From 850be7cc038f39d0293d0478927e4185c327768a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 10 May 2012 20:53:43 +0200
Subject: src: add NFCTH_STATUS and other enhancements

This patch includes the modification of the snprintf interface and
the completition of the expectation policy handling.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 .../libnetfilter_cthelper/libnetfilter_cthelper.h  |  31 +-
 include/linux/netfilter/nfnetlink_cthelper.h       |   4 +
 src/libnetfilter_cthelper.c                        | 336 ++++++++++++++++-----
 src/libnetfilter_cthelper.map                      |   6 +
 4 files changed, 297 insertions(+), 80 deletions(-)

diff --git a/include/libnetfilter_cthelper/libnetfilter_cthelper.h b/include/libnetfilter_cthelper/libnetfilter_cthelper.h
index d0fcfa7..1b34e44 100644
--- a/include/libnetfilter_cthelper/libnetfilter_cthelper.h
+++ b/include/libnetfilter_cthelper/libnetfilter_cthelper.h
@@ -4,21 +4,40 @@
 #include <sys/types.h>
 #include <linux/netfilter/nfnetlink_cthelper.h>
 
-struct nfct_helper;
+struct nfct_helper_policy;
+
+enum nfct_helper_policy_attr_type {
+	NFCTH_ATTR_POLICY_NAME = 0,
+	NFCTH_ATTR_POLICY_TIMEOUT,
+	NFCTH_ATTR_POLICY_MAX,
+};
+
+struct nfct_helper_policy *nfct_helper_policy_alloc(void);
+void nfct_helper_policy_free(struct nfct_helper_policy *p);
+
+void nfct_helper_policy_attr_set(struct nfct_helper_policy *p, enum nfct_helper_policy_attr_type type, const void *data);
+void nfct_helper_policy_attr_set_str(struct nfct_helper_policy *p, enum nfct_helper_policy_attr_type type, const char *name);
+void nfct_helper_policy_attr_set_u32(struct nfct_helper_policy *p, enum nfct_helper_policy_attr_type type, uint32_t value);
+void nfct_helper_policy_attr_unset(struct nfct_helper_policy *p, enum nfct_helper_policy_attr_type type);
 
 enum nfct_helper_attr_type {
 	NFCTH_ATTR_NAME = 0,
 	NFCTH_ATTR_QUEUE_NUM,
 	NFCTH_ATTR_PROTO_L3NUM,
 	NFCTH_ATTR_PROTO_L4NUM,
-	NFCTH_ATTR_EXP_POLICY_NAME,
-	NFCTH_ATTR_EXP_POLICY_TIMEOUT,
-	NFCTH_ATTR_EXP_POLICY_MAX,
 	NFCTH_ATTR_PRIV_DATA_LEN,
+	NFCTH_ATTR_POLICY,
+	NFCTH_ATTR_POLICY1 = NFCTH_ATTR_POLICY,
+	NFCTH_ATTR_POLICY2,
+	NFCTH_ATTR_POLICY3,
+	NFCTH_ATTR_POLICY4,
+	NFCTH_ATTR_STATUS,
 };
 
+struct nfct_helper;
+
 struct nfct_helper *nfct_helper_alloc(void);
-void nfct_helper_free(struct nfct_helper *nfct_helper);
+void nfct_helper_free(struct nfct_helper *h);
 
 void nfct_helper_attr_set(struct nfct_helper *nfct_helper, enum nfct_helper_attr_type type, const void *data);
 void nfct_helper_attr_set_str(struct nfct_helper *nfct_helper, enum nfct_helper_attr_type type, const char *name);
@@ -39,6 +58,6 @@ struct nlmsghdr *nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd, uint16_t fl
 void nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *nfct_helper);
 int nfct_helper_nlmsg_parse_payload(const struct nlmsghdr *nlh, struct nfct_helper *nfct_helper);
 
-int nfct_helper_snprintf(char *buf, size_t size, struct nfct_helper *nfct_helper, unsigned int flags);
+int nfct_helper_snprintf(char *buf, size_t size, struct nfct_helper *nfct_helper, unsigned int type, unsigned int flags);
 
 #endif
diff --git a/include/linux/netfilter/nfnetlink_cthelper.h b/include/linux/netfilter/nfnetlink_cthelper.h
index 4676922..33659f6 100644
--- a/include/linux/netfilter/nfnetlink_cthelper.h
+++ b/include/linux/netfilter/nfnetlink_cthelper.h
@@ -1,6 +1,9 @@
 #ifndef _NFNL_CTHELPER_H_
 #define _NFNL_CTHELPER_H_
 
+#define NFCT_HELPER_STATUS_DISABLED	0
+#define NFCT_HELPER_STATUS_ENABLED	1
+
 enum nfnl_acct_msg_types {
 	NFNL_MSG_CTHELPER_NEW,
 	NFNL_MSG_CTHELPER_GET,
@@ -15,6 +18,7 @@ enum nfnl_cthelper_type {
 	NFCTH_QUEUE_NUM,
 	NFCTH_POLICY,
 	NFCTH_PRIV_DATA_LEN,
+	NFCTH_STATUS,
 	__NFCTH_MAX
 };
 #define NFCTH_MAX (__NFCTH_MAX - 1)
diff --git a/src/libnetfilter_cthelper.c b/src/libnetfilter_cthelper.c
index 51f6cea..5f01fe4 100644
--- a/src/libnetfilter_cthelper.c
+++ b/src/libnetfilter_cthelper.c
@@ -1,11 +1,12 @@
 /*
  * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
- * (C) 2012 by Vyatta Inc. <http://www.vyatta.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the Lesser GNU General Public License as published
  * by the Free Software Foundation; either version 2.1 of the License, or
  * (at your option) any later version.
+ *
+ * This code has been sponsored by Vyatta Inc. <http://www.vyatta.com>
  */
 #include "internal.h"
 
@@ -64,21 +65,25 @@
 #define NF_CT_HELPER_CLASS_MAX 4
 #endif
 
+struct nfct_helper_policy {
+	char		name[NF_CT_HELPER_NAME_MAX];
+	uint32_t	expect_timeout;
+	uint32_t	expect_max;
+	uint32_t	bitset;
+};
+
 struct nfct_helper {
 	char		name[NF_CT_HELPER_NAME_MAX];
 	uint32_t	priv_data_len;
 	uint32_t	queue_num;
-	uint32_t	policy_num;
+	uint32_t	status;
 	struct {
 			uint16_t	l3num;
 			uint8_t		l4num;
 			uint16_t	port;
 	} tuple;
-	struct {
-			char		name[NF_CT_HELPER_NAME_MAX];
-			uint32_t	expect_timeout;
-			uint32_t	expect_max;
-	} expect_policy[NF_CT_HELPER_CLASS_MAX];
+	struct nfct_helper_policy *expect_policy[NF_CT_HELPER_CLASS_MAX];
+	uint32_t	policy_num;
 
 	uint32_t	bitset;
 };
@@ -104,12 +109,93 @@ EXPORT_SYMBOL(nfct_helper_alloc);
  * nfct_helper_free - release one helper object
  * \param nfct_helper pointer to the helper object
  */
-void nfct_helper_free(struct nfct_helper *nfct_helper)
+void nfct_helper_free(struct nfct_helper *h)
 {
-	free(nfct_helper);
+	int i;
+
+	free(h);
+	for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
+		if (h->expect_policy[i])
+			free(h->expect_policy[i]);
+	}
 }
 EXPORT_SYMBOL(nfct_helper_free);
 
+/**
+ * nfct_helper_policy_alloc - allocate a new helper policy object
+ *
+ * In case of success, this function returns a valid pointer, otherwise NULL
+ * s returned and errno is appropriately set.
+ */
+struct nfct_helper_policy *nfct_helper_policy_alloc(void)
+{
+	return calloc(1, sizeof(struct nfct_helper_policy));
+}
+EXPORT_SYMBOL(nfct_helper_policy_alloc);
+
+/**
+ * nfct_helper_free - release one helper policy object
+ * \param nfct_helper pointer to the helper object
+ */
+void nfct_helper_policy_free(struct nfct_helper_policy *p)
+{
+	free(p);
+}
+EXPORT_SYMBOL(nfct_helper_policy_free);
+
+/**
+ * nfct_helper_policy_attr_set - set one attribute of the helper object
+ * \param nfct_helper pointer to the helper object
+ * \param type attribute type you want to set
+ * \param data pointer to data that will be used to set this attribute
+ */
+void
+nfct_helper_policy_attr_set(struct nfct_helper_policy *p,
+			    enum nfct_helper_policy_attr_type type,
+			    const void *data)
+{
+	switch(type) {
+	case NFCTH_ATTR_POLICY_NAME:
+		strncpy(p->name, data, NF_CT_HELPER_NAME_MAX);
+		p->name[NF_CT_HELPER_NAME_MAX-1] = '\0';
+		p->bitset |= (1 << NFCTH_ATTR_POLICY_NAME);
+		break;
+	case NFCTH_ATTR_POLICY_TIMEOUT:
+		p->expect_timeout = *((uint32_t *) data);
+		p->bitset |= (1 << NFCTH_ATTR_POLICY_TIMEOUT);
+		break;
+	case NFCTH_ATTR_POLICY_MAX:
+		p->expect_max = *((uint32_t *) data);
+		p->bitset |= (1 << NFCTH_ATTR_POLICY_MAX);
+		break;
+	}
+}
+EXPORT_SYMBOL(nfct_helper_policy_attr_set);
+
+/**
+ * nfct_helper_attr_set_str - set one attribute the helper object
+ * \param nfct_helper pointer to the helper object
+ * \param type attribute type you want to set
+ * \param name string that will be used to set this attribute
+ */
+void
+nfct_helper_policy_attr_set_str(struct nfct_helper_policy *p,
+				enum nfct_helper_policy_attr_type type,
+				const char *name)
+{
+	nfct_helper_policy_attr_set(p, type, name);
+}
+EXPORT_SYMBOL(nfct_helper_policy_attr_set_str);
+
+void
+nfct_helper_policy_attr_set_u32(struct nfct_helper_policy *p,
+				enum nfct_helper_policy_attr_type type,
+				uint32_t value)
+{
+	nfct_helper_policy_attr_set(p, type, &value);
+}
+EXPORT_SYMBOL(nfct_helper_policy_attr_set_u32);
+
 /**
  * nfct_helper_attr_set - set one attribute of the helper object
  * \param nfct_helper pointer to the helper object
@@ -117,45 +203,50 @@ EXPORT_SYMBOL(nfct_helper_free);
  * \param data pointer to data that will be used to set this attribute
  */
 void
-nfct_helper_attr_set(struct nfct_helper *nfct_helper,
+nfct_helper_attr_set(struct nfct_helper *h,
 		     enum nfct_helper_attr_type type, const void *data)
 {
 	switch(type) {
 	case NFCTH_ATTR_NAME:
-		strncpy(nfct_helper->name, data, NF_CT_HELPER_NAME_MAX);
-		nfct_helper->name[NF_CT_HELPER_NAME_MAX-1] = '\0';
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_NAME);
+		strncpy(h->name, data, NF_CT_HELPER_NAME_MAX);
+		h->name[NF_CT_HELPER_NAME_MAX-1] = '\0';
+		h->bitset |= (1 << NFCTH_ATTR_NAME);
+		break;
+	case NFCTH_ATTR_QUEUE_NUM:
+		h->queue_num = *((uint32_t *) data);
+		h->bitset |= (1 << NFCTH_ATTR_QUEUE_NUM);
 		break;
 	case NFCTH_ATTR_PROTO_L3NUM:
-		nfct_helper->tuple.l3num = *((uint16_t *) data);
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_PROTO_L3NUM);
+		h->tuple.l3num = *((uint16_t *) data);
+		h->bitset |= (1 << NFCTH_ATTR_PROTO_L3NUM);
 		break;
 	case NFCTH_ATTR_PROTO_L4NUM:
-		nfct_helper->tuple.l4num = *((uint8_t *) data);
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_PROTO_L4NUM);
+		h->tuple.l4num = *((uint8_t *) data);
+		h->bitset |= (1 << NFCTH_ATTR_PROTO_L4NUM);
 		break;
-	case NFCTH_ATTR_QUEUE_NUM:
-		nfct_helper->queue_num = *((uint32_t *) data);
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_QUEUE_NUM);
+	case NFCTH_ATTR_PRIV_DATA_LEN:
+		h->priv_data_len = *((uint32_t *) data);
+		h->bitset |= (1 << NFCTH_ATTR_PRIV_DATA_LEN);
 		break;
-	case NFCTH_ATTR_EXP_POLICY_NAME:
-		strncpy(nfct_helper->expect_policy[0].name,
-			data, NF_CT_HELPER_NAME_MAX);
-		nfct_helper->expect_policy[0].name[NF_CT_HELPER_NAME_MAX-1] = '\0';
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_EXP_POLICY_NAME);
+	case NFCTH_ATTR_POLICY1:
+		h->expect_policy[0] = (struct nfct_helper_policy *)data;
+		h->bitset |= (1 << NFCTH_ATTR_POLICY1);
 		break;
-	case NFCTH_ATTR_EXP_POLICY_TIMEOUT:
-		nfct_helper->expect_policy[0].expect_timeout =
-						*((uint32_t *) data);
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_EXP_POLICY_TIMEOUT);
+	case NFCTH_ATTR_POLICY2:
+		h->expect_policy[1] = (struct nfct_helper_policy *)data;
+		h->bitset |= (1 << NFCTH_ATTR_POLICY2);
 		break;
-	case NFCTH_ATTR_EXP_POLICY_MAX:
-		nfct_helper->expect_policy[0].expect_max = *((uint32_t *) data);
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_EXP_POLICY_MAX);
+	case NFCTH_ATTR_POLICY3:
+		h->expect_policy[2] = (struct nfct_helper_policy *)data;
+		h->bitset |= (1 << NFCTH_ATTR_POLICY3);
 		break;
-	case NFCTH_ATTR_PRIV_DATA_LEN:
-		nfct_helper->priv_data_len = *((uint32_t *) data);
-		nfct_helper->bitset |= (1 << NFCTH_ATTR_PRIV_DATA_LEN);
+	case NFCTH_ATTR_POLICY4:
+		h->expect_policy[3] = (struct nfct_helper_policy *)data;
+		h->bitset |= (1 << NFCTH_ATTR_POLICY4);
+		break;
+	case NFCTH_ATTR_STATUS:
+		h->status = *((uint32_t *) data);
+		h->bitset |= (1 << NFCTH_ATTR_STATUS);
 		break;
 	}
 }
@@ -244,10 +335,26 @@ const void *nfct_helper_attr_get(struct nfct_helper *helper,
 	case NFCTH_ATTR_PROTO_L4NUM:
 		ret = &helper->tuple.l4num;
 		break;
-	default:
-		printf("boom\n");
-		exit(EXIT_FAILURE);
+	case NFCTH_ATTR_PRIV_DATA_LEN:
+		ret = &helper->priv_data_len;
+		break;
+	case NFCTH_ATTR_POLICY1:
+		ret = helper->expect_policy[0];
 		break;
+	case NFCTH_ATTR_POLICY2:
+		ret = helper->expect_policy[1];
+		break;
+	case NFCTH_ATTR_POLICY3:
+		ret = helper->expect_policy[2];
+		break;
+	case NFCTH_ATTR_POLICY4:
+		ret = helper->expect_policy[3];
+		break;
+	case NFCTH_ATTR_STATUS:
+		ret = &helper->status;
+		break;
+	default:
+		ret = NULL;
 	}
 	return ret;
 }
@@ -325,16 +432,25 @@ EXPORT_SYMBOL(nfct_helper_attr_get_u32);
  * missing. On sucess, it returns 0.
  */
 int nfct_helper_snprintf(char *buf, size_t size,
-			 struct nfct_helper *helper, unsigned int flags)
+			 struct nfct_helper *helper,
+			 unsigned int type, unsigned int flags)
 {
 	int ret;
 
-	ret = snprintf(buf, size, "{ name = %s, queuenum = %u,"
-				  " l3protonum = %u, l4protonum = %u };",
+	ret = snprintf(buf, size, "{\n"
+				  "\t.name = %s,\n"
+				  "\t.queuenum = %u,\n"
+				  "\t.l3protonum = %u,\n"
+				  "\t.l4protonum = %u,\n"
+				  "\t.priv_data_len = %u,\n"
+				  "\t.status = %s,\n};",
 		nfct_helper_attr_get_str(helper, NFCTH_ATTR_NAME),
 		nfct_helper_attr_get_u32(helper, NFCTH_ATTR_QUEUE_NUM),
 		nfct_helper_attr_get_u16(helper, NFCTH_ATTR_PROTO_L3NUM),
-		nfct_helper_attr_get_u8(helper, NFCTH_ATTR_PROTO_L4NUM));
+		nfct_helper_attr_get_u8(helper, NFCTH_ATTR_PROTO_L4NUM),
+		nfct_helper_attr_get_u32(helper, NFCTH_ATTR_PRIV_DATA_LEN),
+		nfct_helper_attr_get_u32(helper, NFCTH_ATTR_STATUS) ?
+			"enabled" : "disabled");
 
 	return ret;
 }
@@ -395,38 +511,87 @@ nfct_helper_nlmsg_build_hdr(char *buf, uint8_t cmd,
 }
 EXPORT_SYMBOL(nfct_helper_nlmsg_build_hdr);
 
+static void
+nfct_helper_nlmsg_build_policy(struct nlmsghdr *nlh,
+				struct nfct_helper_policy *p)
+{
+	struct nlattr *nest;
+
+	nest = mnl_attr_nest_start(nlh, NFCTH_POLICY_SET);
+	mnl_attr_put_strz(nlh, NFCTH_POLICY_NAME, p->name);
+	mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_MAX, htonl(p->expect_max));
+	mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_TIMEOUT,
+			htonl(p->expect_timeout));
+	mnl_attr_nest_end(nlh, nest);
+}
+
 /**
  * nfct_helper_nlmsg_build_payload - build payload from helper object
  * \param nlh: netlink message that you want to use to add the payload.
  * \param nfct_helper: pointer to a helper object
  */
-void nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh,
-				     struct nfct_helper *nfct_helper)
+void
+nfct_helper_nlmsg_build_payload(struct nlmsghdr *nlh, struct nfct_helper *h)
 {
-	struct nlattr *nest, *nest2;
+	struct nlattr *nest;
 
-	mnl_attr_put_strz(nlh, NFCTH_NAME, nfct_helper->name);
-	mnl_attr_put_u32(nlh, NFCTH_QUEUE_NUM, htonl(nfct_helper->queue_num));
-	mnl_attr_put_u32(nlh, NFCTH_PRIV_DATA_LEN,
-				htonl(nfct_helper->priv_data_len));
 
-	nest = mnl_attr_nest_start(nlh, NFCTH_TUPLE);
-	mnl_attr_put_u16(nlh, NFCTH_TUPLE_L3PROTONUM, nfct_helper->tuple.l3num);
-	mnl_attr_put_u8(nlh, NFCTH_TUPLE_L4PROTONUM, nfct_helper->tuple.l4num);
-	mnl_attr_nest_end(nlh, nest);
+	if (h->bitset & (1 << NFCTH_ATTR_NAME))
+		mnl_attr_put_strz(nlh, NFCTH_NAME, h->name);
 
-	nest = mnl_attr_nest_start(nlh, NFCTH_POLICY);
-	mnl_attr_put_u32(nlh, NFCTH_POLICY_SET_NUM, htonl(1));
+	if (h->bitset & (1 << NFCTH_ATTR_QUEUE_NUM))
+		mnl_attr_put_u32(nlh, NFCTH_QUEUE_NUM, htonl(h->queue_num));
 
-	nest2 = mnl_attr_nest_start(nlh, NFCTH_POLICY_SET);
-	mnl_attr_put_strz(nlh, NFCTH_POLICY_NAME,
-			  nfct_helper->expect_policy[0].name);
-	mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_MAX,
-			  htonl(nfct_helper->expect_policy[0].expect_max));
-	mnl_attr_put_u32(nlh, NFCTH_POLICY_EXPECT_TIMEOUT,
-			  htonl(nfct_helper->expect_policy[0].expect_timeout));
-	mnl_attr_nest_end(nlh, nest2);
-	mnl_attr_nest_end(nlh, nest);
+	if (h->bitset & (1 << NFCTH_ATTR_PRIV_DATA_LEN)) {
+		mnl_attr_put_u32(nlh, NFCTH_PRIV_DATA_LEN,
+					htonl(h->priv_data_len));
+	}
+
+	if (h->bitset & (1 << NFCTH_ATTR_PROTO_L3NUM) ||
+	    h->bitset & (1 << NFCTH_ATTR_PROTO_L4NUM)) {
+		nest = mnl_attr_nest_start(nlh, NFCTH_TUPLE);
+		mnl_attr_put_u16(nlh, NFCTH_TUPLE_L3PROTONUM,
+					htons(h->tuple.l3num));
+		mnl_attr_put_u8(nlh, NFCTH_TUPLE_L4PROTONUM, h->tuple.l4num);
+		mnl_attr_nest_end(nlh, nest);
+	}
+
+	if (h->bitset & (1 << NFCTH_ATTR_POLICY1) ||
+	    h->bitset & (1 << NFCTH_ATTR_POLICY2) ||
+	    h->bitset & (1 << NFCTH_ATTR_POLICY3) ||
+	    h->bitset & (1 << NFCTH_ATTR_POLICY4)) {
+		nest = mnl_attr_nest_start(nlh, NFCTH_POLICY);
+		int policy_set_num = 0;
+
+		if (h->bitset & (1 << NFCTH_ATTR_POLICY1)) {
+			nfct_helper_nlmsg_build_policy(nlh,
+							h->expect_policy[0]);
+			policy_set_num++;
+		}
+		if (h->bitset & (1 << NFCTH_ATTR_POLICY2)) {
+			nfct_helper_nlmsg_build_policy(nlh,
+							h->expect_policy[1]);
+			policy_set_num++;
+		}
+		if (h->bitset & (1 << NFCTH_ATTR_POLICY3)) {
+			nfct_helper_nlmsg_build_policy(nlh,
+							h->expect_policy[2]);
+			policy_set_num++;
+		}
+		if (h->bitset & (1 << NFCTH_ATTR_POLICY4)) {
+			nfct_helper_nlmsg_build_policy(nlh,
+							h->expect_policy[3]);
+			policy_set_num++;
+		}
+
+		mnl_attr_put_u32(nlh, NFCTH_POLICY_SET_NUM,
+					htonl(policy_set_num));
+
+		mnl_attr_nest_end(nlh, nest);
+	}
+
+	if (h->bitset & (1 << NFCTH_ATTR_STATUS))
+		mnl_attr_put_u32(nlh, NFCTH_STATUS, ntohl(h->status));
 }
 EXPORT_SYMBOL(nfct_helper_nlmsg_build_payload);
 
@@ -540,20 +705,27 @@ nfct_helper_nlmsg_parse_policy(const struct nlattr *attr,
 			       struct nfct_helper *helper)
 {
 	struct nlattr *tb[NFCTH_POLICY_MAX+1] = {};
+	struct nfct_helper_policy *p;
+
+	p = nfct_helper_policy_alloc();
+	if (p == NULL)
+		return;
 
 	mnl_attr_parse_nested(attr, nfct_helper_nlmsg_parse_policy_cb, tb);
 	if (tb[NFCTH_POLICY_NAME]) {
-		nfct_helper_attr_set_str(helper, NFCTH_ATTR_EXP_POLICY_NAME,
+		nfct_helper_policy_attr_set_str(p, NFCTH_ATTR_POLICY_NAME,
 			mnl_attr_get_str(tb[NFCTH_POLICY_NAME]));
 	}
 	if (tb[NFCTH_POLICY_EXPECT_MAX]) {
-		nfct_helper_attr_set_u32(helper, NFCTH_ATTR_EXP_POLICY_MAX,
+		nfct_helper_policy_attr_set_u32(p, NFCTH_ATTR_POLICY_MAX,
 			ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_EXPECT_MAX])));
 	}
 	if (tb[NFCTH_POLICY_EXPECT_TIMEOUT]) {
-		nfct_helper_attr_set_u32(helper, NFCTH_ATTR_EXP_POLICY_TIMEOUT,
+		nfct_helper_policy_attr_set_u32(p, NFCTH_ATTR_POLICY_TIMEOUT,
 			ntohl(mnl_attr_get_u32(tb[NFCTH_POLICY_EXPECT_TIMEOUT])));
 	}
+
+	helper->expect_policy[helper->policy_num++] = p;
 }
 
 static void
@@ -576,7 +748,8 @@ nfct_helper_nlmsg_parse_policy_set(const struct nlattr *attr,
 	}
 }
 
-static int nfct_helper_nlmsg_parse_attr_cb(const struct nlattr *attr, void *data)
+static int
+nfct_helper_nlmsg_parse_attr_cb(const struct nlattr *attr, void *data)
 {
 	const struct nlattr **tb = data;
 	int type = mnl_attr_get_type(attr);
@@ -624,24 +797,39 @@ static int nfct_helper_nlmsg_parse_attr_cb(const struct nlattr *attr, void *data
  */
 int
 nfct_helper_nlmsg_parse_payload(const struct nlmsghdr *nlh,
-				struct nfct_helper *helper)
+				struct nfct_helper *h)
 {
 	struct nlattr *tb[NFCTH_MAX+1] = {};
 	struct nfgenmsg *nfg = mnl_nlmsg_get_payload(nlh);
 
 	mnl_attr_parse(nlh, sizeof(*nfg), nfct_helper_nlmsg_parse_attr_cb, tb);
 	if (!tb[NFCTH_NAME] || !tb[NFCTH_QUEUE_NUM] ||
-	    !tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY])
+	    !tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_STATUS])
 		return -1;
 
-	nfct_helper_attr_set_str(helper, NFCTH_ATTR_NAME,
+	if (tb[NFCTH_NAME]) {
+		nfct_helper_attr_set_str(h, NFCTH_ATTR_NAME,
 				 mnl_attr_get_str(tb[NFCTH_NAME]));
-	nfct_helper_attr_set_u32(helper, NFCTH_ATTR_QUEUE_NUM,
+	}
+	if (tb[NFCTH_ATTR_QUEUE_NUM]) {
+		nfct_helper_attr_set_u32(h, NFCTH_ATTR_QUEUE_NUM,
 				 ntohl(mnl_attr_get_u32(tb[NFCTH_QUEUE_NUM])));
+	}
+	if (tb[NFCTH_TUPLE])
+		nfct_helper_nlmsg_parse_tuple(tb[NFCTH_TUPLE], h);
 
-	nfct_helper_nlmsg_parse_tuple(tb[NFCTH_TUPLE], helper);
-	nfct_helper_nlmsg_parse_policy_set(tb[NFCTH_POLICY], helper);
+	if (tb[NFCTH_POLICY])
+		nfct_helper_nlmsg_parse_policy_set(tb[NFCTH_POLICY], h);
 
+	if (tb[NFCTH_PRIV_DATA_LEN]) {
+		nfct_helper_attr_set_u32(h, NFCTH_ATTR_PRIV_DATA_LEN,
+			ntohl(mnl_attr_get_u32(tb[NFCTH_PRIV_DATA_LEN])));
+	}
+
+	if (tb[NFCTH_STATUS]) {
+		nfct_helper_attr_set_u32(h, NFCTH_ATTR_STATUS,
+				 ntohl(mnl_attr_get_u32(tb[NFCTH_STATUS])));
+	}
 	return 0;
 }
 EXPORT_SYMBOL(nfct_helper_nlmsg_parse_payload);
diff --git a/src/libnetfilter_cthelper.map b/src/libnetfilter_cthelper.map
index 199576b..34578de 100644
--- a/src/libnetfilter_cthelper.map
+++ b/src/libnetfilter_cthelper.map
@@ -18,6 +18,12 @@ global:
   nfct_helper_nlmsg_parse_payload;
   nfct_helper_snprintf;
 
+  nfct_helper_policy_alloc;
+  nfct_helper_policy_free;
+  nfct_helper_policy_attr_set;
+  nfct_helper_policy_attr_set_str;
+  nfct_helper_policy_attr_set_u32;
+
 local: *;
 };
 
-- 
cgit v1.2.1