Hi,

Attached is a patch, still incomplete, that introduces the new API for libnetfilter_conntrack. Basically the idea consists of providing constructor/destructor functions for "conntrack" objects and an interface to get and set object attributes. The conntrack object structure is encapsulated, therefore we can add new attributes without breaking binary backward compatibility. There is an example of the new API's use in the patch (see the test.c file).

Note that conntrack object attributes are different from the netlink attributes, therefore they provide a high level interface that abstracts away the netlink details. The idea is to let the programmer choose whether to work at the high level (objects) or the low level (netlink), and to provide the gateways to switch from high to low level and vice versa by means of functions that build/parse netlink messages from/to conntrack objects.

The reason I posted this patch is that I'm thinking about generalizing this a bit more and providing a complete high level API that would be the same for all the netfilter subsystems. This would result in a single library to rule them all, with a subdirectory that contains the details of every specific subsystem:

    nfh = nf_open();                          /* encapsulates nfnl_open() */
    ssh = nf_setup_subsys(nfh, CONNTRACK);    /* encapsulates nfnl_subsys_open() */
    ...
    ct = nf_new_object(NF_CONNTRACK_OBJECT);  /* constructor for an opaque object */
    nf_set_attr_u8(ct, ATTR_XXX, value);      /* typed attribute setters */
    nf_set_attr_u16(ct, ATTR_XXX, value);
    ...
    nf_query_object(ssh, NF_CT_CREATE, ct);   /* object -> netlink gateway */
    nf_free_object(ct);                       /* destructor */
    nf_close(nfh);

I'd like to hear from you before going ahead; I always appreciate your feedback, guys. Comments welcome.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
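As an added illustration of the design sketched above (not code from the patch or from libnetfilter_conntrack), here is a minimal opaque conntrack object with typed setters and an object-to-netlink-style TLV builder. Attribute names, the struct layout and the function names are assumptions made for the example; the width check in the setter is the point: a caller can never write more bytes into the object than the attribute holds, and the object can grow new fields without changing anything the caller compiled against.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical attribute ids (assumed names, not the library's own). */
enum nf_ct_attr { ATTR_ORIG_L3PROTO, ATTR_ORIG_L4PROTO,
                  ATTR_ORIG_PORT_SRC, ATTR_ORIG_PORT_DST, ATTR_MAX };
/* Opaque to callers: they only hold a pointer, so new fields can be
 * appended later without changing any size the caller compiled in. */
struct nf_conntrack {
    uint32_t set;                 /* bitmask of attributes actually set */
    uint8_t  l3proto, l4proto;
    uint16_t port_src, port_dst;
};
/* Width and storage offset of each attribute inside the object. */
static const struct { uint8_t width; uint8_t off; } attr_tbl[ATTR_MAX] = {
    [ATTR_ORIG_L3PROTO]  = { 1, offsetof(struct nf_conntrack, l3proto)  },
    [ATTR_ORIG_L4PROTO]  = { 1, offsetof(struct nf_conntrack, l4proto)  },
    [ATTR_ORIG_PORT_SRC] = { 2, offsetof(struct nf_conntrack, port_src) },
    [ATTR_ORIG_PORT_DST] = { 2, offsetof(struct nf_conntrack, port_dst) },
};
struct nf_conntrack *nf_ct_new(void) { return calloc(1, sizeof(struct nf_conntrack)); }
void nf_ct_free(struct nf_conntrack *ct) { free(ct); }
/* Generic setter: rejects unknown ids and width mismatches (returns -1)
 * instead of silently copying the wrong number of bytes. */
static int nf_ct_set(struct nf_conntrack *ct, int a, const void *v, size_t w) {
    if (a < 0 || a >= ATTR_MAX || attr_tbl[a].width != w) return -1;
    memcpy((char *)ct + attr_tbl[a].off, v, w);
    ct->set |= 1u << a;
    return 0;
}
int nf_ct_set_attr_u8(struct nf_conntrack *ct, int a, uint8_t v)   { return nf_ct_set(ct, a, &v, 1); }
int nf_ct_set_attr_u16(struct nf_conntrack *ct, int a, uint16_t v) { return nf_ct_set(ct, a, &v, 2); }
/* Gateway to the low level: emit only the attributes that were set, as
 * netlink-style TLVs (u16 len, u16 type, payload, padded to 4 bytes).
 * Returns bytes written, or -1 if buf is too small (never overruns it). */
int nf_ct_build(const struct nf_conntrack *ct, unsigned char *buf, size_t len) {
    size_t pos = 0;
    for (int a = 0; a < ATTR_MAX; a++) {
        if (!(ct->set & (1u << a))) continue;
        size_t w = attr_tbl[a].width, total = (4 + w + 3) & ~(size_t)3;
        if (pos + total > len) return -1;
        uint16_t hdr[2] = { (uint16_t)(4 + w), (uint16_t)a };
        memset(buf + pos, 0, total);
        memcpy(buf + pos, hdr, 4);
        memcpy(buf + pos + 4, (const char *)ct + attr_tbl[a].off, w);
        pos += total;
    }
    return (int)pos;
}
```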