_H
-#define _IP_CONNTRACK_H
-
-#include <linux/netfilter/nf_conntrack_common.h>
-
-#ifdef __KERNEL__
-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-#include <linux/bitops.h>
-#include <linux/compiler.h>
-#include <asm/atomic.h>
-
-#include <linux/timer.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
-#include <linux/netfilter_ipv4/ip_conntrack_sctp.h>
-
-/* per conntrack: protocol private data */
-union ip_conntrack_proto {
-       /* insert conntrack proto private data here */
-       struct ip_ct_gre gre;
-       struct ip_ct_sctp sctp;
-       struct ip_ct_tcp tcp;
-       struct ip_ct_icmp icmp;
-};
-
-union ip_conntrack_expect_proto {
-       /* insert expect proto private data here */
-};
-
-/* Add protocol helper include file here */
-#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
-#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
-#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
-
-/* per conntrack: application helper private data */
-union ip_conntrack_help {
-       /* insert conntrack helper private data (master) here */
-       struct ip_ct_h323_master ct_h323_info;
-       struct ip_ct_pptp_master ct_pptp_info;
-       struct ip_ct_ftp_master ct_ftp_info;
-       struct ip_ct_irc_master ct_irc_info;
-};
-
-#ifdef CONFIG_IP_NF_NAT_NEEDED
-#include <linux/netfilter_ipv4/ip_nat.h>
-#include <linux/netfilter_ipv4/ip_nat_pptp.h>
-
-/* per conntrack: nat application helper private data */
-union ip_conntrack_nat_help {
-       /* insert nat helper private data here */
-       struct ip_nat_pptp nat_pptp_info;
-};
-#endif
-
-#include <linux/types.h>
-#include <linux/skbuff.h>
-
-#ifdef CONFIG_NETFILTER_DEBUG
-#define IP_NF_ASSERT(x)                                                        \
-do {                                                                   \
-       if (!(x))                                                       \
-               /* Wooah!  I'm tripping my conntrack in a frenzy of     \
-                  netplay... */                                        \
-               printk("NF_IP_ASSERT: %s:%i(%s)\n",                     \
-                      __FILE__, __LINE__, __FUNCTION__);               \
-} while(0)
-#else
-#define IP_NF_ASSERT(x)
-#endif
-
-struct ip_conntrack_helper;
-
-struct ip_conntrack
-{
-       /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
-           plus 1 for any connection(s) we are `master' for */
-       struct nf_conntrack ct_general;
-
-       /* Have we seen traffic both ways yet? (bitset) */
-       unsigned long status;
-
-       /* Timer function; drops refcnt when it goes off. */
-       struct timer_list timeout;
-
-#ifdef CONFIG_IP_NF_CT_ACCT
-       /* Accounting Information (same cache line as other written members) */
-       struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
-#endif
-       /* If we were expected by an expectation, this will be it */
-       struct ip_conntrack *master;
-
-       /* Current number of expected connections */
-       unsigned int expecting;
-
-       /* Unique ID that identifies this conntrack*/
-       unsigned int id;
-
-       /* Helper, if any. */
-       struct ip_conntrack_helper *helper;
-
-       /* Storage reserved for other modules: */
-       union ip_conntrack_proto proto;
-
-       union ip_conntrack_help help;
-
-#ifdef CONFIG_IP_NF_NAT_NEEDED
-       struct {
-               struct ip_nat_info info;
-               union ip_conntrack_nat_help help;
-#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
-       defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
-               int masq_index;
-#endif
-       } nat;
-#endif /* CONFIG_IP_NF_NAT_NEEDED */
-
-#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
-       u_int32_t mark;
-#endif
-
-#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
-       u_int32_t secmark;
-#endif
-
-       /* Traversed often, so hopefully in different cacheline to top */
-       /* These are my tuples; original and reply */
-       struct ip_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
-};
-
-struct ip_conntrack_expect
-{
-       /* Internal linked list (global expectation list) */
-       struct list_head list;
-
-       /* We expect this tuple, with the following mask */
-       struct ip_conntrack_tuple tuple, mask;
-       /* Function to call after setup and insertion */
-       void (*expectfn)(struct ip_conntrack *new,
-                        struct ip_conntrack_expect *this);
-
-       /* The conntrack of the master connection */
-       struct ip_conntrack *master;
-
-       /* Timer function; deletes the expectation. */
-       struct timer_list timeout;
-
-       /* Usage count. */
-       atomic_t use;
-
-       /* Unique ID */
-       unsigned int id;
-
-       /* Flags */
-       unsigned int flags;
-
-#ifdef CONFIG_IP_NF_NAT_NEEDED
-       __be32 saved_ip;
-       /* This is the original per-proto part, used to map the
-        * expected connection the way the recipient expects. */
-       union ip_conntrack_manip_proto saved_proto;
-       /* Direction relative to the master connection. */
-       enum ip_conntrack_dir dir;
-#endif
-};
-
-#define IP_CT_EXPECT_PERMANENT 0x1
-
-static inline struct ip_conntrack *
-tuplehash_to_ctrack(const struct ip_conntrack_tuple_hash *hash)
-{
-       return container_of(hash, struct ip_conntrack,
-                           tuplehash[hash->tuple.dst.dir]);
-}
-
-/* get master conntrack via master expectation */
-#define master_ct(conntr) (conntr->master)
-
-/* Alter reply tuple (maybe alter helper). */
-extern void
-ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
-                        const struct ip_conntrack_tuple *newreply);
-
-/* Is this tuple taken? (ignoring any belonging to the given
-   conntrack). */
-extern int
-ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
-                        const struct ip_conntrack *ignored_conntrack);
-
-/* Return conntrack_info and tuple hash for given skb. */
-static inline struct ip_conntrack *
-ip_conntrack_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
-{
-       *ctinfo = skb->nfctinfo;
-       return (struct ip_conntrack *)skb->nfct;
-}
-
-/* decrement reference count on a conntrack */
-static inline void
-ip_conntrack_put(struct ip_conntrack *ct)
-{
-       IP_NF_ASSERT(ct);
-       nf_conntrack_put(&ct->ct_general);
-}
-
-extern int invert_tuplepr(struct ip_conntrack_tuple *inverse,
-                         const struct ip_conntrack_tuple *orig);
-
-extern void __ip_ct_refresh_acct(struct ip_conntrack *ct,
-                                enum ip_conntrack_info ctinfo,
-                                const struct sk_buff *skb,
-                                unsigned long extra_jiffies,
-                                int do_acct);
-
-/* Refresh conntrack for this many jiffies and do accounting */
-static inline void ip_ct_refresh_acct(struct ip_conntrack *ct, 
-                                     enum ip_conntrack_info ctinfo,
-                                     const struct sk_buff *skb,
-                                     unsigned long extra_jiffies)
-{
-       __ip_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, 1);
-}
-
-/* Refresh conntrack for this many jiffies */
-static inline void ip_ct_refresh(struct ip_conntrack *ct,
-                                const struct sk_buff *skb,
-                                unsigned long extra_jiffies)
-{
-       __ip_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0);
-}
-
-/* These are for NAT.  Icky. */
-/* Update TCP window tracking data when NAT mangles the packet */
-extern void ip_conntrack_tcp_update(struct sk_buff *skb,
-                                   struct ip_conntrack *conntrack,
-                                   enum ip_conntrack_dir dir);
-
-/* Call me when a conntrack is destroyed. */
-extern void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack);
-
-/* Fake conntrack entry for untracked connections */
-extern struct ip_conntrack ip_conntrack_untracked;
-
-/* Returns new sk_buff, or NULL */
-struct sk_buff *
-ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user);
-
-/* Iterate over all conntracks: if iter returns true, it's deleted. */
-extern void
-ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *data),
-                     void *data);
-
-extern struct ip_conntrack_helper *
-__ip_conntrack_helper_find_byname(const char *);
-extern struct ip_conntrack_helper *
-ip_conntrack_helper_find_get(const struct ip_conntrack_tuple *tuple);
-extern void ip_conntrack_helper_put(struct ip_conntrack_helper *helper);
-
-extern struct ip_conntrack_protocol *
-__ip_conntrack_proto_find(u_int8_t protocol);
-extern struct ip_conntrack_protocol *
-ip_conntrack_proto_find_get(u_int8_t protocol);
-extern void ip_conntrack_proto_put(struct ip_conntrack_protocol *proto);
-
-extern void ip_ct_remove_expectations(struct ip_conntrack *ct);
-
-extern struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *,
-                                              struct ip_conntrack_tuple *);
-
-extern void ip_conntrack_free(struct ip_conntrack *ct);
-
-extern void ip_conntrack_hash_insert(struct ip_conntrack *ct);
-
-extern struct ip_conntrack_expect *
-__ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple);
-
-extern struct ip_conntrack_expect *
-ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple);
-
-extern struct ip_conntrack_tuple_hash *
-__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
-                    const struct ip_conntrack *ignored_conntrack);
-
-extern void ip_conntrack_flush(void);
-
-/* It's confirmed if it is, or has been in the hash table. */
-static inline int is_confirmed(struct ip_conntrack *ct)
-{
-       return test_bit(IPS_CONFIRMED_BIT, &ct->status);
-}
-
-static inline int is_dying(struct ip_conntrack *ct)
-{
-       return test_bit(IPS_DYING_BIT, &ct->status);
-}
-
-extern unsigned int ip_conntrack_htable_size;
-extern int ip_conntrack_checksum;
-#define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
-#define CONNTRACK_STAT_INC_ATOMIC(count)               \
-do {                                                   \
-       local_bh_disable();                             \
-       __get_cpu_var(ip_conntrack_stat).count++;       \
-       local_bh_enable();                              \
-} while (0)
-
-#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
-#include <linux/notifier.h>
-#include <linux/interrupt.h>
-
-struct ip_conntrack_ecache {
-       struct ip_conntrack *ct;
-       unsigned int events;
-};
-DECLARE_PER_CPU(struct ip_conntrack_ecache, ip_conntrack_ecache);
-
-#define CONNTRACK_ECACHE(x)    (__get_cpu_var(ip_conntrack_ecache).x)
-extern struct atomic_notifier_head ip_conntrack_chain;
-extern struct atomic_notifier_head ip_conntrack_expect_chain;
-
-static inline int ip_conntrack_register_notifier(struct notifier_block *nb)
-{
-       return atomic_notifier_chain_register(&ip_conntrack_chain, nb);
-}
-
-static inline int ip_conntrack_unregister_notifier(struct notifier_block *nb)
-{
-       return atomic_notifier_chain_unregister(&ip_conntrack_chain, nb);
-}
-
-static inline int 
-ip_conntrack_expect_register_notifier(struct notifier_block *nb)
-{
-       return atomic_notifier_chain_register(&ip_conntrack_expect_chain, nb);
-}
-
-static inline int
-ip_conntrack_expect_unregister_notifier(struct notifier_block *nb)
-{
-       return atomic_notifier_chain_unregister(&ip_conntrack_expect_chain,
-                       nb);
-}
-
-extern void ip_ct_deliver_cached_events(const struct ip_conntrack *ct);
-extern void __ip_ct_event_cache_init(struct ip_conntrack *ct);
-
-static inline void 
-ip_conntrack_event_cache(enum ip_conntrack_events event,
-                        const struct sk_buff *skb)
-{
-       struct ip_conntrack *ct = (struct ip_conntrack *)skb->nfct;
-       struct ip_conntrack_ecache *ecache;
-       
-       local_bh_disable();
-       ecache = &__get_cpu_var(ip_conntrack_ecache);
-       if (ct != ecache->ct)
-               __ip_ct_event_cache_init(ct);
-       ecache->events |= event;
-       local_bh_enable();
-}
-
-static inline void ip_conntrack_event(enum ip_conntrack_events event,
-                                     struct ip_conntrack *ct)
-{
-       if (is_confirmed(ct) && !is_dying(ct))
-               atomic_notifier_call_chain(&ip_conntrack_chain, event, ct);
-}
-
-static inline void 
-ip_conntrack_expect_event(enum ip_conntrack_expect_events event,
-                         struct ip_conntrack_expect *exp)
-{
-       atomic_notifier_call_chain(&ip_conntrack_expect_chain, event, exp);
-}
-#else /* CONFIG_IP_NF_CONNTRACK_EVENTS */
-static inline void ip_conntrack_event_cache(enum ip_conntrack_events event, 
-                                           const struct sk_buff *skb) {}
-static inline void ip_conntrack_event(enum ip_conntrack_events event, 
-                                     struct ip_conntrack *ct) {}
-static inline void ip_ct_deliver_cached_events(const struct ip_conntrack *ct) {}
-static inline void 
-ip_conntrack_expect_event(enum ip_conntrack_expect_events event, 
-                         struct ip_conntrack_expect *exp) {}
-#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
-
-#ifdef CONFIG_IP_NF_NAT_NEEDED
-static inline int ip_nat_initialized(struct ip_conntrack *conntrack,
-                                    enum ip_nat_manip_type manip)
-{
-       if (manip == IP_NAT_MANIP_SRC)
-               return test_bit(IPS_SRC_NAT_DONE_BIT, &conntrack->status);
-       return test_bit(IPS_DST_NAT_DONE_BIT, &conntrack->status);
-}
-#endif /* CONFIG_IP_NF_NAT_NEEDED */
-
-#endif /* __KERNEL__ */
-#endif /* _IP_CONNTRACK_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_amanda.h b/include/linux/netfilter_ipv4/ip_conntrack_amanda.h
deleted file mode 100644 (file)
index de3e41f..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _IP_CONNTRACK_AMANDA_H
-#define _IP_CONNTRACK_AMANDA_H
-/* AMANDA tracking. */
-
-struct ip_conntrack_expect;
-extern unsigned int (*ip_nat_amanda_hook)(struct sk_buff **pskb,
-                                         enum ip_conntrack_info ctinfo,
-                                         unsigned int matchoff,
-                                         unsigned int matchlen,
-                                         struct ip_conntrack_expect *exp);
-#endif /* _IP_CONNTRACK_AMANDA_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h
deleted file mode 100644 (file)
index e3a6df0..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-#ifndef _IP_CONNTRACK_CORE_H
-#define _IP_CONNTRACK_CORE_H
-#include <linux/netfilter.h>
-
-#define MAX_IP_CT_PROTO 256
-extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
-
-/* This header is used to share core functionality between the
-   standalone connection tracking module, and the compatibility layer's use
-   of connection tracking. */
-extern unsigned int ip_conntrack_in(unsigned int hooknum,
-                                   struct sk_buff **pskb,
-                                   const struct net_device *in,
-                                   const struct net_device *out,
-                                   int (*okfn)(struct sk_buff *));
-
-extern int ip_conntrack_init(void);
-extern void ip_conntrack_cleanup(void);
-
-struct ip_conntrack_protocol;
-
-extern int
-ip_ct_get_tuple(const struct iphdr *iph,
-               const struct sk_buff *skb,
-               unsigned int dataoff,
-               struct ip_conntrack_tuple *tuple,
-               const struct ip_conntrack_protocol *protocol);
-
-extern int
-ip_ct_invert_tuple(struct ip_conntrack_tuple *inverse,
-                  const struct ip_conntrack_tuple *orig,
-                  const struct ip_conntrack_protocol *protocol);
-
-/* Find a connection corresponding to a tuple. */
-struct ip_conntrack_tuple_hash *
-ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
-                     const struct ip_conntrack *ignored_conntrack);
-
-extern int __ip_conntrack_confirm(struct sk_buff **pskb);
-
-/* Confirm a connection: returns NF_DROP if packet must be dropped. */
-static inline int ip_conntrack_confirm(struct sk_buff **pskb)
-{
-       struct ip_conntrack *ct = (struct ip_conntrack *)(*pskb)->nfct;
-       int ret = NF_ACCEPT;
-
-       if (ct) {
-               if (!is_confirmed(ct) && !is_dying(ct))
-                       ret = __ip_conntrack_confirm(pskb);
-               ip_ct_deliver_cached_events(ct);
-       }
-       return ret;
-}
-
-extern void ip_ct_unlink_expect(struct ip_conntrack_expect *exp);
-
-extern struct list_head *ip_conntrack_hash;
-extern struct list_head ip_conntrack_expect_list;
-extern rwlock_t ip_conntrack_lock;
-#endif /* _IP_CONNTRACK_CORE_H */
-
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_ftp.h b/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
deleted file mode 100644 (file)
index 2129fc3..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-#ifndef _IP_CONNTRACK_FTP_H
-#define _IP_CONNTRACK_FTP_H
-/* FTP tracking. */
-
-/* This enum is exposed to userspace */
-enum ip_ct_ftp_type
-{
-       /* PORT command from client */
-       IP_CT_FTP_PORT,
-       /* PASV response from server */
-       IP_CT_FTP_PASV,
-       /* EPRT command from client */
-       IP_CT_FTP_EPRT,
-       /* EPSV response from server */
-       IP_CT_FTP_EPSV,
-};
-
-#ifdef __KERNEL__
-
-#define FTP_PORT       21
-
-#define NUM_SEQ_TO_REMEMBER 2
-/* This structure exists only once per master */
-struct ip_ct_ftp_master {
-       /* Valid seq positions for cmd matching after newline */
-       u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
-       /* 0 means seq_match_aft_nl not set */
-       int seq_aft_nl_num[IP_CT_DIR_MAX];
-};
-
-struct ip_conntrack_expect;
-
-/* For NAT to hook in when we find a packet which describes what other
- * connection we should expect. */
-extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
-                                      enum ip_conntrack_info ctinfo,
-                                      enum ip_ct_ftp_type type,
-                                      unsigned int matchoff,
-                                      unsigned int matchlen,
-                                      struct ip_conntrack_expect *exp,
-                                      u32 *seq);
-#endif /* __KERNEL__ */
-
-#endif /* _IP_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_h323.h b/include/linux/netfilter_ipv4/ip_conntrack_h323.h
deleted file mode 100644 (file)
index 18f7698..0000000
+++ /dev/null
@@ -1,89 +0,0 @@
-#ifndef _IP_CONNTRACK_H323_H
-#define _IP_CONNTRACK_H323_H
-
-#ifdef __KERNEL__
-
-#include <linux/netfilter/nf_conntrack_h323_asn1.h>
-
-#define RAS_PORT 1719
-#define Q931_PORT 1720
-#define H323_RTP_CHANNEL_MAX 4 /* Audio, video, FAX and other */
-
-/* This structure exists only once per master */
-struct ip_ct_h323_master {
-
-       /* Original and NATed Q.931 or H.245 signal ports */
-       u_int16_t sig_port[IP_CT_DIR_MAX];
-
-       /* Original and NATed RTP ports */
-       u_int16_t rtp_port[H323_RTP_CHANNEL_MAX][IP_CT_DIR_MAX];
-
-       union {
-               /* RAS connection timeout */
-               u_int32_t timeout;
-
-               /* Next TPKT length (for separate TPKT header and data) */
-               u_int16_t tpkt_len[IP_CT_DIR_MAX];
-       };
-};
-
-struct ip_conntrack_expect;
-
-extern int get_h225_addr(unsigned char *data, TransportAddress * addr,
-                        __be32 * ip, u_int16_t * port);
-extern void ip_conntrack_h245_expect(struct ip_conntrack *new,
-                                    struct ip_conntrack_expect *this);
-extern void ip_conntrack_q931_expect(struct ip_conntrack *new,
-                                    struct ip_conntrack_expect *this);
-extern int (*set_h245_addr_hook) (struct sk_buff ** pskb,
-                                 unsigned char **data, int dataoff,
-                                 H245_TransportAddress * addr,
-                                 __be32 ip, u_int16_t port);
-extern int (*set_h225_addr_hook) (struct sk_buff ** pskb,
-                                 unsigned char **data, int dataoff,
-                                 TransportAddress * addr,
-                                 __be32 ip, u_int16_t port);
-extern int (*set_sig_addr_hook) (struct sk_buff ** pskb,
-                                struct ip_conntrack * ct,
-                                enum ip_conntrack_info ctinfo,
-                                unsigned char **data,
-                                TransportAddress * addr, int count);
-extern int (*set_ras_addr_hook) (struct sk_buff ** pskb,
-                                struct ip_conntrack * ct,
-                                enum ip_conntrack_info ctinfo,
-                                unsigned char **data,
-                                TransportAddress * addr, int count);
-extern int (*nat_rtp_rtcp_hook) (struct sk_buff ** pskb,
-                                struct ip_conntrack * ct,
-                                enum ip_conntrack_info ctinfo,
-                                unsigned char **data, int dataoff,
-                                H245_TransportAddress * addr,
-                                u_int16_t port, u_int16_t rtp_port,
-                                struct ip_conntrack_expect * rtp_exp,
-                                struct ip_conntrack_expect * rtcp_exp);
-extern int (*nat_t120_hook) (struct sk_buff ** pskb, struct ip_conntrack * ct,
-                            enum ip_conntrack_info ctinfo,
-                            unsigned char **data, int dataoff,
-                            H245_TransportAddress * addr, u_int16_t port,
-                            struct ip_conntrack_expect * exp);
-extern int (*nat_h245_hook) (struct sk_buff ** pskb, struct ip_conntrack * ct,
-                            enum ip_conntrack_info ctinfo,
-                            unsigned char **data, int dataoff,
-                            TransportAddress * addr, u_int16_t port,
-                            struct ip_conntrack_expect * exp);
-extern int (*nat_callforwarding_hook) (struct sk_buff ** pskb,
-                                      struct ip_conntrack * ct,
-                                      enum ip_conntrack_info ctinfo,
-                                      unsigned char **data, int dataoff,
-                                      TransportAddress * addr,
-                                      u_int16_t port,
-                                      struct ip_conntrack_expect * exp);
-extern int (*nat_q931_hook) (struct sk_buff ** pskb, struct ip_conntrack * ct,
-                            enum ip_conntrack_info ctinfo,
-                            unsigned char **data, TransportAddress * addr,
-                            int idx, u_int16_t port,
-                            struct ip_conntrack_expect * exp);
-
-#endif
-
-#endif
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
deleted file mode 100644 (file)
index 77fe868..0000000
+++ /dev/null
@@ -1,46 +0,0 @@
-/* IP connection tracking helpers. */
-#ifndef _IP_CONNTRACK_HELPER_H
-#define _IP_CONNTRACK_HELPER_H
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-
-struct module;
-
-struct ip_conntrack_helper
-{      
-       struct list_head list;          /* Internal use. */
-
-       const char *name;               /* name of the module */
-       struct module *me;              /* pointer to self */
-       unsigned int max_expected;      /* Maximum number of concurrent 
-                                        * expected connections */
-       unsigned int timeout;           /* timeout for expecteds */
-
-       /* Mask of things we will help (compared against server response) */
-       struct ip_conntrack_tuple tuple;
-       struct ip_conntrack_tuple mask;
-       
-       /* Function to call when data passes; return verdict, or -1 to
-           invalidate. */
-       int (*help)(struct sk_buff **pskb,
-                   struct ip_conntrack *ct,
-                   enum ip_conntrack_info conntrackinfo);
-
-       void (*destroy)(struct ip_conntrack *ct);
-
-       int (*to_nfattr)(struct sk_buff *skb, const struct ip_conntrack *ct);
-};
-
-extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);
-extern void ip_conntrack_helper_unregister(struct ip_conntrack_helper *);
-
-/* Allocate space for an expectation: this is mandatory before calling 
-   ip_conntrack_expect_related.  You will have to call put afterwards. */
-extern struct ip_conntrack_expect *
-ip_conntrack_expect_alloc(struct ip_conntrack *master);
-extern void ip_conntrack_expect_put(struct ip_conntrack_expect *exp);
-
-/* Add an expected connection: can have more than one per connection */
-extern int ip_conntrack_expect_related(struct ip_conntrack_expect *exp);
-extern void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp);
-
-#endif /*_IP_CONNTRACK_HELPER_H*/
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_icmp.h b/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
deleted file mode 100644 (file)
index eed5ee3..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef _IP_CONNTRACK_ICMP_H
-#define _IP_CONNTRACK_ICMP_H
-
-#include <net/netfilter/ipv4/nf_conntrack_icmp.h>
-
-#endif /* _IP_CONNTRACK_ICMP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_irc.h b/include/linux/netfilter_ipv4/ip_conntrack_irc.h
deleted file mode 100644 (file)
index 16601e0..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-/* IRC extension for IP connection tracking.
- * (C) 2000 by Harald Welte <laforge@gnumonks.org>
- * based on RR's ip_conntrack_ftp.h
- *
- * ip_conntrack_irc.h,v 1.6 2000/11/07 18:26:42 laforge Exp
- *
- *      This program is free software; you can redistribute it and/or
- *      modify it under the terms of the GNU General Public License
- *      as published by the Free Software Foundation; either version
- *      2 of the License, or (at your option) any later version.
- *
- *
- */
-#ifndef _IP_CONNTRACK_IRC_H
-#define _IP_CONNTRACK_IRC_H
-
-/* This structure exists only once per master */
-struct ip_ct_irc_master {
-};
-
-#ifdef __KERNEL__
-extern unsigned int (*ip_nat_irc_hook)(struct sk_buff **pskb,
-                                      enum ip_conntrack_info ctinfo,
-                                      unsigned int matchoff,
-                                      unsigned int matchlen,
-                                      struct ip_conntrack_expect *exp);
-
-#define IRC_PORT       6667
-
-#endif /* __KERNEL__ */
-
-#endif /* _IP_CONNTRACK_IRC_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_pptp.h b/include/linux/netfilter_ipv4/ip_conntrack_pptp.h
deleted file mode 100644 (file)
index 2644b1f..0000000
+++ /dev/null
@@ -1,326 +0,0 @@
-/* PPTP constants and structs */
-#ifndef _CONNTRACK_PPTP_H
-#define _CONNTRACK_PPTP_H
-
-/* state of the control session */
-enum pptp_ctrlsess_state {
-       PPTP_SESSION_NONE,                      /* no session present */
-       PPTP_SESSION_ERROR,                     /* some session error */
-       PPTP_SESSION_STOPREQ,                   /* stop_sess request seen */
-       PPTP_SESSION_REQUESTED,                 /* start_sess request seen */
-       PPTP_SESSION_CONFIRMED,                 /* session established */
-};
-
-/* state of the call inside the control session */
-enum pptp_ctrlcall_state {
-       PPTP_CALL_NONE,
-       PPTP_CALL_ERROR,
-       PPTP_CALL_OUT_REQ,
-       PPTP_CALL_OUT_CONF,
-       PPTP_CALL_IN_REQ,
-       PPTP_CALL_IN_REP,
-       PPTP_CALL_IN_CONF,
-       PPTP_CALL_CLEAR_REQ,
-};
-
-
-/* conntrack private data */
-struct ip_ct_pptp_master {
-       enum pptp_ctrlsess_state sstate;        /* session state */
-
-       /* everything below is going to be per-expectation in newnat,
-        * since there could be more than one call within one session */
-       enum pptp_ctrlcall_state cstate;        /* call state */
-       __be16 pac_call_id;                     /* call id of PAC, host byte order */
-       __be16 pns_call_id;                     /* call id of PNS, host byte order */
-
-       /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
-        * and therefore imposes a fixed limit on the number of maps */
-       struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
-};
-
-/* conntrack_expect private member */
-struct ip_ct_pptp_expect {
-       enum pptp_ctrlcall_state cstate;        /* call state */
-       __be16 pac_call_id;                     /* call id of PAC */
-       __be16 pns_call_id;                     /* call id of PNS */
-};
-
-
-#ifdef __KERNEL__
-
-#define IP_CONNTR_PPTP         PPTP_CONTROL_PORT
-
-#define PPTP_CONTROL_PORT      1723
-
-#define PPTP_PACKET_CONTROL    1
-#define PPTP_PACKET_MGMT       2
-
-#define PPTP_MAGIC_COOKIE      0x1a2b3c4d
-
-struct pptp_pkt_hdr {
-       __u16   packetLength;
-       __be16  packetType;
-       __be32  magicCookie;
-};
-
-/* PptpControlMessageType values */
-#define PPTP_START_SESSION_REQUEST     1
-#define PPTP_START_SESSION_REPLY       2
-#define PPTP_STOP_SESSION_REQUEST      3
-#define PPTP_STOP_SESSION_REPLY                4
-#define PPTP_ECHO_REQUEST              5
-#define PPTP_ECHO_REPLY                        6
-#define PPTP_OUT_CALL_REQUEST          7
-#define PPTP_OUT_CALL_REPLY            8
-#define PPTP_IN_CALL_REQUEST           9
-#define PPTP_IN_CALL_REPLY             10
-#define PPTP_IN_CALL_CONNECT           11
-#define PPTP_CALL_CLEAR_REQUEST                12
-#define PPTP_CALL_DISCONNECT_NOTIFY    13
-#define PPTP_WAN_ERROR_NOTIFY          14
-#define PPTP_SET_LINK_INFO             15
-
-#define PPTP_MSG_MAX                   15
-
-/* PptpGeneralError values */
-#define PPTP_ERROR_CODE_NONE           0
-#define PPTP_NOT_CONNECTED             1
-#define PPTP_BAD_FORMAT                        2
-#define PPTP_BAD_VALUE                 3
-#define PPTP_NO_RESOURCE               4
-#define PPTP_BAD_CALLID                        5
-#define PPTP_REMOVE_DEVICE_ERROR       6
-
-struct PptpControlHeader {
-       __be16  messageType;
-       __u16   reserved;
-};
-
-/* FramingCapability Bitmap Values */
-#define PPTP_FRAME_CAP_ASYNC           0x1
-#define PPTP_FRAME_CAP_SYNC            0x2
-
-/* BearerCapability Bitmap Values */
-#define PPTP_BEARER_CAP_ANALOG         0x1
-#define PPTP_BEARER_CAP_DIGITAL                0x2
-
-struct PptpStartSessionRequest {
-       __be16  protocolVersion;
-       __u16   reserved1;
-       __be32  framingCapability;
-       __be32  bearerCapability;
-       __be16  maxChannels;
-       __be16  firmwareRevision;
-       __u8    hostName[64];
-       __u8    vendorString[64];
-};
-
-/* PptpStartSessionResultCode Values */
-#define PPTP_START_OK                  1
-#define PPTP_START_GENERAL_ERROR       2
-#define PPTP_START_ALREADY_CONNECTED   3
-#define PPTP_START_NOT_AUTHORIZED      4
-#define PPTP_START_UNKNOWN_PROTOCOL    5
-
-struct PptpStartSessionReply {
-       __be16  protocolVersion;
-       __u8    resultCode;
-       __u8    generalErrorCode;
-       __be32  framingCapability;
-       __be32  bearerCapability;
-       __be16  maxChannels;
-       __be16  firmwareRevision;
-       __u8    hostName[64];
-       __u8    vendorString[64];
-};
-
-/* PptpStopReasons */
-#define PPTP_STOP_NONE                 1
-#define PPTP_STOP_PROTOCOL             2
-#define PPTP_STOP_LOCAL_SHUTDOWN       3
-
-struct PptpStopSessionRequest {
-       __u8    reason;
-       __u8    reserved1;
-       __u16   reserved2;
-};
-
-/* PptpStopSessionResultCode */
-#define PPTP_STOP_OK                   1
-#define PPTP_STOP_GENERAL_ERROR                2
-
-struct PptpStopSessionReply {
-       __u8    resultCode;
-       __u8    generalErrorCode;
-       __u16   reserved1;
-};
-
-struct PptpEchoRequest {
-       __be32 identNumber;
-};
-
-/* PptpEchoReplyResultCode */
-#define PPTP_ECHO_OK                   1
-#define PPTP_ECHO_GENERAL_ERROR                2
-
-struct PptpEchoReply {
-       __be32  identNumber;
-       __u8    resultCode;
-       __u8    generalErrorCode;
-       __u16   reserved;
-};
-
-/* PptpFramingType */
-#define PPTP_ASYNC_FRAMING             1
-#define PPTP_SYNC_FRAMING              2
-#define PPTP_DONT_CARE_FRAMING         3
-
-/* PptpCallBearerType */
-#define PPTP_ANALOG_TYPE               1
-#define PPTP_DIGITAL_TYPE              2
-#define PPTP_DONT_CARE_BEARER_TYPE     3
-
-struct PptpOutCallRequest {
-       __be16  callID;
-       __be16  callSerialNumber;
-       __be32  minBPS;
-       __be32  maxBPS;
-       __be32  bearerType;
-       __be32  framingType;
-       __be16  packetWindow;
-       __be16  packetProcDelay;
-       __be16  phoneNumberLength;
-       __u16   reserved1;
-       __u8    phoneNumber[64];
-       __u8    subAddress[64];
-};
-
-/* PptpCallResultCode */
-#define PPTP_OUTCALL_CONNECT           1
-#define PPTP_OUTCALL_GENERAL_ERROR     2
-#define PPTP_OUTCALL_NO_CARRIER                3
-#define PPTP_OUTCALL_BUSY              4
-#define PPTP_OUTCALL_NO_DIAL_TONE      5
-#define PPTP_OUTCALL_TIMEOUT           6
-#define PPTP_OUTCALL_DONT_ACCEPT       7
-
-struct PptpOutCallReply {
-       __be16  callID;
-       __be16  peersCallID;
-       __u8    resultCode;
-       __u8    generalErrorCode;
-       __be16  causeCode;
-       __be32  connectSpeed;
-       __be16  packetWindow;
-       __be16  packetProcDelay;
-       __be32  physChannelID;
-};
-
-struct PptpInCallRequest {
-       __be16  callID;
-       __be16  callSerialNumber;
-       __be32  callBearerType;
-       __be32  physChannelID;
-       __be16  dialedNumberLength;
-       __be16  dialingNumberLength;
-       __u8    dialedNumber[64];
-       __u8    dialingNumber[64];
-       __u8    subAddress[64];
-};
-
-/* PptpInCallResultCode */
-#define PPTP_INCALL_ACCEPT             1
-#define PPTP_INCALL_GENERAL_ERROR      2
-#define PPTP_INCALL_DONT_ACCEPT                3
-
-struct PptpInCallReply {
-       __be16  callID;
-       __be16  peersCallID;
-       __u8    resultCode;
-       __u8    generalErrorCode;
-       __be16  packetWindow;
-       __be16  packetProcDelay;
-       __u16   reserved;
-};
-
-struct PptpInCallConnected {
-       __be16  peersCallID;
-       __u16   reserved;
-       __be32  connectSpeed;
-       __be16  packetWindow;
-       __be16  packetProcDelay;
-       __be32  callFramingType;
-};
-
-struct PptpClearCallRequest {
-       __be16  callID;
-       __u16   reserved;
-};
-
-struct PptpCallDisconnectNotify {
-       __be16  callID;
-       __u8    resultCode;
-       __u8    generalErrorCode;
-       __be16  causeCode;
-       __u16   reserved;
-       __u8    callStatistics[128];
-};
-
-struct PptpWanErrorNotify {
-       __be16  peersCallID;
-       __u16   reserved;
-       __be32  crcErrors;
-       __be32  framingErrors;
-       __be32  hardwareOverRuns;
-       __be32  bufferOverRuns;
-       __be32  timeoutErrors;
-       __be32  alignmentErrors;
-};
-
-struct PptpSetLinkInfo {
-       __be16  peersCallID;
-       __u16   reserved;
-       __be32  sendAccm;
-       __be32  recvAccm;
-};
-
-union pptp_ctrl_union {
-       struct PptpStartSessionRequest  sreq;
-       struct PptpStartSessionReply    srep;
-       struct PptpStopSessionRequest   streq;
-       struct PptpStopSessionReply     strep;
-       struct PptpOutCallRequest       ocreq;
-       struct PptpOutCallReply         ocack;
-       struct PptpInCallRequest        icreq;
-       struct PptpInCallReply          icack;
-       struct PptpInCallConnected      iccon;
-       struct PptpClearCallRequest     clrreq;
-       struct PptpCallDisconnectNotify disc;
-       struct PptpWanErrorNotify       wanerr;
-       struct PptpSetLinkInfo          setlink;
-};
-
-extern int
-(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb,
-                         struct ip_conntrack *ct,
-                         enum ip_conntrack_info ctinfo,
-                         struct PptpControlHeader *ctlh,
-                         union pptp_ctrl_union *pptpReq);
-
-extern int
-(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb,
-                         struct ip_conntrack *ct,
-                         enum ip_conntrack_info ctinfo,
-                         struct PptpControlHeader *ctlh,
-                         union pptp_ctrl_union *pptpReq);
-
-extern void
-(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *exp_orig,
-                           struct ip_conntrack_expect *exp_reply);
-
-extern void
-(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct,
-                            struct ip_conntrack_expect *exp);
-#endif /* __KERNEL__ */
-#endif /* _CONNTRACK_PPTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h b/include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
deleted file mode 100644 (file)
index e371e0f..0000000
+++ /dev/null
@@ -1,114 +0,0 @@
-#ifndef _CONNTRACK_PROTO_GRE_H
-#define _CONNTRACK_PROTO_GRE_H
-#include <asm/byteorder.h>
-
-/* GRE PROTOCOL HEADER */
-
-/* GRE Version field */
-#define GRE_VERSION_1701       0x0
-#define GRE_VERSION_PPTP       0x1
-
-/* GRE Protocol field */
-#define GRE_PROTOCOL_PPTP      0x880B
-
-/* GRE Flags */
-#define GRE_FLAG_C             0x80
-#define GRE_FLAG_R             0x40
-#define GRE_FLAG_K             0x20
-#define GRE_FLAG_S             0x10
-#define GRE_FLAG_A             0x80
-
-#define GRE_IS_C(f)    ((f)&GRE_FLAG_C)
-#define GRE_IS_R(f)    ((f)&GRE_FLAG_R)
-#define GRE_IS_K(f)    ((f)&GRE_FLAG_K)
-#define GRE_IS_S(f)    ((f)&GRE_FLAG_S)
-#define GRE_IS_A(f)    ((f)&GRE_FLAG_A)
-
-/* GRE is a mess: Four different standards */
-struct gre_hdr {
-#if defined(__LITTLE_ENDIAN_BITFIELD)
-       __u16   rec:3,
-               srr:1,
-               seq:1,
-               key:1,
-               routing:1,
-               csum:1,
-               version:3,
-               reserved:4,
-               ack:1;
-#elif defined(__BIG_ENDIAN_BITFIELD)
-       __u16   csum:1,
-               routing:1,
-               key:1,
-               seq:1,
-               srr:1,
-               rec:3,
-               ack:1,
-               reserved:4,
-               version:3;
-#else
-#error "Adjust your <asm/byteorder.h> defines"
-#endif
-       __be16  protocol;
-};
-
-/* modified GRE header for PPTP */
-struct gre_hdr_pptp {
-       __u8   flags;           /* bitfield */
-       __u8   version;         /* should be GRE_VERSION_PPTP */
-       __be16 protocol;        /* should be GRE_PROTOCOL_PPTP */
-       __be16 payload_len;     /* size of ppp payload, not inc. gre header */
-       __be16 call_id;         /* peer's call_id for this session */
-       __be32 seq;             /* sequence number.  Present if S==1 */
-       __be32 ack;             /* seq number of highest packet recieved by */
-                               /*  sender in this session */
-};
-
-
-/* this is part of ip_conntrack */
-struct ip_ct_gre {
-       unsigned int stream_timeout;
-       unsigned int timeout;
-};
-
-#ifdef __KERNEL__
-struct ip_conntrack_expect;
-struct ip_conntrack;
-
-/* structure for original <-> reply keymap */
-struct ip_ct_gre_keymap {
-       struct list_head list;
-
-       struct ip_conntrack_tuple tuple;
-};
-
-/* add new tuple->key_reply pair to keymap */
-int ip_ct_gre_keymap_add(struct ip_conntrack *ct,
-                        struct ip_conntrack_tuple *t,
-                        int reply);
-
-/* delete keymap entries */
-void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
-
-
-/* get pointer to gre key, if present */
-static inline __be32 *gre_key(struct gre_hdr *greh)
-{
-       if (!greh->key)
-               return NULL;
-       if (greh->csum || greh->routing)
-               return (__be32 *) (greh+sizeof(*greh)+4);
-       return (__be32 *) (greh+sizeof(*greh));
-}
-
-/* get pointer ot gre csum, if present */
-static inline __sum16 *gre_csum(struct gre_hdr *greh)
-{
-       if (!greh->csum)
-               return NULL;
-       return (__sum16 *) (greh+sizeof(*greh));
-}
-
-#endif /* __KERNEL__ */
-
-#endif /* _CONNTRACK_PROTO_GRE_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
deleted file mode 100644 (file)
index 2c76b87..0000000
+++ /dev/null
@@ -1,98 +0,0 @@
-/* Header for use in defining a given protocol for connection tracking. */
-#ifndef _IP_CONNTRACK_PROTOCOL_H
-#define _IP_CONNTRACK_PROTOCOL_H
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter/nfnetlink_conntrack.h>
-
-struct seq_file;
-
-struct ip_conntrack_protocol
-{
-       /* Protocol number. */
-       u_int8_t proto;
-
-       /* Protocol name */
-       const char *name;
-
-       /* Try to fill in the third arg: dataoff is offset past IP
-           hdr.  Return true if possible. */
-       int (*pkt_to_tuple)(const struct sk_buff *skb,
-                          unsigned int dataoff,
-                          struct ip_conntrack_tuple *tuple);
-
-       /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
-        * Some packets can't be inverted: return 0 in that case.
-        */
-       int (*invert_tuple)(struct ip_conntrack_tuple *inverse,
-                           const struct ip_conntrack_tuple *orig);
-
-       /* Print out the per-protocol part of the tuple. Return like seq_* */
-       int (*print_tuple)(struct seq_file *,
-                          const struct ip_conntrack_tuple *);
-
-       /* Print out the private part of the conntrack. */
-       int (*print_conntrack)(struct seq_file *, const struct ip_conntrack *);
-
-       /* Returns verdict for packet, or -1 for invalid. */
-       int (*packet)(struct ip_conntrack *conntrack,
-                     const struct sk_buff *skb,
-                     enum ip_conntrack_info ctinfo);
-
-       /* Called when a new connection for this protocol found;
-        * returns TRUE if it's OK.  If so, packet() called next. */
-       int (*new)(struct ip_conntrack *conntrack, const struct sk_buff *skb);
-
-       /* Called when a conntrack entry is destroyed */
-       void (*destroy)(struct ip_conntrack *conntrack);
-
-       int (*error)(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
-                    unsigned int hooknum);
-
-       /* convert protoinfo to nfnetink attributes */
-       int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
-                        const struct ip_conntrack *ct);
-
-       /* convert nfnetlink attributes to protoinfo */
-       int (*from_nfattr)(struct nfattr *tb[], struct ip_conntrack *ct);
-
-       int (*tuple_to_nfattr)(struct sk_buff *skb,
-                              const struct ip_conntrack_tuple *t);
-       int (*nfattr_to_tuple)(struct nfattr *tb[],
-                              struct ip_conntrack_tuple *t);
-
-       /* Module (if any) which this is connected to. */
-       struct module *me;
-};
-
-/* Protocol registration. */
-extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto);
-extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto);
-/* Existing built-in protocols */
-extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp;
-extern struct ip_conntrack_protocol ip_conntrack_protocol_udp;
-extern struct ip_conntrack_protocol ip_conntrack_protocol_icmp;
-extern struct ip_conntrack_protocol ip_conntrack_generic_protocol;
-extern int ip_conntrack_protocol_tcp_init(void);
-
-/* Log invalid packets */
-extern unsigned int ip_ct_log_invalid;
-
-extern int ip_ct_port_tuple_to_nfattr(struct sk_buff *,
-                                     const struct ip_conntrack_tuple *);
-extern int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
-                                     struct ip_conntrack_tuple *);
-
-#ifdef CONFIG_SYSCTL
-#ifdef DEBUG_INVALID_PACKETS
-#define LOG_INVALID(proto) \
-       (ip_ct_log_invalid == (proto) || ip_ct_log_invalid == IPPROTO_RAW)
-#else
-#define LOG_INVALID(proto) \
-       ((ip_ct_log_invalid == (proto) || ip_ct_log_invalid == IPPROTO_RAW) \
-        && net_ratelimit())
-#endif
-#else
-#define LOG_INVALID(proto) 0
-#endif /* CONFIG_SYSCTL */
-
-#endif /*_IP_CONNTRACK_PROTOCOL_H*/
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_sctp.h b/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
deleted file mode 100644 (file)
index 4099a04..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef _IP_CONNTRACK_SCTP_H
-#define _IP_CONNTRACK_SCTP_H
-
-#include <linux/netfilter/nf_conntrack_sctp.h>
-
-#endif /* _IP_CONNTRACK_SCTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_sip.h b/include/linux/netfilter_ipv4/ip_conntrack_sip.h
deleted file mode 100644 (file)
index bef6c64..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-#ifndef __IP_CONNTRACK_SIP_H__
-#define __IP_CONNTRACK_SIP_H__
-#ifdef __KERNEL__
-
-#define SIP_PORT       5060
-#define SIP_TIMEOUT    3600
-
-enum sip_header_pos {
-       POS_REG_REQ_URI,
-       POS_REQ_URI,
-       POS_FROM,
-       POS_TO,
-       POS_VIA,
-       POS_CONTACT,
-       POS_CONTENT,
-       POS_MEDIA,
-       POS_OWNER,
-       POS_CONNECTION,
-       POS_SDP_HEADER,
-};
-
-extern unsigned int (*ip_nat_sip_hook)(struct sk_buff **pskb,
-                                      enum ip_conntrack_info ctinfo,
-                                      struct ip_conntrack *ct,
-                                      const char **dptr);
-extern unsigned int (*ip_nat_sdp_hook)(struct sk_buff **pskb,
-                                      enum ip_conntrack_info ctinfo,
-                                      struct ip_conntrack_expect *exp,
-                                      const char *dptr);
-
-extern int ct_sip_get_info(const char *dptr, size_t dlen,
-                          unsigned int *matchoff,
-                          unsigned int *matchlen,
-                          enum sip_header_pos pos);
-extern int ct_sip_lnlen(const char *line, const char *limit);
-extern const char *ct_sip_search(const char *needle, const char *haystack,
-                                size_t needle_len, size_t haystack_len,
-                                int case_sensitive);
-#endif /* __KERNEL__ */
-#endif /* __IP_CONNTRACK_SIP_H__ */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
deleted file mode 100644 (file)
index 876b8fb..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-#ifndef _IP_CONNTRACK_TCP_H
-#define _IP_CONNTRACK_TCP_H
-
-#include <linux/netfilter/nf_conntrack_tcp.h>
-
-#endif /* _IP_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tftp.h b/include/linux/netfilter_ipv4/ip_conntrack_tftp.h
deleted file mode 100644 (file)
index a404fc0..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef _IP_CT_TFTP
-#define _IP_CT_TFTP
-
-#define TFTP_PORT 69
-
-struct tftphdr {
-       __be16 opcode;
-};
-
-#define TFTP_OPCODE_READ       1
-#define TFTP_OPCODE_WRITE      2
-#define TFTP_OPCODE_DATA       3
-#define TFTP_OPCODE_ACK                4
-#define TFTP_OPCODE_ERROR      5
-
-extern unsigned int (*ip_nat_tftp_hook)(struct sk_buff **pskb,
-                                enum ip_conntrack_info ctinfo,
-                                struct ip_conntrack_expect *exp);
-
-#endif /* _IP_CT_TFTP */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
deleted file mode 100644 (file)
index c228bde..0000000
+++ /dev/null
@@ -1,146 +0,0 @@
-#ifndef _IP_CONNTRACK_TUPLE_H
-#define _IP_CONNTRACK_TUPLE_H
-
-#include <linux/types.h>
-#include <linux/netfilter/nf_conntrack_tuple_common.h>
-
-/* A `tuple' is a structure containing the information to uniquely
-  identify a connection.  ie. if two packets have the same tuple, they
-  are in the same connection; if not, they are not.
-
-  We divide the structure along "manipulatable" and
-  "non-manipulatable" lines, for the benefit of the NAT code.
-*/
-
-/* The protocol-specific manipulable parts of the tuple: always in
-   network order! */
-union ip_conntrack_manip_proto
-{
-       /* Add other protocols here. */
-       u_int16_t all;
-
-       struct {
-               __be16 port;
-       } tcp;
-       struct {
-               __be16 port;
-       } udp;
-       struct {
-               __be16 id;
-       } icmp;
-       struct {
-               __be16 port;
-       } sctp;
-       struct {
-               __be16 key;     /* key is 32bit, pptp only uses 16 */
-       } gre;
-};
-
-/* The manipulable part of the tuple. */
-struct ip_conntrack_manip
-{
-       __be32 ip;
-       union ip_conntrack_manip_proto u;
-};
-
-/* This contains the information to distinguish a connection. */
-struct ip_conntrack_tuple
-{
-       struct ip_conntrack_manip src;
-
-       /* These are the parts of the tuple which are fixed. */
-       struct {
-               __be32 ip;
-               union {
-                       /* Add other protocols here. */
-                       u_int16_t all;
-
-                       struct {
-                               __be16 port;
-                       } tcp;
-                       struct {
-                               __be16 port;
-                       } udp;
-                       struct {
-                               u_int8_t type, code;
-                       } icmp;
-                       struct {
-                               __be16 port;
-                       } sctp;
-                       struct {
-                               __be16 key;     /* key is 32bit, 
-                                                * pptp only uses 16 */
-                       } gre;
-               } u;
-
-               /* The protocol. */
-               u_int8_t protonum;
-
-               /* The direction (for tuplehash) */
-               u_int8_t dir;
-       } dst;
-};
-
-/* This is optimized opposed to a memset of the whole structure.  Everything we
- * really care about is the  source/destination unions */
-#define IP_CT_TUPLE_U_BLANK(tuple)                             \
-       do {                                                    \
-               (tuple)->src.u.all = 0;                         \
-               (tuple)->dst.u.all = 0;                         \
-       } while (0)
-
-#ifdef __KERNEL__
-
-#define DUMP_TUPLE(tp)                                         \
-DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n",    \
-       (tp), (tp)->dst.protonum,                               \
-       NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all),          \
-       NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all))
-
-/* If we're the first tuple, it's the original dir. */
-#define DIRECTION(h) ((enum ip_conntrack_dir)(h)->tuple.dst.dir)
-
-/* Connections have two entries in the hash table: one for each way */
-struct ip_conntrack_tuple_hash
-{
-       struct list_head list;
-
-       struct ip_conntrack_tuple tuple;
-};
-
-#endif /* __KERNEL__ */
-
-static inline int ip_ct_tuple_src_equal(const struct ip_conntrack_tuple *t1,
-                                       const struct ip_conntrack_tuple *t2)
-{
-       return t1->src.ip == t2->src.ip
-               && t1->src.u.all == t2->src.u.all;
-}
-
-static inline int ip_ct_tuple_dst_equal(const struct ip_conntrack_tuple *t1,
-                                       const struct ip_conntrack_tuple *t2)
-{
-       return t1->dst.ip == t2->dst.ip
-               && t1->dst.u.all == t2->dst.u.all
-               && t1->dst.protonum == t2->dst.protonum;
-}
-
-static inline int ip_ct_tuple_equal(const struct ip_conntrack_tuple *t1,
-                                   const struct ip_conntrack_tuple *t2)
-{
-       return ip_ct_tuple_src_equal(t1, t2) && ip_ct_tuple_dst_equal(t1, t2);
-}
-
-static inline int ip_ct_tuple_mask_cmp(const struct ip_conntrack_tuple *t,
-                                      const struct ip_conntrack_tuple *tuple,
-                                      const struct ip_conntrack_tuple *mask)
-{
-       return !(((t->src.ip ^ tuple->src.ip) & mask->src.ip)
-                || ((t->dst.ip ^ tuple->dst.ip) & mask->dst.ip)
-                || ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all)
-                || ((t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all)
-                || ((t->dst.protonum ^ tuple->dst.protonum)
-                    & mask->dst.protonum));
-}
-
-#endif /* _IP_CONNTRACK_TUPLE_H */
diff --git a/include/linux/netfilter_ipv4/ip_nat.h b/include/linux/netfilter_ipv4/ip_nat.h
deleted file mode 100644 (file)
index bbca89a..0000000
+++ /dev/null
@@ -1,79 +0,0 @@
-#ifndef _IP_NAT_H
-#define _IP_NAT_H
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-
-#define IP_NAT_MAPPING_TYPE_MAX_NAMELEN 16
-
-enum ip_nat_manip_type
-{
-       IP_NAT_MANIP_SRC,
-       IP_NAT_MANIP_DST
-};
-
-/* SRC manip occurs POST_ROUTING or LOCAL_IN */
-#define HOOK2MANIP(hooknum) ((hooknum) != NF_IP_POST_ROUTING && (hooknum) != NF_IP_LOCAL_IN)
-
-#define IP_NAT_RANGE_MAP_IPS 1
-#define IP_NAT_RANGE_PROTO_SPECIFIED 2
-#define IP_NAT_RANGE_PROTO_RANDOM 4 /* add randomness to "port" selection */
-
-/* NAT sequence number modifications */
-struct ip_nat_seq {
-       /* position of the last TCP sequence number 
-        * modification (if any) */
-       u_int32_t correction_pos;
-       /* sequence number offset before and after last modification */
-       int16_t offset_before, offset_after;
-};
-
-/* Single range specification. */
-struct ip_nat_range
-{
-       /* Set to OR of flags above. */
-       unsigned int flags;
-
-       /* Inclusive: network order. */
-       __be32 min_ip, max_ip;
-
-       /* Inclusive: network order */
-       union ip_conntrack_manip_proto min, max;
-};
-
-/* For backwards compat: don't use in modern code. */
-struct ip_nat_multi_range_compat
-{
-       unsigned int rangesize; /* Must be 1. */
-
-       /* hangs off end. */
-       struct ip_nat_range range[1];
-};
-
-#ifdef __KERNEL__
-#include <linux/list.h>
-
-/* Protects NAT hash tables, and NAT-private part of conntracks. */
-extern rwlock_t ip_nat_lock;
-
-/* The structure embedded in the conntrack structure. */
-struct ip_nat_info
-{
-       struct list_head bysource;
-       struct ip_nat_seq seq[IP_CT_DIR_MAX];
-};
-
-struct ip_conntrack;
-
-/* Set up the info structure to map into this range. */
-extern unsigned int ip_nat_setup_info(struct ip_conntrack *conntrack,
-                                     const struct ip_nat_range *range,
-                                     unsigned int hooknum);
-
-/* Is this tuple already taken? (not by us)*/
-extern int ip_nat_used_tuple(const struct ip_conntrack_tuple *tuple,
-                            const struct ip_conntrack *ignored_conntrack);
-
-#else  /* !__KERNEL__: iptables wants this to compile. */
-#define ip_nat_multi_range ip_nat_multi_range_compat
-#endif /*__KERNEL__*/
-#endif
diff --git a/include/linux/netfilter_ipv4/ip_nat_core.h b/include/linux/netfilter_ipv4/ip_nat_core.h
deleted file mode 100644 (file)
index 60566f9..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-#ifndef _IP_NAT_CORE_H
-#define _IP_NAT_CORE_H
-#include <linux/list.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-
-/* This header used to share core functionality between the standalone
-   NAT module, and the compatibility layer's use of NAT for masquerading. */
-
-extern unsigned int ip_nat_packet(struct ip_conntrack *ct,
-                              enum ip_conntrack_info conntrackinfo,
-                              unsigned int hooknum,
-                              struct sk_buff **pskb);
-
-extern int ip_nat_icmp_reply_translation(struct ip_conntrack *ct,
-                                        enum ip_conntrack_info ctinfo,
-                                        unsigned int hooknum,
-                                        struct sk_buff **pskb);
-#endif /* _IP_NAT_CORE_H */
diff --git a/include/linux/netfilter_ipv4/ip_nat_helper.h b/include/linux/netfilter_ipv4/ip_nat_helper.h
deleted file mode 100644 (file)
index bf9cb10..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-#ifndef _IP_NAT_HELPER_H
-#define _IP_NAT_HELPER_H
-/* NAT protocol helper routines. */
-
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/module.h>
-
-struct sk_buff;
-
-/* These return true or false. */
-extern int ip_nat_mangle_tcp_packet(struct sk_buff **skb,
-                               struct ip_conntrack *ct,
-                               enum ip_conntrack_info ctinfo,
-                               unsigned int match_offset,
-                               unsigned int match_len,
-                               const char *rep_buffer,
-                               unsigned int rep_len);
-extern int ip_nat_mangle_udp_packet(struct sk_buff **skb,
-                               struct ip_conntrack *ct,
-                               enum ip_conntrack_info ctinfo,
-                               unsigned int match_offset,
-                               unsigned int match_len,
-                               const char *rep_buffer,
-                               unsigned int rep_len);
-extern int ip_nat_seq_adjust(struct sk_buff **pskb, 
-                            struct ip_conntrack *ct, 
-                            enum ip_conntrack_info ctinfo);
-
-/* Setup NAT on this expected conntrack so it follows master, but goes
- * to port ct->master->saved_proto. */
-extern void ip_nat_follow_master(struct ip_conntrack *ct,
-                                struct ip_conntrack_expect *this);
-#endif
diff --git a/include/linux/netfilter_ipv4/ip_nat_pptp.h b/include/linux/netfilter_ipv4/ip_nat_pptp.h
deleted file mode 100644 (file)
index 36668bf..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-/* PPTP constants and structs */
-#ifndef _NAT_PPTP_H
-#define _NAT_PPTP_H
-
-/* conntrack private data */
-struct ip_nat_pptp {
-       __be16 pns_call_id;             /* NAT'ed PNS call id */
-       __be16 pac_call_id;             /* NAT'ed PAC call id */
-};
-
-#endif /* _NAT_PPTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_nat_protocol.h b/include/linux/netfilter_ipv4/ip_nat_protocol.h
deleted file mode 100644 (file)
index 612a436..0000000
+++ /dev/null
@@ -1,74 +0,0 @@
-/* Header for use in defining a given protocol. */
-#ifndef _IP_NAT_PROTOCOL_H
-#define _IP_NAT_PROTOCOL_H
-#include <linux/init.h>
-#include <linux/list.h>
-
-#include <linux/netfilter_ipv4/ip_nat.h>
-#include <linux/netfilter/nfnetlink_conntrack.h>
-
-struct iphdr;
-struct ip_nat_range;
-
-struct ip_nat_protocol
-{
-       /* Protocol name */
-       const char *name;
-
-       /* Protocol number. */
-       unsigned int protonum;
-
-       struct module *me;
-
-       /* Translate a packet to the target according to manip type.
-          Return true if succeeded. */
-       int (*manip_pkt)(struct sk_buff **pskb,
-                        unsigned int iphdroff,
-                        const struct ip_conntrack_tuple *tuple,
-                        enum ip_nat_manip_type maniptype);
-
-       /* Is the manipable part of the tuple between min and max incl? */
-       int (*in_range)(const struct ip_conntrack_tuple *tuple,
-                       enum ip_nat_manip_type maniptype,
-                       const union ip_conntrack_manip_proto *min,
-                       const union ip_conntrack_manip_proto *max);
-
-       /* Alter the per-proto part of the tuple (depending on
-          maniptype), to give a unique tuple in the given range if
-          possible; return false if not.  Per-protocol part of tuple
-          is initialized to the incoming packet. */
-       int (*unique_tuple)(struct ip_conntrack_tuple *tuple,
-                           const struct ip_nat_range *range,
-                           enum ip_nat_manip_type maniptype,
-                           const struct ip_conntrack *conntrack);
-
-       int (*range_to_nfattr)(struct sk_buff *skb,
-                              const struct ip_nat_range *range);
-
-       int (*nfattr_to_range)(struct nfattr *tb[],
-                              struct ip_nat_range *range);
-};
-
-/* Protocol registration. */
-extern int ip_nat_protocol_register(struct ip_nat_protocol *proto);
-extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto);
-
-extern struct ip_nat_protocol *ip_nat_proto_find_get(u_int8_t protocol);
-extern void ip_nat_proto_put(struct ip_nat_protocol *proto);
-
-/* Built-in protocols. */
-extern struct ip_nat_protocol ip_nat_protocol_tcp;
-extern struct ip_nat_protocol ip_nat_protocol_udp;
-extern struct ip_nat_protocol ip_nat_protocol_icmp;
-extern struct ip_nat_protocol ip_nat_unknown_protocol;
-
-extern int init_protocols(void) __init;
-extern void cleanup_protocols(void);
-extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum);
-
-extern int ip_nat_port_range_to_nfattr(struct sk_buff *skb,
-                                      const struct ip_nat_range *range);
-extern int ip_nat_port_nfattr_to_range(struct nfattr *tb[],
-                                      struct ip_nat_range *range);
-
-#endif /*_IP_NAT_PROTO_H*/
diff --git a/include/linux/netfilter_ipv4/ip_nat_rule.h b/include/linux/netfilter_ipv4/ip_nat_rule.h
deleted file mode 100644 (file)
index 73b9552..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-#ifndef _IP_NAT_RULE_H
-#define _IP_NAT_RULE_H
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_tables.h>
-#include <linux/netfilter_ipv4/ip_nat.h>
-
-#ifdef __KERNEL__
-
-extern int ip_nat_rule_init(void) __init;
-extern void ip_nat_rule_cleanup(void);
-extern int ip_nat_rule_find(struct sk_buff **pskb,
-                           unsigned int hooknum,
-                           const struct net_device *in,
-                           const struct net_device *out,
-                           struct ip_conntrack *ct,
-                           struct ip_nat_info *info);
-
-extern unsigned int
-alloc_null_binding(struct ip_conntrack *conntrack,
-                  struct ip_nat_info *info,
-                  unsigned int hooknum);
-
-extern unsigned int
-alloc_null_binding_confirmed(struct ip_conntrack *conntrack,
-                            struct ip_nat_info *info,
-                            unsigned int hooknum);
-#endif
-#endif /* _IP_NAT_RULE_H */
index cc4c0b2..be6e682 100644 (file)
@@ -13,7 +13,7 @@ struct ipt_same_info
        u_int32_t *iparray;
 
        /* hangs off end. */
-       struct ip_nat_range range[IPT_SAME_MAX_RANGE];
+       struct nf_nat_range range[IPT_SAME_MAX_RANGE];
 };
 
 #endif /*_IPT_SAME_H*/
index 0e690e3..1c6b8bd 100644 (file)
@@ -250,6 +250,11 @@ static inline int nf_ct_is_dying(struct nf_conn *ct)
        return test_bit(IPS_DYING_BIT, &ct->status);
 }
 
+static inline int nf_ct_is_untracked(const struct sk_buff *skb)
+{
+       return (skb->nfct == &nf_conntrack_untracked.ct_general);
+}
+
 extern unsigned int nf_conntrack_htable_size;
 extern int nf_conntrack_checksum;
 extern atomic_t nf_conntrack_count;
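Review bot: The added `nf_ct_is_untracked()` carries no comment, and unlike `nf_ct_is_dying()` just above it, it takes the skb rather than the conntrack, which is easy to miss now that it lives in the core header instead of the compat one. I would put `/* True if skb is attached to nf_conntrack_untracked rather than to a tracked connection. */` above it, since code that reads state from `skb->nfct` presumably needs to make this test first. The parentheses around the return expression are also unnecessary; `return skb->nfct == &nf_conntrack_untracked.ct_general;` reads the same.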
diff --git a/include/net/netfilter/nf_conntrack_compat.h b/include/net/netfilter/nf_conntrack_compat.h
deleted file mode 100644 (file)
index 6f84c1f..0000000
+++ /dev/null
@@ -1,145 +0,0 @@
-#ifndef _NF_CONNTRACK_COMPAT_H
-#define _NF_CONNTRACK_COMPAT_H
-
-#ifdef __KERNEL__
-
-#if defined(CONFIG_IP_NF_CONNTRACK) || defined(CONFIG_IP_NF_CONNTRACK_MODULE)
-
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/socket.h>
-
-#ifdef CONFIG_IP_NF_CONNTRACK_MARK
-static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
-                                       u_int32_t *ctinfo)
-{
-       struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
-
-       if (ct)
-               return &ct->mark;
-       else
-               return NULL;
-}
-#endif /* CONFIG_IP_NF_CONNTRACK_MARK */
-
-#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
-static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
-                                          u_int32_t *ctinfo)
-{
-       struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
-
-       if (ct)
-               return &ct->secmark;
-       else
-               return NULL;
-}
-#endif /* CONFIG_IP_NF_CONNTRACK_SECMARK */
-
-#ifdef CONFIG_IP_NF_CT_ACCT
-static inline struct ip_conntrack_counter *
-nf_ct_get_counters(const struct sk_buff *skb)
-{
-       enum ip_conntrack_info ctinfo;
-       struct ip_conntrack *ct = ip_conntrack_get(skb, &ctinfo);
-
-       if (ct)
-               return ct->counters;
-       else
-               return NULL;
-}
-#endif /* CONFIG_IP_NF_CT_ACCT */
-
-static inline int nf_ct_is_untracked(const struct sk_buff *skb)
-{
-       return (skb->nfct == &ip_conntrack_untracked.ct_general);
-}
-
-static inline void nf_ct_untrack(struct sk_buff *skb)
-{
-       skb->nfct = &ip_conntrack_untracked.ct_general;
-}
-
-static inline int nf_ct_get_ctinfo(const struct sk_buff *skb,
-                                  enum ip_conntrack_info *ctinfo)
-{
-       struct ip_conntrack *ct = ip_conntrack_get(skb, ctinfo);
-       return (ct != NULL);
-}
-
-static inline int nf_ct_l3proto_try_module_get(unsigned short l3proto)
-{
-       need_conntrack();
-       return l3proto == PF_INET ? 0 : -1;
-}
-
-static inline void nf_ct_l3proto_module_put(unsigned short l3proto)
-{
-}
-
-#else /* CONFIG_IP_NF_CONNTRACK */
-
-#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
-#include <net/netfilter/nf_conntrack.h>
-
-#ifdef CONFIG_NF_CONNTRACK_MARK
-
-static inline u_int32_t *nf_ct_get_mark(const struct sk_buff *skb,
-                                       u_int32_t *ctinfo)
-{
-       struct nf_conn *ct = nf_ct_get(skb, ctinfo);
-
-       if (ct)
-               return &ct->mark;
-       else
-               return NULL;
-}
-#endif /* CONFIG_NF_CONNTRACK_MARK */
-
-#ifdef CONFIG_NF_CONNTRACK_SECMARK
-static inline u_int32_t *nf_ct_get_secmark(const struct sk_buff *skb,
-                                          u_int32_t *ctinfo)
-{
-       struct nf_conn *ct = nf_ct_get(skb, ctinfo);
-
-       if (ct)
-               return &ct->secmark;
-       else
-               return NULL;
-}
-#endif /* CONFIG_NF_CONNTRACK_MARK */
-
-#ifdef CONFIG_NF_CT_ACCT
-static inline struct ip_conntrack_counter *
-nf_ct_get_counters(const struct sk_buff *skb)
-{
-       enum ip_conntrack_info ctinfo;
-       struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
-
-       if (ct)
-               return ct->counters;
-       else
-               return NULL;
-}
-#endif /* CONFIG_NF_CT_ACCT */
-
-static inline int nf_ct_is_untracked(const struct sk_buff *skb)
-{
-       return (skb->nfct == &nf_conntrack_untracked.ct_general);
-}
-
-static inline void nf_ct_untrack(struct sk_buff *skb)
-{
-       skb->nfct = &nf_conntrack_untracked.ct_general;
-}
-
-static inline int nf_ct_get_ctinfo(const struct sk_buff *skb,
-                                  enum ip_conntrack_info *ctinfo)
-{
-       struct nf_conn *ct = nf_ct_get(skb, ctinfo);
-       return (ct != NULL);
-}
-
-#endif /* CONFIG_IP_NF_CONNTRACK */
-
-#endif /* __KERNEL__ */
-
-#endif /* _NF_CONNTRACK_COMPAT_H */
index f191c67..e765654 100644 (file)
@@ -4,16 +4,6 @@
 #include <net/netfilter/nf_nat.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 
-/* Compatibility definitions for ipt_FOO modules */
-#define ip_nat_range                   nf_nat_range
-#define ip_conntrack_tuple             nf_conntrack_tuple
-#define ip_conntrack_get               nf_ct_get
-#define ip_conntrack                   nf_conn
-#define ip_nat_setup_info              nf_nat_setup_info
-#define ip_nat_multi_range_compat      nf_nat_multi_range_compat
-#define ip_ct_iterate_cleanup          nf_ct_iterate_cleanup
-#define        IP_NF_ASSERT                    NF_CT_ASSERT
-
 extern int nf_nat_rule_init(void) __init;
 extern void nf_nat_rule_cleanup(void);
 extern int nf_nat_rule_find(struct sk_buff **pskb,
index 601808c..46509fa 100644 (file)
@@ -30,188 +30,6 @@ config NF_CONNTRACK_PROC_COMPAT
 
          If unsure, say Y.
 
-# connection tracking, helpers and protocols
-config IP_NF_CT_ACCT
-       bool "Connection tracking flow accounting"
-       depends on IP_NF_CONNTRACK
-       help
-         If this option is enabled, the connection tracking code will
-         keep per-flow packet and byte counters.
-
-         Those counters can be used for flow-based accounting or the
-         `connbytes' match.
-
-         If unsure, say `N'.
-
-config IP_NF_CONNTRACK_MARK
-       bool  'Connection mark tracking support'
-       depends on IP_NF_CONNTRACK
-       help
-         This option enables support for connection marks, used by the
-         `CONNMARK' target and `connmark' match. Similar to the mark value
-         of packets, but this mark value is kept in the conntrack session
-         instead of the individual packets.
-       
-config IP_NF_CONNTRACK_SECMARK
-       bool  'Connection tracking security mark support'
-       depends on IP_NF_CONNTRACK && NETWORK_SECMARK
-       help
-         This option enables security markings to be applied to
-         connections.  Typically they are copied to connections from
-         packets using the CONNSECMARK target and copied back from
-         connections to packets with the same target, with the packets
-         being originally labeled via SECMARK.
-
-         If unsure, say 'N'.
-
-config IP_NF_CONNTRACK_EVENTS
-       bool "Connection tracking events (EXPERIMENTAL)"
-       depends on EXPERIMENTAL && IP_NF_CONNTRACK
-       help
-         If this option is enabled, the connection tracking code will
-         provide a notifier chain that can be used by other kernel code
-         to get notified about changes in the connection tracking state.
-         
-         IF unsure, say `N'.
-
-config IP_NF_CONNTRACK_NETLINK
-       tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
-       depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
-       depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
-       depends on IP_NF_NAT=n || IP_NF_NAT
-       help
-         This option enables support for a netlink-based userspace interface
-
-
-config IP_NF_CT_PROTO_SCTP
-       tristate  'SCTP protocol connection tracking support (EXPERIMENTAL)'
-       depends on IP_NF_CONNTRACK && EXPERIMENTAL
-       help
-         With this option enabled, the connection tracking code will
-         be able to do state tracking on SCTP connections.
-
-         If you want to compile it as a module, say M here and read
-         <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-config IP_NF_FTP
-       tristate "FTP protocol support"
-       depends on IP_NF_CONNTRACK
-       help
-         Tracking FTP connections is problematic: special helpers are
-         required for tracking them, and doing masquerading and other forms
-         of Network Address Translation on them.
-
-         To compile it as a module, choose M here.  If unsure, say Y.
-
-config IP_NF_IRC
-       tristate "IRC protocol support"
-       depends on IP_NF_CONNTRACK
-       ---help---
-         There is a commonly-used extension to IRC called
-         Direct Client-to-Client Protocol (DCC).  This enables users to send
-         files to each other, and also chat to each other without the need
-         of a server.  DCC Sending is used anywhere you send files over IRC,
-         and DCC Chat is most commonly used by Eggdrop bots.  If you are
-         using NAT, this extension will enable you to send files and initiate
-         chats.  Note that you do NOT need this extension to get files or
-         have others initiate chats, or everything else in IRC.
-
-         To compile it as a module, choose M here.  If unsure, say Y.
-
-config IP_NF_NETBIOS_NS
-       tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
-       depends on IP_NF_CONNTRACK && EXPERIMENTAL
-       help
-         NetBIOS name service requests are sent as broadcast messages from an
-         unprivileged port and responded to with unicast messages to the
-         same port. This make them hard to firewall properly because connection
-         tracking doesn't deal with broadcasts. This helper tracks locally
-         originating NetBIOS name service requests and the corresponding
-         responses. It relies on correct IP address configuration, specifically
-         netmask and broadcast address. When properly configured, the output
-         of "ip address show" should look similar to this:
-
-         $ ip -4 address show eth0
-         4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
-             inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
-         
-         To compile it as a module, choose M here.  If unsure, say N.
-
-config IP_NF_TFTP
-       tristate "TFTP protocol support"
-       depends on IP_NF_CONNTRACK
-       help
-         TFTP connection tracking helper, this is required depending
-         on how restrictive your ruleset is.
-         If you are using a tftp client behind -j SNAT or -j MASQUERADING
-         you will need this.
-
-         To compile it as a module, choose M here.  If unsure, say Y.
-
-config IP_NF_AMANDA
-       tristate "Amanda backup protocol support"
-       depends on IP_NF_CONNTRACK
-       select TEXTSEARCH
-       select TEXTSEARCH_KMP
-       help
-         If you are running the Amanda backup package <http://www.amanda.org/>
-         on this machine or machines that will be MASQUERADED through this
-         machine, then you may want to enable this feature.  This allows the
-         connection tracking and natting code to allow the sub-channels that
-         Amanda requires for communication of the backup data, messages and
-         index.
-
-         To compile it as a module, choose M here.  If unsure, say Y.
-
-config IP_NF_PPTP
-       tristate  'PPTP protocol support'
-       depends on IP_NF_CONNTRACK
-       help
-         This module adds support for PPTP (Point to Point Tunnelling
-         Protocol, RFC2637) connection tracking and NAT. 
-       
-         If you are running PPTP sessions over a stateful firewall or NAT
-         box, you may want to enable this feature.  
-       
-         Please note that not all PPTP modes of operation are supported yet.
-         For more info, read top of the file
-         net/ipv4/netfilter/ip_conntrack_pptp.c
-       
-         If you want to compile it as a module, say M here and read
-         Documentation/modules.txt.  If unsure, say `N'.
-
-config IP_NF_H323
-       tristate  'H.323 protocol support (EXPERIMENTAL)'
-       depends on IP_NF_CONNTRACK && EXPERIMENTAL
-       help
-         H.323 is a VoIP signalling protocol from ITU-T. As one of the most
-         important VoIP protocols, it is widely used by voice hardware and
-         software including voice gateways, IP phones, Netmeeting, OpenPhone,
-         Gnomemeeting, etc.
-
-         With this module you can support H.323 on a connection tracking/NAT
-         firewall.
-
-         This module supports RAS, Fast Start, H.245 Tunnelling, Call
-         Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
-         whiteboard, file transfer, etc. For more information, please
-         visit http://nath323.sourceforge.net/.
-
-         If you want to compile it as a module, say 'M' here and read
-         Documentation/modules.txt.  If unsure, say 'N'.
-
-config IP_NF_SIP
-       tristate "SIP protocol support (EXPERIMENTAL)"
-       depends on IP_NF_CONNTRACK && EXPERIMENTAL
-       help
-         SIP is an application-layer control protocol that can establish,
-         modify, and terminate multimedia sessions (conferences) such as
-         Internet telephony calls. With the ip_conntrack_sip and
-         the ip_nat_sip modules you can support the protocol on a connection
-         tracking/NATing firewall.
-
-         To compile it as a module, choose M here.  If unsure, say Y.
-
 config IP_NF_QUEUE
        tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
        help
@@ -361,17 +179,6 @@ config IP_NF_TARGET_ULOG
 
          To compile it as a module, choose M here.  If unsure, say N.
 
-# NAT + specific targets: ip_conntrack
-config IP_NF_NAT
-       tristate "Full NAT"
-       depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
-       help
-         The Full NAT option allows masquerading, port forwarding and other
-         forms of full Network Address Port Translation.  It is controlled by
-         the `nat' table in iptables: see the man page for iptables(8).
-
-         To compile it as a module, choose M here.  If unsure, say N.
-
 # NAT + specific targets: nf_conntrack
 config NF_NAT
        tristate "Full NAT"
@@ -383,11 +190,6 @@ config NF_NAT
 
          To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_NAT_NEEDED
-       bool
-       depends on IP_NF_NAT
-       default y
-
 config NF_NAT_NEEDED
        bool
        depends on NF_NAT
@@ -395,7 +197,7 @@ config NF_NAT_NEEDED
 
 config IP_NF_TARGET_MASQUERADE
        tristate "MASQUERADE target support"
-       depends on (NF_NAT || IP_NF_NAT)
+       depends on NF_NAT
        help
          Masquerading is a special case of NAT: all outgoing connections are
          changed to seem to come from a particular interface's address, and
@@ -407,7 +209,7 @@ config IP_NF_TARGET_MASQUERADE
 
 config IP_NF_TARGET_REDIRECT
        tristate "REDIRECT target support"
-       depends on (NF_NAT || IP_NF_NAT)
+       depends on NF_NAT
        help
          REDIRECT is a special case of NAT: all incoming connections are
          mapped onto the incoming interface's address, causing the packets to
@@ -418,7 +220,7 @@ config IP_NF_TARGET_REDIRECT
 
 config IP_NF_TARGET_NETMAP
        tristate "NETMAP target support"
-       depends on (NF_NAT || IP_NF_NAT)
+       depends on NF_NAT
        help
          NETMAP is an implementation of static 1:1 NAT mapping of network
          addresses. It maps the network address part, while keeping the host
@@ -429,28 +231,13 @@ config IP_NF_TARGET_NETMAP
 
 config IP_NF_TARGET_SAME
        tristate "SAME target support"
-       depends on (NF_NAT || IP_NF_NAT)
+       depends on NF_NAT
        help
          This option adds a `SAME' target, which works like the standard SNAT
          target, but attempts to give clients the same IP for all connections.
 
          To compile it as a module, choose M here.  If unsure, say N.
 
-config IP_NF_NAT_SNMP_BASIC
-       tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
-       depends on EXPERIMENTAL && IP_NF_NAT
-       ---help---
-
-         This module implements an Application Layer Gateway (ALG) for
-         SNMP payloads.  In conjunction with NAT, it allows a network
-         management system to access multiple private networks with
-         conflicting addresses.  It works by modifying IP addresses
-         inside SNMP payloads to match IP-layer NAT mapping.
-
-         This is the "basic" form of SNMP-ALG, as described in RFC 2962
-
-         To compile it as a module, choose M here.  If unsure, say N.
-
 config NF_NAT_SNMP_BASIC
        tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
        depends on EXPERIMENTAL && NF_NAT
@@ -477,78 +264,37 @@ config NF_NAT_PROTO_GRE
        tristate
        depends on NF_NAT && NF_CT_PROTO_GRE
 
-config IP_NF_NAT_FTP
-       tristate
-       depends on IP_NF_IPTABLES && IP_NF_CONNTRACK && IP_NF_NAT
-       default IP_NF_NAT && IP_NF_FTP
-
 config NF_NAT_FTP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_FTP
 
-config IP_NF_NAT_IRC
-       tristate
-       depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
-       default IP_NF_NAT if IP_NF_IRC=y
-       default m if IP_NF_IRC=m
-
 config NF_NAT_IRC
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_IRC
 
-config IP_NF_NAT_TFTP
-       tristate
-       depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
-       default IP_NF_NAT if IP_NF_TFTP=y
-       default m if IP_NF_TFTP=m
-
 config NF_NAT_TFTP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_TFTP
 
-config IP_NF_NAT_AMANDA
-       tristate
-       depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
-       default IP_NF_NAT if IP_NF_AMANDA=y
-       default m if IP_NF_AMANDA=m
-
 config NF_NAT_AMANDA
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_AMANDA
 
-config IP_NF_NAT_PPTP
-       tristate
-       depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
-       default IP_NF_NAT if IP_NF_PPTP=y
-       default m if IP_NF_PPTP=m
-
 config NF_NAT_PPTP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_PPTP
        select NF_NAT_PROTO_GRE
 
-config IP_NF_NAT_H323
-       tristate
-       depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
-       default IP_NF_NAT if IP_NF_H323=y
-       default m if IP_NF_H323=m
-
 config NF_NAT_H323
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_H323
 
-config IP_NF_NAT_SIP
-       tristate
-       depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
-       default IP_NF_NAT if IP_NF_SIP=y
-       default m if IP_NF_SIP=m
-
 config NF_NAT_SIP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
@@ -606,9 +352,8 @@ config IP_NF_TARGET_TTL
 config IP_NF_TARGET_CLUSTERIP
        tristate "CLUSTERIP target support (EXPERIMENTAL)"
        depends on IP_NF_MANGLE && EXPERIMENTAL
-       depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4
-       select IP_NF_CONNTRACK_MARK if IP_NF_CONNTRACK
-       select NF_CONNTRACK_MARK if NF_CONNTRACK_IPV4
+       depends on NF_CONNTRACK_IPV4
+       select NF_CONNTRACK_MARK
        help
          The CLUSTERIP target allows you to build load-balancing clusters of
          network servers without having a dedicated load-balancing
index 6625ec6..409d273 100644 (file)
@@ -2,8 +2,6 @@
 # Makefile for the netfilter modules on top of IPv4.
 #
 
-# objects for the standalone - connection tracking / NAT
-ip_conntrack-objs      := ip_conntrack_standalone.o ip_conntrack_core.o ip_conntrack_proto_generic.o ip_conntrack_proto_tcp.o ip_conntrack_proto_udp.o ip_conntrack_proto_icmp.o
 # objects for l3 independent conntrack
 nf_conntrack_ipv4-objs  :=  nf_conntrack_l3proto_ipv4.o nf_conntrack_proto_icmp.o
 ifeq ($(CONFIG_NF_CONNTRACK_PROC_COMPAT),y)
@@ -12,53 +10,14 @@ nf_conntrack_ipv4-objs      += nf_conntrack_l3proto_ipv4_compat.o
 endif
 endif
 
-ip_nat-objs    := ip_nat_core.o ip_nat_helper.o ip_nat_proto_unknown.o ip_nat_proto_tcp.o ip_nat_proto_udp.o ip_nat_proto_icmp.o
-nf_nat-objs    := nf_nat_core.o nf_nat_helper.o nf_nat_proto_unknown.o nf_nat_proto_tcp.o nf_nat_proto_udp.o nf_nat_proto_icmp.o
-ifneq ($(CONFIG_NF_NAT),)
+nf_nat-objs            := nf_nat_core.o nf_nat_helper.o nf_nat_proto_unknown.o nf_nat_proto_tcp.o nf_nat_proto_udp.o nf_nat_proto_icmp.o
 iptable_nat-objs       := nf_nat_rule.o nf_nat_standalone.o
-else
-iptable_nat-objs       := ip_nat_rule.o ip_nat_standalone.o
-endif
-
-ip_conntrack_pptp-objs := ip_conntrack_helper_pptp.o ip_conntrack_proto_gre.o
-ip_nat_pptp-objs       := ip_nat_helper_pptp.o ip_nat_proto_gre.o
-
-ip_conntrack_h323-objs := ip_conntrack_helper_h323.o ../../netfilter/nf_conntrack_h323_asn1.o
-ip_nat_h323-objs := ip_nat_helper_h323.o
 
 # connection tracking
-obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
 obj-$(CONFIG_NF_CONNTRACK_IPV4) += nf_conntrack_ipv4.o
 
-obj-$(CONFIG_IP_NF_NAT) += ip_nat.o
 obj-$(CONFIG_NF_NAT) += nf_nat.o
 
-# conntrack netlink interface
-obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) += ip_conntrack_netlink.o
-
-
-# SCTP protocol connection tracking
-obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
-
-# connection tracking helpers
-obj-$(CONFIG_IP_NF_H323) += ip_conntrack_h323.o
-obj-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp.o
-obj-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda.o
-obj-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp.o
-obj-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp.o
-obj-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc.o
-obj-$(CONFIG_IP_NF_SIP) += ip_conntrack_sip.o
-obj-$(CONFIG_IP_NF_NETBIOS_NS) += ip_conntrack_netbios_ns.o
-
-# NAT helpers (ip_conntrack)
-obj-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323.o
-obj-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp.o
-obj-$(CONFIG_IP_NF_NAT_AMANDA) += ip_nat_amanda.o
-obj-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp.o
-obj-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp.o
-obj-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc.o
-obj-$(CONFIG_IP_NF_NAT_SIP) += ip_nat_sip.o
-
 # NAT helpers (nf_conntrack)
 obj-$(CONFIG_NF_NAT_AMANDA) += nf_nat_amanda.o
 obj-$(CONFIG_NF_NAT_FTP) += nf_nat_ftp.o
@@ -78,7 +37,6 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
 # the three instances of ip_tables
 obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
 obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
-obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
 obj-$(CONFIG_NF_NAT) += iptable_nat.o
 obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 
@@ -100,7 +58,6 @@ obj-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE.o
 obj-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT.o
 obj-$(CONFIG_IP_NF_TARGET_NETMAP) += ipt_NETMAP.o
 obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o
-obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o
 obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o
 obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o
 obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o
diff --git a/net/ipv4/netfilter/ip_conntrack_amanda.c b/net/ipv4/netfilter/ip_conntrack_amanda.c
deleted file mode 100644 (file)
index c40762c..0000000
+++ /dev/null
@@ -1,229 +0,0 @@
-/* Amanda extension for IP connection tracking, Version 0.2
- * (C) 2002 by Brian J. Murrell <netfilter@interlinx.bc.ca>
- * based on HW's ip_conntrack_irc.c as well as other modules
- *
- *      This program is free software; you can redistribute it and/or
- *      modify it under the terms of the GNU General Public License
- *      as published by the Free Software Foundation; either version
- *      2 of the License, or (at your option) any later version.
- *
- *     Module load syntax:
- *     insmod ip_conntrack_amanda.o [master_timeout=n]
- *
- *     Where master_timeout is the timeout (in seconds) of the master
- *     connection (port 10080).  This defaults to 5 minutes but if
- *     your clients take longer than 5 minutes to do their work
- *     before getting back to the Amanda server, you can increase
- *     this value.
- *
- */
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/moduleparam.h>
-#include <linux/textsearch.h>
-#include <linux/skbuff.h>
-#include <linux/in.h>
-#include <linux/ip.h>
-#include <linux/udp.h>
-
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
-
-static unsigned int master_timeout = 300;
-static char *ts_algo = "kmp";
-
-MODULE_AUTHOR("Brian J. Murrell <netfilter@interlinx.bc.ca>");
-MODULE_DESCRIPTION("Amanda connection tracking module");
-MODULE_LICENSE("GPL");
-module_param(master_timeout, uint, 0600);
-MODULE_PARM_DESC(master_timeout, "timeout for the master connection");
-module_param(ts_algo, charp, 0400);
-MODULE_PARM_DESC(ts_algo, "textsearch algorithm to use (default kmp)");
-
-unsigned int (*ip_nat_amanda_hook)(struct sk_buff **pskb,
-                                  enum ip_conntrack_info ctinfo,
-                                  unsigned int matchoff,
-                                  unsigned int matchlen,
-                                  struct ip_conntrack_expect *exp);
-EXPORT_SYMBOL_GPL(ip_nat_amanda_hook);
-
-enum amanda_strings {
-       SEARCH_CONNECT,
-       SEARCH_NEWLINE,
-       SEARCH_DATA,
-       SEARCH_MESG,
-       SEARCH_INDEX,
-};
-
-static struct {
-       char                    *string;
-       size_t                  len;
-       struct ts_config        *ts;
-} search[] = {
-       [SEARCH_CONNECT] = {
-               .string = "CONNECT ",
-               .len    = 8,
-       },
-       [SEARCH_NEWLINE] = {
-               .string = "\n",
-               .len    = 1,
-       },
-       [SEARCH_DATA] = {
-               .string = "DATA ",
-               .len    = 5,
-       },
-       [SEARCH_MESG] = {
-               .string = "MESG ",
-               .len    = 5,
-       },
-       [SEARCH_INDEX] = {
-               .string = "INDEX ",
-               .len    = 6,
-       },
-};
-
-static int help(struct sk_buff **pskb,
-               struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
-{
-       struct ts_state ts;
-       struct ip_conntrack_expect *exp;
-       unsigned int dataoff, start, stop, off, i;
-       char pbuf[sizeof("65535")], *tmp;
-       u_int16_t port, len;
-       int ret = NF_ACCEPT;
-       typeof(ip_nat_amanda_hook) ip_nat_amanda;
-
-       /* Only look at packets from the Amanda server */
-       if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
-               return NF_ACCEPT;
-
-       /* increase the UDP timeout of the master connection as replies from
-        * Amanda clients to the server can be quite delayed */
-       ip_ct_refresh(ct, *pskb, master_timeout * HZ);
-
-       /* No data? */
-       dataoff = ip_hdrlen(*pskb) + sizeof(struct udphdr);
-       if (dataoff >= (*pskb)->len) {
-               if (net_ratelimit())
-                       printk("amanda_help: skblen = %u\n", (*pskb)->len);
-               return NF_ACCEPT;
-       }
-
-       memset(&ts, 0, sizeof(ts));
-       start = skb_find_text(*pskb, dataoff, (*pskb)->len,
-                             search[SEARCH_CONNECT].ts, &ts);
-       if (start == UINT_MAX)
-               goto out;
-       start += dataoff + search[SEARCH_CONNECT].len;
-
-       memset(&ts, 0, sizeof(ts));
-       stop = skb_find_text(*pskb, start, (*pskb)->len,
-                            search[SEARCH_NEWLINE].ts, &ts);
-       if (stop == UINT_MAX)
-               goto out;
-       stop += start;
-
-       for (i = SEARCH_DATA; i <= SEARCH_INDEX; i++) {
-               memset(&ts, 0, sizeof(ts));
-               off = skb_find_text(*pskb, start, stop, search[i].ts, &ts);
-               if (off == UINT_MAX)
-                       continue;
-               off += start + search[i].len;
-
-               len = min_t(unsigned int, sizeof(pbuf) - 1, stop - off);
-               if (skb_copy_bits(*pskb, off, pbuf, len))
-                       break;
-               pbuf[len] = '\0';
-
-               port = simple_strtoul(pbuf, &tmp, 10);
-               len = tmp - pbuf;
-               if (port == 0 || len > 5)
-                       break;
-
-               exp = ip_conntrack_expect_alloc(ct);
-               if (exp == NULL) {
-                       ret = NF_DROP;
-                       goto out;
-               }
-
-               exp->expectfn = NULL;
-               exp->flags = 0;
-
-               exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
-               exp->tuple.src.u.tcp.port = 0;
-               exp->tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
-               exp->tuple.dst.protonum = IPPROTO_TCP;
-               exp->tuple.dst.u.tcp.port = htons(port);
-
-               exp->mask.src.ip = htonl(0xFFFFFFFF);
-               exp->mask.src.u.tcp.port = 0;
-               exp->mask.dst.ip = htonl(0xFFFFFFFF);
-               exp->mask.dst.protonum = 0xFF;
-               exp->mask.dst.u.tcp.port = htons(0xFFFF);
-
-               /* RCU read locked by nf_hook_slow */
-               ip_nat_amanda = rcu_dereference(ip_nat_amanda_hook);
-               if (ip_nat_amanda)
-                       ret = ip_nat_amanda(pskb, ctinfo, off - dataoff,
-                                           len, exp);
-               else if (ip_conntrack_expect_related(exp) != 0)
-                       ret = NF_DROP;
-               ip_conntrack_expect_put(exp);
-       }
-
-out:
-       return ret;
-}
-
-static struct ip_conntrack_helper amanda_helper = {
-       .max_expected = 3,
-       .timeout = 180,
-       .me = THIS_MODULE,
-       .help = help,
-       .name = "amanda",
-
-       .tuple = { .src = { .u = { .udp = {.port = __constant_htons(10080) } } },
-                  .dst = { .protonum = IPPROTO_UDP },
-       },
-       .mask = { .src = { .u = { 0xFFFF } },
-                .dst = { .protonum = 0xFF },
-       },
-};
-
-static void __exit ip_conntrack_amanda_fini(void)
-{
-       int i;
-
-       ip_conntrack_helper_unregister(&amanda_helper);
-       for (i = 0; i < ARRAY_SIZE(search); i++)
-               textsearch_destroy(search[i].ts);
-}
-
-static int __init ip_conntrack_amanda_init(void)
-{
-       int ret, i;
-
-       ret = -ENOMEM;
-       for (i = 0; i < ARRAY_SIZE(search); i++) {
-               search[i].ts = textsearch_prepare(ts_algo, search[i].string,
-                                                 search[i].len,
-                                                 GFP_KERNEL, TS_AUTOLOAD);
-               if (search[i].ts == NULL)
-                       goto err;
-       }
-       ret = ip_conntrack_helper_register(&amanda_helper);
-       if (ret < 0)
-               goto err;
-       return 0;
-
-err:
-       for (; i >= 0; i--) {
-               if (search[i].ts)
-                       textsearch_destroy(search[i].ts);
-       }
-       return ret;
-}
-
-module_init(ip_conntrack_amanda_init);
-module_exit(ip_conntrack_amanda_fini);
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
deleted file mode 100644 (file)
index 986c0c8..0000000
+++ /dev/null
@@ -1,1549 +0,0 @@
-/* Connection state tracking for netfilter.  This is separated from,
-   but required by, the NAT layer; it can also be used by an iptables
-   extension. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * 23 Apr 2001: Harald Welte <laforge@gnumonks.org>
- *     - new API and handling of conntrack/nat helpers
- *     - now capable of multiple expectations for one master
- * 16 Jul 2002: Harald Welte <laforge@gnumonks.org>
- *     - add usage/reference counts to ip_conntrack_expect
- *     - export ip_conntrack[_expect]_{find_get,put} functions
- * */
-
-#include <linux/types.h>
-#include <linux/icmp.h>
-#include <linux/ip.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/proc_fs.h>
-#include <linux/vmalloc.h>
-#include <net/checksum.h>
-#include <net/ip.h>
-#include <linux/stddef.h>
-#include <linux/sysctl.h>
-#include <linux/slab.h>
-#include <linux/random.h>
-#include <linux/jhash.h>
-#include <linux/err.h>
-#include <linux/percpu.h>
-#include <linux/moduleparam.h>
-#include <linux/notifier.h>
-
-/* ip_conntrack_lock protects the main hash table, protocol/helper/expected
-   registrations, conntrack timers*/
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_core.h>
-
-#define IP_CONNTRACK_VERSION   "2.4"
-
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
-DEFINE_RWLOCK(ip_conntrack_lock);
-
-/* ip_conntrack_standalone needs this */
-atomic_t ip_conntrack_count = ATOMIC_INIT(0);
-
-void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack) = NULL;
-LIST_HEAD(ip_conntrack_expect_list);
-struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO] __read_mostly;
-static LIST_HEAD(helpers);
-unsigned int ip_conntrack_htable_size __read_mostly = 0;
-int ip_conntrack_max __read_mostly;
-struct list_head *ip_conntrack_hash __read_mostly;
-static struct kmem_cache *ip_conntrack_cachep __read_mostly;
-static struct kmem_cache *ip_conntrack_expect_cachep __read_mostly;
-struct ip_conntrack ip_conntrack_untracked;
-unsigned int ip_ct_log_invalid __read_mostly;
-static LIST_HEAD(unconfirmed);
-static int ip_conntrack_vmalloc __read_mostly;
-
-static unsigned int ip_conntrack_next_id;
-static unsigned int ip_conntrack_expect_next_id;
-#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
-ATOMIC_NOTIFIER_HEAD(ip_conntrack_chain);
-ATOMIC_NOTIFIER_HEAD(ip_conntrack_expect_chain);
-
-DEFINE_PER_CPU(struct ip_conntrack_ecache, ip_conntrack_ecache);
-
-/* deliver cached events and clear cache entry - must be called with locally
- * disabled softirqs */
-static inline void
-__ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ecache)
-{
-       DEBUGP("ecache: delivering events for %p\n", ecache->ct);
-       if (is_confirmed(ecache->ct) && !is_dying(ecache->ct) && ecache->events)
-               atomic_notifier_call_chain(&ip_conntrack_chain, ecache->events,
-                                   ecache->ct);
-       ecache->events = 0;
-       ip_conntrack_put(ecache->ct);
-       ecache->ct = NULL;
-}
-
-/* Deliver all cached events for a particular conntrack. This is called
- * by code prior to async packet handling or freeing the skb */
-void ip_ct_deliver_cached_events(const struct ip_conntrack *ct)
-{
-       struct ip_conntrack_ecache *ecache;
-
-       local_bh_disable();
-       ecache = &__get_cpu_var(ip_conntrack_ecache);
-       if (ecache->ct == ct)
-               __ip_ct_deliver_cached_events(ecache);
-       local_bh_enable();
-}
-
-void __ip_ct_event_cache_init(struct ip_conntrack *ct)
-{
-       struct ip_conntrack_ecache *ecache;
-
-       /* take care of delivering potentially old events */
-       ecache = &__get_cpu_var(ip_conntrack_ecache);
-       BUG_ON(ecache->ct == ct);
-       if (ecache->ct)
-               __ip_ct_deliver_cached_events(ecache);
-       /* initialize for this conntrack/packet */
-       ecache->ct = ct;
-       nf_conntrack_get(&ct->ct_general);
-}
-
-/* flush the event cache - touches other CPU's data and must not be called while
- * packets are still passing through the code */
-static void ip_ct_event_cache_flush(void)
-{
-       struct ip_conntrack_ecache *ecache;
-       int cpu;
-
-       for_each_possible_cpu(cpu) {
-               ecache = &per_cpu(ip_conntrack_ecache, cpu);
-               if (ecache->ct)
-                       ip_conntrack_put(ecache->ct);
-       }
-}
-#else
-static inline void ip_ct_event_cache_flush(void) {}
-#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
-
-DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
-
-static int ip_conntrack_hash_rnd_initted;
-static unsigned int ip_conntrack_hash_rnd;
-
-static u_int32_t __hash_conntrack(const struct ip_conntrack_tuple *tuple,
-                           unsigned int size, unsigned int rnd)
-{
-       return (jhash_3words((__force u32)tuple->src.ip,
-                            ((__force u32)tuple->dst.ip ^ tuple->dst.protonum),
-                            (tuple->src.u.all | (tuple->dst.u.all << 16)),
-                            rnd) % size);
-}
-
-static u_int32_t
-hash_conntrack(const struct ip_conntrack_tuple *tuple)
-{
-       return __hash_conntrack(tuple, ip_conntrack_htable_size,
-                               ip_conntrack_hash_rnd);
-}
-
-int
-ip_ct_get_tuple(const struct iphdr *iph,
-               const struct sk_buff *skb,
-               unsigned int dataoff,
-               struct ip_conntrack_tuple *tuple,
-               const struct ip_conntrack_protocol *protocol)
-{
-       /* Never happen */
-       if (iph->frag_off & htons(IP_OFFSET)) {
-               printk("ip_conntrack_core: Frag of proto %u.\n",
-                      iph->protocol);
-               return 0;
-       }
-
-       tuple->src.ip = iph->saddr;
-       tuple->dst.ip = iph->daddr;
-       tuple->dst.protonum = iph->protocol;
-       tuple->dst.dir = IP_CT_DIR_ORIGINAL;
-
-       return protocol->pkt_to_tuple(skb, dataoff, tuple);
-}
-
-int
-ip_ct_invert_tuple(struct ip_conntrack_tuple *inverse,
-                  const struct ip_conntrack_tuple *orig,
-                  const struct ip_conntrack_protocol *protocol)
-{
-       inverse->src.ip = orig->dst.ip;
-       inverse->dst.ip = orig->src.ip;
-       inverse->dst.protonum = orig->dst.protonum;
-       inverse->dst.dir = !orig->dst.dir;
-
-       return protocol->invert_tuple(inverse, orig);
-}
-
-
-/* ip_conntrack_expect helper functions */
-void ip_ct_unlink_expect(struct ip_conntrack_expect *exp)
-{
-       IP_NF_ASSERT(!timer_pending(&exp->timeout));
-       list_del(&exp->list);
-       CONNTRACK_STAT_INC(expect_delete);
-       exp->master->expecting--;
-       ip_conntrack_expect_put(exp);
-}
-
-static void expectation_timed_out(unsigned long ul_expect)
-{
-       struct ip_conntrack_expect *exp = (void *)ul_expect;
-
-       write_lock_bh(&ip_conntrack_lock);
-       ip_ct_unlink_expect(exp);
-       write_unlock_bh(&ip_conntrack_lock);
-       ip_conntrack_expect_put(exp);
-}
-
-struct ip_conntrack_expect *
-__ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple)
-{
-       struct ip_conntrack_expect *i;
-
-       list_for_each_entry(i, &ip_conntrack_expect_list, list) {
-               if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
-                       return i;
-       }
-       return NULL;
-}
-
-/* Just find a expectation corresponding to a tuple. */
-struct ip_conntrack_expect *
-ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple)
-{
-       struct ip_conntrack_expect *i;
-
-       read_lock_bh(&ip_conntrack_lock);
-       i = __ip_conntrack_expect_find(tuple);
-       if (i)
-               atomic_inc(&i->use);
-       read_unlock_bh(&ip_conntrack_lock);
-
-       return i;
-}
-
-/* If an expectation for this connection is found, it gets delete from
- * global list then returned. */
-static struct ip_conntrack_expect *
-find_expectation(const struct ip_conntrack_tuple *tuple)
-{
-       struct ip_conntrack_expect *i;
-
-       list_for_each_entry(i, &ip_conntrack_expect_list, list) {
-               /* If master is not in hash table yet (ie. packet hasn't left
-                  this machine yet), how can other end know about expected?
-                  Hence these are not the droids you are looking for (if
-                  master ct never got confirmed, we'd hold a reference to it
-                  and weird things would happen to future packets). */
-               if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)
-                   && is_confirmed(i->master)) {
-                       if (i->flags & IP_CT_EXPECT_PERMANENT) {
-                               atomic_inc(&i->use);
-                               return i;
-                       } else if (del_timer(&i->timeout)) {
-                               ip_ct_unlink_expect(i);
-                               return i;
-                       }
-               }
-       }
-       return NULL;
-}
-
-/* delete all expectations for this conntrack */
-void ip_ct_remove_expectations(struct ip_conntrack *ct)
-{
-       struct ip_conntrack_expect *i, *tmp;
-
-       /* Optimization: most connection never expect any others. */
-       if (ct->expecting == 0)
-               return;
-
-       list_for_each_entry_safe(i, tmp, &ip_conntrack_expect_list, list) {
-               if (i->master == ct && del_timer(&i->timeout)) {
-                       ip_ct_unlink_expect(i);
-                       ip_conntrack_expect_put(i);
-               }
-       }
-}
-
-static void
-clean_from_lists(struct ip_conntrack *ct)
-{
-       DEBUGP("clean_from_lists(%p)\n", ct);
-       list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
-       list_del(&ct->tuplehash[IP_CT_DIR_REPLY].list);
-
-       /* Destroy all pending expectations */
-       ip_ct_remove_expectations(ct);
-}
-
-static void
-destroy_conntrack(struct nf_conntrack *nfct)
-{
-       struct ip_conntrack *ct = (struct ip_conntrack *)nfct;
-       struct ip_conntrack_protocol *proto;
-       struct ip_conntrack_helper *helper;
-       typeof(ip_conntrack_destroyed) destroyed;
-
-       DEBUGP("destroy_conntrack(%p)\n", ct);
-       IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
-       IP_NF_ASSERT(!timer_pending(&ct->timeout));
-
-       ip_conntrack_event(IPCT_DESTROY, ct);
-       set_bit(IPS_DYING_BIT, &ct->status);
-
-       helper = ct->helper;
-       if (helper && helper->destroy)
-               helper->destroy(ct);
-
-       /* To make sure we don't get any weird locking issues here:
-        * destroy_conntrack() MUST NOT be called with a write lock
-        * to ip_conntrack_lock!!! -HW */
-       rcu_read_lock();
-       proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
-       if (proto && proto->destroy)
-               proto->destroy(ct);
-
-       destroyed = rcu_dereference(ip_conntrack_destroyed);
-       if (destroyed)
-               destroyed(ct);
-
-       rcu_read_unlock();
-
-       write_lock_bh(&ip_conntrack_lock);
-       /* Expectations will have been removed in clean_from_lists,
-        * except TFTP can create an expectation on the first packet,
-        * before connection is in the list, so we need to clean here,
-        * too. */
-       ip_ct_remove_expectations(ct);
-
-       /* We overload first tuple to link into unconfirmed list. */
-       if (!is_confirmed(ct)) {
-               BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
-               list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
-       }
-
-       CONNTRACK_STAT_INC(delete);
-       write_unlock_bh(&ip_conntrack_lock);
-
-       if (ct->master)
-               ip_conntrack_put(ct->master);
-
-       DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
-       ip_conntrack_free(ct);
-}
-
-static void death_by_timeout(unsigned long ul_conntrack)
-{
-       struct ip_conntrack *ct = (void *)ul_conntrack;
-
-       write_lock_bh(&ip_conntrack_lock);
-       /* Inside lock so preempt is disabled on module removal path.
-        * Otherwise we can get spurious warnings. */
-       CONNTRACK_STAT_INC(delete_list);
-       clean_from_lists(ct);
-       write_unlock_bh(&ip_conntrack_lock);
-       ip_conntrack_put(ct);
-}
-
-struct ip_conntrack_tuple_hash *
-__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
-                   const struct ip_conntrack *ignored_conntrack)
-{
-       struct ip_conntrack_tuple_hash *h;
-       unsigned int hash = hash_conntrack(tuple);
-
-       list_for_each_entry(h, &ip_conntrack_hash[hash], list) {
-               if (tuplehash_to_ctrack(h) != ignored_conntrack &&
-                   ip_ct_tuple_equal(tuple, &h->tuple)) {
-                       CONNTRACK_STAT_INC(found);
-                       return h;
-               }
-               CONNTRACK_STAT_INC(searched);
-       }
-
-       return NULL;
-}
-
-/* Find a connection corresponding to a tuple. */
-struct ip_conntrack_tuple_hash *
-ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
-                     const struct ip_conntrack *ignored_conntrack)
-{
-       struct ip_conntrack_tuple_hash *h;
-
-       read_lock_bh(&ip_conntrack_lock);
-       h = __ip_conntrack_find(tuple, ignored_conntrack);
-       if (h)
-               atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
-       read_unlock_bh(&ip_conntrack_lock);
-
-       return h;
-}
-
-static void __ip_conntrack_hash_insert(struct ip_conntrack *ct,
-                                       unsigned int hash,
-                                       unsigned int repl_hash)
-{
-       ct->id = ++ip_conntrack_next_id;
-       list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list,
-                &ip_conntrack_hash[hash]);
-       list_add(&ct->tuplehash[IP_CT_DIR_REPLY].list,
-                &ip_conntrack_hash[repl_hash]);
-}
-
-void ip_conntrack_hash_insert(struct ip_conntrack *ct)
-{
-       unsigned int hash, repl_hash;
-
-       hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
-       repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-
-       write_lock_bh(&ip_conntrack_lock);
-       __ip_conntrack_hash_insert(ct, hash, repl_hash);
-       write_unlock_bh(&ip_conntrack_lock);
-}
-
-/* Confirm a connection given skb; places it in hash table */
-int
-__ip_conntrack_confirm(struct sk_buff **pskb)
-{
-       unsigned int hash, repl_hash;
-       struct ip_conntrack_tuple_hash *h;
-       struct ip_conntrack *ct;
-       enum ip_conntrack_info ctinfo;
-
-       ct = ip_conntrack_get(*pskb, &ctinfo);
-
-       /* ipt_REJECT uses ip_conntrack_attach to attach related
-          ICMP/TCP RST packets in other direction.  Actual packet
-          which created connection will be IP_CT_NEW or for an
-          expected connection, IP_CT_RELATED. */
-       if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
-               return NF_ACCEPT;
-
-       hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
-       repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-
-       /* We're not in hash table, and we refuse to set up related
-          connections for unconfirmed conns.  But packet copies and
-          REJECT will give spurious warnings here. */
-       /* IP_NF_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
-
-       /* No external references means noone else could have
-          confirmed us. */
-       IP_NF_ASSERT(!is_confirmed(ct));
-       DEBUGP("Confirming conntrack %p\n", ct);
-
-       write_lock_bh(&ip_conntrack_lock);
-
-       /* See if there's one in the list already, including reverse:
-          NAT could have grabbed it without realizing, since we're
-          not in the hash.  If there is, we lost race. */
-       list_for_each_entry(h, &ip_conntrack_hash[hash], list)
-               if (ip_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
-                                     &h->tuple))
-                       goto out;
-       list_for_each_entry(h, &ip_conntrack_hash[repl_hash], list)
-               if (ip_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple,
-                                     &h->tuple))
-                       goto out;
-
-       /* Remove from unconfirmed list */
-       list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
-
-       __ip_conntrack_hash_insert(ct, hash, repl_hash);
-       /* Timer relative to confirmation time, not original
-          setting time, otherwise we'd get timer wrap in
-          weird delay cases. */
-       ct->timeout.expires += jiffies;
-       add_timer(&ct->timeout);
-       atomic_inc(&ct->ct_general.use);
-       set_bit(IPS_CONFIRMED_BIT, &ct->status);
-       CONNTRACK_STAT_INC(insert);
-       write_unlock_bh(&ip_conntrack_lock);
-       if (ct->helper)
-               ip_conntrack_event_cache(IPCT_HELPER, *pskb);
-#ifdef CONFIG_IP_NF_NAT_NEEDED
-       if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
-           test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
-               ip_conntrack_event_cache(IPCT_NATINFO, *pskb);
-#endif
-       ip_conntrack_event_cache(master_ct(ct) ?
-                                IPCT_RELATED : IPCT_NEW, *pskb);
-
-       return NF_ACCEPT;
-
-out:
-       CONNTRACK_STAT_INC(insert_failed);
-       write_unlock_bh(&ip_conntrack_lock);
-       return NF_DROP;
-}
-
-/* Returns true if a connection correspondings to the tuple (required
-   for NAT). */
-int
-ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
-                        const struct ip_conntrack *ignored_conntrack)
-{
-       struct ip_conntrack_tuple_hash *h;
-
-       read_lock_bh(&ip_conntrack_lock);
-       h = __ip_conntrack_find(tuple, ignored_conntrack);
-       read_unlock_bh(&ip_conntrack_lock);
-
-       return h != NULL;
-}
-
-/* There's a small race here where we may free a just-assured
-   connection.  Too bad: we're in trouble anyway. */
-static int early_drop(struct list_head *chain)
-{
-       /* Traverse backwards: gives us oldest, which is roughly LRU */
-       struct ip_conntrack_tuple_hash *h;
-       struct ip_conntrack *ct = NULL, *tmp;
-       int dropped = 0;
-
-       read_lock_bh(&ip_conntrack_lock);
-       list_for_each_entry_reverse(h, chain, list) {
-               tmp = tuplehash_to_ctrack(h);
-               if (!test_bit(IPS_ASSURED_BIT, &tmp->status)) {
-                       ct = tmp;
-                       atomic_inc(&ct->ct_general.use);
-                       break;
-               }
-       }
-       read_unlock_bh(&ip_conntrack_lock);
-
-       if (!ct)
-               return dropped;
-
-       if (del_timer(&ct->timeout)) {
-               death_by_timeout((unsigned long)ct);
-               dropped = 1;
-               CONNTRACK_STAT_INC_ATOMIC(early_drop);
-       }
-       ip_conntrack_put(ct);
-       return dropped;
-}
-
-static struct ip_conntrack_helper *
-__ip_conntrack_helper_find( const struct ip_conntrack_tuple *tuple)
-{
-       struct ip_conntrack_helper *h;
-
-       list_for_each_entry(h, &helpers, list) {
-               if (ip_ct_tuple_mask_cmp(tuple, &h->tuple, &h->mask))
-                       return h;
-       }
-       return NULL;
-}
-
-struct ip_conntrack_helper *
-ip_conntrack_helper_find_get( const struct ip_conntrack_tuple *tuple)
-{
-       struct ip_conntrack_helper *helper;
-
-       /* need ip_conntrack_lock to assure that helper exists until
-        * try_module_get() is called */
-       read_lock_bh(&ip_conntrack_lock);
-
-       helper = __ip_conntrack_helper_find(tuple);
-       if (helper) {
-               /* need to increase module usage count to assure helper will
-                * not go away while the caller is e.g. busy putting a
-                * conntrack in the hash that uses the helper */
-               if (!try_module_get(helper->me))
-                       helper = NULL;
-       }
-
-       read_unlock_bh(&ip_conntrack_lock);
-
-       return helper;
-}
-
-void ip_conntrack_helper_put(struct ip_conntrack_helper *helper)
-{
-       module_put(helper->me);
-}
-
-struct ip_conntrack_protocol *
-__ip_conntrack_proto_find(u_int8_t protocol)
-{
-       return ip_ct_protos[protocol];
-}
-
-/* this is guaranteed to always return a valid protocol helper, since
- * it falls back to generic_protocol */
-struct ip_conntrack_protocol *
-ip_conntrack_proto_find_get(u_int8_t protocol)
-{
-       struct ip_conntrack_protocol *p;
-
-       rcu_read_lock();
-       p = __ip_conntrack_proto_find(protocol);
-       if (p) {
-               if (!try_module_get(p->me))
-                       p = &ip_conntrack_generic_protocol;
-       }
-       rcu_read_unlock();
-
-       return p;
-}
-
-void ip_conntrack_proto_put(struct ip_conntrack_protocol *p)
-{
-       module_put(p->me);
-}
-
-struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *orig,
-                                       struct ip_conntrack_tuple *repl)
-{
-       struct ip_conntrack *conntrack;
-
-       if (!ip_conntrack_hash_rnd_initted) {
-               get_random_bytes(&ip_conntrack_hash_rnd, 4);
-               ip_conntrack_hash_rnd_initted = 1;
-       }
-
-       /* We don't want any race condition at early drop stage */
-       atomic_inc(&ip_conntrack_count);
-
-       if (ip_conntrack_max
-           && atomic_read(&ip_conntrack_count) > ip_conntrack_max) {
-               unsigned int hash = hash_conntrack(orig);
-               /* Try dropping from this hash chain. */
-               if (!early_drop(&ip_conntrack_hash[hash])) {
-                       atomic_dec(&ip_conntrack_count);
-                       if (net_ratelimit())
-                               printk(KERN_WARNING
-                                      "ip_conntrack: table full, dropping"
-                                      " packet.\n");
-                       return ERR_PTR(-ENOMEM);
-               }
-       }
-
-       conntrack = kmem_cache_zalloc(ip_conntrack_cachep, GFP_ATOMIC);
-       if (!conntrack) {
-               DEBUGP("Can't allocate conntrack.\n");
-               atomic_dec(&ip_conntrack_count);
-               return ERR_PTR(-ENOMEM);
-       }
-
-       atomic_set(&conntrack->ct_general.use, 1);
-       conntrack->ct_general.destroy = destroy_conntrack;
-       conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
-       conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
-       /* Don't set timer yet: wait for confirmation */
-       init_timer(&conntrack->timeout);
-       conntrack->timeout.data = (unsigned long)conntrack;
-       conntrack->timeout.function = death_by_timeout;
-
-       return conntrack;
-}
-
-void
-ip_conntrack_free(struct ip_conntrack *conntrack)
-{
-       atomic_dec(&ip_conntrack_count);
-       kmem_cache_free(ip_conntrack_cachep, conntrack);
-}
-
-/* Allocate a new conntrack: we return -ENOMEM if classification
- * failed due to stress.   Otherwise it really is unclassifiable */
-static struct ip_conntrack_tuple_hash *
-init_conntrack(struct ip_conntrack_tuple *tuple,
-              struct ip_conntrack_protocol *protocol,
-              struct sk_buff *skb)
-{
-       struct ip_conntrack *conntrack;
-       struct ip_conntrack_tuple repl_tuple;
-       struct ip_conntrack_expect *exp;
-
-       if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
-               DEBUGP("Can't invert tuple.\n");
-               return NULL;
-       }
-
-       conntrack = ip_conntrack_alloc(tuple, &repl_tuple);
-       if (conntrack == NULL || IS_ERR(conntrack))
-               return (struct ip_conntrack_tuple_hash *)conntrack;
-
-       if (!protocol->new(conntrack, skb)) {
-               ip_conntrack_free(conntrack);
-               return NULL;
-       }
-
-       write_lock_bh(&ip_conntrack_lock);
-       exp = find_expectation(tuple);
-
-       if (exp) {
-               DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
-                       conntrack, exp);
-               /* Welcome, Mr. Bond.  We've been expecting you... */
-               __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
-               conntrack->master = exp->master;
-#ifdef CONFIG_IP_NF_CONNTRACK_MARK
-               conntrack->mark = exp->master->mark;
-#endif
-#if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
-    defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
-               /* this is ugly, but there is no other place where to put it */
-               conntrack->nat.masq_index = exp->master->nat.masq_index;
-#endif
-#ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
-               conntrack->secmark = exp->master->secmark;
-#endif
-               nf_conntrack_get(&conntrack->master->ct_general);
-               CONNTRACK_STAT_INC(expect_new);
-       } else {
-               conntrack->helper = __ip_conntrack_helper_find(&repl_tuple);
-
-               CONNTRACK_STAT_INC(new);
-       }
-
-       /* Overload tuple linked list to put us in unconfirmed list. */
-       list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
-
-       write_unlock_bh(&ip_conntrack_lock);
-
-       if (exp) {
-               if (exp->expectfn)
-                       exp->expectfn(conntrack, exp);
-               ip_conntrack_expect_put(exp);
-       }
-
-       return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
-}
-
-/* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
-static inline struct ip_conntrack *
-resolve_normal_ct(struct sk_buff *skb,
-                 struct ip_conntrack_protocol *proto,
-                 int *set_reply,
-                 unsigned int hooknum,
-                 enum ip_conntrack_info *ctinfo)
-{
-       struct ip_conntrack_tuple tuple;
-       struct ip_conntrack_tuple_hash *h;
-       struct ip_conntrack *ct;
-
-       IP_NF_ASSERT((ip_hdr(skb)->frag_off & htons(IP_OFFSET)) == 0);
-
-       if (!ip_ct_get_tuple(ip_hdr(skb), skb, ip_hdrlen(skb), &tuple,proto))
-               return NULL;
-
-       /* look for tuple match */
-       h = ip_conntrack_find_get(&tuple, NULL);
-       if (!h) {
-               h = init_conntrack(&tuple, proto, skb);
-               if (!h)
-                       return NULL;
-               if (IS_ERR(h))
-                       return (void *)h;
-       }
-       ct = tuplehash_to_ctrack(h);
-
-       /* It exists; we have (non-exclusive) reference. */
-       if (DIRECTION(h) == IP_CT_DIR_REPLY) {
-               *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
-               /* Please set reply bit if this packet OK */
-               *set_reply = 1;
-       } else {
-               /* Once we've had two way comms, always ESTABLISHED. */
-               if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
-                       DEBUGP("ip_conntrack_in: normal packet for %p\n",
-                              ct);
-                       *ctinfo = IP_CT_ESTABLISHED;
-               } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
-                       DEBUGP("ip_conntrack_in: related packet for %p\n",
-                              ct);
-                       *ctinfo = IP_CT_RELATED;
-               } else {
-                       DEBUGP("ip_conntrack_in: new packet for %p\n",
-                              ct);
-                       *ctinfo = IP_CT_NEW;
-               }
-               *set_reply = 0;
-       }
-       skb->nfct = &ct->ct_general;
-       skb->nfctinfo = *ctinfo;
-       return ct;
-}
-
-/* Netfilter hook itself. */
-unsigned int ip_conntrack_in(unsigned int hooknum,
-                            struct sk_buff **pskb,
-                            const struct net_device *in,
-                            const struct net_device *out,
-                            int (*okfn)(struct sk_buff *))
-{
-       struct ip_conntrack *ct;
-       enum ip_conntrack_info ctinfo;
-       struct ip_conntrack_protocol *proto;
-       int set_reply = 0;
-       int ret;
-
-       /* Previously seen (loopback or untracked)?  Ignore. */
-       if ((*pskb)->nfct) {
-               CONNTRACK_STAT_INC_ATOMIC(ignore);
-               return NF_ACCEPT;
-       }
-
-       /* Never happen */
-       if (ip_hdr(*pskb)->frag_off & htons(IP_OFFSET)) {
-               if (net_ratelimit()) {
-               printk(KERN_ERR "ip_conntrack_in: Frag of proto %u (hook=%u)\n",
-                      ip_hdr(*pskb)->protocol, hooknum);
-               }
-               return NF_DROP;
-       }
-
-/* Doesn't cover locally-generated broadcast, so not worth it. */
-#if 0
-       /* Ignore broadcast: no `connection'. */
-       if ((*pskb)->pkt_type == PACKET_BROADCAST) {
-               printk("Broadcast packet!\n");
-               return NF_ACCEPT;
-       } else if ((ip_hdr(*pskb)->daddr & htonl(0x000000FF))
-                  == htonl(0x000000FF)) {
-               printk("Should bcast: %u.%u.%u.%u->%u.%u.%u.%u (sk=%p, ptype=%u)\n",
-                      NIPQUAD(ip_hdr(*pskb)->saddr),
-                      NIPQUAD(ip_hdr(*pskb)->daddr),
-                      (*pskb)->sk, (*pskb)->pkt_type);
-       }
-#endif
-
-       /* rcu_read_lock()ed by nf_hook_slow */
-       proto = __ip_conntrack_proto_find(ip_hdr(*pskb)->protocol);
-
-       /* It may be an special packet, error, unclean...
-        * inverse of the return code tells to the netfilter
-        * core what to do with the packet. */
-       if (proto->error != NULL
-           && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
-               CONNTRACK_STAT_INC_ATOMIC(error);
-               CONNTRACK_STAT_INC_ATOMIC(invalid);
-               return -ret;
-       }
-
-       if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
-               /* Not valid part of a connection */
-               CONNTRACK_STAT_INC_ATOMIC(invalid);
-               return NF_ACCEPT;
-       }
-
-       if (IS_ERR(ct)) {
-               /* Too stressed to deal. */
-               CONNTRACK_STAT_INC_ATOMIC(drop);
-               return NF_DROP;
-       }
-
-       IP_NF_ASSERT((*pskb)->nfct);
-
-       ret = proto->packet(ct, *pskb, ctinfo);
-       if (ret < 0) {
-               /* Invalid: inverse of the return code tells
-                * the netfilter core what to do*/
-               nf_conntrack_put((*pskb)->nfct);
-               (*pskb)->nfct = NULL;
-               CONNTRACK_STAT_INC_ATOMIC(invalid);
-               return -ret;
-       }
-
-       if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
-               ip_conntrack_event_cache(IPCT_STATUS, *pskb);
-
-       return ret;
-}
-
-int invert_tuplepr(struct ip_conntrack_tuple *inverse,
-                  const struct ip_conntrack_tuple *orig)
-{
-       struct ip_conntrack_protocol *proto;
-       int ret;
-
-       rcu_read_lock();
-       proto = __ip_conntrack_proto_find(orig->dst.protonum);
-       ret = ip_ct_invert_tuple(inverse, orig, proto);
-       rcu_read_unlock();
-
-       return ret;
-}
-
-/* Would two expected things clash? */
-static inline int expect_clash(const struct ip_conntrack_expect *a,
-                              const struct ip_conntrack_expect *b)
-{
-       /* Part covered by intersection of masks must be unequal,
-          otherwise they clash */
-       struct ip_conntrack_tuple intersect_mask
-               = { { a->mask.src.ip & b->mask.src.ip,
-                     { a->mask.src.u.all & b->mask.src.u.all } },
-                   { a->mask.dst.ip & b->mask.dst.ip,
-                     { a->mask.dst.u.all & b->mask.dst.u.all },
-                     a->mask.dst.protonum & b->mask.dst.protonum } };
-
-       return ip_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
-}
-
-static inline int expect_matches(const struct ip_conntrack_expect *a,
-                                const struct ip_conntrack_expect *b)
-{
-       return a->master == b->master
-               && ip_ct_tuple_equal(&a->tuple, &b->tuple)
-               && ip_ct_tuple_equal(&a->mask, &b->mask);
-}
-
-/* Generally a bad idea to call this: could have matched already. */
-void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp)
-{
-       struct ip_conntrack_expect *i;
-
-       write_lock_bh(&ip_conntrack_lock);
-       /* choose the the oldest expectation to evict */
-       list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
-               if (expect_matches(i, exp) && del_timer(&i->timeout)) {
-                       ip_ct_unlink_expect(i);
-                       write_unlock_bh(&ip_conntrack_lock);
-                       ip_conntrack_expect_put(i);
-                       return;
-               }
-       }
-       write_unlock_bh(&ip_conntrack_lock);
-}
-
-/* We don't increase the master conntrack refcount for non-fulfilled
- * conntracks. During the conntrack destruction, the expectations are
- * always killed before the conntrack itself */
-struct ip_conntrack_expect *ip_conntrack_expect_alloc(struct ip_conntrack *me)
-{
-       struct ip_conntrack_expect *new;
-
-       new = kmem_cache_alloc(ip_conntrack_expect_cachep, GFP_ATOMIC);
-       if (!new) {
-               DEBUGP("expect_related: OOM allocating expect\n");
-               return NULL;
-       }
-       new->master = me;
-       atomic_set(&new->use, 1);
-       return new;
-}
-
-void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
-{
-       if (atomic_dec_and_test(&exp->use))
-               kmem_cache_free(ip_conntrack_expect_cachep, exp);
-}
-
-static void ip_conntrack_expect_insert(struct ip_conntrack_expect *exp)
-{
-       atomic_inc(&exp->use);
-       exp->master->expecting++;
-       list_add(&exp->list, &ip_conntrack_expect_list);
-
-       init_timer(&exp->timeout);
-       exp->timeout.data = (unsigned long)exp;
-       exp->timeout.function = expectation_timed_out;
-       exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ;
-       add_timer(&exp->timeout);
-
-       exp->id = ++ip_conntrack_expect_next_id;
-       atomic_inc(&exp->use);
-       CONNTRACK_STAT_INC(expect_create);
-}
-
-/* Race with expectations being used means we could have none to find; OK. */
-static void evict_oldest_expect(struct ip_conntrack *master)
-{
-       struct ip_conntrack_expect *i;
-
-       list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
-               if (i->master == master) {
-                       if (del_timer(&i->timeout)) {
-                               ip_ct_unlink_expect(i);
-                               ip_conntrack_expect_put(i);
-                       }
-                       break;
-               }
-       }
-}
-
-static inline int refresh_timer(struct ip_conntrack_expect *i)
-{
-       if (!del_timer(&i->timeout))
-               return 0;
-
-       i->timeout.expires = jiffies + i->master->helper->timeout*HZ;
-       add_timer(&i->timeout);
-       return 1;
-}
-
-int ip_conntrack_expect_related(struct ip_conntrack_expect *expect)
-{
-       struct ip_conntrack_expect *i;
-       int ret;
-
-       DEBUGP("ip_conntrack_expect_related %p\n", related_to);
-       DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple);
-       DEBUGP("mask:  "); DUMP_TUPLE(&expect->mask);
-
-       write_lock_bh(&ip_conntrack_lock);
-       list_for_each_entry(i, &ip_conntrack_expect_list, list) {
-               if (expect_matches(i, expect)) {
-                       /* Refresh timer: if it's dying, ignore.. */
-                       if (refresh_timer(i)) {
-                               ret = 0;
-                               goto out;
-                       }
-               } else if (expect_clash(i, expect)) {
-                       ret = -EBUSY;
-                       goto out;
-               }
-       }
-
-       /* Will be over limit? */
-       if (expect->master->helper->max_expected &&
-           expect->master->expecting >= expect->master->helper->max_expected)
-               evict_oldest_expect(expect->master);
-
-       ip_conntrack_expect_insert(expect);
-       ip_conntrack_expect_event(IPEXP_NEW, expect);
-       ret = 0;
-out:
-       write_unlock_bh(&ip_conntrack_lock);
-       return ret;
-}
-
-/* Alter reply tuple (maybe alter helper).  This is for NAT, and is
-   implicitly racy: see __ip_conntrack_confirm */
-void ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
-                             const struct ip_conntrack_tuple *newreply)
-{
-       write_lock_bh(&ip_conntrack_lock);
-       /* Should be unconfirmed, so not in hash table yet */
-       IP_NF_ASSERT(!is_confirmed(conntrack));
-
-       DEBUGP("Altering reply tuple of %p to ", conntrack);
-       DUMP_TUPLE(newreply);
-
-       conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
-       if (!conntrack->master && conntrack->expecting == 0)
-               conntrack->helper = __ip_conntrack_helper_find(newreply);
-       write_unlock_bh(&ip_conntrack_lock);
-}
-
-int ip_conntrack_helper_register(struct ip_conntrack_helper *me)
-{
-       BUG_ON(me->timeout == 0);
-       write_lock_bh(&ip_conntrack_lock);
-       list_add(&me->list, &helpers);
-       write_unlock_bh(&ip_conntrack_lock);
-
-       return 0;
-}
-
-struct ip_conntrack_helper *
-__ip_conntrack_helper_find_byname(const char *name)
-{
-       struct ip_conntrack_helper *h;
-
-       list_for_each_entry(h, &helpers, list) {
-               if (!strcmp(h->name, name))
-                       return h;
-       }
-
-       return NULL;
-}
-
-static inline void unhelp(struct ip_conntrack_tuple_hash *i,
-                         const struct ip_conntrack_helper *me)
-{
-       if (tuplehash_to_ctrack(i)->helper == me) {
-               ip_conntrack_event(IPCT_HELPER, tuplehash_to_ctrack(i));
-               tuplehash_to_ctrack(i)->helper = NULL;
-       }
-}
-
-void ip_conntrack_helper_unregister(struct ip_conntrack_helper *me)
-{
-       unsigned int i;
-       struct ip_conntrack_tuple_hash *h;
-       struct ip_conntrack_expect *exp, *tmp;
-
-       /* Need write lock here, to delete helper. */
-       write_lock_bh(&ip_conntrack_lock);
-       list_del(&me->list);
-
-       /* Get rid of expectations */
-       list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list, list) {
-               if (exp->master->helper == me && del_timer(&exp->timeout)) {
-                       ip_ct_unlink_expect(exp);
-                       ip_conntrack_expect_put(exp);
-               }
-       }
-       /* Get rid of expecteds, set helpers to NULL. */
-       list_for_each_entry(h, &unconfirmed, list)
-               unhelp(h, me);
-       for (i = 0; i < ip_conntrack_htable_size; i++) {
-               list_for_each_entry(h, &ip_conntrack_hash[i], list)
-                       unhelp(h, me);
-       }
-       write_unlock_bh(&ip_conntrack_lock);
-
-       /* Someone could be still looking at the helper in a bh. */
-       synchronize_net();
-}
-
-/* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */
-void __ip_ct_refresh_acct(struct ip_conntrack *ct,
-                       enum ip_conntrack_info ctinfo,
-                       const struct sk_buff *skb,
-                       unsigned long extra_jiffies,
-                       int do_acct)
-{
-       int event = 0;
-
-       IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
-       IP_NF_ASSERT(skb);
-
-       write_lock_bh(&ip_conntrack_lock);
-
-       /* Only update if this is not a fixed timeout */
-       if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) {
-               write_unlock_bh(&ip_conntrack_lock);
-               return;
-       }
-
-       /* If not in hash table, timer will not be active yet */
-       if (!is_confirmed(ct)) {
-               ct->timeout.expires = extra_jiffies;
-               event = IPCT_REFRESH;
-       } else {
-               /* Need del_timer for race avoidance (may already be dying). */
-               if (del_timer(&ct->timeout)) {
-                       ct->timeout.expires = jiffies + extra_jiffies;
-                       add_timer(&ct->timeout);
-                       event = IPCT_REFRESH;
-               }
-       }
-
-#ifdef CONFIG_IP_NF_CT_ACCT
-       if (do_acct) {
-               ct->counters[CTINFO2DIR(ctinfo)].packets++;
-               ct->counters[CTINFO2DIR(ctinfo)].bytes +=
-                                               ntohs(ip_hdr(skb)->tot_len);
-               if ((ct->counters[CTINFO2DIR(ctinfo)].packets & 0x80000000)
-                   || (ct->counters[CTINFO2DIR(ctinfo)].bytes & 0x80000000))
-                       event |= IPCT_COUNTER_FILLING;
-       }
-#endif
-
-       write_unlock_bh(&ip_conntrack_lock);
-
-       /* must be unlocked when calling event cache */
-       if (event)
-               ip_conntrack_event_cache(event, skb);
-}
-
-#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
-    defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
-/* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
- * in ip_conntrack_core, since we don't want the protocols to autoload
- * or depend on ctnetlink */
-int ip_ct_port_tuple_to_nfattr(struct sk_buff *skb,
-                              const struct ip_conntrack_tuple *tuple)
-{
-       NFA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(__be16),
-               &tuple->src.u.tcp.port);
-       NFA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(__be16),
-               &tuple->dst.u.tcp.port);
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-
-int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
-                              struct ip_conntrack_tuple *t)
-{
-       if (!tb[CTA_PROTO_SRC_PORT-1] || !tb[CTA_PROTO_DST_PORT-1])
-               return -EINVAL;
-
-       t->src.u.tcp.port =
-               *(__be16 *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1]);
-       t->dst.u.tcp.port =
-               *(__be16 *)NFA_DATA(tb[CTA_PROTO_DST_PORT-1]);
-
-       return 0;
-}
-#endif
-
-/* Returns new sk_buff, or NULL */
-struct sk_buff *
-ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
-{
-       skb_orphan(skb);
-
-       local_bh_disable();
-       skb = ip_defrag(skb, user);
-       local_bh_enable();
-
-       if (skb)
-               ip_send_check(ip_hdr(skb));
-       return skb;
-}
-
-/* Used by ipt_REJECT. */
-static void ip_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
-{
-       struct ip_conntrack *ct;
-       enum ip_conntrack_info ctinfo;
-
-       /* This ICMP is in reverse direction to the packet which caused it */
-       ct = ip_conntrack_get(skb, &ctinfo);
-
-       if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
-               ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
-       else
-               ctinfo = IP_CT_RELATED;
-
-       /* Attach to new skbuff, and increment count */
-       nskb->nfct = &ct->ct_general;
-       nskb->nfctinfo = ctinfo;
-       nf_conntrack_get(nskb->nfct);
-}
-
-/* Bring out ya dead! */
-static struct ip_conntrack *
-get_next_corpse(int (*iter)(struct ip_conntrack *i, void *data),
-               void *data, unsigned int *bucket)
-{
-       struct ip_conntrack_tuple_hash *h;
-       struct ip_conntrack *ct;
-
-       write_lock_bh(&ip_conntrack_lock);
-       for (; *bucket < ip_conntrack_htable_size; (*bucket)++) {
-               list_for_each_entry(h, &ip_conntrack_hash[*bucket], list) {
-                       ct = tuplehash_to_ctrack(h);
-                       if (iter(ct, data))
-                               goto found;
-               }
-       }
-       list_for_each_entry(h, &unconfirmed, list) {
-               ct = tuplehash_to_ctrack(h);
-               if (iter(ct, data))
-                       set_bit(IPS_DYING_BIT, &ct->status);
-       }
-       write_unlock_bh(&ip_conntrack_lock);
-       return NULL;
-
-found:
-       atomic_inc(&ct->ct_general.use);
-       write_unlock_bh(&ip_conntrack_lock);
-       return ct;
-}
-
-void
-ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *), void *data)
-{
-       struct ip_conntrack *ct;
-       unsigned int bucket = 0;
-
-       while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) {
-               /* Time to push up daises... */
-               if (del_timer(&ct->timeout))
-                       death_by_timeout((unsigned long)ct);
-               /* ... else the timer will get him soon. */
-
-               ip_conntrack_put(ct);
-       }
-}
-
-/* Fast function for those who don't want to parse /proc (and I don't
-   blame them). */
-/* Reversing the socket's dst/src point of view gives us the reply
-   mapping. */
-static int
-getorigdst(struct sock *sk, int optval, void __user *user, int *len)
-{
-       struct inet_sock *inet = inet_sk(sk);
-       struct ip_conntrack_tuple_hash *h;
-       struct ip_conntrack_tuple tuple;
-
-       IP_CT_TUPLE_U_BLANK(&tuple);
-       tuple.src.ip = inet->rcv_saddr;
-       tuple.src.u.tcp.port = inet->sport;
-       tuple.dst.ip = inet->daddr;
-       tuple.dst.u.tcp.port = inet->dport;
-       tuple.dst.protonum = IPPROTO_TCP;
-
-       /* We only do TCP at the moment: is there a better way? */
-       if (strcmp(sk->sk_prot->name, "TCP")) {
-               DEBUGP("SO_ORIGINAL_DST: Not a TCP socket\n");
-               return -ENOPROTOOPT;
-       }
-
-       if ((unsigned int) *len < sizeof(struct sockaddr_in)) {
-               DEBUGP("SO_ORIGINAL_DST: len %u not %u\n",
-                      *len, sizeof(struct sockaddr_in));
-               return -EINVAL;
-       }
-
-       h = ip_conntrack_find_get(&tuple, NULL);
-       if (h) {
-               struct sockaddr_in sin;
-               struct ip_conntrack *ct = tuplehash_to_ctrack(h);
-
-               sin.sin_family = AF_INET;
-               sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]
-                       .tuple.dst.u.tcp.port;
-               sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
-                       .tuple.dst.ip;
-               memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
-
-               DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
-                      NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
-               ip_conntrack_put(ct);
-               if (copy_to_user(user, &sin, sizeof(sin)) != 0)
-                       return -EFAULT;
-               else
-                       return 0;
-       }
-       DEBUGP("SO_ORIGINAL_DST: Can't find %u.%u.%u.%u/%u-%u.%u.%u.%u/%u.\n",
-              NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
-              NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
-       return -ENOENT;
-}
-
-static struct nf_sockopt_ops so_getorigdst = {
-       .pf             = PF_INET,
-       .get_optmin     = SO_ORIGINAL_DST,
-       .get_optmax     = SO_ORIGINAL_DST+1,
-       .get            = &getorigdst,
-};
-
-static int kill_all(struct ip_conntrack *i, void *data)
-{
-       return 1;
-}
-
-void ip_conntrack_flush(void)
-{
-       ip_ct_iterate_cleanup(kill_all, NULL);
-}
-
-static void free_conntrack_hash(struct list_head *hash, int vmalloced,int size)
-{
-       if (vmalloced)
-               vfree(hash);
-       else
-               free_pages((unsigned long)hash,
-                          get_order(sizeof(struct list_head) * size));
-}
-
-/* Mishearing the voices in his head, our hero wonders how he's
-   supposed to kill the mall. */
-void ip_conntrack_cleanup(void)
-{
-       rcu_assign_pointer(ip_ct_attach, NULL);
-
-       /* This makes sure all current packets have passed through
-          netfilter framework.  Roll on, two-stage module
-          delete... */
-       synchronize_net();
-
-       ip_ct_event_cache_flush();
- i_see_dead_people:
-       ip_conntrack_flush();
-       if (atomic_read(&ip_conntrack_count) != 0) {
-               schedule();
-               goto i_see_dead_people;
-       }
-       /* wait until all references to ip_conntrack_untracked are dropped */
-       while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
-               schedule();
-
-       kmem_cache_destroy(ip_conntrack_cachep);
-       kmem_cache_destroy(ip_conntrack_expect_cachep);
-       free_conntrack_hash(ip_conntrack_hash, ip_conntrack_vmalloc,
-                           ip_conntrack_htable_size);
-       nf_unregister_sockopt(&so_getorigdst);
-}
-
-static struct list_head *alloc_hashtable(int size, int *vmalloced)
-{
-       struct list_head *hash;
-       unsigned int i;
-
-       *vmalloced = 0;
-       hash = (void*)__get_free_pages(GFP_KERNEL,
-                                      get_order(sizeof(struct list_head)
-                                                * size));
-       if (!hash) {
-               *vmalloced = 1;
-               printk(KERN_WARNING"ip_conntrack: falling back to vmalloc.\n");
-               hash = vmalloc(sizeof(struct list_head) * size);
-       }
-
-       if (hash)
-               for (i = 0; i < size; i++)
-                       INIT_LIST_HEAD(&hash[i]);
-
-       return hash;
-}
-
-static int set_hashsize(const char *val, struct kernel_param *kp)
-{
-       int i, bucket, hashsize, vmalloced;
-       int old_vmalloced, old_size;
-       int rnd;
-       struct list_head *hash, *old_hash;
-       struct ip_conntrack_tuple_hash *h;
-
-       /* On boot, we can set this without any fancy locking. */
-       if (!ip_conntrack_htable_size)
-               return param_set_int(val, kp);
-
-       hashsize = simple_strtol(val, NULL, 0);
-       if (!hashsize)
-               return -EINVAL;
-
-       hash = alloc_hashtable(hashsize, &vmalloced);
-       if (!hash)
-               return -ENOMEM;
-
-       /* We have to rehash for the new table anyway, so we also can
-        * use a new random seed */
-       get_random_bytes(&rnd, 4);
-
-       write_lock_bh(&ip_conntrack_lock);
-       for (i = 0; i < ip_conntrack_htable_size; i++) {
-               while (!list_empty(&ip_conntrack_hash[i])) {
-                       h = list_entry(ip_conntrack_hash[i].next,
-                                      struct ip_conntrack_tuple_hash, list);
-                       list_del(&h->list);
-                       bucket = __hash_conntrack(&h->tuple, hashsize, rnd);
-                       list_add_tail(&h->list, &hash[bucket]);
-               }
-       }
-       old_size = ip_conntrack_htable_size;
-       old_vmalloced = ip_conntrack_vmalloc;
-       old_hash = ip_conntrack_hash;
-
-       ip_conntrack_htable_size = hashsize;
-       ip_conntrack_vmalloc = vmalloced;
-       ip_conntrack_hash = hash;
-       ip_conntrack_hash_rnd = rnd;
-       write_unlock_bh(&ip_conntrack_lock);
-
-       free_conntrack_hash(old_hash, old_vmalloced, old_size);
-       return 0;
-}
-
-module_param_call(hashsize, set_hashsize, param_get_uint,
-                 &ip_conntrack_htable_size, 0600);
-
-int __init ip_conntrack_init(void)
-{
-       unsigned int i;
-       int ret;
-
-       /* Idea from tcp.c: use 1/16384 of memory.  On i386: 32MB
-        * machine has 256 buckets.  >= 1GB machines have 8192 buckets. */
-       if (!ip_conntrack_htable_size) {
-               ip_conntrack_htable_size
-                       = (((num_physpages << PAGE_SHIFT) / 16384)
-                          / sizeof(struct list_head));
-               if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE))
-                       ip_conntrack_htable_size = 8192;
-               if (ip_conntrack_htable_size < 16)
-                       ip_conntrack_htable_size = 16;
-       }
-       ip_conntrack_max = 8 * ip_conntrack_htable_size;
-
-       printk("ip_conntrack version %s (%u buckets, %d max)"
-              " - %Zd bytes per conntrack\n", IP_CONNTRACK_VERSION,
-              ip_conntrack_htable_size, ip_conntrack_max,
-              sizeof(struct ip_conntrack));
-
-       ret = nf_register_sockopt(&so_getorigdst);
-       if (ret != 0) {
-               printk(KERN_ERR "Unable to register netfilter socket option\n");
-               return ret;
-       }
-
-       ip_conntrack_hash = alloc_hashtable(ip_conntrack_htable_size,
-                                           &ip_conntrack_vmalloc);
-       if (!ip_conntrack_hash) {
-               printk(KERN_ERR "Unable to create ip_conntrack_hash\n");
-               goto err_unreg_sockopt;
-       }
-
-       ip_conntrack_cachep = kmem_cache_create("ip_conntrack",
-                                               sizeof(struct ip_conntrack), 0,
-                                               0, NULL, NULL);
-       if (!ip_conntrack_cachep) {
-               printk(KERN_ERR "Unable to create ip_conntrack slab cache\n");
-               goto err_free_hash;
-       }
-
-       ip_conntrack_expect_cachep = kmem_cache_create("ip_conntrack_expect",
-                                       sizeof(struct ip_conntrack_expect),
-                                       0, 0, NULL, NULL);
-       if (!ip_conntrack_expect_cachep) {
-               printk(KERN_ERR "Unable to create ip_expect slab cache\n");
-               goto err_free_conntrack_slab;
-       }
-
-       /* Don't NEED lock here, but good form anyway. */
-       write_lock_bh(&ip_conntrack_lock);
-       for (i = 0; i < MAX_IP_CT_PROTO; i++)
-               rcu_assign_pointer(ip_ct_protos[i], &ip_conntrack_generic_protocol);
-       /* Sew in builtin protocols. */
-       rcu_assign_pointer(ip_ct_protos[IPPROTO_TCP], &ip_conntrack_protocol_tcp);
-       rcu_assign_pointer(ip_ct_protos[IPPROTO_UDP], &ip_conntrack_protocol_udp);
-       rcu_assign_pointer(ip_ct_protos[IPPROTO_ICMP], &ip_conntrack_protocol_icmp);
-       write_unlock_bh(&ip_conntrack_lock);
-
-       /* For use by ipt_REJECT */
-       rcu_assign_pointer(ip_ct_attach, ip_conntrack_attach);
-
-       /* Set up fake conntrack:
-           - to never be deleted, not in any hashes */
-       atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
-       /*  - and look it like as a confirmed connection */
-       set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
-
-       return ret;
-
-err_free_conntrack_slab:
-       kmem_cache_destroy(ip_conntrack_cachep);
-err_free_hash:
-       free_conntrack_hash(ip_conntrack_hash, ip_conntrack_vmalloc,
-                           ip_conntrack_htable_size);
-err_unreg_sockopt:
-       nf_unregister_sockopt(&so_getorigdst);
-
-       return -ENOMEM;
-}
diff --git a/net/ipv4/netfilter/ip_conntrack_ftp.c b/net/ipv4/netfilter/ip_conntrack_ftp.c
deleted file mode 100644 (file)
index 9238998..0000000
+++ /dev/null
@@ -1,520 +0,0 @@
-/* FTP extension for IP connection tracking. */
-
-/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <linux/ctype.h>
-#include <net/checksum.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
-#include <linux/moduleparam.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
-MODULE_DESCRIPTION("ftp connection tracking helper");
-
-/* This is slow, but it's simple. --RR */
-static char *ftp_buffer;
-static DEFINE_SPINLOCK(ip_ftp_lock);
-
-#define MAX_PORTS 8
-static unsigned short ports[MAX_PORTS];
-static int ports_c;
-module_param_array(ports, ushort, &ports_c, 0400);
-
-static int loose;
-module_param(loose, bool, 0600);
-
-unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
-                               enum ip_conntrack_info ctinfo,
-                               enum ip_ct_ftp_type type,
-                               unsigned int matchoff,
-                               unsigned int matchlen,
-                               struct ip_conntrack_expect *exp,
-                               u32 *seq);
-EXPORT_SYMBOL_GPL(ip_nat_ftp_hook);
-
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
-static int try_rfc959(const char *, size_t, u_int32_t [], char);
-static int try_eprt(const char *, size_t, u_int32_t [], char);
-static int try_epsv_response(const char *, size_t, u_int32_t [], char);
-
-static const struct ftp_search {
-       const char *pattern;
-       size_t plen;
-       char skip;
-       char term;
-       enum ip_ct_ftp_type ftptype;
-       int (*getnum)(const char *, size_t, u_int32_t[], char);
-} search[IP_CT_DIR_MAX][2] = {
-       [IP_CT_DIR_ORIGINAL] = {
-               {
-                       .pattern        =  "PORT",
-                       .plen           = sizeof("PORT") - 1,
-                       .skip           = ' ',
-                       .term           = '\r',
-                       .ftptype        = IP_CT_FTP_PORT,
-                       .getnum         = try_rfc959,
-               },
-               {
-                       .pattern        = "EPRT",
-                       .plen           = sizeof("EPRT") - 1,
-                       .skip           = ' ',
-                       .term           = '\r',
-                       .ftptype        = IP_CT_FTP_EPRT,
-                       .getnum         = try_eprt,
-               },
-       },
-       [IP_CT_DIR_REPLY] = {
-               {
-                       .pattern        = "227 ",
-                       .plen           = sizeof("227 ") - 1,
-                       .skip           = '(',
-                       .term           = ')',
-                       .ftptype        = IP_CT_FTP_PASV,
-                       .getnum         = try_rfc959,
-               },
-               {
-                       .pattern        = "229 ",
-                       .plen           = sizeof("229 ") - 1,
-                       .skip           = '(',
-                       .term           = ')',
-                       .ftptype        = IP_CT_FTP_EPSV,
-                       .getnum         = try_epsv_response,
-               },
-       },
-};
-
-static int try_number(const char *data, size_t dlen, u_int32_t array[],
-                     int array_size, char sep, char term)
-{
-       u_int32_t i, len;
-
-       memset(array, 0, sizeof(array[0])*array_size);
-
-       /* Keep data pointing at next char. */
-       for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) {
-               if (*data >= '0' && *data <= '9') {
-                       array[i] = array[i]*10 + *data - '0';
-               }
-               else if (*data == sep)
-                       i++;
-               else {
-                       /* Unexpected character; true if it's the
-                          terminator and we're finished. */
-                       if (*data == term && i == array_size - 1)
-                               return len;
-
-                       DEBUGP("Char %u (got %u nums) `%u' unexpected\n",
-                              len, i, *data);
-                       return 0;
-               }
-       }
-       DEBUGP("Failed to fill %u numbers separated by %c\n", array_size, sep);
-
-       return 0;
-}
-
-/* Returns 0, or length of numbers: 192,168,1,1,5,6 */
-static int try_rfc959(const char *data, size_t dlen, u_int32_t array[6],
-                      char term)
-{
-       return try_number(data, dlen, array, 6, ',', term);
-}
-
-/* Grab port: number up to delimiter */
-static int get_port(const char *data, int start, size_t dlen, char delim,
-                   u_int32_t array[2])
-{
-       u_int16_t port = 0;
-       int i;
-
-       for (i = start; i < dlen; i++) {
-               /* Finished? */
-               if (data[i] == delim) {
-                       if (port == 0)
-                               break;
-                       array[0] = port >> 8;
-                       array[1] = port;
-                       return i + 1;
-               }
-               else if (data[i] >= '0' && data[i] <= '9')
-                       port = port*10 + data[i] - '0';
-               else /* Some other crap */
-                       break;
-       }
-       return 0;
-}
-
-/* Returns 0, or length of numbers: |1|132.235.1.2|6275| */
-static int try_eprt(const char *data, size_t dlen, u_int32_t array[6],
-                   char term)
-{
-       char delim;
-       int length;
-
-       /* First character is delimiter, then "1" for IPv4, then
-          delimiter again. */
-       if (dlen <= 3) return 0;
-       delim = data[0];
-       if (isdigit(delim) || delim < 33 || delim > 126
-           || data[1] != '1' || data[2] != delim)
-               return 0;
-
-       DEBUGP("EPRT: Got |1|!\n");
-       /* Now we have IP address. */
-       length = try_number(data + 3, dlen - 3, array, 4, '.', delim);
-       if (length == 0)
-               return 0;
-
-       DEBUGP("EPRT: Got IP address!\n");
-       /* Start offset includes initial "|1|", and trailing delimiter */
-       return get_port(data, 3 + length + 1, dlen, delim, array+4);
-}
-
-/* Returns 0, or length of numbers: |||6446| */
-static int try_epsv_response(const char *data, size_t dlen, u_int32_t array[6],
-                            char term)
-{
-       char delim;
-
-       /* Three delimiters. */
-       if (dlen <= 3) return 0;
-       delim = data[0];
-       if (isdigit(delim) || delim < 33 || delim > 126
-           || data[1] != delim || data[2] != delim)
-               return 0;
-
-       return get_port(data, 3, dlen, delim, array+4);
-}
-
-/* Return 1 for match, 0 for accept, -1 for partial. */
-static int find_pattern(const char *data, size_t dlen,
-                       const char *pattern, size_t plen,
-                       char skip, char term,
-                       unsigned int *numoff,
-                       unsigned int *numlen,
-                       u_int32_t array[6],
-                       int (*getnum)(const char *, size_t, u_int32_t[], char))
-{
-       size_t i;
-
-       DEBUGP("find_pattern `%s': dlen = %u\n", pattern, dlen);
-       if (dlen == 0)
-               return 0;
-
-       if (dlen <= plen) {
-               /* Short packet: try for partial? */
-               if (strnicmp(data, pattern, dlen) == 0)
-                       return -1;
-               else return 0;
-       }
-
-       if (strnicmp(data, pattern, plen) != 0) {
-#if 0
-               size_t i;
-
-               DEBUGP("ftp: string mismatch\n");
-               for (i = 0; i < plen; i++) {
-                       DEBUGP("ftp:char %u `%c'(%u) vs `%c'(%u)\n",
-                               i, data[i], data[i],
-                               pattern[i], pattern[i]);
-               }
-#endif
-               return 0;
-       }
-
-       DEBUGP("Pattern matches!\n");
-       /* Now we've found the constant string, try to skip
-          to the 'skip' character */
-       for (i = plen; data[i] != skip; i++)
-               if (i == dlen - 1) return -1;
-
-       /* Skip over the last character */
-       i++;
-
-       DEBUGP("Skipped up to `%c'!\n", skip);
-
-       *numoff = i;
-       *numlen = getnum(data + i, dlen - i, array, term);
-       if (!*numlen)
-               return -1;
-
-       DEBUGP("Match succeeded!\n");
-       return 1;
-}
-
-/* Look up to see if we're just after a \n. */
-static int find_nl_seq(u32 seq, const struct ip_ct_ftp_master *info, int dir)
-{
-       unsigned int i;
-
-       for (i = 0; i < info->seq_aft_nl_num[dir]; i++)
-               if (info->seq_aft_nl[dir][i] == seq)
-                       return 1;
-       return 0;
-}
-
-/* We don't update if it's older than what we have. */
-static void update_nl_seq(u32 nl_seq, struct ip_ct_ftp_master *info, int dir,
-                         struct sk_buff *skb)
-{
-       unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
-
-       /* Look for oldest: if we find exact match, we're done. */
-       for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
-               if (info->seq_aft_nl[dir][i] == nl_seq)
-                       return;
-
-               if (oldest == info->seq_aft_nl_num[dir]
-                   || before(info->seq_aft_nl[dir][i], oldest))
-                       oldest = i;
-       }
-
-       if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
-               info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
-               ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
-       } else if (oldest != NUM_SEQ_TO_REMEMBER) {
-               info->seq_aft_nl[dir][oldest] = nl_seq;
-               ip_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb);
-       }
-}
-
-static int help(struct sk_buff **pskb,
-               struct ip_conntrack *ct,
-               enum ip_conntrack_info ctinfo)
-{
-       unsigned int dataoff, datalen;
-       struct tcphdr _tcph, *th;
-       char *fb_ptr;
-       int ret;
-       u32 seq, array[6] = { 0 };
-       int dir = CTINFO2DIR(ctinfo);
-       unsigned int matchlen, matchoff;
-       struct ip_ct_ftp_master *ct_ftp_info = &ct->help.ct_ftp_info;
-       struct ip_conntrack_expect *exp;
-       unsigned int i;
-       int found = 0, ends_in_nl;
-       typeof(ip_nat_ftp_hook) ip_nat_ftp;
-
-       /* Until there's been traffic both ways, don't look in packets. */
-       if (ctinfo != IP_CT_ESTABLISHED
-           && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
-               DEBUGP("ftp: Conntrackinfo = %u\n", ctinfo);
-               return NF_ACCEPT;
-       }
-
-       th = skb_header_pointer(*pskb, ip_hdrlen(*pskb),
-                               sizeof(_tcph), &_tcph);
-       if (th == NULL)
-               return NF_ACCEPT;
-
-       dataoff = ip_hdrlen(*pskb) + th->doff * 4;
-       /* No data? */
-       if (dataoff >= (*pskb)->len) {
-               DEBUGP("ftp: pskblen = %u\n", (*pskb)->len);
-               return NF_ACCEPT;
-       }
-       datalen = (*pskb)->len - dataoff;
-
-       spin_lock_bh(&ip_ftp_lock);
-       fb_ptr = skb_header_pointer(*pskb, dataoff,
-                                   (*pskb)->len - dataoff, ftp_buffer);
-       BUG_ON(fb_ptr == NULL);
-
-       ends_in_nl = (fb_ptr[datalen - 1] == '\n');
-       seq = ntohl(th->seq) + datalen;
-
-       /* Look up to see if we're just after a \n. */
-       if (!find_nl_seq(ntohl(th->seq), ct_ftp_info, dir)) {
-               /* Now if this ends in \n, update ftp info. */
-               DEBUGP("ip_conntrack_ftp_help: wrong seq pos %s(%u) or %s(%u)\n",
-                      ct_ftp_info->seq_aft_nl[0][dir]
-                      old_seq_aft_nl_set ? "":"(UNSET) ", old_seq_aft_nl);
-               ret = NF_ACCEPT;
-               goto out_update_nl;
-       }
-
-       /* Initialize IP array to expected address (it's not mentioned
-          in EPSV responses) */
-       array[0] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 24) & 0xFF;
-       array[1] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 16) & 0xFF;
-       array[2] = (ntohl(ct->tuplehash[dir].tuple.src.ip) >> 8) & 0xFF;
-       array[3] = ntohl(ct->tuplehash[dir].tuple.src.ip) & 0xFF;
-
-       for (i = 0; i < ARRAY_SIZE(search[dir]); i++) {
-               found = find_pattern(fb_ptr, (*pskb)->len - dataoff,
-                                    search[dir][i].pattern,
-                                    search[dir][i].plen,
-                                    search[dir][i].skip,
-                                    search[dir][i].term,
-                                    &matchoff, &matchlen,
-                                    array,
-                                    search[dir][i].getnum);
-               if (found) break;
-       }
-       if (found == -1) {
-               /* We don't usually drop packets.  After all, this is
-                  connection tracking, not packet filtering.
-                  However, it is necessary for accurate tracking in
-                  this case. */
-               if (net_ratelimit())
-                       printk("conntrack_ftp: partial %s %u+%u\n",
-                              search[dir][i].pattern,
-                              ntohl(th->seq), datalen);
-               ret = NF_DROP;
-               goto out;
-       } else if (found == 0) { /* No match */
-               ret = NF_ACCEPT;
-               goto out_update_nl;
-       }
-
-       DEBUGP("conntrack_ftp: match `%s' (%u bytes at %u)\n",
-              fb_ptr + matchoff, matchlen, ntohl(th->seq) + matchoff);
-
-       /* Allocate expectation which will be inserted */
-       exp = ip_conntrack_expect_alloc(ct);
-       if (exp == NULL) {
-               ret = NF_DROP;
-               goto out;
-       }
-
-       /* We refer to the reverse direction ("!dir") tuples here,
-        * because we're expecting something in the other direction.
-        * Doesn't matter unless NAT is happening.  */
-       exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-
-       if (htonl((array[0] << 24) | (array[1] << 16) | (array[2] << 8) | array[3])
-           != ct->tuplehash[dir].tuple.src.ip) {
-               /* Enrico Scholz's passive FTP to partially RNAT'd ftp
-                  server: it really wants us to connect to a
-                  different IP address.  Simply don't record it for
-                  NAT. */
-               DEBUGP("conntrack_ftp: NOT RECORDING: %u,%u,%u,%u != %u.%u.%u.%u\n",
-                      array[0], array[1], array[2], array[3],
-                      NIPQUAD(ct->tuplehash[dir].tuple.src.ip));
-
-               /* Thanks to Cristiano Lincoln Mattos
-                  <lincoln@cesar.org.br> for reporting this potential
-                  problem (DMZ machines opening holes to internal
-                  networks, or the packet filter itself). */
-               if (!loose) {
-                       ret = NF_ACCEPT;
-                       goto out_put_expect;
-               }
-               exp->tuple.dst.ip = htonl((array[0] << 24) | (array[1] << 16)
-                                        | (array[2] << 8) | array[3]);
-       }
-
-       exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       exp->tuple.dst.u.tcp.port = htons(array[4] << 8 | array[5]);
-       exp->tuple.src.u.tcp.port = 0; /* Don't care. */
-       exp->tuple.dst.protonum = IPPROTO_TCP;
-       exp->mask = ((struct ip_conntrack_tuple)
-               { { htonl(0xFFFFFFFF), { 0 } },
-                 { htonl(0xFFFFFFFF), { .tcp = { htons(0xFFFF) } }, 0xFF }});
-
-       exp->expectfn = NULL;
-       exp->flags = 0;
-
-       /* Now, NAT might want to mangle the packet, and register the
-        * (possibly changed) expectation itself. */
-       ip_nat_ftp = rcu_dereference(ip_nat_ftp_hook);
-       if (ip_nat_ftp)
-               ret = ip_nat_ftp(pskb, ctinfo, search[dir][i].ftptype,
-                                matchoff, matchlen, exp, &seq);
-       else {
-               /* Can't expect this?  Best to drop packet now. */
-               if (ip_conntrack_expect_related(exp) != 0)
-                       ret = NF_DROP;
-               else
-                       ret = NF_ACCEPT;
-       }
-
-out_put_expect:
-       ip_conntrack_expect_put(exp);
-
-out_update_nl:
-       /* Now if this ends in \n, update ftp info.  Seq may have been
-        * adjusted by NAT code. */
-       if (ends_in_nl)
-               update_nl_seq(seq, ct_ftp_info,dir, *pskb);
- out:
-       spin_unlock_bh(&ip_ftp_lock);
-       return ret;
-}
-
-static struct ip_conntrack_helper ftp[MAX_PORTS];
-static char ftp_names[MAX_PORTS][sizeof("ftp-65535")];
-
-/* Not __exit: called from init() */
-static void ip_conntrack_ftp_fini(void)
-{
-       int i;
-       for (i = 0; i < ports_c; i++) {
-               DEBUGP("ip_ct_ftp: unregistering helper for port %d\n",
-                               ports[i]);
-               ip_conntrack_helper_unregister(&ftp[i]);
-       }
-
-       kfree(ftp_buffer);
-}
-
-static int __init ip_conntrack_ftp_init(void)
-{
-       int i, ret;
-       char *tmpname;
-
-       ftp_buffer = kmalloc(65536, GFP_KERNEL);
-       if (!ftp_buffer)
-               return -ENOMEM;
-
-       if (ports_c == 0)
-               ports[ports_c++] = FTP_PORT;
-
-       for (i = 0; i < ports_c; i++) {
-               ftp[i].tuple.src.u.tcp.port = htons(ports[i]);
-               ftp[i].tuple.dst.protonum = IPPROTO_TCP;
-               ftp[i].mask.src.u.tcp.port = htons(0xFFFF);
-               ftp[i].mask.dst.protonum = 0xFF;
-               ftp[i].max_expected = 1;
-               ftp[i].timeout = 5 * 60; /* 5 minutes */
-               ftp[i].me = THIS_MODULE;
-               ftp[i].help = help;
-
-               tmpname = &ftp_names[i][0];
-               if (ports[i] == FTP_PORT)
-                       sprintf(tmpname, "ftp");
-               else
-                       sprintf(tmpname, "ftp-%d", ports[i]);
-               ftp[i].name = tmpname;
-
-               DEBUGP("ip_ct_ftp: registering helper for port %d\n",
-                               ports[i]);
-               ret = ip_conntrack_helper_register(&ftp[i]);
-
-               if (ret) {
-                       ip_conntrack_ftp_fini();
-                       return ret;
-               }
-       }
-       return 0;
-}
-
-module_init(ip_conntrack_ftp_init);
-module_exit(ip_conntrack_ftp_fini);
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_h323.c b/net/ipv4/netfilter/ip_conntrack_helper_h323.c
deleted file mode 100644 (file)
index cecb6e0..0000000
+++ /dev/null
@@ -1,1840 +0,0 @@
-/*
- * H.323 connection tracking helper
- *
- * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
- *
- * This source code is licensed under General Public License version 2.
- *
- * Based on the 'brute force' H.323 connection tracking module by
- * Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
- *
- * For more information, please see http://nath323.sourceforge.net/
- */
-
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <net/tcp.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_core.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
-#include <linux/moduleparam.h>
-#include <linux/ctype.h>
-#include <linux/inet.h>
-
-#if 0
-#define DEBUGP printk
-#else
-#define DEBUGP(format, args...)
-#endif
-
-/* Parameters */
-static unsigned int default_rrq_ttl = 300;
-module_param(default_rrq_ttl, uint, 0600);
-MODULE_PARM_DESC(default_rrq_ttl, "use this TTL if it's missing in RRQ");
-
-static int gkrouted_only = 1;
-module_param(gkrouted_only, int, 0600);
-MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
-
-static int callforward_filter = 1;
-module_param(callforward_filter, bool, 0600);
-MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
-                                    "if both endpoints are on different sides "
-                                    "(determined by routing information)");
-
-/* Hooks for NAT */
-int (*set_h245_addr_hook) (struct sk_buff ** pskb,
-                          unsigned char **data, int dataoff,
-                          H245_TransportAddress * addr,
-                          __be32 ip, u_int16_t port);
-int (*set_h225_addr_hook) (struct sk_buff ** pskb,
-                          unsigned char **data, int dataoff,
-                          TransportAddress * addr,
-                          __be32 ip, u_int16_t port);
-int (*set_sig_addr_hook) (struct sk_buff ** pskb,
-                         struct ip_conntrack * ct,
-                         enum ip_conntrack_info ctinfo,
-                         unsigned char **data,
-                         TransportAddress * addr, int count);
-int (*set_ras_addr_hook) (struct sk_buff ** pskb,
-                         struct ip_conntrack * ct,
-                         enum ip_conntrack_info ctinfo,
-                         unsigned char **data,
-                         TransportAddress * addr, int count);
-int (*nat_rtp_rtcp_hook) (struct sk_buff ** pskb,
-                         struct ip_conntrack * ct,
-                         enum ip_conntrack_info ctinfo,
-                         unsigned char **data, int dataoff,
-                         H245_TransportAddress * addr,
-                         u_int16_t port, u_int16_t rtp_port,
-                         struct ip_conntrack_expect * rtp_exp,
-                         struct ip_conntrack_expect * rtcp_exp);
-int (*nat_t120_hook) (struct sk_buff ** pskb,
-                     struct ip_conntrack * ct,
-                     enum ip_conntrack_info ctinfo,
-                     unsigned char **data, int dataoff,
-                     H245_TransportAddress * addr, u_int16_t port,
-                     struct ip_conntrack_expect * exp);
-int (*nat_h245_hook) (struct sk_buff ** pskb,
-                     struct ip_conntrack * ct,
-                     enum ip_conntrack_info ctinfo,
-                     unsigned char **data, int dataoff,
-                     TransportAddress * addr, u_int16_t port,
-                     struct ip_conntrack_expect * exp);
-int (*nat_callforwarding_hook) (struct sk_buff ** pskb,
-                               struct ip_conntrack * ct,
-                               enum ip_conntrack_info ctinfo,
-                               unsigned char **data, int dataoff,
-                               TransportAddress * addr, u_int16_t port,
-                               struct ip_conntrack_expect * exp);
-int (*nat_q931_hook) (struct sk_buff ** pskb,
-                     struct ip_conntrack * ct,
-                     enum ip_conntrack_info ctinfo,
-                     unsigned char **data, TransportAddress * addr, int idx,
-                     u_int16_t port, struct ip_conntrack_expect * exp);
-
-
-static DEFINE_SPINLOCK(ip_h323_lock);
-static char *h323_buffer;
-
-/****************************************************************************/
-static int get_tpkt_data(struct sk_buff **pskb, struct ip_conntrack *ct,
-                        enum ip_conntrack_info ctinfo,
-                        unsigned char **data, int *datalen, int *dataoff)
-{
-       struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
-       int dir = CTINFO2DIR(ctinfo);
-       struct tcphdr _tcph, *th;
-       int tcpdatalen;
-       int tcpdataoff;
-       unsigned char *tpkt;
-       int tpktlen;
-       int tpktoff;
-
-       /* Get TCP header */
-       th = skb_header_pointer(*pskb, ip_hdrlen(*pskb),
-                               sizeof(_tcph), &_tcph);
-       if (th == NULL)
-               return 0;
-
-       /* Get TCP data offset */
-       tcpdataoff = ip_hdrlen(*pskb) + th->doff * 4;
-
-       /* Get TCP data length */
-       tcpdatalen = (*pskb)->len - tcpdataoff;
-       if (tcpdatalen <= 0)    /* No TCP data */
-               goto clear_out;
-
-       if (*data == NULL) {    /* first TPKT */
-               /* Get first TPKT pointer */
-               tpkt = skb_header_pointer(*pskb, tcpdataoff, tcpdatalen,
-                                         h323_buffer);
-               BUG_ON(tpkt == NULL);
-
-               /* Validate TPKT identifier */
-               if (tcpdatalen < 4 || tpkt[0] != 0x03 || tpkt[1] != 0) {
-                       /* Netmeeting sends TPKT header and data separately */
-                       if (info->tpkt_len[dir] > 0) {
-                               DEBUGP("ip_ct_h323: previous packet "
-                                      "indicated separate TPKT data of %hu "
-                                      "bytes\n", info->tpkt_len[dir]);
-                               if (info->tpkt_len[dir] <= tcpdatalen) {
-                                       /* Yes, there was a TPKT header
-                                        * received */
-                                       *data = tpkt;
-                                       *datalen = info->tpkt_len[dir];
-                                       *dataoff = 0;
-                                       goto out;
-                               }
-
-                               /* Fragmented TPKT */
-                               if (net_ratelimit())
-                                       printk("ip_ct_h323: "
-                                              "fragmented TPKT\n");
-                               goto clear_out;
-                       }
-
-                       /* It is not even a TPKT */
-                       return 0;
-               }
-               tpktoff = 0;
-       } else {                /* Next TPKT */
-               tpktoff = *dataoff + *datalen;
-               tcpdatalen -= tpktoff;
-               if (tcpdatalen <= 4)    /* No more TPKT */
-                       goto clear_out;
-               tpkt = *data + *datalen;
-
-               /* Validate TPKT identifier */
-               if (tpkt[0] != 0x03 || tpkt[1] != 0)
-                       goto clear_out;
-       }
-
-       /* Validate TPKT length */
-       tpktlen = tpkt[2] * 256 + tpkt[3];
-       if (tpktlen < 4)
-               goto clear_out;
-       if (tpktlen > tcpdatalen) {
-               if (tcpdatalen == 4) {  /* Separate TPKT header */
-                       /* Netmeeting sends TPKT header and data separately */
-                       DEBUGP("ip_ct_h323: separate TPKT header indicates "
-                              "there will be TPKT data of %hu bytes\n",
-                              tpktlen - 4);
-                       info->tpkt_len[dir] = tpktlen - 4;
-                       return 0;
-               }
-
-               if (net_ratelimit())
-                       printk("ip_ct_h323: incomplete TPKT (fragmented?)\n");
-               goto clear_out;
-       }
-
-       /* This is the encapsulated data */
-       *data = tpkt + 4;
-       *datalen = tpktlen - 4;
-       *dataoff = tpktoff + 4;
-
-      out:
-       /* Clear TPKT length */
-       info->tpkt_len[dir] = 0;
-       return 1;
-
-      clear_out:
-       info->tpkt_len[dir] = 0;
-       return 0;
-}
-
-/****************************************************************************/
-static int get_h245_addr(unsigned char *data, H245_TransportAddress * addr,
-                        __be32 * ip, u_int16_t * port)
-{
-       unsigned char *p;
-
-       if (addr->choice != eH245_TransportAddress_unicastAddress ||
-           addr->unicastAddress.choice != eUnicastAddress_iPAddress)
-               return 0;
-
-       p = data + addr->unicastAddress.iPAddress.network;
-       *ip = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3]));
-       *port = (p[4] << 8) | (p[5]);
-
-       return 1;
-}
-
-/****************************************************************************/
-static int expect_rtp_rtcp(struct sk_buff **pskb, struct ip_conntrack *ct,
-                          enum ip_conntrack_info ctinfo,
-                          unsigned char **data, int dataoff,
-                          H245_TransportAddress * addr)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       __be32 ip;
-       u_int16_t port;
-       u_int16_t rtp_port;
-       struct ip_conntrack_expect *rtp_exp;
-       struct ip_conntrack_expect *rtcp_exp;
-       typeof(nat_rtp_rtcp_hook) nat_rtp_rtcp;
-
-       /* Read RTP or RTCP address */
-       if (!get_h245_addr(*data, addr, &ip, &port) ||
-           ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
-               return 0;
-
-       /* RTP port is even */
-       rtp_port = port & (~1);
-
-       /* Create expect for RTP */
-       if ((rtp_exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       rtp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       rtp_exp->tuple.src.u.udp.port = 0;
-       rtp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-       rtp_exp->tuple.dst.u.udp.port = htons(rtp_port);
-       rtp_exp->tuple.dst.protonum = IPPROTO_UDP;
-       rtp_exp->mask.src.ip = htonl(0xFFFFFFFF);
-       rtp_exp->mask.src.u.udp.port = 0;
-       rtp_exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       rtp_exp->mask.dst.u.udp.port = htons(0xFFFF);
-       rtp_exp->mask.dst.protonum = 0xFF;
-       rtp_exp->flags = 0;
-
-       /* Create expect for RTCP */
-       if ((rtcp_exp = ip_conntrack_expect_alloc(ct)) == NULL) {
-               ip_conntrack_expect_put(rtp_exp);
-               return -1;
-       }
-       rtcp_exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       rtcp_exp->tuple.src.u.udp.port = 0;
-       rtcp_exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-       rtcp_exp->tuple.dst.u.udp.port = htons(rtp_port + 1);
-       rtcp_exp->tuple.dst.protonum = IPPROTO_UDP;
-       rtcp_exp->mask.src.ip = htonl(0xFFFFFFFF);
-       rtcp_exp->mask.src.u.udp.port = 0;
-       rtcp_exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       rtcp_exp->mask.dst.u.udp.port = htons(0xFFFF);
-       rtcp_exp->mask.dst.protonum = 0xFF;
-       rtcp_exp->flags = 0;
-
-       if (ct->tuplehash[dir].tuple.src.ip !=
-           ct->tuplehash[!dir].tuple.dst.ip &&
-           (nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook))) {
-               /* NAT needed */
-               ret = nat_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
-                                  addr, port, rtp_port, rtp_exp, rtcp_exp);
-       } else {                /* Conntrack only */
-               rtp_exp->expectfn = NULL;
-               rtcp_exp->expectfn = NULL;
-
-               if (ip_conntrack_expect_related(rtp_exp) == 0) {
-                       if (ip_conntrack_expect_related(rtcp_exp) == 0) {
-                               DEBUGP("ip_ct_h323: expect RTP "
-                                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                                      NIPQUAD(rtp_exp->tuple.src.ip),
-                                      ntohs(rtp_exp->tuple.src.u.udp.port),
-                                      NIPQUAD(rtp_exp->tuple.dst.ip),
-                                      ntohs(rtp_exp->tuple.dst.u.udp.port));
-                               DEBUGP("ip_ct_h323: expect RTCP "
-                                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                                      NIPQUAD(rtcp_exp->tuple.src.ip),
-                                      ntohs(rtcp_exp->tuple.src.u.udp.port),
-                                      NIPQUAD(rtcp_exp->tuple.dst.ip),
-                                      ntohs(rtcp_exp->tuple.dst.u.udp.port));
-                       } else {
-                               ip_conntrack_unexpect_related(rtp_exp);
-                               ret = -1;
-                       }
-               } else
-                       ret = -1;
-       }
-
-       ip_conntrack_expect_put(rtp_exp);
-       ip_conntrack_expect_put(rtcp_exp);
-
-       return ret;
-}
-
-/****************************************************************************/
-static int expect_t120(struct sk_buff **pskb,
-                      struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, int dataoff,
-                      H245_TransportAddress * addr)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       __be32 ip;
-       u_int16_t port;
-       struct ip_conntrack_expect *exp = NULL;
-       typeof(nat_t120_hook) nat_t120;
-
-       /* Read T.120 address */
-       if (!get_h245_addr(*data, addr, &ip, &port) ||
-           ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
-               return 0;
-
-       /* Create expect for T.120 connections */
-       if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       exp->tuple.src.u.tcp.port = 0;
-       exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-       exp->tuple.dst.u.tcp.port = htons(port);
-       exp->tuple.dst.protonum = IPPROTO_TCP;
-       exp->mask.src.ip = htonl(0xFFFFFFFF);
-       exp->mask.src.u.tcp.port = 0;
-       exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.tcp.port = htons(0xFFFF);
-       exp->mask.dst.protonum = 0xFF;
-       exp->flags = IP_CT_EXPECT_PERMANENT;    /* Accept multiple channels */
-
-       if (ct->tuplehash[dir].tuple.src.ip !=
-           ct->tuplehash[!dir].tuple.dst.ip &&
-           (nat_t120 = rcu_dereference(nat_t120_hook))) {
-               /* NAT needed */
-               ret = nat_t120(pskb, ct, ctinfo, data, dataoff, addr,
-                              port, exp);
-       } else {                /* Conntrack only */
-               exp->expectfn = NULL;
-               if (ip_conntrack_expect_related(exp) == 0) {
-                       DEBUGP("ip_ct_h323: expect T.120 "
-                              "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                              NIPQUAD(exp->tuple.src.ip),
-                              ntohs(exp->tuple.src.u.tcp.port),
-                              NIPQUAD(exp->tuple.dst.ip),
-                              ntohs(exp->tuple.dst.u.tcp.port));
-               } else
-                       ret = -1;
-       }
-
-       ip_conntrack_expect_put(exp);
-
-       return ret;
-}
-
-/****************************************************************************/
-static int process_h245_channel(struct sk_buff **pskb,
-                               struct ip_conntrack *ct,
-                               enum ip_conntrack_info ctinfo,
-                               unsigned char **data, int dataoff,
-                               H2250LogicalChannelParameters * channel)
-{
-       int ret;
-
-       if (channel->options & eH2250LogicalChannelParameters_mediaChannel) {
-               /* RTP */
-               ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
-                                     &channel->mediaChannel);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (channel->
-           options & eH2250LogicalChannelParameters_mediaControlChannel) {
-               /* RTCP */
-               ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
-                                     &channel->mediaControlChannel);
-               if (ret < 0)
-                       return -1;
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_olc(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, int dataoff,
-                      OpenLogicalChannel * olc)
-{
-       int ret;
-
-       DEBUGP("ip_ct_h323: OpenLogicalChannel\n");
-
-       if (olc->forwardLogicalChannelParameters.multiplexParameters.choice ==
-           eOpenLogicalChannel_forwardLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters)
-       {
-               ret = process_h245_channel(pskb, ct, ctinfo, data, dataoff,
-                                          &olc->
-                                          forwardLogicalChannelParameters.
-                                          multiplexParameters.
-                                          h2250LogicalChannelParameters);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if ((olc->options &
-            eOpenLogicalChannel_reverseLogicalChannelParameters) &&
-           (olc->reverseLogicalChannelParameters.options &
-            eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters)
-           && (olc->reverseLogicalChannelParameters.multiplexParameters.
-               choice ==
-               eOpenLogicalChannel_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
-       {
-               ret =
-                   process_h245_channel(pskb, ct, ctinfo, data, dataoff,
-                                        &olc->
-                                        reverseLogicalChannelParameters.
-                                        multiplexParameters.
-                                        h2250LogicalChannelParameters);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if ((olc->options & eOpenLogicalChannel_separateStack) &&
-           olc->forwardLogicalChannelParameters.dataType.choice ==
-           eDataType_data &&
-           olc->forwardLogicalChannelParameters.dataType.data.application.
-           choice == eDataApplicationCapability_application_t120 &&
-           olc->forwardLogicalChannelParameters.dataType.data.application.
-           t120.choice == eDataProtocolCapability_separateLANStack &&
-           olc->separateStack.networkAddress.choice ==
-           eNetworkAccessParameters_networkAddress_localAreaAddress) {
-               ret = expect_t120(pskb, ct, ctinfo, data, dataoff,
-                                 &olc->separateStack.networkAddress.
-                                 localAreaAddress);
-               if (ret < 0)
-                       return -1;
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_olca(struct sk_buff **pskb, struct ip_conntrack *ct,
-                       enum ip_conntrack_info ctinfo,
-                       unsigned char **data, int dataoff,
-                       OpenLogicalChannelAck * olca)
-{
-       H2250LogicalChannelAckParameters *ack;
-       int ret;
-
-       DEBUGP("ip_ct_h323: OpenLogicalChannelAck\n");
-
-       if ((olca->options &
-            eOpenLogicalChannelAck_reverseLogicalChannelParameters) &&
-           (olca->reverseLogicalChannelParameters.options &
-            eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters)
-           && (olca->reverseLogicalChannelParameters.multiplexParameters.
-               choice ==
-               eOpenLogicalChannelAck_reverseLogicalChannelParameters_multiplexParameters_h2250LogicalChannelParameters))
-       {
-               ret = process_h245_channel(pskb, ct, ctinfo, data, dataoff,
-                                          &olca->
-                                          reverseLogicalChannelParameters.
-                                          multiplexParameters.
-                                          h2250LogicalChannelParameters);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if ((olca->options &
-            eOpenLogicalChannelAck_forwardMultiplexAckParameters) &&
-           (olca->forwardMultiplexAckParameters.choice ==
-            eOpenLogicalChannelAck_forwardMultiplexAckParameters_h2250LogicalChannelAckParameters))
-       {
-               ack = &olca->forwardMultiplexAckParameters.
-                   h2250LogicalChannelAckParameters;
-               if (ack->options &
-                   eH2250LogicalChannelAckParameters_mediaChannel) {
-                       /* RTP */
-                       ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
-                                             &ack->mediaChannel);
-                       if (ret < 0)
-                               return -1;
-               }
-
-               if (ack->options &
-                   eH2250LogicalChannelAckParameters_mediaControlChannel) {
-                       /* RTCP */
-                       ret = expect_rtp_rtcp(pskb, ct, ctinfo, data, dataoff,
-                                             &ack->mediaControlChannel);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_h245(struct sk_buff **pskb, struct ip_conntrack *ct,
-                       enum ip_conntrack_info ctinfo,
-                       unsigned char **data, int dataoff,
-                       MultimediaSystemControlMessage * mscm)
-{
-       switch (mscm->choice) {
-       case eMultimediaSystemControlMessage_request:
-               if (mscm->request.choice ==
-                   eRequestMessage_openLogicalChannel) {
-                       return process_olc(pskb, ct, ctinfo, data, dataoff,
-                                          &mscm->request.openLogicalChannel);
-               }
-               DEBUGP("ip_ct_h323: H.245 Request %d\n",
-                      mscm->request.choice);
-               break;
-       case eMultimediaSystemControlMessage_response:
-               if (mscm->response.choice ==
-                   eResponseMessage_openLogicalChannelAck) {
-                       return process_olca(pskb, ct, ctinfo, data, dataoff,
-                                           &mscm->response.
-                                           openLogicalChannelAck);
-               }
-               DEBUGP("ip_ct_h323: H.245 Response %d\n",
-                      mscm->response.choice);
-               break;
-       default:
-               DEBUGP("ip_ct_h323: H.245 signal %d\n", mscm->choice);
-               break;
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int h245_help(struct sk_buff **pskb, struct ip_conntrack *ct,
-                    enum ip_conntrack_info ctinfo)
-{
-       static MultimediaSystemControlMessage mscm;
-       unsigned char *data = NULL;
-       int datalen;
-       int dataoff;
-       int ret;
-
-       /* Until there's been traffic both ways, don't look in packets. */
-       if (ctinfo != IP_CT_ESTABLISHED
-           && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
-               return NF_ACCEPT;
-       }
-       DEBUGP("ip_ct_h245: skblen = %u\n", (*pskb)->len);
-
-       spin_lock_bh(&ip_h323_lock);
-
-       /* Process each TPKT */
-       while (get_tpkt_data(pskb, ct, ctinfo, &data, &datalen, &dataoff)) {
-               DEBUGP("ip_ct_h245: TPKT %u.%u.%u.%u->%u.%u.%u.%u, len=%d\n",
-                      NIPQUAD(ip_hdr(*pskb)->saddr),
-                      NIPQUAD(ip_hdr(*pskb)->daddr), datalen);
-
-               /* Decode H.245 signal */
-               ret = DecodeMultimediaSystemControlMessage(data, datalen,
-                                                          &mscm);
-               if (ret < 0) {
-                       if (net_ratelimit())
-                               printk("ip_ct_h245: decoding error: %s\n",
-                                      ret == H323_ERROR_BOUND ?
-                                      "out of bound" : "out of range");
-                       /* We don't drop when decoding error */
-                       break;
-               }
-
-               /* Process H.245 signal */
-               if (process_h245(pskb, ct, ctinfo, &data, dataoff, &mscm) < 0)
-                       goto drop;
-       }
-
-       spin_unlock_bh(&ip_h323_lock);
-       return NF_ACCEPT;
-
-      drop:
-       spin_unlock_bh(&ip_h323_lock);
-       if (net_ratelimit())
-               printk("ip_ct_h245: packet dropped\n");
-       return NF_DROP;
-}
-
-/****************************************************************************/
-static struct ip_conntrack_helper ip_conntrack_helper_h245 = {
-       .name = "H.245",
-       .me = THIS_MODULE,
-       .max_expected = H323_RTP_CHANNEL_MAX * 4 + 2 /* T.120 */ ,
-       .timeout = 240,
-       .tuple = {.dst = {.protonum = IPPROTO_TCP}},
-       .mask = {.src = {.u = {0xFFFF}},
-                .dst = {.protonum = 0xFF}},
-       .help = h245_help
-};
-
-/****************************************************************************/
-void ip_conntrack_h245_expect(struct ip_conntrack *new,
-                             struct ip_conntrack_expect *this)
-{
-       write_lock_bh(&ip_conntrack_lock);
-       new->helper = &ip_conntrack_helper_h245;
-       write_unlock_bh(&ip_conntrack_lock);
-}
-
-/****************************************************************************/
-int get_h225_addr(unsigned char *data, TransportAddress * addr,
-                 __be32 * ip, u_int16_t * port)
-{
-       unsigned char *p;
-
-       if (addr->choice != eTransportAddress_ipAddress)
-               return 0;
-
-       p = data + addr->ipAddress.ip;
-       *ip = htonl((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | (p[3]));
-       *port = (p[4] << 8) | (p[5]);
-
-       return 1;
-}
-
-/****************************************************************************/
-static int expect_h245(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, int dataoff,
-                      TransportAddress * addr)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       __be32 ip;
-       u_int16_t port;
-       struct ip_conntrack_expect *exp = NULL;
-       typeof(nat_h245_hook) nat_h245;
-
-       /* Read h245Address */
-       if (!get_h225_addr(*data, addr, &ip, &port) ||
-           ip != ct->tuplehash[dir].tuple.src.ip || port == 0)
-               return 0;
-
-       /* Create expect for h245 connection */
-       if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       exp->tuple.src.u.tcp.port = 0;
-       exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-       exp->tuple.dst.u.tcp.port = htons(port);
-       exp->tuple.dst.protonum = IPPROTO_TCP;
-       exp->mask.src.ip = htonl(0xFFFFFFFF);
-       exp->mask.src.u.tcp.port = 0;
-       exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.tcp.port = htons(0xFFFF);
-       exp->mask.dst.protonum = 0xFF;
-       exp->flags = 0;
-
-       if (ct->tuplehash[dir].tuple.src.ip !=
-           ct->tuplehash[!dir].tuple.dst.ip &&
-           (nat_h245 = rcu_dereference(nat_h245_hook))) {
-               /* NAT needed */
-               ret = nat_h245(pskb, ct, ctinfo, data, dataoff, addr,
-                              port, exp);
-       } else {                /* Conntrack only */
-               exp->expectfn = ip_conntrack_h245_expect;
-
-               if (ip_conntrack_expect_related(exp) == 0) {
-                       DEBUGP("ip_ct_q931: expect H.245 "
-                              "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                              NIPQUAD(exp->tuple.src.ip),
-                              ntohs(exp->tuple.src.u.tcp.port),
-                              NIPQUAD(exp->tuple.dst.ip),
-                              ntohs(exp->tuple.dst.u.tcp.port));
-               } else
-                       ret = -1;
-       }
-
-       ip_conntrack_expect_put(exp);
-
-       return ret;
-}
-
-/* Forwarding declaration */
-void ip_conntrack_q931_expect(struct ip_conntrack *new,
-                             struct ip_conntrack_expect *this);
-
-/****************************************************************************/
-static int expect_callforwarding(struct sk_buff **pskb,
-                                struct ip_conntrack *ct,
-                                enum ip_conntrack_info ctinfo,
-                                unsigned char **data, int dataoff,
-                                TransportAddress * addr)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       __be32 ip;
-       u_int16_t port;
-       struct ip_conntrack_expect *exp = NULL;
-       typeof(nat_callforwarding_hook) nat_callforwarding;
-
-       /* Read alternativeAddress */
-       if (!get_h225_addr(*data, addr, &ip, &port) || port == 0)
-               return 0;
-
-       /* If the calling party is on the same side of the forward-to party,
-        * we don't need to track the second call */
-       if (callforward_filter) {
-               struct rtable *rt1, *rt2;
-               struct flowi fl1 = {
-                       .fl4_dst = ip,
-               };
-               struct flowi fl2 = {
-                       .fl4_dst = ct->tuplehash[!dir].tuple.src.ip,
-               };
-
-               if (ip_route_output_key(&rt1, &fl1) == 0) {
-                       if (ip_route_output_key(&rt2, &fl2) == 0) {
-                               if (rt1->rt_gateway == rt2->rt_gateway &&
-                                   rt1->u.dst.dev  == rt2->u.dst.dev)
-                                       ret = 1;
-                               dst_release(&rt2->u.dst);
-                       }
-                       dst_release(&rt1->u.dst);
-               }
-               if (ret) {
-                       DEBUGP("ip_ct_q931: Call Forwarding not tracked\n");
-                       return 0;
-               }
-       }
-
-       /* Create expect for the second call leg */
-       if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       exp->tuple.src.u.tcp.port = 0;
-       exp->tuple.dst.ip = ip;
-       exp->tuple.dst.u.tcp.port = htons(port);
-       exp->tuple.dst.protonum = IPPROTO_TCP;
-       exp->mask.src.ip = htonl(0xFFFFFFFF);
-       exp->mask.src.u.tcp.port = 0;
-       exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.tcp.port = htons(0xFFFF);
-       exp->mask.dst.protonum = 0xFF;
-       exp->flags = 0;
-
-       if (ct->tuplehash[dir].tuple.src.ip !=
-           ct->tuplehash[!dir].tuple.dst.ip &&
-           (nat_callforwarding = rcu_dereference(nat_callforwarding_hook))) {
-               /* Need NAT */
-               ret = nat_callforwarding(pskb, ct, ctinfo, data, dataoff,
-                                        addr, port, exp);
-       } else {                /* Conntrack only */
-               exp->expectfn = ip_conntrack_q931_expect;
-
-               if (ip_conntrack_expect_related(exp) == 0) {
-                       DEBUGP("ip_ct_q931: expect Call Forwarding "
-                              "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                              NIPQUAD(exp->tuple.src.ip),
-                              ntohs(exp->tuple.src.u.tcp.port),
-                              NIPQUAD(exp->tuple.dst.ip),
-                              ntohs(exp->tuple.dst.u.tcp.port));
-               } else
-                       ret = -1;
-       }
-
-       ip_conntrack_expect_put(exp);
-
-       return ret;
-}
-
-/****************************************************************************/
-static int process_setup(struct sk_buff **pskb, struct ip_conntrack *ct,
-                        enum ip_conntrack_info ctinfo,
-                        unsigned char **data, int dataoff,
-                        Setup_UUIE * setup)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret;
-       int i;
-       __be32 ip;
-       u_int16_t port;
-       typeof(set_h225_addr_hook) set_h225_addr;
-
-       DEBUGP("ip_ct_q931: Setup\n");
-
-       if (setup->options & eSetup_UUIE_h245Address) {
-               ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
-                                 &setup->h245Address);
-               if (ret < 0)
-                       return -1;
-       }
-
-       set_h225_addr = rcu_dereference(set_h225_addr_hook);
-
-       if ((setup->options & eSetup_UUIE_destCallSignalAddress) &&
-           (set_h225_addr) &&
-           get_h225_addr(*data, &setup->destCallSignalAddress, &ip, &port) &&
-           ip != ct->tuplehash[!dir].tuple.src.ip) {
-               DEBUGP("ip_ct_q931: set destCallSignalAddress "
-                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                      NIPQUAD(ip), port,
-                      NIPQUAD(ct->tuplehash[!dir].tuple.src.ip),
-                      ntohs(ct->tuplehash[!dir].tuple.src.u.tcp.port));
-               ret = set_h225_addr(pskb, data, dataoff,
-                                   &setup->destCallSignalAddress,
-                                   ct->tuplehash[!dir].tuple.src.ip,
-                                   ntohs(ct->tuplehash[!dir].tuple.src.
-                                         u.tcp.port));
-               if (ret < 0)
-                       return -1;
-       }
-
-       if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) &&
-           (set_h225_addr) &&
-           get_h225_addr(*data, &setup->sourceCallSignalAddress, &ip, &port)
-           && ip != ct->tuplehash[!dir].tuple.dst.ip) {
-               DEBUGP("ip_ct_q931: set sourceCallSignalAddress "
-                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                      NIPQUAD(ip), port,
-                      NIPQUAD(ct->tuplehash[!dir].tuple.dst.ip),
-                      ntohs(ct->tuplehash[!dir].tuple.dst.u.tcp.port));
-               ret = set_h225_addr(pskb, data, dataoff,
-                                   &setup->sourceCallSignalAddress,
-                                   ct->tuplehash[!dir].tuple.dst.ip,
-                                   ntohs(ct->tuplehash[!dir].tuple.dst.
-                                         u.tcp.port));
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (setup->options & eSetup_UUIE_fastStart) {
-               for (i = 0; i < setup->fastStart.count; i++) {
-                       ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-                                         &setup->fastStart.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_callproceeding(struct sk_buff **pskb,
-                                 struct ip_conntrack *ct,
-                                 enum ip_conntrack_info ctinfo,
-                                 unsigned char **data, int dataoff,
-                                 CallProceeding_UUIE * callproc)
-{
-       int ret;
-       int i;
-
-       DEBUGP("ip_ct_q931: CallProceeding\n");
-
-       if (callproc->options & eCallProceeding_UUIE_h245Address) {
-               ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
-                                 &callproc->h245Address);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (callproc->options & eCallProceeding_UUIE_fastStart) {
-               for (i = 0; i < callproc->fastStart.count; i++) {
-                       ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-                                         &callproc->fastStart.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_connect(struct sk_buff **pskb, struct ip_conntrack *ct,
-                          enum ip_conntrack_info ctinfo,
-                          unsigned char **data, int dataoff,
-                          Connect_UUIE * connect)
-{
-       int ret;
-       int i;
-
-       DEBUGP("ip_ct_q931: Connect\n");
-
-       if (connect->options & eConnect_UUIE_h245Address) {
-               ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
-                                 &connect->h245Address);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (connect->options & eConnect_UUIE_fastStart) {
-               for (i = 0; i < connect->fastStart.count; i++) {
-                       ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-                                         &connect->fastStart.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_alerting(struct sk_buff **pskb, struct ip_conntrack *ct,
-                           enum ip_conntrack_info ctinfo,
-                           unsigned char **data, int dataoff,
-                           Alerting_UUIE * alert)
-{
-       int ret;
-       int i;
-
-       DEBUGP("ip_ct_q931: Alerting\n");
-
-       if (alert->options & eAlerting_UUIE_h245Address) {
-               ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
-                                 &alert->h245Address);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (alert->options & eAlerting_UUIE_fastStart) {
-               for (i = 0; i < alert->fastStart.count; i++) {
-                       ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-                                         &alert->fastStart.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_information(struct sk_buff **pskb,
-                              struct ip_conntrack *ct,
-                              enum ip_conntrack_info ctinfo,
-                              unsigned char **data, int dataoff,
-                              Information_UUIE * info)
-{
-       int ret;
-       int i;
-
-       DEBUGP("ip_ct_q931: Information\n");
-
-       if (info->options & eInformation_UUIE_fastStart) {
-               for (i = 0; i < info->fastStart.count; i++) {
-                       ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-                                         &info->fastStart.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_facility(struct sk_buff **pskb, struct ip_conntrack *ct,
-                           enum ip_conntrack_info ctinfo,
-                           unsigned char **data, int dataoff,
-                           Facility_UUIE * facility)
-{
-       int ret;
-       int i;
-
-       DEBUGP("ip_ct_q931: Facility\n");
-
-       if (facility->reason.choice == eFacilityReason_callForwarded) {
-               if (facility->options & eFacility_UUIE_alternativeAddress)
-                       return expect_callforwarding(pskb, ct, ctinfo, data,
-                                                    dataoff,
-                                                    &facility->
-                                                    alternativeAddress);
-               return 0;
-       }
-
-       if (facility->options & eFacility_UUIE_h245Address) {
-               ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
-                                 &facility->h245Address);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (facility->options & eFacility_UUIE_fastStart) {
-               for (i = 0; i < facility->fastStart.count; i++) {
-                       ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-                                         &facility->fastStart.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_progress(struct sk_buff **pskb, struct ip_conntrack *ct,
-                           enum ip_conntrack_info ctinfo,
-                           unsigned char **data, int dataoff,
-                           Progress_UUIE * progress)
-{
-       int ret;
-       int i;
-
-       DEBUGP("ip_ct_q931: Progress\n");
-
-       if (progress->options & eProgress_UUIE_h245Address) {
-               ret = expect_h245(pskb, ct, ctinfo, data, dataoff,
-                                 &progress->h245Address);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (progress->options & eProgress_UUIE_fastStart) {
-               for (i = 0; i < progress->fastStart.count; i++) {
-                       ret = process_olc(pskb, ct, ctinfo, data, dataoff,
-                                         &progress->fastStart.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_q931(struct sk_buff **pskb, struct ip_conntrack *ct,
-                       enum ip_conntrack_info ctinfo,
-                       unsigned char **data, int dataoff, Q931 * q931)
-{
-       H323_UU_PDU *pdu = &q931->UUIE.h323_uu_pdu;
-       int i;
-       int ret = 0;
-
-       switch (pdu->h323_message_body.choice) {
-       case eH323_UU_PDU_h323_message_body_setup:
-               ret = process_setup(pskb, ct, ctinfo, data, dataoff,
-                                   &pdu->h323_message_body.setup);
-               break;
-       case eH323_UU_PDU_h323_message_body_callProceeding:
-               ret = process_callproceeding(pskb, ct, ctinfo, data, dataoff,
-                                            &pdu->h323_message_body.
-                                            callProceeding);
-               break;
-       case eH323_UU_PDU_h323_message_body_connect:
-               ret = process_connect(pskb, ct, ctinfo, data, dataoff,
-                                     &pdu->h323_message_body.connect);
-               break;
-       case eH323_UU_PDU_h323_message_body_alerting:
-               ret = process_alerting(pskb, ct, ctinfo, data, dataoff,
-                                      &pdu->h323_message_body.alerting);
-               break;
-       case eH323_UU_PDU_h323_message_body_information:
-               ret = process_information(pskb, ct, ctinfo, data, dataoff,
-                                         &pdu->h323_message_body.
-                                         information);
-               break;
-       case eH323_UU_PDU_h323_message_body_facility:
-               ret = process_facility(pskb, ct, ctinfo, data, dataoff,
-                                      &pdu->h323_message_body.facility);
-               break;
-       case eH323_UU_PDU_h323_message_body_progress:
-               ret = process_progress(pskb, ct, ctinfo, data, dataoff,
-                                      &pdu->h323_message_body.progress);
-               break;
-       default:
-               DEBUGP("ip_ct_q931: Q.931 signal %d\n",
-                      pdu->h323_message_body.choice);
-               break;
-       }
-
-       if (ret < 0)
-               return -1;
-
-       if (pdu->options & eH323_UU_PDU_h245Control) {
-               for (i = 0; i < pdu->h245Control.count; i++) {
-                       ret = process_h245(pskb, ct, ctinfo, data, dataoff,
-                                          &pdu->h245Control.item[i]);
-                       if (ret < 0)
-                               return -1;
-               }
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int q931_help(struct sk_buff **pskb, struct ip_conntrack *ct,
-                    enum ip_conntrack_info ctinfo)
-{
-       static Q931 q931;
-       unsigned char *data = NULL;
-       int datalen;
-       int dataoff;
-       int ret;
-
-       /* Until there's been traffic both ways, don't look in packets. */
-       if (ctinfo != IP_CT_ESTABLISHED
-           && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
-               return NF_ACCEPT;
-       }
-       DEBUGP("ip_ct_q931: skblen = %u\n", (*pskb)->len);
-
-       spin_lock_bh(&ip_h323_lock);
-
-       /* Process each TPKT */
-       while (get_tpkt_data(pskb, ct, ctinfo, &data, &datalen, &dataoff)) {
-               DEBUGP("ip_ct_q931: TPKT %u.%u.%u.%u->%u.%u.%u.%u, len=%d\n",
-                      NIPQUAD(ip_hdr(*pskb)->saddr),
-                      NIPQUAD(ip_hdr(*pskb)->daddr), datalen);
-
-               /* Decode Q.931 signal */
-               ret = DecodeQ931(data, datalen, &q931);
-               if (ret < 0) {
-                       if (net_ratelimit())
-                               printk("ip_ct_q931: decoding error: %s\n",
-                                      ret == H323_ERROR_BOUND ?
-                                      "out of bound" : "out of range");
-                       /* We don't drop when decoding error */
-                       break;
-               }
-
-               /* Process Q.931 signal */
-               if (process_q931(pskb, ct, ctinfo, &data, dataoff, &q931) < 0)
-                       goto drop;
-       }
-
-       spin_unlock_bh(&ip_h323_lock);
-       return NF_ACCEPT;
-
-      drop:
-       spin_unlock_bh(&ip_h323_lock);
-       if (net_ratelimit())
-               printk("ip_ct_q931: packet dropped\n");
-       return NF_DROP;
-}
-
-/****************************************************************************/
-static struct ip_conntrack_helper ip_conntrack_helper_q931 = {
-       .name = "Q.931",
-       .me = THIS_MODULE,
-       .max_expected = H323_RTP_CHANNEL_MAX * 4 + 4 /* T.120 and H.245 */ ,
-       .timeout = 240,
-       .tuple = {.src = {.u = {.tcp = {.port = __constant_htons(Q931_PORT)}}},
-                 .dst = {.protonum = IPPROTO_TCP}},
-       .mask = {.src = {.u = {0xFFFF}},
-                .dst = {.protonum = 0xFF}},
-       .help = q931_help
-};
-
-/****************************************************************************/
-void ip_conntrack_q931_expect(struct ip_conntrack *new,
-                             struct ip_conntrack_expect *this)
-{
-       write_lock_bh(&ip_conntrack_lock);
-       new->helper = &ip_conntrack_helper_q931;
-       write_unlock_bh(&ip_conntrack_lock);
-}
-
-/****************************************************************************/
-static unsigned char *get_udp_data(struct sk_buff **pskb, int *datalen)
-{
-       struct udphdr _uh, *uh;
-       int dataoff;
-
-       uh = skb_header_pointer(*pskb, ip_hdrlen(*pskb), sizeof(_uh), &_uh);
-       if (uh == NULL)
-               return NULL;
-       dataoff = ip_hdrlen(*pskb) + sizeof(_uh);
-       if (dataoff >= (*pskb)->len)
-               return NULL;
-       *datalen = (*pskb)->len - dataoff;
-       return skb_header_pointer(*pskb, dataoff, *datalen, h323_buffer);
-}
-
-/****************************************************************************/
-static struct ip_conntrack_expect *find_expect(struct ip_conntrack *ct,
-                                              __be32 ip, u_int16_t port)
-{
-       struct ip_conntrack_expect *exp;
-       struct ip_conntrack_tuple tuple;
-
-       tuple.src.ip = 0;
-       tuple.src.u.tcp.port = 0;
-       tuple.dst.ip = ip;
-       tuple.dst.u.tcp.port = htons(port);
-       tuple.dst.protonum = IPPROTO_TCP;
-
-       exp = __ip_conntrack_expect_find(&tuple);
-       if (exp && exp->master == ct)
-               return exp;
-       return NULL;
-}
-
-/****************************************************************************/
-static int set_expect_timeout(struct ip_conntrack_expect *exp,
-                             unsigned timeout)
-{
-       if (!exp || !del_timer(&exp->timeout))
-               return 0;
-
-       exp->timeout.expires = jiffies + timeout * HZ;
-       add_timer(&exp->timeout);
-
-       return 1;
-}
-
-/****************************************************************************/
-static int expect_q931(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data,
-                      TransportAddress * addr, int count)
-{
-       struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       int i;
-       __be32 ip;
-       u_int16_t port;
-       struct ip_conntrack_expect *exp;
-       typeof(nat_q931_hook) nat_q931;
-
-       /* Look for the first related address */
-       for (i = 0; i < count; i++) {
-               if (get_h225_addr(*data, &addr[i], &ip, &port) &&
-                   ip == ct->tuplehash[dir].tuple.src.ip && port != 0)
-                       break;
-       }
-
-       if (i >= count)         /* Not found */
-               return 0;
-
-       /* Create expect for Q.931 */
-       if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       exp->tuple.src.ip = gkrouted_only ?     /* only accept calls from GK? */
-           ct->tuplehash[!dir].tuple.src.ip : 0;
-       exp->tuple.src.u.tcp.port = 0;
-       exp->tuple.dst.ip = ct->tuplehash[!dir].tuple.dst.ip;
-       exp->tuple.dst.u.tcp.port = htons(port);
-       exp->tuple.dst.protonum = IPPROTO_TCP;
-       exp->mask.src.ip = gkrouted_only ? htonl(0xFFFFFFFF) : 0;
-       exp->mask.src.u.tcp.port = 0;
-       exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.tcp.port = htons(0xFFFF);
-       exp->mask.dst.protonum = 0xFF;
-       exp->flags = IP_CT_EXPECT_PERMANENT;    /* Accept multiple calls */
-
-       nat_q931 = rcu_dereference(nat_q931_hook);
-       if (nat_q931) { /* Need NAT */
-               ret = nat_q931(pskb, ct, ctinfo, data, addr, i, port, exp);
-       } else {                /* Conntrack only */
-               exp->expectfn = ip_conntrack_q931_expect;
-
-               if (ip_conntrack_expect_related(exp) == 0) {
-                       DEBUGP("ip_ct_ras: expect Q.931 "
-                              "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                              NIPQUAD(exp->tuple.src.ip),
-                              ntohs(exp->tuple.src.u.tcp.port),
-                              NIPQUAD(exp->tuple.dst.ip),
-                              ntohs(exp->tuple.dst.u.tcp.port));
-
-                       /* Save port for looking up expect in processing RCF */
-                       info->sig_port[dir] = port;
-               } else
-                       ret = -1;
-       }
-
-       ip_conntrack_expect_put(exp);
-
-       return ret;
-}
-
-/****************************************************************************/
-static int process_grq(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, GatekeeperRequest * grq)
-{
-       typeof(set_ras_addr_hook) set_ras_addr;
-
-       DEBUGP("ip_ct_ras: GRQ\n");
-
-       set_ras_addr = rcu_dereference(set_ras_addr_hook);
-       if (set_ras_addr)       /* NATed */
-               return set_ras_addr(pskb, ct, ctinfo, data,
-                                   &grq->rasAddress, 1);
-       return 0;
-}
-
-/* Declare before using */
-static void ip_conntrack_ras_expect(struct ip_conntrack *new,
-                                   struct ip_conntrack_expect *this);
-
-/****************************************************************************/
-static int process_gcf(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, GatekeeperConfirm * gcf)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       __be32 ip;
-       u_int16_t port;
-       struct ip_conntrack_expect *exp;
-
-       DEBUGP("ip_ct_ras: GCF\n");
-
-       if (!get_h225_addr(*data, &gcf->rasAddress, &ip, &port))
-               return 0;
-
-       /* Registration port is the same as discovery port */
-       if (ip == ct->tuplehash[dir].tuple.src.ip &&
-           port == ntohs(ct->tuplehash[dir].tuple.src.u.udp.port))
-               return 0;
-
-       /* Avoid RAS expectation loops. A GCF is never expected. */
-       if (test_bit(IPS_EXPECTED_BIT, &ct->status))
-               return 0;
-
-       /* Need new expect */
-       if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       exp->tuple.src.u.tcp.port = 0;
-       exp->tuple.dst.ip = ip;
-       exp->tuple.dst.u.tcp.port = htons(port);
-       exp->tuple.dst.protonum = IPPROTO_UDP;
-       exp->mask.src.ip = htonl(0xFFFFFFFF);
-       exp->mask.src.u.tcp.port = 0;
-       exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.tcp.port = htons(0xFFFF);
-       exp->mask.dst.protonum = 0xFF;
-       exp->flags = 0;
-       exp->expectfn = ip_conntrack_ras_expect;
-       if (ip_conntrack_expect_related(exp) == 0) {
-               DEBUGP("ip_ct_ras: expect RAS "
-                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                      NIPQUAD(exp->tuple.src.ip),
-                      ntohs(exp->tuple.src.u.tcp.port),
-                      NIPQUAD(exp->tuple.dst.ip),
-                      ntohs(exp->tuple.dst.u.tcp.port));
-       } else
-               ret = -1;
-
-       ip_conntrack_expect_put(exp);
-
-       return ret;
-}
-
-/****************************************************************************/
-static int process_rrq(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, RegistrationRequest * rrq)
-{
-       struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
-       int ret;
-       typeof(set_ras_addr_hook) set_ras_addr;
-
-       DEBUGP("ip_ct_ras: RRQ\n");
-
-       ret = expect_q931(pskb, ct, ctinfo, data,
-                         rrq->callSignalAddress.item,
-                         rrq->callSignalAddress.count);
-       if (ret < 0)
-               return -1;
-
-       set_ras_addr = rcu_dereference(set_ras_addr_hook);
-       if (set_ras_addr) {
-               ret = set_ras_addr(pskb, ct, ctinfo, data,
-                                  rrq->rasAddress.item,
-                                  rrq->rasAddress.count);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (rrq->options & eRegistrationRequest_timeToLive) {
-               DEBUGP("ip_ct_ras: RRQ TTL = %u seconds\n", rrq->timeToLive);
-               info->timeout = rrq->timeToLive;
-       } else
-               info->timeout = default_rrq_ttl;
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_rcf(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, RegistrationConfirm * rcf)
-{
-       struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
-       int dir = CTINFO2DIR(ctinfo);
-       int ret;
-       struct ip_conntrack_expect *exp;
-       typeof(set_sig_addr_hook) set_sig_addr;
-
-       DEBUGP("ip_ct_ras: RCF\n");
-
-       set_sig_addr = rcu_dereference(set_sig_addr_hook);
-       if (set_sig_addr) {
-               ret = set_sig_addr(pskb, ct, ctinfo, data,
-                                  rcf->callSignalAddress.item,
-                                  rcf->callSignalAddress.count);
-               if (ret < 0)
-                       return -1;
-       }
-
-       if (rcf->options & eRegistrationConfirm_timeToLive) {
-               DEBUGP("ip_ct_ras: RCF TTL = %u seconds\n", rcf->timeToLive);
-               info->timeout = rcf->timeToLive;
-       }
-
-       if (info->timeout > 0) {
-               DEBUGP
-                   ("ip_ct_ras: set RAS connection timeout to %u seconds\n",
-                    info->timeout);
-               ip_ct_refresh(ct, *pskb, info->timeout * HZ);
-
-               /* Set expect timeout */
-               read_lock_bh(&ip_conntrack_lock);
-               exp = find_expect(ct, ct->tuplehash[dir].tuple.dst.ip,
-                                 info->sig_port[!dir]);
-               if (exp) {
-                       DEBUGP("ip_ct_ras: set Q.931 expect "
-                              "(%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu) "
-                              "timeout to %u seconds\n",
-                              NIPQUAD(exp->tuple.src.ip),
-                              ntohs(exp->tuple.src.u.tcp.port),
-                              NIPQUAD(exp->tuple.dst.ip),
-                              ntohs(exp->tuple.dst.u.tcp.port),
-                              info->timeout);
-                       set_expect_timeout(exp, info->timeout);
-               }
-               read_unlock_bh(&ip_conntrack_lock);
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_urq(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, UnregistrationRequest * urq)
-{
-       struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
-       int dir = CTINFO2DIR(ctinfo);
-       int ret;
-       typeof(set_sig_addr_hook) set_sig_addr;
-
-       DEBUGP("ip_ct_ras: URQ\n");
-
-       set_sig_addr = rcu_dereference(set_sig_addr_hook);
-       if (set_sig_addr) {
-               ret = set_sig_addr(pskb, ct, ctinfo, data,
-                                  urq->callSignalAddress.item,
-                                  urq->callSignalAddress.count);
-               if (ret < 0)
-                       return -1;
-       }
-
-       /* Clear old expect */
-       ip_ct_remove_expectations(ct);
-       info->sig_port[dir] = 0;
-       info->sig_port[!dir] = 0;
-
-       /* Give it 30 seconds for UCF or URJ */
-       ip_ct_refresh(ct, *pskb, 30 * HZ);
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_arq(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, AdmissionRequest * arq)
-{
-       struct ip_ct_h323_master *info = &ct->help.ct_h323_info;
-       int dir = CTINFO2DIR(ctinfo);
-       __be32 ip;
-       u_int16_t port;
-       typeof(set_h225_addr_hook) set_h225_addr;
-
-       DEBUGP("ip_ct_ras: ARQ\n");
-
-       set_h225_addr = rcu_dereference(set_h225_addr_hook);
-       if ((arq->options & eAdmissionRequest_destCallSignalAddress) &&
-           get_h225_addr(*data, &arq->destCallSignalAddress, &ip, &port) &&
-           ip == ct->tuplehash[dir].tuple.src.ip &&
-           port == info->sig_port[dir] && set_h225_addr) {
-               /* Answering ARQ */
-               return set_h225_addr(pskb, data, 0,
-                                    &arq->destCallSignalAddress,
-                                    ct->tuplehash[!dir].tuple.dst.ip,
-                                    info->sig_port[!dir]);
-       }
-
-       if ((arq->options & eAdmissionRequest_srcCallSignalAddress) &&
-           get_h225_addr(*data, &arq->srcCallSignalAddress, &ip, &port) &&
-           ip == ct->tuplehash[dir].tuple.src.ip && set_h225_addr) {
-               /* Calling ARQ */
-               return set_h225_addr(pskb, data, 0,
-                                    &arq->srcCallSignalAddress,
-                                    ct->tuplehash[!dir].tuple.dst.ip,
-                                    port);
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_acf(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, AdmissionConfirm * acf)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       __be32 ip;
-       u_int16_t port;
-       struct ip_conntrack_expect *exp;
-       typeof(set_sig_addr_hook) set_sig_addr;
-
-       DEBUGP("ip_ct_ras: ACF\n");
-
-       if (!get_h225_addr(*data, &acf->destCallSignalAddress, &ip, &port))
-               return 0;
-
-       if (ip == ct->tuplehash[dir].tuple.dst.ip) {    /* Answering ACF */
-               set_sig_addr = rcu_dereference(set_sig_addr_hook);
-               if (set_sig_addr)
-                       return set_sig_addr(pskb, ct, ctinfo, data,
-                                           &acf->destCallSignalAddress, 1);
-               return 0;
-       }
-
-       /* Need new expect */
-       if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       exp->tuple.src.u.tcp.port = 0;
-       exp->tuple.dst.ip = ip;
-       exp->tuple.dst.u.tcp.port = htons(port);
-       exp->tuple.dst.protonum = IPPROTO_TCP;
-       exp->mask.src.ip = htonl(0xFFFFFFFF);
-       exp->mask.src.u.tcp.port = 0;
-       exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.tcp.port = htons(0xFFFF);
-       exp->mask.dst.protonum = 0xFF;
-       exp->flags = IP_CT_EXPECT_PERMANENT;
-       exp->expectfn = ip_conntrack_q931_expect;
-
-       if (ip_conntrack_expect_related(exp) == 0) {
-               DEBUGP("ip_ct_ras: expect Q.931 "
-                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                      NIPQUAD(exp->tuple.src.ip),
-                      ntohs(exp->tuple.src.u.tcp.port),
-                      NIPQUAD(exp->tuple.dst.ip),
-                      ntohs(exp->tuple.dst.u.tcp.port));
-       } else
-               ret = -1;
-
-       ip_conntrack_expect_put(exp);
-
-       return ret;
-}
-
-/****************************************************************************/
-static int process_lrq(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, LocationRequest * lrq)
-{
-       typeof(set_ras_addr_hook) set_ras_addr;
-
-       DEBUGP("ip_ct_ras: LRQ\n");
-
-       set_ras_addr = rcu_dereference(set_ras_addr_hook);
-       if (set_ras_addr)
-               return set_ras_addr(pskb, ct, ctinfo, data,
-                                   &lrq->replyAddress, 1);
-       return 0;
-}
-
-/****************************************************************************/
-static int process_lcf(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, LocationConfirm * lcf)
-{
-       int dir = CTINFO2DIR(ctinfo);
-       int ret = 0;
-       __be32 ip;
-       u_int16_t port;
-       struct ip_conntrack_expect *exp = NULL;
-
-       DEBUGP("ip_ct_ras: LCF\n");
-
-       if (!get_h225_addr(*data, &lcf->callSignalAddress, &ip, &port))
-               return 0;
-
-       /* Need new expect for call signal */
-       if ((exp = ip_conntrack_expect_alloc(ct)) == NULL)
-               return -1;
-       exp->tuple.src.ip = ct->tuplehash[!dir].tuple.src.ip;
-       exp->tuple.src.u.tcp.port = 0;
-       exp->tuple.dst.ip = ip;
-       exp->tuple.dst.u.tcp.port = htons(port);
-       exp->tuple.dst.protonum = IPPROTO_TCP;
-       exp->mask.src.ip = htonl(0xFFFFFFFF);
-       exp->mask.src.u.tcp.port = 0;
-       exp->mask.dst.ip = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.tcp.port = htons(0xFFFF);
-       exp->mask.dst.protonum = 0xFF;
-       exp->flags = IP_CT_EXPECT_PERMANENT;
-       exp->expectfn = ip_conntrack_q931_expect;
-
-       if (ip_conntrack_expect_related(exp) == 0) {
-               DEBUGP("ip_ct_ras: expect Q.931 "
-                      "%u.%u.%u.%u:%hu->%u.%u.%u.%u:%hu\n",
-                      NIPQUAD(exp->tuple.src.ip),
-                      ntohs(exp->tuple.src.u.tcp.port),
-                      NIPQUAD(exp->tuple.dst.ip),
-                      ntohs(exp->tuple.dst.u.tcp.port));
-       } else
-               ret = -1;
-
-       ip_conntrack_expect_put(exp);
-
-       /* Ignore rasAddress */
-
-       return ret;
-}
-
-/****************************************************************************/
-static int process_irr(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, InfoRequestResponse * irr)
-{
-       int ret;
-       typeof(set_ras_addr_hook) set_ras_addr;
-       typeof(set_sig_addr_hook) set_sig_addr;
-
-       DEBUGP("ip_ct_ras: IRR\n");
-
-       set_ras_addr = rcu_dereference(set_ras_addr_hook);
-       if (set_ras_addr) {
-               ret = set_ras_addr(pskb, ct, ctinfo, data,
-                                  &irr->rasAddress, 1);
-               if (ret < 0)
-                       return -1;
-       }
-
-       set_sig_addr = rcu_dereference(set_sig_addr_hook);
-       if (set_sig_addr) {
-               ret = set_sig_addr(pskb, ct, ctinfo, data,
-                                  irr->callSignalAddress.item,
-                                  irr->callSignalAddress.count);
-               if (ret < 0)
-                       return -1;
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int process_ras(struct sk_buff **pskb, struct ip_conntrack *ct,
-                      enum ip_conntrack_info ctinfo,
-                      unsigned char **data, RasMessage * ras)
-{
-       switch (ras->choice) {
-       case eRasMessage_gatekeeperRequest:
-               return process_grq(pskb, ct, ctinfo, data,
-                                  &ras->gatekeeperRequest);
-       case eRasMessage_gatekeeperConfirm:
-               return process_gcf(pskb, ct, ctinfo, data,
-                                  &ras->gatekeeperConfirm);
-       case eRasMessage_registrationRequest:
-               return process_rrq(pskb, ct, ctinfo, data,
-                                  &ras->registrationRequest);
-       case eRasMessage_registrationConfirm:
-               return process_rcf(pskb, ct, ctinfo, data,
-                                  &ras->registrationConfirm);
-       case eRasMessage_unregistrationRequest:
-               return process_urq(pskb, ct, ctinfo, data,
-                                  &ras->unregistrationRequest);
-       case eRasMessage_admissionRequest:
-               return process_arq(pskb, ct, ctinfo, data,
-                                  &ras->admissionRequest);
-       case eRasMessage_admissionConfirm:
-               return process_acf(pskb, ct, ctinfo, data,
-                                  &ras->admissionConfirm);
-       case eRasMessage_locationRequest:
-               return process_lrq(pskb, ct, ctinfo, data,
-                                  &ras->locationRequest);
-       case eRasMessage_locationConfirm:
-               return process_lcf(pskb, ct, ctinfo, data,
-                                  &ras->locationConfirm);
-       case eRasMessage_infoRequestResponse:
-               return process_irr(pskb, ct, ctinfo, data,
-                                  &ras->infoRequestResponse);
-       default:
-               DEBUGP("ip_ct_ras: RAS message %d\n", ras->choice);
-               break;
-       }
-
-       return 0;
-}
-
-/****************************************************************************/
-static int ras_help(struct sk_buff **pskb, struct ip_conntrack *ct,
-                   enum ip_conntrack_info ctinfo)
-{
-       static RasMessage ras;
-       unsigned char *data;
-       int datalen = 0;
-       int ret;
-
-       DEBUGP("ip_ct_ras: skblen = %u\n", (*pskb)->len);
-
-       spin_lock_bh(&ip_h323_lock);
-
-       /* Get UDP data */
-       data = get_udp_data(pskb, &datalen);
-       if (data == NULL)
-               goto accept;
-       DEBUGP("ip_ct_ras: RAS message %u.%u.%u.%u->%u.%u.%u.%u, len=%d\n",
-              NIPQUAD(ip_hdr(*pskb)->saddr),
-              NIPQUAD(ip_hdr(*pskb)->daddr), datalen);
-
-       /* Decode RAS message */
-       ret = DecodeRasMessage(data, datalen, &ras);
-       if (ret < 0) {
-               if (net_ratelimit())
-                       printk("ip_ct_ras: decoding error: %s\n",
-                              ret == H323_ERROR_BOUND ?
-                              "out of bound" : "out of range");
-               goto accept;
-       }
-
-       /* Process RAS message */
-       if (process_ras(pskb, ct, ctinfo, &data, &ras) < 0)
-               goto drop;
-
-      accept:
-       spin_unlock_bh(&ip_h323_lock);
-       return NF_ACCEPT;
-
-      drop:
-       spin_unlock_bh(&ip_h323_lock);
-       if (net_ratelimit())
-               printk("ip_ct_ras: packet dropped\n");
-       return NF_DROP;
-}
-
-/****************************************************************************/
-static struct ip_conntrack_helper ip_conntrack_helper_ras = {
-       .name = "RAS",
-       .me = THIS_MODULE,
-       .max_expected = 32,
-       .timeout = 240,
-       .tuple = {.src = {.u = {.tcp = {.port = __constant_htons(RAS_PORT)}}},
-                 .dst = {.protonum = IPPROTO_UDP}},
-       .mask = {.src = {.u = {0xFFFE}},
-                .dst = {.protonum = 0xFF}},
-       .help = ras_help,
-};
-
-/****************************************************************************/
-static void ip_conntrack_ras_expect(struct ip_conntrack *new,
-                                   struct ip_conntrack_expect *this)
-{
-       write_lock_bh(&ip_conntrack_lock);
-       new->helper = &ip_conntrack_helper_ras;
-       write_unlock_bh(&ip_conntrack_lock);
-}
-
-/****************************************************************************/
-/* Not __exit - called from init() */
-static void fini(void)
-{
-       ip_conntrack_helper_unregister(&ip_conntrack_helper_ras);
-       ip_conntrack_helper_unregister(&ip_conntrack_helper_q931);
-       kfree(h323_buffer);
-       DEBUGP("ip_ct_h323: fini\n");
-}
-
-/****************************************************************************/
-static int __init init(void)
-{
-       int ret;
-
-       h323_buffer = kmalloc(65536, GFP_KERNEL);
-       if (!h323_buffer)
-               return -ENOMEM;
-       if ((ret = ip_conntrack_helper_register(&ip_conntrack_helper_q931)) ||
-           (ret = ip_conntrack_helper_register(&ip_conntrack_helper_ras))) {
-               fini();
-               return ret;
-       }
-       DEBUGP("ip_ct_h323: init success\n");
-       return 0;
-}
-
-/****************************************************************************/
-module_init(init);
-module_exit(fini);
-
-EXPORT_SYMBOL_GPL(get_h225_addr);
-EXPORT_SYMBOL_GPL(ip_conntrack_h245_expect);
-EXPORT_SYMBOL_GPL(ip_conntrack_q931_expect);
-EXPORT_SYMBOL_GPL(set_h245_addr_hook);
-EXPORT_SYMBOL_GPL(set_h225_addr_hook);
-EXPORT_SYMBOL_GPL(set_sig_addr_hook);
-EXPORT_SYMBOL_GPL(set_ras_addr_hook);
-EXPORT_SYMBOL_GPL(nat_rtp_rtcp_hook);
-EXPORT_SYMBOL_GPL(nat_t120_hook);
-EXPORT_SYMBOL_GPL(nat_h245_hook);
-EXPORT_SYMBOL_GPL(nat_callforwarding_hook);
-EXPORT_SYMBOL_GPL(nat_q931_hook);
-
-MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>");
-MODULE_DESCRIPTION("H.323 connection tracking helper");
-MODULE_LICENSE("GPL");
diff --git a/net/ipv4/netfilter/ip_conntrack_helper_pptp.c b/net/ipv4/netfilter/ip_conntrack_helper_pptp.c
deleted file mode 100644 (file)
index f5ab8e4..0000000
+++ /dev/null
@@ -1,684 +0,0 @@
-/*
- * ip_conntrack_pptp.c - Version 3.0
- *
- * Connection tracking support for PPTP (Point to Point Tunneling Protocol).
- * PPTP is a a protocol for creating virtual private networks.
- * It is a specification defined by Microsoft and some vendors
- * working with Microsoft.  PPTP is built on top of a modified
- * version of the Internet Generic Routing Encapsulation Protocol.
- * GRE is defined in RFC 1701 and RFC 1702.  Documentation of
- * PPTP can be found in RFC 2637
- *
- * (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
- *
- * Development of this code funded by Astaro AG (http://www.astaro.com/)
- *
- * Limitations:
- *      - We blindly assume that control connections are always
- *        established in PNS->PAC direction.  This is a violation
- *        of RFFC2673
- *      - We can only support one single call within each session
- *
- * TODO:
- *      - testing of incoming PPTP calls
- *
- * Changes:
- *     2002-02-05 - Version 1.3
- *       - Call ip_conntrack_unexpect_related() from
- *         pptp_destroy_siblings() to destroy expectations in case
- *         CALL_DISCONNECT_NOTIFY or tcp fin packet was seen
- *         (Philip Craig <philipc@snapgear.com>)
- *       - Add Version information at module loadtime
- *     2002-02-10 - Version 1.6
- *       - move to C99 style initializers
- *       - remove second expectation if first arrives
- *     2004-10-22 - Version 2.0
- *       - merge Mandrake's 2.6.x port with recent 2.6.x API changes
- *       - fix lots of linear skb assumptions from Mandrake's port
- *     2005-06-10 - Version 2.1
- *       - use ip_conntrack_expect_free() instead of kfree() on the
- *         expect's (which are from the slab for quite some time)
- *     2005-06-10 - Version 3.0
- *       - port helper to post-2.6.11 API changes,
- *         funded by Oxcoda NetBox Blue (http://www.netboxblue.com/)
- *     2005-07-30 - Version 3.1
- *       - port helper to 2.6.13 API changes
- *
- */
-
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_core.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_proto_gre.h>
-#include <linux/netfilter_ipv4/ip_conntrack_pptp.h>
-
-#define IP_CT_PPTP_VERSION "3.1"
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>");
-MODULE_DESCRIPTION("Netfilter connection tracking helper module for PPTP");
-
-static DEFINE_SPINLOCK(ip_pptp_lock);
-
-int
-(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb,
-                         struct ip_conntrack *ct,
-                         enum ip_conntrack_info ctinfo,
-                         struct PptpControlHeader *ctlh,
-                         union pptp_ctrl_union *pptpReq);
-
-int
-(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb,
-                         struct ip_conntrack *ct,
-                         enum ip_conntrack_info ctinfo,
-                         struct PptpControlHeader *ctlh,
-                         union pptp_ctrl_union *pptpReq);
-
-void
-(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *expect_orig,
-                           struct ip_conntrack_expect *expect_reply);
-
-void
-(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct,
-                            struct ip_conntrack_expect *exp);
-
-#if 0
-/* PptpControlMessageType names */
-const char *pptp_msg_name[] = {
-       "UNKNOWN_MESSAGE",
-       "START_SESSION_REQUEST",
-       "START_SESSION_REPLY",
-       "STOP_SESSION_REQUEST",
-       "STOP_SESSION_REPLY",
-       "ECHO_REQUEST",
-       "ECHO_REPLY",
-       "OUT_CALL_REQUEST",
-       "OUT_CALL_REPLY",
-       "IN_CALL_REQUEST",
-       "IN_CALL_REPLY",
-       "IN_CALL_CONNECT",
-       "CALL_CLEAR_REQUEST",
-       "CALL_DISCONNECT_NOTIFY",
-       "WAN_ERROR_NOTIFY",
-       "SET_LINK_INFO"
-};
-EXPORT_SYMBOL(pptp_msg_name);
-#define DEBUGP(format, args...)        printk(KERN_DEBUG "%s:%s: " format, __FILE__, __FUNCTION__, ## args)
-#else
-#define DEBUGP(format, args...)
-#endif
-
-#define SECS *HZ
-#define MINS * 60 SECS
-#define HOURS * 60 MINS
-
-#define PPTP_GRE_TIMEOUT               (10 MINS)
-#define PPTP_GRE_STREAM_TIMEOUT        (5 HOURS)
-
-static void pptp_expectfn(struct ip_conntrack *ct,
-                        struct ip_conntrack_expect *exp)
-{
-       typeof(ip_nat_pptp_hook_expectfn) ip_nat_pptp_expectfn;
-
-       DEBUGP("increasing timeouts\n");
-
-       /* increase timeout of GRE data channel conntrack entry */
-       ct->proto.gre.timeout = PPTP_GRE_TIMEOUT;
-       ct->proto.gre.stream_timeout = PPTP_GRE_STREAM_TIMEOUT;
-
-       /* Can you see how rusty this code is, compared with the pre-2.6.11
-        * one? That's what happened to my shiny newnat of 2002 ;( -HW */
-
-       rcu_read_lock();
-       ip_nat_pptp_expectfn = rcu_dereference(ip_nat_pptp_hook_expectfn);
-       if (!ip_nat_pptp_expectfn) {
-               struct ip_conntrack_tuple inv_t;
-               struct ip_conntrack_expect *exp_other;
-
-               /* obviously this tuple inversion only works until you do NAT */
-               invert_tuplepr(&inv_t, &exp->tuple);
-               DEBUGP("trying to unexpect other dir: ");
-               DUMP_TUPLE(&inv_t);
-
-               exp_other = ip_conntrack_expect_find_get(&inv_t);
-               if (exp_other) {
-                       /* delete other expectation.  */
-                       DEBUGP("found\n");
-                       ip_conntrack_unexpect_related(exp_other);
-                       ip_conntrack_expect_put(exp_other);
-               } else {
-                       DEBUGP("not found\n");
-               }
-       } else {
-               /* we need more than simple inversion */
-               ip_nat_pptp_expectfn(ct, exp);
-       }
-       rcu_read_unlock();
-}
-
-static int destroy_sibling_or_exp(const struct ip_conntrack_tuple *t)
-{
-       struct ip_conntrack_tuple_hash *h;
-       struct ip_conntrack_expect *exp;
-
-       DEBUGP("trying to timeout ct or exp for tuple ");
-       DUMP_TUPLE(t);
-
-       h = ip_conntrack_find_get(t, NULL);
-       if (h)  {
-               struct ip_conntrack *sibling = tuplehash_to_ctrack(h);
-               DEBUGP("setting timeout of conntrack %p to 0\n", sibling);
-               sibling->proto.gre.timeout = 0;
-               sibling->proto.gre.stream_timeout = 0;
-               if (del_timer(&sibling->timeout))
-                       sibling->timeout.function((unsigned long)sibling);
-               ip_conntrack_put(sibling);
-               return 1;
-       } else {
-               exp = ip_conntrack_expect_find_get(t);
-               if (exp) {
-                       DEBUGP("unexpect_related of expect %p\n", exp);
-                       ip_conntrack_unexpect_related(exp);
-                       ip_conntrack_expect_put(exp);
-                       return 1;
-               }
-       }
-
-       return 0;
-}
-
-
-/* timeout GRE data connections */
-static void pptp_destroy_siblings(struct ip_conntrack *ct)
-{
-       struct ip_conntrack_tuple t;
-
-       ip_ct_gre_keymap_destroy(ct);
-       /* Since ct->sibling_list has literally rusted away in 2.6.11,
-        * we now need another way to find out about our sibling
-        * contrack and expects... -HW */
-
-       /* try original (pns->pac) tuple */
-       memcpy(&t, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, sizeof(t));
-       t.dst.protonum = IPPROTO_GRE;
-       t.src.u.gre.key = ct->help.ct_pptp_info.pns_call_id;
-       t.dst.u.gre.key = ct->help.ct_pptp_info.pac_call_id;
-
-       if (!destroy_sibling_or_exp(&t))
-               DEBUGP("failed to timeout original pns->pac ct/exp\n");
-
-       /* try reply (pac->pns) tuple */
-       memcpy(&t, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, sizeof(t));
-       t.dst.protonum = IPPROTO_GRE;
-       t.src.u.gre.key = ct->help.ct_pptp_info.pac_call_id;
-       t.dst.u.gre.key = ct->help.ct_pptp_info.pns_call_id;
-
-       if (!destroy_sibling_or_exp(&t))
-               DEBUGP("failed to timeout reply pac->pns ct/exp\n");
-}
-
-/* expect GRE connections (PNS->PAC and PAC->PNS direction) */
-static inline int
-exp_gre(struct ip_conntrack *ct,
-       __be16 callid,
-       __be16 peer_callid)
-{
-       struct ip_conntrack_expect *exp_orig, *exp_reply;
-       int ret = 1;
-       typeof(ip_nat_pptp_hook_exp_gre) ip_nat_pptp_exp_gre;
-
-       exp_orig = ip_conntrack_expect_alloc(ct);
-       if (exp_orig == NULL)
-               goto out;
-
-       exp_reply = ip_conntrack_expect_alloc(ct);
-       if (exp_reply == NULL)
-               goto out_put_orig;
-
-       /* original direction, PNS->PAC */
-       exp_orig->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
-       exp_orig->tuple.src.u.gre.key = peer_callid;
-       exp_orig->tuple.dst.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip;
-       exp_orig->tuple.dst.u.gre.key = callid;
-       exp_orig->tuple.dst.protonum = IPPROTO_GRE;
-
-       exp_orig->mask.src.ip = htonl(0xffffffff);
-       exp_orig->mask.src.u.all = 0;
-       exp_orig->mask.dst.u.gre.key = htons(0xffff);
-       exp_orig->mask.dst.ip = htonl(0xffffffff);
-       exp_orig->mask.dst.protonum = 0xff;
-
-       exp_orig->master = ct;
-       exp_orig->expectfn = pptp_expectfn;
-       exp_orig->flags = 0;
-
-       /* both expectations are identical apart from tuple */
-       memcpy(exp_reply, exp_orig, sizeof(*exp_reply));
-
-       /* reply direction, PAC->PNS */
-       exp_reply->tuple.src.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.ip;
-       exp_reply->tuple.src.u.gre.key = callid;
-       exp_reply->tuple.dst.ip = ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip;
-       exp_reply->tuple.dst.u.gre.key = peer_callid;
-       exp_reply->tuple.dst.protonum = IPPROTO_GRE;
-
-       ip_nat_pptp_exp_gre = rcu_dereference(ip_nat_pptp_hook_exp_gre);
-       if (ip_nat_pptp_exp_gre)
-               ip_nat_pptp_exp_gre(exp_orig, exp_reply);
-       if (ip_conntrack_expect_related(exp_orig) != 0)
-               goto out_put_both;
-       if (ip_conntrack_expect_related(exp_reply) != 0)
-               goto out_unexpect_orig;
-
-       /* Add GRE keymap entries */
-       if (ip_ct_gre_keymap_add(ct, &exp_orig->tuple, 0) != 0)
-               goto out_unexpect_both;
-       if (ip_ct_gre_keymap_add(ct, &exp_reply->tuple, 1) != 0) {
-               ip_ct_gre_keymap_destroy(ct);
-               goto out_unexpect_both;
-       }
-       ret = 0;
-
-out_put_both:
-       ip_conntrack_expect_put(exp_reply);
-out_put_orig:
-       ip_conntrack_expect_put(exp_orig);
-out:
-       return ret;
-
-out_unexpect_both:
-       ip_conntrack_unexpect_related(exp_reply);
-out_unexpect_orig:
-       ip_conntrack_unexpect_related(exp_orig);
-       goto out_put_both;
-}
-
-static inline int
-pptp_inbound_pkt(struct sk_buff **pskb,
-                struct PptpControlHeader *ctlh,
-                union pptp_ctrl_union *pptpReq,
-                unsigned int reqlen,
-                struct ip_conntrack *ct,
-                enum ip_conntrack_info ctinfo)
-{
-       struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
-       u_int16_t msg;
-       __be16 cid = 0, pcid = 0;
-       typeof(ip_nat_pptp_hook_inbound) ip_nat_pptp_inbound;
-
-       msg = ntohs(ctlh->messageType);
-       DEBUGP("inbound control message %s\n", pptp_msg_name[msg]);
-
-       switch (msg) {
-       case PPTP_START_SESSION_REPLY:
-               /* server confirms new control session */
-               if (info->sstate < PPTP_SESSION_REQUESTED)
-                       goto invalid;
-               if (pptpReq->srep.resultCode == PPTP_START_OK)
-                       info->sstate = PPTP_SESSION_CONFIRMED;
-               else
-                       info->sstate = PPTP_SESSION_ERROR;
-               break;
-
-       case PPTP_STOP_SESSION_REPLY:
-               /* server confirms end of control session */
-               if (info->sstate > PPTP_SESSION_STOPREQ)
-                       goto invalid;
-               if (pptpReq->strep.resultCode == PPTP_STOP_OK)
-                       info->sstate = PPTP_SESSION_NONE;
-               else
-                       info->sstate = PPTP_SESSION_ERROR;
-               break;
-
-       case PPTP_OUT_CALL_REPLY:
-               /* server accepted call, we now expect GRE frames */
-               if (info->sstate != PPTP_SESSION_CONFIRMED)
-                       goto invalid;
-               if (info->cstate != PPTP_CALL_OUT_REQ &&
-                   info->cstate != PPTP_CALL_OUT_CONF)
-                       goto invalid;
-
-               cid = pptpReq->ocack.callID;
-               pcid = pptpReq->ocack.peersCallID;
-               if (info->pns_call_id != pcid)
-                       goto invalid;
-               DEBUGP("%s, CID=%X, PCID=%X\n", pptp_msg_name[msg],
-                       ntohs(cid), ntohs(pcid));
-
-               if (pptpReq->ocack.resultCode == PPTP_OUTCALL_CONNECT) {
-                       info->cstate = PPTP_CALL_OUT_CONF;
-                       info->pac_call_id = cid;
-                       exp_gre(ct, cid, pcid);
-               } else
-                       info->cstate = PPTP_CALL_NONE;
-               break;
-
-       case PPTP_IN_CALL_REQUEST:
-               /* server tells us about incoming call request */
-               if (info->sstate != PPTP_SESSION_CONFIRMED)
-                       goto invalid;
-
-               cid = pptpReq->icreq.callID;
-               DEBUGP("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
-               info->cstate = PPTP_CALL_IN_REQ;
-               info->pac_call_id = cid;
-               break;
-
-       case PPTP_IN_CALL_CONNECT:
-               /* server tells us about incoming call established */
-               if (info->sstate != PPTP_SESSION_CONFIRMED)
-                       goto invalid;
-               if (info->cstate != PPTP_CALL_IN_REP &&
-                   info->cstate != PPTP_CALL_IN_CONF)
-                       goto invalid;
-
-               pcid = pptpReq->iccon.peersCallID;
-               cid = info->pac_call_id;
-
-               if (info->pns_call_id != pcid)
-                       goto invalid;
-
-               DEBUGP("%s, PCID=%X\n", pptp_msg_name[msg], ntohs(pcid));
-               info->cstate = PPTP_CALL_IN_CONF;
-
-               /* we expect a GRE connection from PAC to PNS */
-               exp_gre(ct, cid, pcid);
-               break;
-
-       case PPTP_CALL_DISCONNECT_NOTIFY:
-               /* server confirms disconnect */
-               cid = pptpReq->disc.callID;
-               DEBUGP("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
-               info->cstate = PPTP_CALL_NONE;
-
-               /* untrack this call id, unexpect GRE packets */
-               pptp_destroy_siblings(ct);
-               break;
-
-       case PPTP_WAN_ERROR_NOTIFY:
-       case PPTP_ECHO_REQUEST:
-       case PPTP_ECHO_REPLY:
-               /* I don't have to explain these ;) */
-               break;
-       default:
-               goto invalid;
-       }
-
-       ip_nat_pptp_inbound = rcu_dereference(ip_nat_pptp_hook_inbound);
-       if (ip_nat_pptp_inbound)
-               return ip_nat_pptp_inbound(pskb, ct, ctinfo, ctlh, pptpReq);
-       return NF_ACCEPT;
-
-invalid:
-       DEBUGP("invalid %s: type=%d cid=%u pcid=%u "
-              "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
-              msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
-              msg, ntohs(cid), ntohs(pcid),  info->cstate, info->sstate,
-              ntohs(info->pns_call_id), ntohs(info->pac_call_id));
-       return NF_ACCEPT;
-}
-
-static inline int
-pptp_outbound_pkt(struct sk_buff **pskb,
-                 struct PptpControlHeader *ctlh,
-                 union pptp_ctrl_union *pptpReq,
-                 unsigned int reqlen,
-                 struct ip_conntrack *ct,
-                 enum ip_conntrack_info ctinfo)
-{
-       struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
-       u_int16_t msg;
-       __be16 cid = 0, pcid = 0;
-       typeof(ip_nat_pptp_hook_outbound) ip_nat_pptp_outbound;
-
-       msg = ntohs(ctlh->messageType);
-       DEBUGP("outbound control message %s\n", pptp_msg_name[msg]);
-
-       switch (msg) {
-       case PPTP_START_SESSION_REQUEST:
-               /* client requests for new control session */
-               if (info->sstate != PPTP_SESSION_NONE)
-                       goto invalid;
-               info->sstate = PPTP_SESSION_REQUESTED;
-               break;
-       case PPTP_STOP_SESSION_REQUEST:
-               /* client requests end of control session */
-               info->sstate = PPTP_SESSION_STOPREQ;
-               break;
-
-       case PPTP_OUT_CALL_REQUEST:
-               /* client initiating connection to server */
-               if (info->sstate != PPTP_SESSION_CONFIRMED)
-                       goto invalid;
-               info->cstate = PPTP_CALL_OUT_REQ;
-               /* track PNS call id */
-               cid = pptpReq->ocreq.callID;
-               DEBUGP("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
-               info->pns_call_id = cid;
-               break;
-       case PPTP_IN_CALL_REPLY:
-               /* client answers incoming call */
-               if (info->cstate != PPTP_CALL_IN_REQ &&
-                   info->cstate != PPTP_CALL_IN_REP)
-                       goto invalid;
-
-               cid = pptpReq->icack.callID;
-               pcid = pptpReq->icack.peersCallID;
-               if (info->pac_call_id != pcid)
-                       goto invalid;
-               DEBUGP("%s, CID=%X PCID=%X\n", pptp_msg_name[msg],
-                      ntohs(cid), ntohs(pcid));
-
-               if (pptpReq->icack.resultCode == PPTP_INCALL_ACCEPT) {
-                       /* part two of the three-way handshake */
-                       info->cstate = PPTP_CALL_IN_REP;
-                       info->pns_call_id = cid;
-               } else
-                       info->cstate = PPTP_CALL_NONE;
-               break;
-
-       case PPTP_CALL_CLEAR_REQUEST:
-               /* client requests hangup of call */
-               if (info->sstate != PPTP_SESSION_CONFIRMED)
-                       goto invalid;
-               /* FUTURE: iterate over all calls and check if
-                * call ID is valid.  We don't do this without newnat,
-                * because we only know about last call */
-               info->cstate = PPTP_CALL_CLEAR_REQ;
-               break;
-       case PPTP_SET_LINK_INFO:
-       case PPTP_ECHO_REQUEST:
-       case PPTP_ECHO_REPLY:
-               /* I don't have to explain these ;) */
-               break;
-       default:
-               goto invalid;
-       }
-
-       ip_nat_pptp_outbound = rcu_dereference(ip_nat_pptp_hook_outbound);
-       if (ip_nat_pptp_outbound)
-               return ip_nat_pptp_outbound(pskb, ct, ctinfo, ctlh, pptpReq);
-       return NF_ACCEPT;
-
-invalid:
-       DEBUGP("invalid %s: type=%d cid=%u pcid=%u "
-              "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
-              msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
-              msg, ntohs(cid), ntohs(pcid),  info->cstate, info->sstate,
-              ntohs(info->pns_call_id), ntohs(info->pac_call_id));
-       return NF_ACCEPT;
-}
-
-static const unsigned int pptp_msg_size[] = {
-       [PPTP_START_SESSION_REQUEST]  = sizeof(struct PptpStartSessionRequest),
-       [PPTP_START_SESSION_REPLY]    = sizeof(struct PptpStartSessionReply),
-       [PPTP_STOP_SESSION_REQUEST]   = sizeof(struct PptpStopSessionRequest),
-       [PPTP_STOP_SESSION_REPLY]     = sizeof(struct PptpStopSessionReply),
-       [PPTP_OUT_CALL_REQUEST]       = sizeof(struct PptpOutCallRequest),
-       [PPTP_OUT_CALL_REPLY]         = sizeof(struct PptpOutCallReply),
-       [PPTP_IN_CALL_REQUEST]        = sizeof(struct PptpInCallRequest),
-       [PPTP_IN_CALL_REPLY]          = sizeof(struct PptpInCallReply),
-       [PPTP_IN_CALL_CONNECT]        = sizeof(struct PptpInCallConnected),
-       [PPTP_CALL_CLEAR_REQUEST]     = sizeof(struct PptpClearCallRequest),
-       [PPTP_CALL_DISCONNECT_NOTIFY] = sizeof(struct PptpCallDisconnectNotify),
-       [PPTP_WAN_ERROR_NOTIFY]       = sizeof(struct PptpWanErrorNotify),
-       [PPTP_SET_LINK_INFO]          = sizeof(struct PptpSetLinkInfo),
-};
-
-/* track caller id inside control connection, call expect_related */
-static int
-conntrack_pptp_help(struct sk_buff **pskb,
-                   struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
-
-{
-       int dir = CTINFO2DIR(ctinfo);
-       struct ip_ct_pptp_master *info = &ct->help.ct_pptp_info;
-       struct tcphdr _tcph, *tcph;
-       struct pptp_pkt_hdr _pptph, *pptph;
-       struct PptpControlHeader _ctlh, *ctlh;
-       union pptp_ctrl_union _pptpReq, *pptpReq;
-       unsigned int tcplen = (*pskb)->len - ip_hdrlen(*pskb);
-       unsigned int datalen, reqlen, nexthdr_off;
-       int oldsstate, oldcstate;
-       int ret;
-       u_int16_t msg;
-
-       /* don't do any tracking before tcp handshake complete */
-       if (ctinfo != IP_CT_ESTABLISHED
-           && ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY) {
-               DEBUGP("ctinfo = %u, skipping\n", ctinfo);
-               return NF_ACCEPT;
-       }
-
-       nexthdr_off = ip_hdrlen(*pskb);
-       tcph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_tcph), &_tcph);
-       BUG_ON(!tcph);
-       nexthdr_off += tcph->doff * 4;
-       datalen = tcplen - tcph->doff * 4;
-
-       pptph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_pptph), &_pptph);
-       if (!pptph) {
-               DEBUGP("no full PPTP header, can't track\n");
-               return NF_ACCEPT;
-       }
-       nexthdr_off += sizeof(_pptph);
-       datalen -= sizeof(_pptph);
-
-       /* if it's not a control message we can't do anything with it */
-       if (ntohs(pptph->packetType) != PPTP_PACKET_CONTROL ||
-           ntohl(pptph->magicCookie) != PPTP_MAGIC_COOKIE) {
-               DEBUGP("not a control packet\n");
-               return NF_ACCEPT;
-       }
-
-       ctlh = skb_header_pointer(*pskb, nexthdr_off, sizeof(_ctlh), &_ctlh);
-       if (!ctlh)
-               return NF_ACCEPT;
-       nexthdr_off += sizeof(_ctlh);
-       datalen -= sizeof(_ctlh);
-
-       reqlen = datalen;
-       msg = ntohs(ctlh->messageType);
-       if (msg > 0 && msg <= PPTP_MSG_MAX && reqlen < pptp_msg_size[msg])
-               return NF_ACCEPT;
-       if (reqlen > sizeof(*pptpReq))
-               reqlen = sizeof(*pptpReq);
-
-       pptpReq = skb_header_pointer(*pskb, nexthdr_off, reqlen, &_pptpReq);
-       if (!pptpReq)
-               return NF_ACCEPT;
-
-       oldsstate = info->sstate;
-       oldcstate = info->cstate;
-
-       spin_lock_bh(&ip_pptp_lock);
-
-       /* FIXME: We just blindly assume that the control connection is always
-        * established from PNS->PAC.  However, RFC makes no guarantee */
-       if (dir == IP_CT_DIR_ORIGINAL)
-               /* client -> server (PNS -> PAC) */
-               ret = pptp_outbound_pkt(pskb, ctlh, pptpReq, reqlen, ct,
-                                       ctinfo);
-       else
-               /* server -> client (PAC -> PNS) */
-               ret = pptp_inbound_pkt(pskb, ctlh, pptpReq, reqlen, ct,
-                                      ctinfo);
-       DEBUGP("sstate: %d->%d, cstate: %d->%d\n",
-               oldsstate, info->sstate, oldcstate, info->cstate);
-       spin_unlock_bh(&ip_pptp_lock);
-
-       return ret;
-}
-
-/* control protocol helper */
-static struct ip_conntrack_helper pptp = {
-       .list = { NULL, NULL },
-       .name = "pptp",
-       .me = THIS_MODULE,
-       .max_expected = 2,
-       .timeout = 5 * 60,
-       .tuple = { .src = { .ip = 0,
-                           .u = { .tcp = { .port =
-                                   __constant_htons(PPTP_CONTROL_PORT) } }
-                         },
-                  .dst = { .ip = 0,
-                           .u = { .all = 0 },
-                           .protonum = IPPROTO_TCP
-                         }
-                },
-       .mask = { .src = { .ip = 0,
-                          .u = { .tcp = { .port = __constant_htons(0xffff) } }
-                        },
-                 .dst = { .ip = 0,
-                          .u = { .all = 0 },
-                          .protonum = 0xff
-                        }
-               },
-       .help = conntrack_pptp_help,
-       .destroy = pptp_destroy_siblings,
-};
-
-extern void ip_ct_proto_gre_fini(void);
-extern int __init ip_ct_proto_gre_init(void);
-
-/* ip_conntrack_pptp initialization */
-static int __init ip_conntrack_helper_pptp_init(void)
-{
-       int retcode;
-
-       retcode = ip_ct_proto_gre_init();
-       if (retcode < 0)
-               return retcode;
-
-       DEBUGP(" registering helper\n");
-       if ((retcode = ip_conntrack_helper_register(&pptp))) {
-               printk(KERN_ERR "Unable to register conntrack application "
-                               "helper for pptp: %d\n", retcode);
-               ip_ct_proto_gre_fini();
-               return retcode;
-       }
-
-       printk("ip_conntrack_pptp version %s loaded\n", IP_CT_PPTP_VERSION);
-       return 0;
-}
-
-static void __exit ip_conntrack_helper_pptp_fini(void)
-{
-       ip_conntrack_helper_unregister(&pptp);
-       ip_ct_proto_gre_fini();
-       printk("ip_conntrack_pptp version %s unloaded\n", IP_CT_PPTP_VERSION);
-}
-
-module_init(ip_conntrack_helper_pptp_init);
-module_exit(ip_conntrack_helper_pptp_fini);
-
-EXPORT_SYMBOL(ip_nat_pptp_hook_outbound);
-EXPORT_SYMBOL(ip_nat_pptp_hook_inbound);
-EXPORT_SYMBOL(ip_nat_pptp_hook_exp_gre);
-EXPORT_SYMBOL(ip_nat_pptp_hook_expectfn);
diff --git a/net/ipv4/netfilter/ip_conntrack_irc.c b/net/ipv4/netfilter/ip_conntrack_irc.c
deleted file mode 100644 (file)
index ee99abe..0000000
+++ /dev/null
@@ -1,314 +0,0 @@
-/* IRC extension for IP connection tracking, Version 1.21
- * (C) 2000-2002 by Harald Welte <laforge@gnumonks.org>
- * based on RR's ip_conntrack_ftp.c
- *
- * ip_conntrack_irc.c,v 1.21 2002/02/05 14:49:26 laforge Exp
- *
- *      This program is free software; you can redistribute it and/or
- *      modify it under the terms of the GNU General Public License
- *      as published by the Free Software Foundation; either version
- *      2 of the License, or (at your option) any later version.
- **
- *     Module load syntax:
- *     insmod ip_conntrack_irc.o ports=port1,port2,...port<MAX_PORTS>
- *                         max_dcc_channels=n dcc_timeout=secs
- *
- *     please give the ports of all IRC servers You wish to connect to.
- *     If You don't specify ports, the default will be port 6667.
- *     With max_dcc_channels you can define the maximum number of not
- *     yet answered DCC channels per IRC session (default 8).
- *     With dcc_timeout you can specify how long the system waits for
- *     an expected DCC channel (default 300 seconds).
- *
- */
-
-#include <linux/module.h>
-#include <linux/netfilter.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-#include <net/tcp.h>
-
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
-#include <linux/moduleparam.h>
-
-#define MAX_PORTS 8
-static unsigned short ports[MAX_PORTS];
-static int ports_c;
-static unsigned int max_dcc_channels = 8;
-static unsigned int dcc_timeout = 300;
-/* This is slow, but it's simple. --RR */
-static char *irc_buffer;
-static DEFINE_SPINLOCK(irc_buffer_lock);
-
-unsigned int (*ip_nat_irc_hook)(struct sk_buff **pskb,
-                               enum ip_conntrack_info ctinfo,
-                               unsigned int matchoff,
-                               unsigned int matchlen,
-                               struct ip_conntrack_expect *exp);
-EXPORT_SYMBOL_GPL(ip_nat_irc_hook);
-
-MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_DESCRIPTION("IRC (DCC) connection tracking helper");
-MODULE_LICENSE("GPL");
-module_param_array(ports, ushort, &ports_c, 0400);
-MODULE_PARM_DESC(ports, "port numbers of IRC servers");
-module_param(max_dcc_channels, uint, 0400);
-MODULE_PARM_DESC(max_dcc_channels, "max number of expected DCC channels per IRC session");
-module_param(dcc_timeout, uint, 0400);
-MODULE_PARM_DESC(dcc_timeout, "timeout on for unestablished DCC channels");
-
-static const char *dccprotos[] = { "SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT " };
-#define MINMATCHLEN    5
-
-#if 0
-#define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s:" format, \
-                                      __FILE__, __FUNCTION__ , ## args)
-#else
-#define DEBUGP(format, args...)
-#endif
-
-static int parse_dcc(char *data, char *data_end, u_int32_t *ip,
-                    u_int16_t *port, char **ad_beg_p, char **ad_end_p)
-/* tries to get the ip_addr and port out of a dcc command
-   return value: -1 on failure, 0 on success
-       data            pointer to first byte of DCC command data
-       data_end        pointer to last byte of dcc command data
-       ip              returns parsed ip of dcc command
-       port            returns parsed port of dcc command
-       ad_beg_p        returns pointer to first byte of addr data
-       ad_end_p        returns pointer to last byte of addr data */
-{
-
-       /* at least 12: "AAAAAAAA P\1\n" */
-       while (*data++ != ' ')
-               if (data > data_end - 12)
-                       return -1;
-
-       *ad_beg_p = data;
-       *ip = simple_strtoul(data, &data, 10);
-
-       /* skip blanks between ip and port */
-       while (*data == ' ') {
-               if (data >= data_end)
-                       return -1;
-               data++;
-       }
-
-       *port = simple_strtoul(data, &data, 10);
-       *ad_end_p = data;
-
-       return 0;
-}
-
-static int help(struct sk_buff **pskb,
-               struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
-{
-       unsigned int dataoff;
-       struct tcphdr _tcph, *th;
-       char *data, *data_limit, *ib_ptr;
-       int dir = CTINFO2DIR(ctinfo);
-       struct ip_conntrack_expect *exp;
-       u32 seq;
-       u_int32_t dcc_ip;
-       u_int16_t dcc_port;
-       int i, ret = NF_ACCEPT;
-       char *addr_beg_p, *addr_end_p;
-       typeof(ip_nat_irc_hook) ip_nat_irc;
-
-       DEBUGP("entered\n");
-
-       /* If packet is coming from IRC server */
-       if (dir == IP_CT_DIR_REPLY)
-               return NF_ACCEPT;
-
-       /* Until there's been traffic both ways, don't look in packets. */
-       if (ctinfo != IP_CT_ESTABLISHED
-           && ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
-               DEBUGP("Conntrackinfo = %u\n", ctinfo);
-               return NF_ACCEPT;
-       }
-
-       /* Not a full tcp header? */
-       th = skb_header_pointer(*pskb, ip_hdrlen(*pskb),
-                               sizeof(_tcph), &_tcph);
-       if (th == NULL)
-               return NF_ACCEPT;
-
-       /* No data? */
-       dataoff = ip_hdrlen(*pskb) + th->doff * 4;
-       if (dataoff >= (*pskb)->len)
-               return NF_ACCEPT;
-
-       spin_lock_bh(&irc_buffer_lock);
-       ib_ptr = skb_header_pointer(*pskb, dataoff,
-                                   (*pskb)->len - dataoff, irc_buffer);
-       BUG_ON(ib_ptr == NULL);
-
-       data = ib_ptr;
-       data_limit = ib_ptr + (*pskb)->len - dataoff;
-
-       /* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24
-        * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */
-       while (data < (data_limit - (19 + MINMATCHLEN))) {
-               if (memcmp(data, "\1DCC ", 5)) {
-                       data++;
-                       continue;
-               }
-
-               data += 5;
-               /* we have at least (19+MINMATCHLEN)-5 bytes valid data left */
-
-               DEBUGP("DCC found in master %u.%u.%u.%u:%u %u.%u.%u.%u:%u...\n",
-                       NIPQUAD(iph->saddr), ntohs(th->source),
-                       NIPQUAD(iph->daddr), ntohs(th->dest));
-
-               for (i = 0; i < ARRAY_SIZE(dccprotos); i++) {
-                       if (memcmp(data, dccprotos[i], strlen(dccprotos[i]))) {
-                               /* no match */
-                               continue;
-                       }
-
-                       DEBUGP("DCC %s detected\n", dccprotos[i]);
-                       data += strlen(dccprotos[i]);
-                       /* we have at least
-                        * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
-                        * data left (== 14/13 bytes) */
-                       if (parse_dcc((char *)data, data_limit, &dcc_ip,
-                                      &dcc_port, &addr_beg_p, &addr_end_p)) {
-                               /* unable to parse */
-                               DEBUGP("unable to parse dcc command\n");
-                               continue;
-                       }
-                       DEBUGP("DCC bound ip/port: %u.%u.%u.%u:%u\n",
-                               HIPQUAD(dcc_ip), dcc_port);
-
-                       /* dcc_ip can be the internal OR external (NAT'ed) IP
-                        * Tiago Sousa <mirage@kaotik.org> */
-                       if (ct->tuplehash[dir].tuple.src.ip != htonl(dcc_ip)
-                           && ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.ip != htonl(dcc_ip)) {
-                               if (net_ratelimit())
-                                       printk(KERN_WARNING
-                                               "Forged DCC command from "
-                                               "%u.%u.%u.%u: %u.%u.%u.%u:%u\n",
-                               NIPQUAD(ct->tuplehash[dir].tuple.src.ip),
-                                               HIPQUAD(dcc_ip), dcc_port);
-
-                               continue;
-                       }
-
-                       exp = ip_conntrack_expect_alloc(ct);
-                       if (exp == NULL) {
-                               ret = NF_DROP;
-                               goto out;
-                       }
-
-                       /* save position of address in dcc string,
-                        * necessary for NAT */
-                       DEBUGP("tcph->seq = %u\n", th->seq);
-                       seq = ntohl(th->seq) + (addr_beg_p - ib_ptr);
-
-                       /* We refer to the reverse direction ("!dir")
-                        * tuples here, because we're expecting
-                        * something in the other * direction.
-                        * Doesn't matter unless NAT is happening.  */
-                       exp->tuple = ((struct ip_conntrack_tuple)
-                               { { 0, { 0 } },
-                                 { ct->tuplehash[!dir].tuple.dst.ip,
-                                   { .tcp = { htons(dcc_port) } },
-                                   IPPROTO_TCP }});
-                       exp->mask = ((struct ip_conntrack_tuple)
-                               { { 0, { 0 } },
-                                 { htonl(0xFFFFFFFF),
-                                       { .tcp = { htons(0xFFFF) } }, 0xFF }});
-                       exp->expectfn = NULL;
-                       exp->flags = 0;
-                       ip_nat_irc = rcu_dereference(ip_nat_irc_hook);
-                       if (ip_nat_irc)
-                               ret = ip_nat_irc(pskb, ctinfo,
-                                                addr_beg_p - ib_ptr,
-                                                addr_end_p - addr_beg_p,
-                                                exp);
-                       else if (ip_conntrack_expect_related(exp) != 0)
-                               ret = NF_DROP;
-                       ip_conntrack_expect_put(exp);
-                       goto out;
-               } /* for .. NUM_DCCPROTO */
-       } /* while data < ... */
-
- out:
-       spin_unlock_bh(&irc_buffer_lock);
-       return ret;
-}
-
-static struct ip_conntrack_helper irc_helpers[MAX_PORTS];
-static char irc_names[MAX_PORTS][sizeof("irc-65535")];
-
-static void ip_conntrack_irc_fini(void);
-
-static int __init ip_conntrack_irc_init(void)
-{
-       int i, ret;
-       struct ip_conntrack_helper *hlpr;
-       char *tmpname;
-
-       if (max_dcc_channels < 1) {
-               printk("ip_conntrack_irc: max_dcc_channels must be a positive integer\n");
-               return -EBUSY;
-       }
-
-       irc_buffer = kmalloc(65536, GFP_KERNEL);
-       if (!irc_buffer)
-               return -ENOMEM;
-
-       /* If no port given, default to standard irc port */
-       if (ports_c == 0)
-               ports[ports_c++] = IRC_PORT;
-
-       for (i = 0; i < ports_c; i++) {
-               hlpr = &irc_helpers[i];
-               hlpr->tuple.src.u.tcp.port = htons(ports[i]);
-               hlpr->tuple.dst.protonum = IPPROTO_TCP;
-               hlpr->mask.src.u.tcp.port = htons(0xFFFF);
-               hlpr->mask.dst.protonum = 0xFF;
-               hlpr->max_expected = max_dcc_channels;
-               hlpr->timeout = dcc_timeout;
-               hlpr->me = THIS_MODULE;
-               hlpr->help = help;
-
-               tmpname = &irc_names[i][0];
-               if (ports[i] == IRC_PORT)
-                       sprintf(tmpname, "irc");
-               else
-                       sprintf(tmpname, "irc-%d", i);
-               hlpr->name = tmpname;
-
-               DEBUGP("port #%d: %d\n", i, ports[i]);
-
-               ret = ip_conntrack_helper_register(hlpr);
-
-               if (ret) {
-                       printk("ip_conntrack_irc: ERROR registering port %d\n",
-                               ports[i]);
-                       ip_conntrack_irc_fini();
-                       return -EBUSY;
-               }
-       }
-       return 0;
-}
-
-/* This function is intentionally _NOT_ defined as __exit, because
- * it is needed by the init function */
-static void ip_conntrack_irc_fini(void)
-{
-       int i;
-       for (i = 0; i < ports_c; i++) {
-               DEBUGP("unregistering port %d\n",
-                      ports[i]);
-               ip_conntrack_helper_unregister(&irc_helpers[i]);
-       }
-       kfree(irc_buffer);
-}
-
-module_init(ip_conntrack_irc_init);
-module_exit(ip_conntrack_irc_fini);
diff --git a/net/ipv4/netfilter/ip_conntrack_netbios_ns.c b/net/ipv4/netfilter/ip_conntrack_netbios_ns.c
deleted file mode 100644 (file)
index df07c5f..0000000
+++ /dev/null
@@ -1,143 +0,0 @@
-/*
- *      NetBIOS name service broadcast connection tracking helper
- *
- *      (c) 2005 Patrick McHardy <kaber@trash.net>
- *
- *      This program is free software; you can redistribute it and/or
- *      modify it under the terms of the GNU General Public License
- *      as published by the Free Software Foundation; either version
- *      2 of the License, or (at your option) any later version.
- */
-/*
- *      This helper tracks locally originating NetBIOS name service
- *      requests by issuing permanent expectations (valid until
- *      timing out) matching all reply connections from the
- *      destination network. The only NetBIOS specific thing is
- *      actually the port number.
- */
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/init.h>
-#include <linux/skbuff.h>
-#include <linux/netdevice.h>
-#include <linux/inetdevice.h>
-#include <linux/if_addr.h>
-#include <linux/in.h>
-#include <linux/ip.h>
-#include <net/route.h>
-
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-
-#define NMBD_PORT      137
-
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("NetBIOS name service broadcast connection tracking helper");
-MODULE_LICENSE("GPL");
-
-static unsigned int timeout = 3;
-module_param(timeout, uint, 0400);
-MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
-
-static int help(struct sk_buff **pskb,
-               struct ip_conntrack *ct, enum ip_conntrack_info ctinfo)
-{
-       struct ip_conntrack_expect *exp;
-       struct iphdr *iph = ip_hdr(*pskb);
-       struct rtable *rt = (struct rtable *)(*pskb)->dst;
-       struct in_device *in_dev;
-       __be32 mask = 0;
-
-       /* we're only interested in locally generated packets */
-       if ((*pskb)->sk == NULL)
-               goto out;
-       if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
-               goto out;
-       if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
-               goto out;
-
-       rcu_read_lock();
-       in_dev = __in_dev_get_rcu(rt->u.dst.dev);
-       if (in_dev != NULL) {
-               for_primary_ifa(in_dev) {
-                       if (ifa->ifa_broadcast == iph->daddr) {
-                               mask = ifa->ifa_mask;
-                               break;
-                       }
-               } endfor_ifa(in_dev);
-       }
-       rcu_read_unlock();
-
-       if (mask == 0)
-               goto out;
-
-       exp = ip_conntrack_expect_alloc(ct);
-       if (exp == NULL)
-               goto out;
-
-       exp->tuple                = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
-       exp->tuple.src.u.udp.port = htons(NMBD_PORT);
-
-       exp->mask.src.ip          = mask;
-       exp->mask.src.u.udp.port  = htons(0xFFFF);
-       exp->mask.dst.ip          = htonl(0xFFFFFFFF);
-       exp->mask.dst.u.udp.port  = htons(0xFFFF);
-       exp->mask.dst.protonum    = 0xFF;
-
-       exp->expectfn             = NULL;
-       exp->flags                = IP_CT_EXPECT_PERMANENT;
-
-       ip_conntrack_expect_related(exp);
-       ip_conntrack_expect_put(exp);
-
-       ip_ct_refresh(ct, *pskb, timeout * HZ);
-out:
-       return NF_ACCEPT;
-}
-
-static struct ip_conntrack_helper helper = {
-       .name                   = "netbios-ns",
-       .tuple = {
-               .src = {
-                       .u = {
-                               .udp = {
-                                       .port   = __constant_htons(NMBD_PORT),
-                               }
-                       }
-               },
-               .dst = {
-                       .protonum       = IPPROTO_UDP,
-               },
-       },
-       .mask = {
-               .src = {
-                       .u = {
-                               .udp = {
-                                       .port   = __constant_htons(0xFFFF),
-                               }
-                       }
-               },
-               .dst = {
-                       .protonum       = 0xFF,
-               },
-       },
-       .max_expected           = 1,
-       .me                     = THIS_MODULE,
-       .help                   = help,
-};
-
-static int __init ip_conntrack_netbios_ns_init(void)
-{
-       helper.timeout = timeout;
-       return ip_conntrack_helper_register(&helper);
-}
-
-static void __exit ip_conntrack_netbios_ns_fini(void)
-{
-       ip_conntrack_helper_unregister(&helper);
-}
-
-module_init(ip_conntrack_netbios_ns_init);
-module_exit(ip_conntrack_netbios_ns_fini);
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
deleted file mode 100644 (file)
index 9228b76..0000000
+++ /dev/null
@@ -1,1577 +0,0 @@
-/* Connection tracking via netlink socket. Allows for user space
- * protocol helpers and general trouble making from userspace.
- *
- * (C) 2001 by Jay Schulist <jschlst@samba.org>
- * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
- * (C) 2003 by Patrick Mchardy <kaber@trash.net>
- * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
- *
- * I've reworked this stuff to use attributes instead of conntrack
- * structures. 5.44 am. I need more tea. --pablo 05/07/11.
- *
- * Initial connection tracking via netlink development funded and
- * generally made possible by Network Robots, Inc. (www.networkrobots.com)
- *
- * Further development of this code funded by Astaro AG (http://www.astaro.com)
- *
- * This software may be used and distributed according to the terms
- * of the GNU General Public License, incorporated herein by reference.
- */
-
-#include <linux/init.h>
-#include <linux/module.h>
-#include <linux/kernel.h>
-#include <linux/types.h>
-#include <linux/timer.h>
-#include <linux/skbuff.h>
-#include <linux/errno.h>
-#include <linux/netlink.h>
-#include <linux/spinlock.h>
-#include <linux/interrupt.h>
-#include <linux/notifier.h>
-
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4/ip_conntrack.h>
-#include <linux/netfilter_ipv4/ip_conntrack_core.h>
-#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
-#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
-#include <linux/netfilter_ipv4/ip_nat_protocol.h>
-
-#include <linux/netfilter/nfnetlink.h>
-#include <linux/netfilter/nfnetlink_conntrack.h>
-
-MODULE_LICENSE("GPL");
-
-static char __initdata version[] = "0.90";
-
-static inline int
-ctnetlink_dump_tuples_proto(struct sk_buff *skb,
-                           const struct ip_conntrack_tuple *tuple,
-                           struct ip_conntrack_protocol *proto)
-{
-       int ret = 0;
-       struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
-
-       NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
-
-       if (likely(proto->tuple_to_nfattr))
-               ret = proto->tuple_to_nfattr(skb, tuple);
-
-       NFA_NEST_END(skb, nest_parms);
-
-       return ret;
-
-nfattr_failure:
-       return -1;
-}
-
-static inline int
-ctnetlink_dump_tuples_ip(struct sk_buff *skb,
-                        const struct ip_conntrack_tuple *tuple)
-{
-       struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
-
-       NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(__be32), &tuple->src.ip);
-       NFA_PUT(skb, CTA_IP_V4_DST, sizeof(__be32), &tuple->dst.ip);
-
-       NFA_NEST_END(skb, nest_parms);
-
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-
-static inline int
-ctnetlink_dump_tuples(struct sk_buff *skb,
-                     const struct ip_conntrack_tuple *tuple)
-{
-       int ret;
-       struct ip_conntrack_protocol *proto;
-
-       ret = ctnetlink_dump_tuples_ip(skb, tuple);
-       if (unlikely(ret < 0))
-               return ret;
-
-       proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
-       ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
-       ip_conntrack_proto_put(proto);
-
-       return ret;
-}
-
-static inline int
-ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct)
-{
-       __be32 status = htonl((u_int32_t) ct->status);
-       NFA_PUT(skb, CTA_STATUS, sizeof(status), &status);
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-
-static inline int
-ctnetlink_dump_timeout(struct sk_buff *skb, const struct ip_conntrack *ct)
-{
-       long timeout_l = ct->timeout.expires - jiffies;
-       __be32 timeout;
-
-       if (timeout_l < 0)
-               timeout = 0;
-       else
-               timeout = htonl(timeout_l / HZ);
-
-       NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-
-static inline int
-ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
-{
-       struct ip_conntrack_protocol *proto = ip_conntrack_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
-
-       struct nfattr *nest_proto;
-       int ret;
-
-       if (!proto->to_nfattr) {
-               ip_conntrack_proto_put(proto);
-               return 0;
-       }
-
-       nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
-
-       ret = proto->to_nfattr(skb, nest_proto, ct);
-
-       ip_conntrack_proto_put(proto);
-
-       NFA_NEST_END(skb, nest_proto);
-
-       return ret;
-
-nfattr_failure:
-       ip_conntrack_proto_put(proto);
-       return -1;
-}
-
-static inline int
-ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
-{
-       struct nfattr *nest_helper;
-
-       if (!ct->helper)
-               return 0;
-
-       nest_helper = NFA_NEST(skb, CTA_HELP);
-       NFA_PUT(skb, CTA_HELP_NAME, strlen(ct->helper->name), ct->helper->name);
-
-       if (ct->helper->to_nfattr)
-               ct->helper->to_nfattr(skb, ct);
-
-       NFA_NEST_END(skb, nest_helper);
-
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-
-#ifdef CONFIG_IP_NF_CT_ACCT
-static inline int
-ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct,
-                       enum ip_conntrack_dir dir)
-{
-       enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
-       struct nfattr *nest_count = NFA_NEST(skb, type);
-       __be32 tmp;
-
-       tmp = htonl(ct->counters[dir].packets);
-       NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(__be32), &tmp);
-
-       tmp = htonl(ct->counters[dir].bytes);
-       NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(__be32), &tmp);
-
-       NFA_NEST_END(skb, nest_count);
-
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-#else
-#define ctnetlink_dump_counters(a, b, c) (0)
-#endif
-
-#ifdef CONFIG_IP_NF_CONNTRACK_MARK
-static inline int
-ctnetlink_dump_mark(struct sk_buff *skb, const struct ip_conntrack *ct)
-{
-       __be32 mark = htonl(ct->mark);
-
-       NFA_PUT(skb, CTA_MARK, sizeof(__be32), &mark);
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-#else
-#define ctnetlink_dump_mark(a, b) (0)
-#endif
-
-static inline int
-ctnetlink_dump_id(struct sk_buff *skb, const struct ip_conntrack *ct)
-{
-       __be32 id = htonl(ct->id);
-       NFA_PUT(skb, CTA_ID, sizeof(__be32), &id);
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-
-static inline int
-ctnetlink_dump_use(struct sk_buff *skb, const struct ip_conntrack *ct)
-{
-       __be32 use = htonl(atomic_read(&ct->ct_general.use));
-
-       NFA_PUT(skb, CTA_USE, sizeof(__be32), &use);
-       return 0;
-
-nfattr_failure:
-       return -1;
-}
-
-#define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
-
-static int
-ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
-                   int event, int nowait,
-                   const struct ip_conntrack *ct)
-{
-       struct nlmsghdr *nlh;
-       struct nfgenmsg *nfmsg;
-       struct nfattr *nest_parms;
-       unsigned char *b;
-
-       b = skb->tail;
-
-       event |= NFNL_SUBSYS_CTNETLINK << 8;
-       nlh    = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
-       nfmsg  = NLMSG_DATA(nlh);
-
-       nlh->nlmsg_flags    = (nowait && pid) ? NLM_F_MULTI : 0;
-       nfmsg->nfgen_family = AF_INET;
-       nfmsg->version      = NFNETLINK_V0;
-       nfmsg->res_id       = 0;
-
-       nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
-       if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
-               goto nfattr_failure;
-       NFA_NEST_END(skb, nest_parms);