
Commit 8dbad1a8 authored by David S. Miller's avatar David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for your net tree,
they are:

1) Fix compilation warning in xt_hashlimit on m68k 32-bits, from
   Geert Uytterhoeven.

2) Fix wrong timeout in set elements added from packet path via
   nft_dynset, from Anders K. Pedersen.

3) Remove obsolete nf_conntrack_events_retry_timeout sysctl
   documentation, from Nicolas Dichtel.

4) Ensure proper initialization of log flags via xt_LOG, from
   Liping Zhang.

5) Missing alias to autoload ipcomp, also from Liping Zhang.

6) Missing NFTA_HASH_OFFSET attribute validation, again from Liping.

7) Wrong integer type in the new nft_parse_u32_check() function,
   from Dan Carpenter.

8) Another wrong integer type declaration in nft_exthdr_init, also
   from Dan Carpenter.

9) Fix insufficient mode validation in nft_range.

10) Fix compilation warning in nft_range due to possible uninitialized
    value, from Arnd Bergmann.

11) Zero nf_hook_ops allocated via xt_hook_alloc() in x_tables to
    calm down kmemcheck, from Florian Westphal.

12) Schedule gc_worker() to run again if GC_MAX_EVICTS quota is reached,
    from Nicolas Dichtel.

13) Fix nf_queue() after conversion to single-linked hook list, related
    to incorrect bypass flag handling and incorrect hook point of
    reinjection.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 97dcaa0f 7034b566
+0 −18
@@ -33,24 +33,6 @@ nf_conntrack_events - BOOLEAN
	If this option is enabled, the connection tracking code will
	provide userspace with connection tracking events via ctnetlink.

nf_conntrack_events_retry_timeout - INTEGER (seconds)
	default 15

	This option is only relevant when "reliable connection tracking
	events" are used.  Normally, ctnetlink is "lossy", that is,
	events are normally dropped when userspace listeners can't keep up.

	Userspace can request "reliable event mode".  When this mode is
	active, the conntrack will only be destroyed after the event was
	delivered.  If event delivery fails, the kernel periodically
	re-tries to send the event to userspace.

	This is the maximum interval the kernel should use when re-trying
	to deliver the destroy event.

	A higher number means there will be fewer delivery retries and it
	will take longer for a backlog to be processed.

nf_conntrack_expect_max - INTEGER
	Maximum size of expectation table.  Default value is
	nf_conntrack_buckets / 256. Minimum is 1.
+3 −10
@@ -361,16 +361,9 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
		if (ret == 0)
			ret = -EPERM;
	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
		int err;

		RCU_INIT_POINTER(state->hook_entries, entry);
		err = nf_queue(skb, state, verdict >> NF_VERDICT_QBITS);
		if (err < 0) {
			if (err == -ESRCH &&
			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
		ret = nf_queue(skb, state, &entry, verdict);
		if (ret == 1 && entry)
			goto next_hook;
			kfree_skb(skb);
		}
	}
	return ret;
}
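Review bot: The bypass-past-last-hook path at `if (ret == 1 && entry)` is handled only by falling through with ret still 1, which appears correct because nf_queue()'s "continue with next hook" value coincides with the accept return of nf_hook_slow(), but nothing at the call site says so. nf_queue() also returns 0 both when the skb was queued and when it freed the skb itself, so the caller must treat 0 as "skb no longer ours"; a comment above the call makes both facts explicit: `/* nf_queue(): 1 = bypass to next hook (entry NULL: end of chain, accept); 0 = skb queued or freed, do not touch */`. The same contract belongs on the prototype in the nf_internals.h hunk, which currently documents neither the return values nor that *entryp is advanced on bypass. nf_hook_slow()'s beginning and the next_hook label are outside this hunk, so the meaning of returning 1 here is inferred from the surrounding verdict handling.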
+1 −1
@@ -983,7 +983,7 @@ static void gc_worker(struct work_struct *work)
		return;

	ratio = scanned ? expired_count * 100 / scanned : 0;
	if (ratio >= 90)
	if (ratio >= 90 || expired_count == GC_MAX_EVICTS)
		next_run = 0;

	gc_work->last_bucket = i;
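Review bot: The new `expired_count == GC_MAX_EVICTS` test only fires if the scan loop stops exactly at the quota; if that loop can evict several entries from one bucket before re-checking the limit (the loop is outside this hunk), expired_count can exceed GC_MAX_EVICTS and the immediate rescan is skipped. `if (ratio >= 90 || expired_count >= GC_MAX_EVICTS)` covers both cases without changing behaviour when the count lands exactly on the quota. A one-line comment on the intent would also help a later reader, e.g. `/* quota hit: more expired entries likely remain, rescan immediately */`.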
+1 −1
@@ -18,7 +18,7 @@ unsigned int nf_iterate(struct sk_buff *skb, struct nf_hook_state *state,

/* nf_queue.c */
int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
	     unsigned int queuenum);
	     struct nf_hook_entry **entryp, unsigned int verdict);
void nf_queue_nf_hook_drop(struct net *net, const struct nf_hook_entry *entry);
int __init netfilter_queue_init(void);

+32 −16
@@ -107,12 +107,7 @@ void nf_queue_nf_hook_drop(struct net *net, const struct nf_hook_entry *entry)
	rcu_read_unlock();
}

/*
 * Any packet that leaves via this function must come back
 * through nf_reinject().
 */
int nf_queue(struct sk_buff *skb,
	     struct nf_hook_state *state,
static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
		      unsigned int queuenum)
{
	int status = -ENOENT;
@@ -161,6 +156,27 @@ int nf_queue(struct sk_buff *skb,
	return status;
}

/* Packets leaving via this function must come back through nf_reinject(). */
int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
	     struct nf_hook_entry **entryp, unsigned int verdict)
{
	struct nf_hook_entry *entry = *entryp;
	int ret;

	RCU_INIT_POINTER(state->hook_entries, entry);
	ret = __nf_queue(skb, state, verdict >> NF_VERDICT_QBITS);
	if (ret < 0) {
		if (ret == -ESRCH &&
		    (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) {
			*entryp = rcu_dereference(entry->next);
			return 1;
		}
		kfree_skb(skb);
	}

	return 0;
}

void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
{
	struct nf_hook_entry *hook_entry;
@@ -187,6 +203,8 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
	entry->state.thresh = INT_MIN;

	if (verdict == NF_ACCEPT) {
		hook_entry = rcu_dereference(hook_entry->next);
		if (hook_entry)
next_hook:
			verdict = nf_iterate(skb, &entry->state, &hook_entry);
	}
@@ -194,19 +212,17 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
	switch (verdict & NF_VERDICT_MASK) {
	case NF_ACCEPT:
	case NF_STOP:
okfn:
		local_bh_disable();
		entry->state.okfn(entry->state.net, entry->state.sk, skb);
		local_bh_enable();
		break;
	case NF_QUEUE:
		RCU_INIT_POINTER(entry->state.hook_entries, hook_entry);
		err = nf_queue(skb, &entry->state,
			       verdict >> NF_VERDICT_QBITS);
		if (err < 0) {
			if (err == -ESRCH &&
			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
		err = nf_queue(skb, &entry->state, &hook_entry, verdict);
		if (err == 1) {
			if (hook_entry)
				goto next_hook;
			kfree_skb(skb);
			goto okfn;
		}
		break;
	case NF_STOLEN: