16 files changed, 437 insertions, 272 deletions
diff --git a/include/linux/genetlink.h b/include/linux/genetlink.h
new file mode 100644
index 000000000000..84f12a41dc01
--- /dev/null
+++ b/include/linux/genetlink.h
@@ -0,0 +1,51 @@
+#ifndef __LINUX_GENERIC_NETLINK_H
+#define __LINUX_GENERIC_NETLINK_H
+#include <linux/netlink.h>
+#define GENL_NAMSIZ     16      /* length of family name */
+#define GENL_MIN_ID     NLMSG_MIN_TYPE
+#define GENL_MAX_ID     1023
+struct genlmsghdr {
+        __u8    cmd;
+        __u8    version;
+        __u16   reserved;
+};
+#define GENL_HDRLEN     NLMSG_ALIGN(sizeof(struct genlmsghdr))
+/*
+ * List of reserved static generic netlink identifiers:
+ */
+#define GENL_ID_GENERATE        0
+#define GENL_ID_CTRL            NLMSG_MIN_TYPE
+/**************************************************************************
+ * Controller
+ **************************************************************************/
+enum {
+        CTRL_CMD_UNSPEC,
+        CTRL_CMD_NEWFAMILY,
+        CTRL_CMD_DELFAMILY,
+        CTRL_CMD_GETFAMILY,
+        CTRL_CMD_NEWOPS,
+        CTRL_CMD_DELOPS,
+        CTRL_CMD_GETOPS,
+        __CTRL_CMD_MAX,
+};
+#define CTRL_CMD_MAX (__CTRL_CMD_MAX - 1)
+enum {
+        CTRL_ATTR_UNSPEC,
+        CTRL_ATTR_FAMILY_ID,
+        CTRL_ATTR_FAMILY_NAME,
+        __CTRL_ATTR_MAX,
+};
+#define CTRL_ATTR_MAX (__CTRL_ATTR_MAX - 1)
+#endif  /* __LINUX_GENERIC_NETLINK_H */
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
new file mode 100644
index 000000000000..6d39b518486b
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -0,0 +1,159 @@
+#ifndef _NF_CONNTRACK_COMMON_H
+#define _NF_CONNTRACK_COMMON_H
+/* Connection state tracking for netfilter.  This is separated from,
+   but required by, the NAT layer; it can also be used by an iptables
+   extension. */
+enum ip_conntrack_info
+{
+        /* Part of an established connection (either direction). */
+        IP_CT_ESTABLISHED,
+        /* Like NEW, but related to an existing connection, or ICMP error
+           (in either direction). */
+        IP_CT_RELATED,
+        /* Started a new connection to track (only
+           IP_CT_DIR_ORIGINAL); may be a retransmission. */
+        IP_CT_NEW,
+        /* >= this indicates reply direction */
+        IP_CT_IS_REPLY,
+        /* Number of distinct IP_CT types (no NEW in reply dirn). */
+        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
+};
+/* Bitset representing status of connection. */
+enum ip_conntrack_status {
+        /* It's an expected connection: bit 0 set.  This bit never changed */
+        IPS_EXPECTED_BIT = 0,
+        IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
+        /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
+        IPS_SEEN_REPLY_BIT = 1,
+        IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
+        /* Conntrack should never be early-expired. */
+        IPS_ASSURED_BIT = 2,
+        IPS_ASSURED = (1 << IPS_ASSURED_BIT),
+        /* Connection is confirmed: originating packet has left box */
+        IPS_CONFIRMED_BIT = 3,
+        IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
+        /* Connection needs src nat in orig dir.  This bit never changed. */
+        IPS_SRC_NAT_BIT = 4,
+        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
+        /* Connection needs dst nat in orig dir.  This bit never changed. */
+        IPS_DST_NAT_BIT = 5,
+        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
+        /* Both together. */
+        IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
+        /* Connection needs TCP sequence adjusted. */
+        IPS_SEQ_ADJUST_BIT = 6,
+        IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
+        /* NAT initialization bits. */
+        IPS_SRC_NAT_DONE_BIT = 7,
+        IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
+        IPS_DST_NAT_DONE_BIT = 8,
+        IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
+        /* Both together */
+        IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+        /* Connection is dying (removed from lists), can not be unset. */
+        IPS_DYING_BIT = 9,
+        IPS_DYING = (1 << IPS_DYING_BIT),
+};
+/* Connection tracking event bits */
+enum ip_conntrack_events
+{
+        /* New conntrack */
+        IPCT_NEW_BIT = 0,
+        IPCT_NEW = (1 << IPCT_NEW_BIT),
+        /* Expected connection */
+        IPCT_RELATED_BIT = 1,
+        IPCT_RELATED = (1 << IPCT_RELATED_BIT),
+        /* Destroyed conntrack */
+        IPCT_DESTROY_BIT = 2,
+        IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
+        /* Timer has been refreshed */
+        IPCT_REFRESH_BIT = 3,
+        IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
+        /* Status has changed */
+        IPCT_STATUS_BIT = 4,
+        IPCT_STATUS = (1 << IPCT_STATUS_BIT),
+        /* Update of protocol info */
+        IPCT_PROTOINFO_BIT = 5,
+        IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
+        /* Volatile protocol info */
+        IPCT_PROTOINFO_VOLATILE_BIT = 6,
+        IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
+        /* New helper for conntrack */
+        IPCT_HELPER_BIT = 7,
+        IPCT_HELPER = (1 << IPCT_HELPER_BIT),
+        /* Update of helper info */
+        IPCT_HELPINFO_BIT = 8,
+        IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
+        /* Volatile helper info */
+        IPCT_HELPINFO_VOLATILE_BIT = 9,
+        IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
+        /* NAT info */
+        IPCT_NATINFO_BIT = 10,
+        IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
+        /* Counter highest bit has been set */
+        IPCT_COUNTER_FILLING_BIT = 11,
+        IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
+};
+enum ip_conntrack_expect_events {
+        IPEXP_NEW_BIT = 0,
+        IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+};
+#ifdef __KERNEL__
+struct ip_conntrack_counter
+{
+        u_int32_t packets;
+        u_int32_t bytes;
+};
+struct ip_conntrack_stat
+{
+        unsigned int searched;
+        unsigned int found;
+        unsigned int new;
+        unsigned int invalid;
+        unsigned int ignore;
+        unsigned int delete;
+        unsigned int delete_list;
+        unsigned int insert;
+        unsigned int insert_failed;
+        unsigned int drop;
+        unsigned int early_drop;
+        unsigned int error;
+        unsigned int expect_new;
+        unsigned int expect_create;
+        unsigned int expect_delete;
+};
+#endif /* __KERNEL__ */
+#endif /* _NF_CONNTRACK_COMMON_H */
diff --git a/include/linux/netfilter/nf_conntrack_ftp.h b/include/linux/netfilter/nf_conntrack_ftp.h
new file mode 100644
index 000000000000..ad4a41c9ce93
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_ftp.h
@@ -0,0 +1,44 @@
+#ifndef _NF_CONNTRACK_FTP_H
+#define _NF_CONNTRACK_FTP_H
+/* FTP tracking. */
+/* This enum is exposed to userspace */
+enum ip_ct_ftp_type
+{
+        /* PORT command from client */
+        IP_CT_FTP_PORT,
+        /* PASV response from server */
+        IP_CT_FTP_PASV,
+        /* EPRT command from client */
+        IP_CT_FTP_EPRT,
+        /* EPSV response from server */
+        IP_CT_FTP_EPSV,
+};
+#ifdef __KERNEL__
+#define FTP_PORT        21
+#define NUM_SEQ_TO_REMEMBER 2
+/* This structure exists only once per master */
+struct ip_ct_ftp_master {
+        /* Valid seq positions for cmd matching after newline */
+        u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
+        /* 0 means seq_match_aft_nl not set */
+        int seq_aft_nl_num[IP_CT_DIR_MAX];
+};
+struct ip_conntrack_expect;
+/* For NAT to hook in when we find a packet which describes what other
+ * connection we should expect. */
+extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
+                                       enum ip_conntrack_info ctinfo,
+                                       enum ip_ct_ftp_type type,
+                                       unsigned int matchoff,
+                                       unsigned int matchlen,
+                                       struct ip_conntrack_expect *exp,
+                                       u32 *seq);
+#endif /* __KERNEL__ */
+#endif /* _NF_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_sctp.h b/include/linux/netfilter/nf_conntrack_sctp.h
new file mode 100644
index 000000000000..b8994d9fd1a9
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_sctp.h
@@ -0,0 +1,27 @@
+#ifndef _NF_CONNTRACK_SCTP_H
+#define _NF_CONNTRACK_SCTP_H
+/* SCTP tracking. */
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+enum sctp_conntrack {
+        SCTP_CONNTRACK_NONE,
+        SCTP_CONNTRACK_CLOSED,
+        SCTP_CONNTRACK_COOKIE_WAIT,
+        SCTP_CONNTRACK_COOKIE_ECHOED,
+        SCTP_CONNTRACK_ESTABLISHED,
+        SCTP_CONNTRACK_SHUTDOWN_SENT,
+        SCTP_CONNTRACK_SHUTDOWN_RECD,
+        SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
+        SCTP_CONNTRACK_MAX
+};
+struct ip_ct_sctp
+{
+        enum sctp_conntrack state;
+        u_int32_t vtag[IP_CT_DIR_MAX];
+        u_int32_t ttag[IP_CT_DIR_MAX];
+};
+#endif /* _NF_CONNTRACK_SCTP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
new file mode 100644
index 000000000000..b2feeffde384
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -0,0 +1,56 @@
+#ifndef _NF_CONNTRACK_TCP_H
+#define _NF_CONNTRACK_TCP_H
+/* TCP tracking. */
+/* This is exposed to userspace (ctnetlink) */
+enum tcp_conntrack {
+        TCP_CONNTRACK_NONE,
+        TCP_CONNTRACK_SYN_SENT,
+        TCP_CONNTRACK_SYN_RECV,
+        TCP_CONNTRACK_ESTABLISHED,
+        TCP_CONNTRACK_FIN_WAIT,
+        TCP_CONNTRACK_CLOSE_WAIT,
+        TCP_CONNTRACK_LAST_ACK,
+        TCP_CONNTRACK_TIME_WAIT,
+        TCP_CONNTRACK_CLOSE,
+        TCP_CONNTRACK_LISTEN,
+        TCP_CONNTRACK_MAX,
+        TCP_CONNTRACK_IGNORE
+};
+/* Window scaling is advertised by the sender */
+#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01
+/* SACK is permitted by the sender */
+#define IP_CT_TCP_FLAG_SACK_PERM                0x02
+/* This sender sent FIN first */
+#define IP_CT_TCP_FLAG_CLOSE_INIT               0x03
+#ifdef __KERNEL__
+struct ip_ct_tcp_state {
+        u_int32_t       td_end;         /* max of seq + len */
+        u_int32_t       td_maxend;      /* max of ack + max(win, 1) */
+        u_int32_t       td_maxwin;      /* max(win) */
+        u_int8_t        td_scale;       /* window scale factor */
+        u_int8_t        loose;          /* used when connection picked up from the middle */
+        u_int8_t        flags;          /* per direction options */
+};
+struct ip_ct_tcp
+{
+        struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
+        u_int8_t        state;          /* state of the connection (enum tcp_conntrack) */
+        /* For detecting stale connections */
+        u_int8_t        last_dir;       /* Direction of the last packet (enum ip_conntrack_dir) */
+        u_int8_t        retrans;        /* Number of retransmitted packets */
+        u_int8_t        last_index;     /* Index of the last packet */
+        u_int32_t       last_seq;       /* Last sequence number seen in dir */
+        u_int32_t       last_ack;       /* Last sequence number seen in opposite dir */
+        u_int32_t       last_end;       /* Last seq + len */
+};
+#endif /* __KERNEL__ */
+#endif /* _NF_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
new file mode 100644
index 000000000000..8e145f0d61cb
--- /dev/null
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -0,0 +1,13 @@
+#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
+#define _NF_CONNTRACK_TUPLE_COMMON_H
+enum ip_conntrack_dir
+{
+        IP_CT_DIR_ORIGINAL,
+        IP_CT_DIR_REPLY,
+        IP_CT_DIR_MAX
+};
+#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
+#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index d078bb91d9e5..b3432ab59a17 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -1,132 +1,7 @@
 #ifndef _IP_CONNTRACK_H
 #define _IP_CONNTRACK_H
-/* Connection state tracking for netfilter.  This is separated from,
-   but required by, the NAT layer; it can also be used by an iptables
-   extension. */
-enum ip_conntrack_info
-{
-        /* Part of an established connection (either direction). */
-        IP_CT_ESTABLISHED,
-        /* Like NEW, but related to an existing connection, or ICMP error
-           (in either direction). */
-        IP_CT_RELATED,
-        /* Started a new connection to track (only
-           IP_CT_DIR_ORIGINAL); may be a retransmission. */
-        IP_CT_NEW,
-        /* >= this indicates reply direction */
-        IP_CT_IS_REPLY,
-        /* Number of distinct IP_CT types (no NEW in reply dirn). */
-        IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
-};
-/* Bitset representing status of connection. */
-enum ip_conntrack_status {
-        /* It's an expected connection: bit 0 set.  This bit never changed */
-        IPS_EXPECTED_BIT = 0,
-        IPS_EXPECTED = (1 << IPS_EXPECTED_BIT),
-        /* We've seen packets both ways: bit 1 set.  Can be set, not unset. */
-        IPS_SEEN_REPLY_BIT = 1,
-        IPS_SEEN_REPLY = (1 << IPS_SEEN_REPLY_BIT),
-        /* Conntrack should never be early-expired. */
-        IPS_ASSURED_BIT = 2,
-        IPS_ASSURED = (1 << IPS_ASSURED_BIT),
-        /* Connection is confirmed: originating packet has left box */
-        IPS_CONFIRMED_BIT = 3,
-        IPS_CONFIRMED = (1 << IPS_CONFIRMED_BIT),
-        /* Connection needs src nat in orig dir.  This bit never changed. */
-        IPS_SRC_NAT_BIT = 4,
-        IPS_SRC_NAT = (1 << IPS_SRC_NAT_BIT),
-        /* Connection needs dst nat in orig dir.  This bit never changed. */
-        IPS_DST_NAT_BIT = 5,
-        IPS_DST_NAT = (1 << IPS_DST_NAT_BIT),
-        /* Both together. */
-        IPS_NAT_MASK = (IPS_DST_NAT | IPS_SRC_NAT),
-        /* Connection needs TCP sequence adjusted. */
-        IPS_SEQ_ADJUST_BIT = 6,
-        IPS_SEQ_ADJUST = (1 << IPS_SEQ_ADJUST_BIT),
-        /* NAT initialization bits. */
-        IPS_SRC_NAT_DONE_BIT = 7,
-        IPS_SRC_NAT_DONE = (1 << IPS_SRC_NAT_DONE_BIT),
-        IPS_DST_NAT_DONE_BIT = 8,
-        IPS_DST_NAT_DONE = (1 << IPS_DST_NAT_DONE_BIT),
-        /* Both together */
-        IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
-        /* Connection is dying (removed from lists), can not be unset. */
-        IPS_DYING_BIT = 9,
-        IPS_DYING = (1 << IPS_DYING_BIT),
-};
-/* Connection tracking event bits */
-enum ip_conntrack_events
-{
-        /* New conntrack */
-        IPCT_NEW_BIT = 0,
-        IPCT_NEW = (1 << IPCT_NEW_BIT),
-        /* Expected connection */
-        IPCT_RELATED_BIT = 1,
-        IPCT_RELATED = (1 << IPCT_RELATED_BIT),
-        /* Destroyed conntrack */
-        IPCT_DESTROY_BIT = 2,
-        IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
-        /* Timer has been refreshed */
-        IPCT_REFRESH_BIT = 3,
-        IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
-        /* Status has changed */
-        IPCT_STATUS_BIT = 4,
-        IPCT_STATUS = (1 << IPCT_STATUS_BIT),
-        /* Update of protocol info */
-        IPCT_PROTOINFO_BIT = 5,
-        IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
-        /* Volatile protocol info */
-        IPCT_PROTOINFO_VOLATILE_BIT = 6,
-        IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
-        /* New helper for conntrack */
-        IPCT_HELPER_BIT = 7,
-        IPCT_HELPER = (1 << IPCT_HELPER_BIT),
-        /* Update of helper info */
-        IPCT_HELPINFO_BIT = 8,
-        IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
-        /* Volatile helper info */
-        IPCT_HELPINFO_VOLATILE_BIT = 9,
-        IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
-        /* NAT info */
+#include <linux/netfilter/nf_conntrack_common.h>
-        IPCT_NATINFO_BIT = 10,
-        IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
-        /* Counter highest bit has been set */
-        IPCT_COUNTER_FILLING_BIT = 11,
-        IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
-};
-enum ip_conntrack_expect_events {
-        IPEXP_NEW_BIT = 0,
-        IPEXP_NEW = (1 << IPEXP_NEW_BIT),
-};
 #ifdef __KERNEL__
 #include <linux/config.h>
@@ -194,12 +69,6 @@ do {									\
 #define IP_NF_ASSERT(x)
 #endif
-struct ip_conntrack_counter
-{
-        u_int32_t packets;
-        u_int32_t bytes;
-};
 struct ip_conntrack_helper;
 struct ip_conntrack
@@ -426,25 +295,6 @@ static inline int is_dying(struct ip_conntrack *ct)
 extern unsigned int ip_conntrack_htable_size;
 
-struct ip_conntrack_stat
-{
-        unsigned int searched;
-        unsigned int found;
-        unsigned int new;
-        unsigned int invalid;
-        unsigned int ignore;
-        unsigned int delete;
-        unsigned int delete_list;
-        unsigned int insert;
-        unsigned int insert_failed;
-        unsigned int drop;
-        unsigned int early_drop;
-        unsigned int error;
-        unsigned int expect_new;
-        unsigned int expect_create;
-        unsigned int expect_delete;
-};
 #define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_ftp.h b/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
index 5f06429b9047..63811934de4d 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_ftp.h
@@ -1,43 +1,6 @@
 #ifndef _IP_CONNTRACK_FTP_H
 #define _IP_CONNTRACK_FTP_H
-/* FTP tracking. */
-#ifdef __KERNEL__
+#include <linux/netfilter/nf_conntrack_ftp.h>
-#define FTP_PORT        21
-#endif /* __KERNEL__ */
-enum ip_ct_ftp_type
-{
-        /* PORT command from client */
-        IP_CT_FTP_PORT,
-        /* PASV response from server */
-        IP_CT_FTP_PASV,
-        /* EPRT command from client */
-        IP_CT_FTP_EPRT,
-        /* EPSV response from server */
-        IP_CT_FTP_EPSV,
-};
-#define NUM_SEQ_TO_REMEMBER 2
-/* This structure exists only once per master */
-struct ip_ct_ftp_master {
-        /* Valid seq positions for cmd matching after newline */
-        u_int32_t seq_aft_nl[IP_CT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
-        /* 0 means seq_match_aft_nl not set */
-        int seq_aft_nl_num[IP_CT_DIR_MAX];
-};
-struct ip_conntrack_expect;
-/* For NAT to hook in when we find a packet which describes what other
- * connection we should expect. */
-extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
-                                       enum ip_conntrack_info ctinfo,
-                                       enum ip_ct_ftp_type type,
-                                       unsigned int matchoff,
-                                       unsigned int matchlen,
-                                       struct ip_conntrack_expect *exp,
-                                       u32 *seq);
 #endif /* _IP_CONNTRACK_FTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_icmp.h b/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
index f1664abbe392..eed5ee3e4744 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_icmp.h
@@ -1,11 +1,6 @@
 #ifndef _IP_CONNTRACK_ICMP_H
 #define _IP_CONNTRACK_ICMP_H
-/* ICMP tracking. */
-#include <asm/atomic.h>
-struct ip_ct_icmp
+#include <net/netfilter/ipv4/nf_conntrack_icmp.h>
-{
-        /* Optimization: when number in == number out, forget immediately. */
-        atomic_t count;
-};
 #endif /* _IP_CONNTRACK_ICMP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_sctp.h b/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
index 7a8d869321f7..4099a041a32a 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_sctp.h
@@ -1,25 +1,6 @@
 #ifndef _IP_CONNTRACK_SCTP_H
 #define _IP_CONNTRACK_SCTP_H
-/* SCTP tracking. */
-enum sctp_conntrack {
+#include <linux/netfilter/nf_conntrack_sctp.h>
-        SCTP_CONNTRACK_NONE,
-        SCTP_CONNTRACK_CLOSED,
-        SCTP_CONNTRACK_COOKIE_WAIT,
-        SCTP_CONNTRACK_COOKIE_ECHOED,
-        SCTP_CONNTRACK_ESTABLISHED,
-        SCTP_CONNTRACK_SHUTDOWN_SENT,
-        SCTP_CONNTRACK_SHUTDOWN_RECD,
-        SCTP_CONNTRACK_SHUTDOWN_ACK_SENT,
-        SCTP_CONNTRACK_MAX
-};
-struct ip_ct_sctp
-{
-        enum sctp_conntrack state;
-        u_int32_t vtag[IP_CT_DIR_MAX];
-        u_int32_t ttag[IP_CT_DIR_MAX];
-};
 #endif /* _IP_CONNTRACK_SCTP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
index 16da044d97a7..876b8fb17e68 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
@@ -1,51 +1,6 @@
 #ifndef _IP_CONNTRACK_TCP_H
 #define _IP_CONNTRACK_TCP_H
-/* TCP tracking. */
-enum tcp_conntrack {
+#include <linux/netfilter/nf_conntrack_tcp.h>
-        TCP_CONNTRACK_NONE,
-        TCP_CONNTRACK_SYN_SENT,
-        TCP_CONNTRACK_SYN_RECV,
-        TCP_CONNTRACK_ESTABLISHED,
-        TCP_CONNTRACK_FIN_WAIT,
-        TCP_CONNTRACK_CLOSE_WAIT,
-        TCP_CONNTRACK_LAST_ACK,
-        TCP_CONNTRACK_TIME_WAIT,
-        TCP_CONNTRACK_CLOSE,
-        TCP_CONNTRACK_LISTEN,
-        TCP_CONNTRACK_MAX,
-        TCP_CONNTRACK_IGNORE
-};
-/* Window scaling is advertised by the sender */
-#define IP_CT_TCP_FLAG_WINDOW_SCALE             0x01
-/* SACK is permitted by the sender */
-#define IP_CT_TCP_FLAG_SACK_PERM                0x02
-/* This sender sent FIN first */
-#define IP_CT_TCP_FLAG_CLOSE_INIT               0x03
-struct ip_ct_tcp_state {
-        u_int32_t       td_end;         /* max of seq + len */
-        u_int32_t       td_maxend;      /* max of ack + max(win, 1) */
-        u_int32_t       td_maxwin;      /* max(win) */
-        u_int8_t        td_scale;       /* window scale factor */
-        u_int8_t        loose;          /* used when connection picked up from the middle */
-        u_int8_t        flags;          /* per direction options */
-};
-struct ip_ct_tcp
-{
-        struct ip_ct_tcp_state seen[2]; /* connection parameters per direction */
-        u_int8_t        state;          /* state of the connection (enum tcp_conntrack) */
-        /* For detecting stale connections */
-        u_int8_t        last_dir;       /* Direction of the last packet (enum ip_conntrack_dir) */
-        u_int8_t        retrans;        /* Number of retransmitted packets */
-        u_int8_t        last_index;     /* Index of the last packet */
-        u_int32_t       last_seq;       /* Last sequence number seen in dir */
-        u_int32_t       last_ack;       /* Last sequence number seen in opposite dir */
-        u_int32_t       last_end;       /* Last seq + len */
-};
 #endif /* _IP_CONNTRACK_TCP_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
index 3232db11a4e5..2fdabdb4c0ef 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_tuple.h
@@ -2,6 +2,7 @@
 #define _IP_CONNTRACK_TUPLE_H
 #include <linux/types.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
 /* A `tuple' is a structure containing the information to uniquely
  identify a connection.  ie. if two packets have the same tuple, they
@@ -88,13 +89,6 @@ struct ip_conntrack_tuple
                (tuple)->dst.u.all = 0;                         \
        } while (0)
-enum ip_conntrack_dir
-{
-        IP_CT_DIR_ORIGINAL,
-        IP_CT_DIR_REPLY,
-        IP_CT_DIR_MAX
-};
 #ifdef __KERNEL__
 #define DUMP_TUPLE(tp)                                          \
@@ -103,8 +97,6 @@ DEBUGP("tuple %p: %u %u.%u.%u.%u:%hu -> %u.%u.%u.%u:%hu\n",	\
       NIPQUAD((tp)->src.ip), ntohs((tp)->src.u.all),           \
       NIPQUAD((tp)->dst.ip), ntohs((tp)->dst.u.all))
-#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
 /* If we're the first tuple, it's the original dir. */
 #define DIRECTION(h) ((enum ip_conntrack_dir)(h)->tuple.dst.dir)
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index edcc2c6eb5c7..53b2983f6278 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -59,6 +59,7 @@
 enum nf_ip6_hook_priorities {
        NF_IP6_PRI_FIRST = INT_MIN,
+        NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
        NF_IP6_PRI_SELINUX_FIRST = -225,
        NF_IP6_PRI_CONNTRACK = -200,
        NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index ba25ca874c20..6a2ccf78a356 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -71,7 +71,8 @@ struct nlmsghdr
 #define NLMSG_ALIGNTO   4
 #define NLMSG_ALIGN(len) ( ((len)+NLMSG_ALIGNTO-1) & ~(NLMSG_ALIGNTO-1) )
-#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(sizeof(struct nlmsghdr)))
+#define NLMSG_HDRLEN     ((int) NLMSG_ALIGN(sizeof(struct nlmsghdr)))
+#define NLMSG_LENGTH(len) ((len)+NLMSG_ALIGN(NLMSG_HDRLEN))
 #define NLMSG_SPACE(len) NLMSG_ALIGN(NLMSG_LENGTH(len))
 #define NLMSG_DATA(nlh)  ((void*)(((char*)nlh) + NLMSG_LENGTH(0)))
 #define NLMSG_NEXT(nlh,len)      ((len) -= NLMSG_ALIGN((nlh)->nlmsg_len), \
@@ -86,6 +87,8 @@ struct nlmsghdr
 #define NLMSG_DONE              0x3     /* End of a dump        */
 #define NLMSG_OVERRUN           0x4     /* Data lost            */
+#define NLMSG_MIN_TYPE          0x10    /* < 0x10: reserved control messages */
 struct nlmsgerr
 {
        int             error;
@@ -108,6 +111,25 @@ enum {
        NETLINK_CONNECTED,
 };
+/*
+ *  <------- NLA_HDRLEN ------> <-- NLA_ALIGN(payload)-->
+ * +---------------------+- - -+- - - - - - - - - -+- - -+
+ * |        Header       | Pad |     Payload       | Pad |
+ * |   (struct nlattr)   | ing |                   | ing |
+ * +---------------------+- - -+- - - - - - - - - -+- - -+
+ *  <-------------- nlattr->nla_len -------------->
+ */
+struct nlattr
+{
+        __u16           nla_len;
+        __u16           nla_type;
+};
+#define NLA_ALIGNTO             4
+#define NLA_ALIGN(len)          (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
+#define NLA_HDRLEN              ((int) NLA_ALIGN(sizeof(struct nlattr)))
 #ifdef __KERNEL__
 #include <linux/capability.h>
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index fdfb8fe8c38c..83010231db99 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -274,6 +274,9 @@ struct sk_buff {
 #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)
        __u8                    ipvs_property:1;
 #endif
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+        struct sk_buff          *nfct_reasm;
+#endif
 #ifdef CONFIG_BRIDGE_NETFILTER
        struct nf_bridge_info   *nf_bridge;
 #endif
@@ -1313,10 +1316,26 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct)
        if (nfct)
                atomic_inc(&nfct->use);
 }
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+static inline void nf_conntrack_get_reasm(struct sk_buff *skb)
+{
+        if (skb)
+                atomic_inc(&skb->users);
+}
+static inline void nf_conntrack_put_reasm(struct sk_buff *skb)
+{
+        if (skb)
+                kfree_skb(skb);
+}
+#endif
 static inline void nf_reset(struct sk_buff *skb)
 {
        nf_conntrack_put(skb->nfct);
        skb->nfct = NULL;
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+        nf_conntrack_put_reasm(skb->nfct_reasm);
+        skb->nfct_reasm = NULL;
+#endif
 }
 #ifdef CONFIG_BRIDGE_NETFILTER
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index fc131d6602b9..22cf5e1ac987 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -205,6 +205,7 @@ enum
        NET_ECONET=16,
        NET_SCTP=17,
        NET_LLC=18,
+        NET_NETFILTER=19,
 };
 /* /proc/sys/kernel/random */
@@ -270,6 +271,42 @@ enum
        NET_UNIX_MAX_DGRAM_QLEN=3,
 };
+/* /proc/sys/net/netfilter */
+enum
+{
+        NET_NF_CONNTRACK_MAX=1,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT=2,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV=3,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED=4,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT=5,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT=6,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK=7,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT=8,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_CLOSE=9,
+        NET_NF_CONNTRACK_UDP_TIMEOUT=10,
+        NET_NF_CONNTRACK_UDP_TIMEOUT_STREAM=11,
+        NET_NF_CONNTRACK_ICMP_TIMEOUT=12,
+        NET_NF_CONNTRACK_GENERIC_TIMEOUT=13,
+        NET_NF_CONNTRACK_BUCKETS=14,
+        NET_NF_CONNTRACK_LOG_INVALID=15,
+        NET_NF_CONNTRACK_TCP_TIMEOUT_MAX_RETRANS=16,
+        NET_NF_CONNTRACK_TCP_LOOSE=17,
+        NET_NF_CONNTRACK_TCP_BE_LIBERAL=18,
+        NET_NF_CONNTRACK_TCP_MAX_RETRANS=19,
+        NET_NF_CONNTRACK_SCTP_TIMEOUT_CLOSED=20,
+        NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_WAIT=21,
+        NET_NF_CONNTRACK_SCTP_TIMEOUT_COOKIE_ECHOED=22,
+        NET_NF_CONNTRACK_SCTP_TIMEOUT_ESTABLISHED=23,
+        NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=24,
+        NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=25,
+        NET_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26,
+        NET_NF_CONNTRACK_COUNT=27,
+        NET_NF_CONNTRACK_ICMPV6_TIMEOUT=28,
+        NET_NF_CONNTRACK_FRAG6_TIMEOUT=29,
+        NET_NF_CONNTRACK_FRAG6_LOW_THRESH=30,
+        NET_NF_CONNTRACK_FRAG6_HIGH_THRESH=31,
+};
 /* /proc/sys/net/ipv4 */
 enum
 {