15 files changed, 270 insertions, 118 deletions

diff --git a/include/linux/netfilter/Kbuild b/include/linux/netfilter/Kbuild
index af9d2fb97212..2aea50399c0b 100644
--- a/include/linux/netfilter/Kbuild
+++ b/include/linux/netfilter/Kbuild
@@ -33,6 +33,7 @@ header-y += xt_limit.h
 header-y += xt_mac.h
 header-y += xt_mark.h
 header-y += xt_multiport.h
+header-y += xt_osf.h
 header-y += xt_owner.h
 header-y += xt_pkttype.h
 header-y += xt_quota.h
diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 885cbe282260..a8248ee422b7 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -75,75 +75,6 @@ enum ip_conntrack_status {
         IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
 };
 
-/* Connection tracking event bits */
-enum ip_conntrack_events
-{
-        /* New conntrack */
-        IPCT_NEW_BIT = 0,
-        IPCT_NEW = (1 << IPCT_NEW_BIT),
-
-        /* Expected connection */
-        IPCT_RELATED_BIT = 1,
-        IPCT_RELATED = (1 << IPCT_RELATED_BIT),
-
-        /* Destroyed conntrack */
-        IPCT_DESTROY_BIT = 2,
-        IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
-
-        /* Timer has been refreshed */
-        IPCT_REFRESH_BIT = 3,
-        IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
-
-        /* Status has changed */
-        IPCT_STATUS_BIT = 4,
-        IPCT_STATUS = (1 << IPCT_STATUS_BIT),
-
-        /* Update of protocol info */
-        IPCT_PROTOINFO_BIT = 5,
-        IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
-
-        /* Volatile protocol info */
-        IPCT_PROTOINFO_VOLATILE_BIT = 6,
-        IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
-
-        /* New helper for conntrack */
-        IPCT_HELPER_BIT = 7,
-        IPCT_HELPER = (1 << IPCT_HELPER_BIT),
-
-        /* Update of helper info */
-        IPCT_HELPINFO_BIT = 8,
-        IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
-
-        /* Volatile helper info */
-        IPCT_HELPINFO_VOLATILE_BIT = 9,
-        IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
-
-        /* NAT info */
-        IPCT_NATINFO_BIT = 10,
-        IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
-
-        /* Counter highest bit has been set, unused */
-        IPCT_COUNTER_FILLING_BIT = 11,
-        IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
-
-        /* Mark is set */
-        IPCT_MARK_BIT = 12,
-        IPCT_MARK = (1 << IPCT_MARK_BIT),
-
-        /* NAT sequence adjustment */
-        IPCT_NATSEQADJ_BIT = 13,
-        IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
-
-        /* Secmark is set */
-        IPCT_SECMARK_BIT = 14,
-        IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
-};
-
-enum ip_conntrack_expect_events {
-        IPEXP_NEW_BIT = 0,
-        IPEXP_NEW = (1 << IPEXP_NEW_BIT),
-};
-
 #ifdef __KERNEL__
 struct ip_conntrack_stat
 {
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h
index b2f384d42611..4352feed2377 100644
--- a/include/linux/netfilter/nf_conntrack_tcp.h
+++ b/include/linux/netfilter/nf_conntrack_tcp.h
@@ -15,7 +15,8 @@ enum tcp_conntrack {
         TCP_CONNTRACK_LAST_ACK,
         TCP_CONNTRACK_TIME_WAIT,
         TCP_CONNTRACK_CLOSE,
-        TCP_CONNTRACK_LISTEN,
+        TCP_CONNTRACK_LISTEN,   /* obsolete */
+#define TCP_CONNTRACK_SYN_SENT2 TCP_CONNTRACK_LISTEN
         TCP_CONNTRACK_MAX,
         TCP_CONNTRACK_IGNORE
 };
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index c600083cbdf5..bff4d5741d98 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -46,7 +46,8 @@ struct nfgenmsg {
 #define NFNL_SUBSYS_CTNETLINK_EXP       2
 #define NFNL_SUBSYS_QUEUE               3
 #define NFNL_SUBSYS_ULOG                4
-#define NFNL_SUBSYS_COUNT               5
+#define NFNL_SUBSYS_OSF                 5
+#define NFNL_SUBSYS_COUNT               6
 
 #ifdef __KERNEL__
 
@@ -75,7 +76,7 @@ extern int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n);
 
 extern int nfnetlink_has_listeners(unsigned int group);
 extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, 
-                          int echo);
+                          int echo, gfp_t flags);
 extern void nfnetlink_set_err(u32 pid, u32 group, int error);
 extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
 
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
index 1a865e48b8eb..ed4ef8d0b11b 100644
--- a/include/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -101,6 +101,7 @@ enum ctattr_protoinfo_dccp {
         CTA_PROTOINFO_DCCP_UNSPEC,
         CTA_PROTOINFO_DCCP_STATE,
         CTA_PROTOINFO_DCCP_ROLE,
+        CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
         __CTA_PROTOINFO_DCCP_MAX,
 };
 #define CTA_PROTOINFO_DCCP_MAX (__CTA_PROTOINFO_DCCP_MAX - 1)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index c9efe039dc57..1030b7593898 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -184,9 +184,10 @@ struct xt_counters_info
  * @matchinfo:  per-match data
  * @fragoff:    packet is a fragment, this is the data offset
  * @thoff:      position of transport header relative to skb->data
- * @hotdrop:    drop packet if we had inspection problems
+ * @hook:       hook number given packet came from
  * @family:     Actual NFPROTO_* through which the function is invoked
  *              (helpful when match->family == NFPROTO_UNSPEC)
+ * @hotdrop:    drop packet if we had inspection problems
  */
 struct xt_match_param {
         const struct net_device *in, *out;
@@ -194,8 +195,9 @@ struct xt_match_param {
         const void *matchinfo;
         int fragoff;
         unsigned int thoff;
-        bool *hotdrop;
+        unsigned int hooknum;
         u_int8_t family;
+        bool *hotdrop;
 };
 
 /**
diff --git a/include/linux/netfilter/xt_NFQUEUE.h b/include/linux/netfilter/xt_NFQUEUE.h
index 982a89f78272..2584f4a777de 100644
--- a/include/linux/netfilter/xt_NFQUEUE.h
+++ b/include/linux/netfilter/xt_NFQUEUE.h
@@ -15,4 +15,9 @@ struct xt_NFQ_info {
         __u16 queuenum;
 };
 
+struct xt_NFQ_info_v1 {
+        __u16 queuenum;
+        __u16 queues_total;
+};
+
 #endif /* _XT_NFQ_TARGET_H */
diff --git a/include/linux/netfilter/xt_osf.h b/include/linux/netfilter/xt_osf.h
new file mode 100644
index 000000000000..fd2272e0959a
--- /dev/null
+++ b/include/linux/netfilter/xt_osf.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (c) 2003+ Evgeniy Polyakov <johnpol@2ka.mxt.ru>
+ *
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+#ifndef _XT_OSF_H
+#define _XT_OSF_H
+
+#define MAXGENRELEN             32
+
+#define XT_OSF_GENRE            (1<<0)
+#define XT_OSF_TTL              (1<<1)
+#define XT_OSF_LOG              (1<<2)
+#define XT_OSF_INVERT           (1<<3)
+
+#define XT_OSF_LOGLEVEL_ALL     0       /* log all matched fingerprints */
+#define XT_OSF_LOGLEVEL_FIRST   1       /* log only the first matced fingerprint */
+#define XT_OSF_LOGLEVEL_ALL_KNOWN       2 /* do not log unknown packets */
+
+#define XT_OSF_TTL_TRUE         0       /* True ip and fingerprint TTL comparison */
+#define XT_OSF_TTL_LESS         1       /* Check if ip TTL is less than fingerprint one */
+#define XT_OSF_TTL_NOCHECK      2       /* Do not compare ip and fingerprint TTL at all */
+
+struct xt_osf_info {
+        char                    genre[MAXGENRELEN];
+        __u32                   len;
+        __u32                   flags;
+        __u32                   loglevel;
+        __u32                   ttl;
+};
+
+/*
+ * Wildcard MSS (kind of).
+ * It is used to implement a state machine for the different wildcard values
+ * of the MSS and window sizes.
+ */
+struct xt_osf_wc {
+        __u32                   wc;
+        __u32                   val;
+};
+
+/*
+ * This struct represents IANA options
+ * http://www.iana.org/assignments/tcp-parameters
+ */
+struct xt_osf_opt {
+        __u16                   kind, length;
+        struct xt_osf_wc        wc;
+};
+
+struct xt_osf_user_finger {
+        struct xt_osf_wc        wss;
+
+        __u8                    ttl, df;
+        __u16                   ss, mss;
+        __u16                   opt_num;
+
+        char                    genre[MAXGENRELEN];
+        char                    version[MAXGENRELEN];
+        char                    subtype[MAXGENRELEN];
+
+        /* MAX_IPOPTLEN is maximum if all options are NOPs or EOLs */
+        struct xt_osf_opt       opt[MAX_IPOPTLEN];
+};
+
+struct xt_osf_nlmsg {
+        struct xt_osf_user_finger       f;
+        struct iphdr            ip;
+        struct tcphdr           tcp;
+};
+
+/* Defines for IANA option kinds */
+
+enum iana_options {
+        OSFOPT_EOL = 0,         /* End of options */
+        OSFOPT_NOP,             /* NOP */
+        OSFOPT_MSS,             /* Maximum segment size */
+        OSFOPT_WSO,             /* Window scale option */
+        OSFOPT_SACKP,           /* SACK permitted */
+        OSFOPT_SACK,            /* SACK */
+        OSFOPT_ECHO,
+        OSFOPT_ECHOREPLY,
+        OSFOPT_TS,              /* Timestamp option */
+        OSFOPT_POCP,            /* Partial Order Connection Permitted */
+        OSFOPT_POSP,            /* Partial Order Service Profile */
+
+        /* Others are not used in the current OSF */
+        OSFOPT_EMPTY = 255,
+};
+
+/*
+ * Initial window size option state machine: multiple of mss, mtu or
+ * plain numeric value. Can also be made as plain numeric value which
+ * is not a multiple of specified value.
+ */
+enum xt_osf_window_size_options {
+        OSF_WSS_PLAIN   = 0,
+        OSF_WSS_MSS,
+        OSF_WSS_MTU,
+        OSF_WSS_MODULO,
+        OSF_WSS_MAX,
+};
+
+/*
+ * Add/remove fingerprint from the kernel.
+ */
+enum xt_osf_msg_types {
+        OSF_MSG_ADD,
+        OSF_MSG_REMOVE,
+        OSF_MSG_MAX,
+};
+
+enum xt_osf_attr_type {
+        OSF_ATTR_UNSPEC,
+        OSF_ATTR_FINGER,
+        OSF_ATTR_MAX,
+};
+
+#endif                          /* _XT_OSF_H */
diff --git a/include/linux/netfilter/xt_socket.h b/include/linux/netfilter/xt_socket.h
new file mode 100644
index 000000000000..6f475b8ff34b
--- /dev/null
+++ b/include/linux/netfilter/xt_socket.h
@@ -0,0 +1,12 @@
+#ifndef _XT_SOCKET_H
+#define _XT_SOCKET_H
+
+enum {
+        XT_SOCKET_TRANSPARENT = 1 << 0,
+};
+
+struct xt_socket_mtinfo1 {
+        __u8 flags;
+};
+
+#endif /* _XT_SOCKET_H */
diff --git a/include/net/netfilter/ipv4/nf_conntrack_icmp.h b/include/net/netfilter/ipv4/nf_conntrack_icmp.h
deleted file mode 100644
index 3dd22cff23ec..000000000000
--- a/include/net/netfilter/ipv4/nf_conntrack_icmp.h
+++ /dev/null
@@ -1,11 +0,0 @@
-#ifndef _NF_CONNTRACK_ICMP_H
-#define _NF_CONNTRACK_ICMP_H
-/* ICMP tracking. */
-#include <asm/atomic.h>
-
-struct ip_ct_icmp
-{
-        /* Optimization: when number in == number out, forget immediately. */
-        atomic_t count;
-};
-#endif /* _NF_CONNTRACK_ICMP_H */
diff --git a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
index 86591afda29c..67edd50a398a 100644
--- a/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
+++ b/include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
@@ -9,7 +9,6 @@
 
 #ifndef _NF_CONNTRACK_ICMPV6_H
 #define _NF_CONNTRACK_ICMPV6_H
-#include <asm/atomic.h>
 
 #ifndef ICMPV6_NI_QUERY
 #define ICMPV6_NI_QUERY 139
@@ -18,10 +17,4 @@
 #define ICMPV6_NI_REPLY 140
 #endif
 
-struct nf_ct_icmpv6
-{
-        /* Optimization: when number in == number out, forget immediately. */
-        atomic_t count;
-};
-
 #endif /* _NF_CONNTRACK_ICMPV6_H */
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 6c3f964de9e1..ecc79f959076 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,7 +23,6 @@
 #include <linux/netfilter/nf_conntrack_dccp.h>
 #include <linux/netfilter/nf_conntrack_sctp.h>
 #include <linux/netfilter/nf_conntrack_proto_gre.h>
-#include <net/netfilter/ipv4/nf_conntrack_icmp.h>
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 
 #include <net/netfilter/nf_conntrack_tuple.h>
@@ -34,8 +33,6 @@ union nf_conntrack_proto {
         struct nf_ct_dccp dccp;
         struct ip_ct_sctp sctp;
         struct ip_ct_tcp tcp;
-        struct ip_ct_icmp icmp;
-        struct nf_ct_icmpv6 icmpv6;
         struct nf_ct_gre gre;
 };
 
@@ -96,6 +93,8 @@ struct nf_conn {
            plus 1 for any connection(s) we are `master' for */
         struct nf_conntrack ct_general;
 
+        spinlock_t lock;
+
         /* XXX should I move this to the tail ? - Y.K */
         /* These are my tuples; original and reply */
         struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
@@ -144,6 +143,8 @@ static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
         return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
 }
 
+#define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
+
 /* get master conntrack via master expectation */
 #define master_ct(conntr) (conntr->master)
 
@@ -201,7 +202,7 @@ __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
 
 extern void nf_conntrack_hash_insert(struct nf_conn *ct);
 
-extern void nf_conntrack_flush(struct net *net, u32 pid, int report);
+extern void nf_conntrack_flush_report(struct net *net, u32 pid, int report);
 
 extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
                               unsigned int nhoff, u_int16_t l3num,
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 0ff0dc69ca4a..1afb907e015a 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -6,11 +6,55 @@
 #define _NF_CONNTRACK_ECACHE_H
 #include <net/netfilter/nf_conntrack.h>
 
-#include <linux/notifier.h>
 #include <linux/interrupt.h>
 #include <net/net_namespace.h>
 #include <net/netfilter/nf_conntrack_expect.h>
 
+/* Connection tracking event bits */
+enum ip_conntrack_events
+{
+        /* New conntrack */
+        IPCT_NEW_BIT = 0,
+        IPCT_NEW = (1 << IPCT_NEW_BIT),
+
+        /* Expected connection */
+        IPCT_RELATED_BIT = 1,
+        IPCT_RELATED = (1 << IPCT_RELATED_BIT),
+
+        /* Destroyed conntrack */
+        IPCT_DESTROY_BIT = 2,
+        IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
+
+        /* Status has changed */
+        IPCT_STATUS_BIT = 3,
+        IPCT_STATUS = (1 << IPCT_STATUS_BIT),
+
+        /* Update of protocol info */
+        IPCT_PROTOINFO_BIT = 4,
+        IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
+
+        /* New helper for conntrack */
+        IPCT_HELPER_BIT = 5,
+        IPCT_HELPER = (1 << IPCT_HELPER_BIT),
+
+        /* Mark is set */
+        IPCT_MARK_BIT = 6,
+        IPCT_MARK = (1 << IPCT_MARK_BIT),
+
+        /* NAT sequence adjustment */
+        IPCT_NATSEQADJ_BIT = 7,
+        IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
+
+        /* Secmark is set */
+        IPCT_SECMARK_BIT = 8,
+        IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
+};
+
+enum ip_conntrack_expect_events {
+        IPEXP_NEW_BIT = 0,
+        IPEXP_NEW = (1 << IPEXP_NEW_BIT),
+};
+
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 struct nf_conntrack_ecache {
         struct nf_conn *ct;
@@ -24,9 +68,13 @@ struct nf_ct_event {
         int report;
 };
 
-extern struct atomic_notifier_head nf_conntrack_chain;
-extern int nf_conntrack_register_notifier(struct notifier_block *nb);
-extern int nf_conntrack_unregister_notifier(struct notifier_block *nb);
+struct nf_ct_event_notifier {
+        int (*fcn)(unsigned int events, struct nf_ct_event *item);
+};
+
+extern struct nf_ct_event_notifier *nf_conntrack_event_cb;
+extern int nf_conntrack_register_notifier(struct nf_ct_event_notifier *nb);
+extern void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *nb);
 
 extern void nf_ct_deliver_cached_events(const struct nf_conn *ct);
 extern void __nf_ct_event_cache_init(struct nf_conn *ct);
@@ -52,13 +100,23 @@ nf_conntrack_event_report(enum ip_conntrack_events event,
                           u32 pid,
                           int report)
 {
-        struct nf_ct_event item = {
-                .ct     = ct,
-                .pid    = pid,
-                .report = report
-        };
-        if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
-                atomic_notifier_call_chain(&nf_conntrack_chain, event, &item);
+        struct nf_ct_event_notifier *notify;
+
+        rcu_read_lock();
+        notify = rcu_dereference(nf_conntrack_event_cb);
+        if (notify == NULL)
+                goto out_unlock;
+
+        if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) {
+                struct nf_ct_event item = {
+                        .ct     = ct,
+                        .pid    = pid,
+                        .report = report
+                };
+                notify->fcn(event, &item);
+        }
+out_unlock:
+        rcu_read_unlock();
 }
 
 static inline void
@@ -73,9 +131,13 @@ struct nf_exp_event {
         int report;
 };
 
-extern struct atomic_notifier_head nf_ct_expect_chain;
-extern int nf_ct_expect_register_notifier(struct notifier_block *nb);
-extern int nf_ct_expect_unregister_notifier(struct notifier_block *nb);
+struct nf_exp_event_notifier {
+        int (*fcn)(unsigned int events, struct nf_exp_event *item);
+};
+
+extern struct nf_exp_event_notifier *nf_expect_event_cb;
+extern int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *nb);
+extern void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *nb);
 
 static inline void
 nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
@@ -83,12 +145,23 @@ nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
                           u32 pid,
                           int report)
 {
-        struct nf_exp_event item = {
-                .exp    = exp,
-                .pid    = pid,
-                .report = report
-        };
-        atomic_notifier_call_chain(&nf_ct_expect_chain, event, &item);
+        struct nf_exp_event_notifier *notify;
+
+        rcu_read_lock();
+        notify = rcu_dereference(nf_expect_event_cb);
+        if (notify == NULL)
+                goto out_unlock;
+
+        {
+                struct nf_exp_event item = {
+                        .exp    = exp,
+                        .pid    = pid,
+                        .report = report
+                };
+                notify->fcn(event, &item);
+        }
+out_unlock:
+        rcu_read_unlock();
 }
 
 static inline void
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index ba32ed7bdabe..3767fb41e541 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -59,11 +59,11 @@ struct nf_conntrack_l4proto
                            const struct nf_conntrack_tuple *);
 
         /* Print out the private part of the conntrack. */
-        int (*print_conntrack)(struct seq_file *s, const struct nf_conn *);
+        int (*print_conntrack)(struct seq_file *s, struct nf_conn *);
 
         /* convert protoinfo to nfnetink attributes */
         int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,
-                         const struct nf_conn *ct);
+                         struct nf_conn *ct);
         /* Calculate protoinfo nlattr size */
         int (*nlattr_size)(void);
 
diff --git a/include/net/netlink.h b/include/net/netlink.h
index eddb50289d6d..007bdb07dabb 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -940,6 +940,15 @@ static inline u64 nla_get_u64(const struct nlattr *nla)
 }
 
 /**
+ * nla_get_be64 - return payload of __be64 attribute
+ * @nla: __be64 netlink attribute
+ */
+static inline __be64 nla_get_be64(const struct nlattr *nla)
+{
+        return *(__be64 *) nla_data(nla);
+}
+
+/**
  * nla_get_flag - return payload of flag attribute
  * @nla: flag netlink attribute
  */