
Commit 9bf04646 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: revert user-space expectation helper support



This patch partially reverts:
3d058d7b netfilter: rework user-space expectation helper support
that was applied during the 3.2 development cycle.

After this patch, the tree remains just like before patch bc01befd,
that initially added the preliminary infrastructure.

I decided to partially revert this patch because the approach
that I proposed to resolve this problem is broken in NAT setups.
Moreover, a new infrastructure will be submitted for the 3.3.x
development cycle that resolve the existing issues while
providing a neat solution.

Since nobody has been seriously using this infrastructure in
user-space, the removal of this feature should not affect any known
FOSS project (to my knowledge).

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 412662d2
+0 −4
@@ -83,10 +83,6 @@ enum ip_conntrack_status {
	/* Conntrack is a fake untracked entry */
	IPS_UNTRACKED_BIT = 12,
	IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),

	/* Conntrack has a userspace helper. */
	IPS_USERSPACE_HELPER_BIT = 13,
	IPS_USERSPACE_HELPER = (1 << IPS_USERSPACE_HELPER_BIT),
};

/* Connection tracking event types */
+1 −2
@@ -4,7 +4,6 @@
#include <linux/types.h>

#define XT_CT_NOTRACK	0x1
#define XT_CT_USERSPACE_HELPER	0x2

struct xt_ct_target_info {
	__u16 flags;
+0 −12
@@ -121,18 +121,6 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
	int ret = 0;

	if (tmpl != NULL) {
		/* we've got a userspace helper. */
		if (tmpl->status & IPS_USERSPACE_HELPER) {
			help = nf_ct_helper_ext_add(ct, flags);
			if (help == NULL) {
				ret = -ENOMEM;
				goto out;
			}
			rcu_assign_pointer(help->helper, NULL);
			__set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
			ret = 0;
			goto out;
		}
		help = nfct_help(tmpl);
		if (help != NULL)
			helper = help->helper;
+0 −4
@@ -2042,10 +2042,6 @@ ctnetlink_create_expect(struct net *net, u16 zone,
	}
	help = nfct_help(ct);
	if (!help) {
		err = -EOPNOTSUPP;
		goto out;
	}
	if (test_bit(IPS_USERSPACE_HELPER_BIT, &ct->status)) {
		if (!cda[CTA_EXPECT_TIMEOUT]) {
			err = -EINVAL;
			goto out;
+3 −5
@@ -62,8 +62,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
	int ret = 0;
	u8 proto;

	if (info->flags & ~(XT_CT_NOTRACK | XT_CT_USERSPACE_HELPER))
		return -EOPNOTSUPP;
	if (info->flags & ~XT_CT_NOTRACK)
		return -EINVAL;

	if (info->flags & XT_CT_NOTRACK) {
		ct = nf_ct_untracked_get();
@@ -92,9 +92,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
				  GFP_KERNEL))
		goto err3;

	if (info->flags & XT_CT_USERSPACE_HELPER) {
		__set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
	} else if (info->helper[0]) {
	if (info->helper[0]) {
		ret = -ENOENT;
		proto = xt_ct_find_proto(par);
		if (!proto) {
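Review bot: The restored `if (info->helper[0])` branch at the end of the second hunk treats `info->helper` as a NUL-terminated helper name coming from a userspace-supplied rule, and nothing in the visible lines checks that termination before the name is used; if the xtables target-size validation for `xt_ct_target_info` does not already guarantee it, a guard such as `if (info->helper[sizeof(info->helper) - 1] != '\0') return -EINVAL;` belongs in front of this branch. The flag check in the first hunk also deserves a why-comment, since the revert changes the error for unknown flags from -EOPNOTSUPP back to -EINVAL (presumably the pre-bc01befd value the description refers to), e.g. `/* only XT_CT_NOTRACK is accepted; any other flag is a malformed rule */`. Both hunks sit inside xt_ct_tg_check, whose body starts before and continues past the visible lines.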