Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following batch contains netfilter updates for your net-next tree:

1) Expose NFT_OSF_MAXGENRELEN maximum OS name length from the new OS
   passive fingerprint matching extension, from Fernando Fernandez.

2) Add extension to support for fine grain conntrack timeout policies
   from nf_tables. As preparation works, this patchset moves
   nf_ct_untimeout() to nf_conntrack_timeout and it also decouples the
   timeout policy from the ctnl_timeout object, most work done by
   Harsha Sharma.

3) Enable connection tracking when conntrack helper is in place.

4) Missing enumeration in uapi header when splitting original xt_osf
   to nfnetlink_osf, also from Fernando.

5) Fix a sparse warning due to incorrect typing in the nf_osf_find(),
   from Wei Yongjun.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

12 files changed, 304 insertions, 67 deletions

diff --git a/include/linux/netfilter/nfnetlink_osf.h b/include/linux/netfilter/nfnetlink_osf.h
index a7311bc03d3a..ecf7dab81e9e 100644
--- a/include/linux/netfilter/nfnetlink_osf.h
+++ b/include/linux/netfilter/nfnetlink_osf.h
@@ -4,18 +4,6 @@
 
 #include <uapi/linux/netfilter/nfnetlink_osf.h>
 
-/* Initial window size option state machine: multiple of mss, mtu or
- * plain numeric value. Can also be made as plain numeric value which
- * is not a multiple of specified value.
- */
-enum nf_osf_window_size_options {
-        OSF_WSS_PLAIN   = 0,
-        OSF_WSS_MSS,
-        OSF_WSS_MTU,
-        OSF_WSS_MODULO,
-        OSF_WSS_MAX,
-};
-
 enum osf_fmatch_states {
         /* Packet does not match the fingerprint */
         FMATCH_WRONG = 0,
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 6068c6da3eac..8465263b297d 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -77,7 +77,6 @@ struct nf_conntrack_l4proto {
                                struct nf_conntrack_tuple *t);
         const struct nla_policy *nla_policy;
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
         struct {
                 int (*nlattr_to_obj)(struct nlattr *tb[],
                                      struct net *net, void *data);
@@ -87,7 +86,6 @@ struct nf_conntrack_l4proto {
                 u16 nlattr_max;
                 const struct nla_policy *nla_policy;
         } ctnl_timeout;
-#endif
 #ifdef CONFIG_NF_CONNTRACK_PROCFS
         /* Print out the private part of the conntrack. */
         void (*print_conntrack)(struct seq_file *s, struct nf_conn *);
diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h
index 80ceb3d0291d..d5f62cc6c2ae 100644
--- a/include/net/netfilter/nf_conntrack_timeout.h
+++ b/include/net/netfilter/nf_conntrack_timeout.h
@@ -11,24 +11,28 @@
 
 #define CTNL_TIMEOUT_NAME_MAX   32
 
+struct nf_ct_timeout {
+        __u16                   l3num;
+        const struct nf_conntrack_l4proto *l4proto;
+        char                    data[0];
+};
+
 struct ctnl_timeout {
         struct list_head        head;
         struct rcu_head         rcu_head;
         refcount_t              refcnt;
         char                    name[CTNL_TIMEOUT_NAME_MAX];
-        __u16                   l3num;
-        const struct nf_conntrack_l4proto *l4proto;
-        char                    data[0];
+        struct nf_ct_timeout    timeout;
 };
 
 struct nf_conn_timeout {
-        struct ctnl_timeout __rcu *timeout;
+        struct nf_ct_timeout __rcu *timeout;
 };
 
 static inline unsigned int *
 nf_ct_timeout_data(struct nf_conn_timeout *t)
 {
-        struct ctnl_timeout *timeout;
+        struct nf_ct_timeout *timeout;
 
         timeout = rcu_dereference(t->timeout);
         if (timeout == NULL)
@@ -49,7 +53,7 @@ struct nf_conn_timeout *nf_ct_timeout_find(const struct nf_conn *ct)
 
 static inline
 struct nf_conn_timeout *nf_ct_timeout_ext_add(struct nf_conn *ct,
-                                              struct ctnl_timeout *timeout,
+                                              struct nf_ct_timeout *timeout,
                                               gfp_t gfp)
 {
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
@@ -83,6 +87,7 @@ static inline unsigned int *nf_ct_timeout_lookup(const struct nf_conn *ct)
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 int nf_conntrack_timeout_init(void);
 void nf_conntrack_timeout_fini(void);
+void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout);
 #else
 static inline int nf_conntrack_timeout_init(void)
 {
@@ -96,8 +101,8 @@ static inline void nf_conntrack_timeout_fini(void)
 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
-extern struct ctnl_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name);
-extern void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout);
+extern struct nf_ct_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name);
+extern void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout);
 #endif
 
 #endif /* _NF_CONNTRACK_TIMEOUT_H */
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 357862d948de..e23290ffdc77 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -8,6 +8,7 @@
 #define NFT_SET_MAXNAMELEN      NFT_NAME_MAXLEN
 #define NFT_OBJ_MAXNAMELEN      NFT_NAME_MAXLEN
 #define NFT_USERDATA_MAXLEN     256
+#define NFT_OSF_MAXGENRELEN     16
 
 /**
  * enum nft_registers - nf_tables registers
@@ -957,6 +958,7 @@ enum nft_socket_keys {
  * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
+ * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
  */
 enum nft_ct_keys {
         NFT_CT_STATE,
@@ -982,6 +984,7 @@ enum nft_ct_keys {
         NFT_CT_DST_IP,
         NFT_CT_SRC_IP6,
         NFT_CT_DST_IP6,
+        NFT_CT_TIMEOUT,
         __NFT_CT_MAX
 };
 #define NFT_CT_MAX              (__NFT_CT_MAX - 1)
@@ -1410,6 +1413,15 @@ enum nft_ct_helper_attributes {
 };
 #define NFTA_CT_HELPER_MAX      (__NFTA_CT_HELPER_MAX - 1)
 
+enum nft_ct_timeout_timeout_attributes {
+        NFTA_CT_TIMEOUT_UNSPEC,
+        NFTA_CT_TIMEOUT_L3PROTO,
+        NFTA_CT_TIMEOUT_L4PROTO,
+        NFTA_CT_TIMEOUT_DATA,
+        __NFTA_CT_TIMEOUT_MAX,
+};
+#define NFTA_CT_TIMEOUT_MAX     (__NFTA_CT_TIMEOUT_MAX - 1)
+
 #define NFT_OBJECT_UNSPEC       0
 #define NFT_OBJECT_COUNTER      1
 #define NFT_OBJECT_QUOTA        2
@@ -1417,7 +1429,8 @@ enum nft_ct_helper_attributes {
 #define NFT_OBJECT_LIMIT        4
 #define NFT_OBJECT_CONNLIMIT    5
 #define NFT_OBJECT_TUNNEL       6
-#define __NFT_OBJECT_MAX        7
+#define NFT_OBJECT_CT_TIMEOUT   7
+#define __NFT_OBJECT_MAX        8
 #define NFT_OBJECT_MAX          (__NFT_OBJECT_MAX - 1)
 
 /**
diff --git a/include/uapi/linux/netfilter/nfnetlink_osf.h b/include/uapi/linux/netfilter/nfnetlink_osf.h
index 3b93fbb9fc24..76a3527df5dd 100644
--- a/include/uapi/linux/netfilter/nfnetlink_osf.h
+++ b/include/uapi/linux/netfilter/nfnetlink_osf.h
@@ -88,6 +88,18 @@ enum iana_options {
         OSFOPT_EMPTY = 255,
 };
 
+/* Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum nf_osf_window_size_options {
+        OSF_WSS_PLAIN   = 0,
+        OSF_WSS_MSS,
+        OSF_WSS_MTU,
+        OSF_WSS_MODULO,
+        OSF_WSS_MAX,
+};
+
 enum nf_osf_attr_type {
         OSF_ATTR_UNSPEC,
         OSF_ATTR_FINGER,
diff --git a/include/uapi/linux/netfilter/xt_osf.h b/include/uapi/linux/netfilter/xt_osf.h
index c56c59605c2b..24102b5286ec 100644
--- a/include/uapi/linux/netfilter/xt_osf.h
+++ b/include/uapi/linux/netfilter/xt_osf.h
@@ -46,6 +46,7 @@
 #define xt_osf_finger           nf_osf_finger
 #define xt_osf_nlmsg            nf_osf_nlmsg
 
+#define xt_osf_window_size_options      nf_osf_window_size_options
 #define xt_osf_attr_type        nf_osf_attr_type
 #define xt_osf_msg_types        nf_osf_msg_types
 
diff --git a/net/netfilter/nf_conntrack_timeout.c b/net/netfilter/nf_conntrack_timeout.c
index 46aee65f339b..91fbd183da2d 100644
--- a/net/netfilter/nf_conntrack_timeout.c
+++ b/net/netfilter/nf_conntrack_timeout.c
@@ -24,13 +24,30 @@
 #include <net/netfilter/nf_conntrack_extend.h>
 #include <net/netfilter/nf_conntrack_timeout.h>
 
-struct ctnl_timeout *
+struct nf_ct_timeout *
 (*nf_ct_timeout_find_get_hook)(struct net *net, const char *name) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook);
 
-void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout) __read_mostly;
+void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout) __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook);
 
+static int untimeout(struct nf_conn *ct, void *timeout)
+{
+        struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct);
+
+        if (timeout_ext && (!timeout || timeout_ext->timeout == timeout))
+                RCU_INIT_POINTER(timeout_ext->timeout, NULL);
+
+        /* We are not intended to delete this conntrack. */
+        return 0;
+}
+
+void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout)
+{
+        nf_ct_iterate_cleanup_net(net, untimeout, timeout, 0, 0);
+}
+EXPORT_SYMBOL_GPL(nf_ct_untimeout);
+
 static const struct nf_ct_ext_type timeout_extend = {
         .len    = sizeof(struct nf_conn_timeout),
         .align  = __alignof__(struct nf_conn_timeout),
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 4199e5300575..d46a236cdf31 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -113,13 +113,13 @@ static int cttimeout_new_timeout(struct net *net, struct sock *ctnl,
                         /* You cannot replace one timeout policy by another of
                          * different kind, sorry.
                          */
-                        if (matching->l3num != l3num ||
-                            matching->l4proto->l4proto != l4num)
+                        if (matching->timeout.l3num != l3num ||
+                            matching->timeout.l4proto->l4proto != l4num)
                                 return -EINVAL;
 
-                        return ctnl_timeout_parse_policy(&matching->data,
-                                                         matching->l4proto, net,
-                                                         cda[CTA_TIMEOUT_DATA]);
+                        return ctnl_timeout_parse_policy(&matching->timeout.data,
+                                                         matching->timeout.l4proto,
+                                                         net, cda[CTA_TIMEOUT_DATA]);
                 }
 
                 return -EBUSY;
@@ -140,14 +140,14 @@ static int cttimeout_new_timeout(struct net *net, struct sock *ctnl,
                 goto err_proto_put;
         }
 
-        ret = ctnl_timeout_parse_policy(&timeout->data, l4proto, net,
+        ret = ctnl_timeout_parse_policy(&timeout->timeout.data, l4proto, net,
                                         cda[CTA_TIMEOUT_DATA]);
         if (ret < 0)
                 goto err;
 
         strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME]));
-        timeout->l3num = l3num;
-        timeout->l4proto = l4proto;
+        timeout->timeout.l3num = l3num;
+        timeout->timeout.l4proto = l4proto;
         refcount_set(&timeout->refcnt, 1);
         list_add_tail_rcu(&timeout->head, &net->nfct_timeout_list);
 
@@ -166,7 +166,7 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
         struct nlmsghdr *nlh;
         struct nfgenmsg *nfmsg;
         unsigned int flags = portid ? NLM_F_MULTI : 0;
-        const struct nf_conntrack_l4proto *l4proto = timeout->l4proto;
+        const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto;
 
         event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event);
         nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
@@ -179,8 +179,9 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
         nfmsg->res_id = 0;
 
         if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) ||
-            nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(timeout->l3num)) ||
-            nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) ||
+            nla_put_be16(skb, CTA_TIMEOUT_L3PROTO,
+                         htons(timeout->timeout.l3num)) ||
+            nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto) ||
             nla_put_be32(skb, CTA_TIMEOUT_USE,
                          htonl(refcount_read(&timeout->refcnt))))
                 goto nla_put_failure;
@@ -194,7 +195,8 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
                 if (!nest_parms)
                         goto nla_put_failure;
 
-                ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data);
+                ret = l4proto->ctnl_timeout.obj_to_nlattr(skb,
+                                                        &timeout->timeout.data);
                 if (ret < 0)
                         goto nla_put_failure;
 
@@ -297,22 +299,6 @@ static int cttimeout_get_timeout(struct net *net, struct sock *ctnl,
         return ret;
 }
 
-static int untimeout(struct nf_conn *ct, void *timeout)
-{
-        struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct);
-
-        if (timeout_ext && (!timeout || timeout_ext->timeout == timeout))
-                RCU_INIT_POINTER(timeout_ext->timeout, NULL);
-
-        /* We are not intended to delete this conntrack. */
-        return 0;
-}
-
-static void ctnl_untimeout(struct net *net, struct ctnl_timeout *timeout)
-{
-        nf_ct_iterate_cleanup_net(net, untimeout, timeout, 0, 0);
-}
-
 /* try to delete object, fail if it is still in use. */
 static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout)
 {
@@ -324,8 +310,8 @@ static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout)
         if (refcount_dec_if_one(&timeout->refcnt)) {
                 /* We are protected by nfnl mutex. */
                 list_del_rcu(&timeout->head);
-                nf_ct_l4proto_put(timeout->l4proto);
-                ctnl_untimeout(net, timeout);
+                nf_ct_l4proto_put(timeout->timeout.l4proto);
+                nf_ct_untimeout(net, &timeout->timeout);
                 kfree_rcu(timeout, rcu_head);
         } else {
                 ret = -EBUSY;
@@ -526,8 +512,11 @@ err:
         return matching;
 }
 
-static void ctnl_timeout_put(struct ctnl_timeout *timeout)
+static void ctnl_timeout_put(struct nf_ct_timeout *t)
 {
+        struct ctnl_timeout *timeout =
+                container_of(t, struct ctnl_timeout, timeout);
+
         if (refcount_dec_and_test(&timeout->refcnt))
                 kfree_rcu(timeout, rcu_head);
 
@@ -573,11 +562,11 @@ static void __net_exit cttimeout_net_exit(struct net *net)
         struct ctnl_timeout *cur, *tmp;
 
         nf_ct_unconfirmed_destroy(net);
-        ctnl_untimeout(net, NULL);
+        nf_ct_untimeout(net, NULL);
 
         list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {
                 list_del_rcu(&cur->head);
-                nf_ct_l4proto_put(cur->l4proto);
+                nf_ct_l4proto_put(cur->timeout.l4proto);
 
                 if (refcount_dec_and_test(&cur->refcnt))
                         kfree_rcu(cur, rcu_head);
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index f9dba62c450f..00db27dfd2ff 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -271,7 +271,7 @@ const char *nf_osf_find(const struct sk_buff *skb,
 
         tcp = nf_osf_hdr_ctx_init(&ctx, skb, ip, opts);
         if (!tcp)
-                return false;
+                return NULL;
 
         list_for_each_entry_rcu(kf, &nf_osf_fingers[ctx.df], finger_entry) {
                 f = &kf->finger;
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 3bc82ee5464d..4855d4ce1c8f 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -22,6 +22,8 @@
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_labels.h>
+#include <net/netfilter/nf_conntrack_timeout.h>
+#include <net/netfilter/nf_conntrack_l4proto.h>
 
 struct nft_ct {
         enum nft_ct_keys        key:8;
@@ -765,6 +767,194 @@ static struct nft_expr_type nft_notrack_type __read_mostly = {
         .owner          = THIS_MODULE,
 };
 
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+static int
+nft_ct_timeout_parse_policy(void *timeouts,
+                            const struct nf_conntrack_l4proto *l4proto,
+                            struct net *net, const struct nlattr *attr)
+{
+        struct nlattr **tb;
+        int ret = 0;
+
+        if (!l4proto->ctnl_timeout.nlattr_to_obj)
+                return 0;
+
+        tb = kcalloc(l4proto->ctnl_timeout.nlattr_max + 1, sizeof(*tb),
+                     GFP_KERNEL);
+
+        if (!tb)
+                return -ENOMEM;
+
+        ret = nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max,
+                               attr, l4proto->ctnl_timeout.nla_policy,
+                               NULL);
+        if (ret < 0)
+                goto err;
+
+        ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, timeouts);
+
+err:
+        kfree(tb);
+        return ret;
+}
+
+struct nft_ct_timeout_obj {
+        struct nf_conn          *tmpl;
+        u8                      l4proto;
+};
+
+static void nft_ct_timeout_obj_eval(struct nft_object *obj,
+                                    struct nft_regs *regs,
+                                    const struct nft_pktinfo *pkt)
+{
+        const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+        struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
+        struct sk_buff *skb = pkt->skb;
+
+        if (ct ||
+            priv->l4proto != pkt->tprot)
+                return;
+
+        nf_ct_set(skb, priv->tmpl, IP_CT_NEW);
+}
+
+static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx,
+                                   const struct nlattr * const tb[],
+                                   struct nft_object *obj)
+{
+        const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
+        struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+        const struct nf_conntrack_l4proto *l4proto;
+        struct nf_conn_timeout *timeout_ext;
+        struct nf_ct_timeout *timeout;
+        int l3num = ctx->family;
+        struct nf_conn *tmpl;
+        __u8 l4num;
+        int ret;
+
+        if (!tb[NFTA_CT_TIMEOUT_L3PROTO] ||
+            !tb[NFTA_CT_TIMEOUT_L4PROTO] ||
+            !tb[NFTA_CT_TIMEOUT_DATA])
+                return -EINVAL;
+
+        l3num = ntohs(nla_get_be16(tb[NFTA_CT_TIMEOUT_L3PROTO]));
+        l4num = nla_get_u8(tb[NFTA_CT_TIMEOUT_L4PROTO]);
+        priv->l4proto = l4num;
+
+        l4proto = nf_ct_l4proto_find_get(l3num, l4num);
+
+        if (l4proto->l4proto != l4num) {
+                ret = -EOPNOTSUPP;
+                goto err_proto_put;
+        }
+
+        timeout = kzalloc(sizeof(struct nf_ct_timeout) +
+                          l4proto->ctnl_timeout.obj_size, GFP_KERNEL);
+        if (timeout == NULL) {
+                ret = -ENOMEM;
+                goto err_proto_put;
+        }
+
+        ret = nft_ct_timeout_parse_policy(&timeout->data, l4proto, ctx->net,
+                                          tb[NFTA_CT_TIMEOUT_DATA]);
+        if (ret < 0)
+                goto err_free_timeout;
+
+        timeout->l3num = l3num;
+        timeout->l4proto = l4proto;
+        tmpl = nf_ct_tmpl_alloc(ctx->net, zone, GFP_ATOMIC);
+        if (!tmpl) {
+                ret = -ENOMEM;
+                goto err_free_timeout;
+        }
+
+        timeout_ext = nf_ct_timeout_ext_add(tmpl, timeout, GFP_ATOMIC);
+        if (!timeout_ext) {
+                ret = -ENOMEM;
+                goto err_free_tmpl;
+        }
+
+        ret = nf_ct_netns_get(ctx->net, ctx->family);
+        if (ret < 0)
+                goto err_free_tmpl;
+
+        priv->tmpl = tmpl;
+
+        return 0;
+
+err_free_tmpl:
+        nf_ct_tmpl_free(tmpl);
+err_free_timeout:
+        kfree(timeout);
+err_proto_put:
+        nf_ct_l4proto_put(l4proto);
+        return ret;
+}
+
+static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
+                                       struct nft_object *obj)
+{
+        struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+        struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
+        struct nf_ct_timeout *timeout;
+
+        timeout = rcu_dereference_raw(t->timeout);
+        nf_ct_untimeout(ctx->net, timeout);
+        nf_ct_l4proto_put(timeout->l4proto);
+        nf_ct_netns_put(ctx->net, ctx->family);
+        nf_ct_tmpl_free(priv->tmpl);
+}
+
+static int nft_ct_timeout_obj_dump(struct sk_buff *skb,
+                                   struct nft_object *obj, bool reset)
+{
+        const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
+        const struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
+        const struct nf_ct_timeout *timeout = rcu_dereference_raw(t->timeout);
+        struct nlattr *nest_params;
+        int ret;
+
+        if (nla_put_u8(skb, NFTA_CT_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) ||
+            nla_put_be16(skb, NFTA_CT_TIMEOUT_L3PROTO, htons(timeout->l3num)))
+                return -1;
+
+        nest_params = nla_nest_start(skb, NFTA_CT_TIMEOUT_DATA | NLA_F_NESTED);
+        if (!nest_params)
+                return -1;
+
+        ret = timeout->l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data);
+        if (ret < 0)
+                return -1;
+        nla_nest_end(skb, nest_params);
+        return 0;
+}
+
+static const struct nla_policy nft_ct_timeout_policy[NFTA_CT_TIMEOUT_MAX + 1] = {
+        [NFTA_CT_TIMEOUT_L3PROTO] = {.type = NLA_U16 },
+        [NFTA_CT_TIMEOUT_L4PROTO] = {.type = NLA_U8 },
+        [NFTA_CT_TIMEOUT_DATA]    = {.type = NLA_NESTED },
+};
+
+static struct nft_object_type nft_ct_timeout_obj_type;
+
+static const struct nft_object_ops nft_ct_timeout_obj_ops = {
+        .type           = &nft_ct_timeout_obj_type,
+        .size           = sizeof(struct nft_ct_timeout_obj),
+        .eval           = nft_ct_timeout_obj_eval,
+        .init           = nft_ct_timeout_obj_init,
+        .destroy        = nft_ct_timeout_obj_destroy,
+        .dump           = nft_ct_timeout_obj_dump,
+};
+
+static struct nft_object_type nft_ct_timeout_obj_type __read_mostly = {
+        .type           = NFT_OBJECT_CT_TIMEOUT,
+        .ops            = &nft_ct_timeout_obj_ops,
+        .maxattr        = NFTA_CT_TIMEOUT_MAX,
+        .policy         = nft_ct_timeout_policy,
+        .owner          = THIS_MODULE,
+};
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
+
 static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
                                   const struct nlattr * const tb[],
                                   struct nft_object *obj)
@@ -773,6 +963,7 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
         struct nf_conntrack_helper *help4, *help6;
         char name[NF_CT_HELPER_NAME_LEN];
         int family = ctx->family;
+        int err;
 
         if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
                 return -EINVAL;
@@ -823,7 +1014,18 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
         priv->helper4 = help4;
         priv->helper6 = help6;
 
+        err = nf_ct_netns_get(ctx->net, ctx->family);
+        if (err < 0)
+                goto err_put_helper;
+
         return 0;
+
+err_put_helper:
+        if (priv->helper4)
+                nf_conntrack_helper_put(priv->helper4);
+        if (priv->helper6)
+                nf_conntrack_helper_put(priv->helper6);
+        return err;
 }
 
 static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
@@ -835,6 +1037,8 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
                 nf_conntrack_helper_put(priv->helper4);
         if (priv->helper6)
                 nf_conntrack_helper_put(priv->helper6);
+
+        nf_ct_netns_put(ctx->net, ctx->family);
 }
 
 static void nft_ct_helper_obj_eval(struct nft_object *obj,
@@ -949,9 +1153,17 @@ static int __init nft_ct_module_init(void)
         err = nft_register_obj(&nft_ct_helper_obj_type);
         if (err < 0)
                 goto err2;
-
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+        err = nft_register_obj(&nft_ct_timeout_obj_type);
+        if (err < 0)
+                goto err3;
+#endif
         return 0;
 
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+err3:
+        nft_unregister_obj(&nft_ct_helper_obj_type);
+#endif
 err2:
         nft_unregister_expr(&nft_notrack_type);
 err1:
@@ -961,6 +1173,9 @@ err1:
 
 static void __exit nft_ct_module_exit(void)
 {
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
+        nft_unregister_obj(&nft_ct_timeout_obj_type);
+#endif
         nft_unregister_obj(&nft_ct_helper_obj_type);
         nft_unregister_expr(&nft_notrack_type);
         nft_unregister_expr(&nft_ct_type);
@@ -974,3 +1189,4 @@ MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_ALIAS_NFT_EXPR("ct");
 MODULE_ALIAS_NFT_EXPR("notrack");
 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER);
+MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT);
diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
index 9b2f3de7be4f..5af74b37f423 100644
--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -4,8 +4,6 @@
 #include <net/netfilter/nf_tables.h>
 #include <linux/netfilter/nfnetlink_osf.h>
 
-#define OSF_GENRE_SIZE          32
-
 struct nft_osf {
         enum nft_registers      dreg:8;
 };
@@ -37,9 +35,9 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
 
         os_name = nf_osf_find(skb, nf_osf_fingers);
         if (!os_name)
-                strncpy((char *)dest, "unknown", IFNAMSIZ);
+                strncpy((char *)dest, "unknown", NFT_OSF_MAXGENRELEN);
         else
-                strncpy((char *)dest, os_name, IFNAMSIZ);
+                strncpy((char *)dest, os_name, NFT_OSF_MAXGENRELEN);
 }
 
 static int nft_osf_init(const struct nft_ctx *ctx,
@@ -51,7 +49,7 @@ static int nft_osf_init(const struct nft_ctx *ctx,
 
         priv->dreg = nft_parse_register(tb[NFTA_OSF_DREG]);
         err = nft_validate_register_store(ctx, priv->dreg, NULL,
-                                          NFTA_DATA_VALUE, OSF_GENRE_SIZE);
+                                          NFTA_DATA_VALUE, NFT_OSF_MAXGENRELEN);
         if (err < 0)
                 return err;
 
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 7ba454e9e3fa..89457efd2e00 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -104,7 +104,7 @@ xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
 }
 
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
-static void __xt_ct_tg_timeout_put(struct ctnl_timeout *timeout)
+static void __xt_ct_tg_timeout_put(struct nf_ct_timeout *timeout)
 {
         typeof(nf_ct_timeout_put_hook) timeout_put;
 
@@ -121,7 +121,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
         const struct nf_conntrack_l4proto *l4proto;
-        struct ctnl_timeout *timeout;
+        struct nf_ct_timeout *timeout;
         struct nf_conn_timeout *timeout_ext;
         const char *errmsg = NULL;
         int ret = 0;