Commit 9bf04646 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: revert user-space expectation helper support

This patch partially reverts:
3d058d7b netfilter: rework user-space expectation helper support
that was applied during the 3.2 development cycle.

After this patch, the tree remains just like before patch bc01bef,
that initially added the preliminary infrastructure.

I decided to partially revert this patch because the approach
that I proposed to resolve this problem is broken in NAT setups.
Moreover, a new infrastructure will be submitted for the 3.3.x
development cycle that resolve the existing issues while
providing a neat solution.

Since nobody has been seriously using this infrastructure in
user-space, the removal of this feature should affect any know
FOSS project (to my knowledge).
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 412662d2
...@@ -83,10 +83,6 @@ enum ip_conntrack_status { ...@@ -83,10 +83,6 @@ enum ip_conntrack_status {
/* Conntrack is a fake untracked entry */ /* Conntrack is a fake untracked entry */
IPS_UNTRACKED_BIT = 12, IPS_UNTRACKED_BIT = 12,
IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT), IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
/* Conntrack has a userspace helper. */
IPS_USERSPACE_HELPER_BIT = 13,
IPS_USERSPACE_HELPER = (1 << IPS_USERSPACE_HELPER_BIT),
}; };
/* Connection tracking event types */ /* Connection tracking event types */
......
...@@ -3,8 +3,7 @@ ...@@ -3,8 +3,7 @@
#include <linux/types.h> #include <linux/types.h>
#define XT_CT_NOTRACK 0x1 #define XT_CT_NOTRACK 0x1
#define XT_CT_USERSPACE_HELPER 0x2
struct xt_ct_target_info { struct xt_ct_target_info {
__u16 flags; __u16 flags;
......
...@@ -121,18 +121,6 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, ...@@ -121,18 +121,6 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
int ret = 0; int ret = 0;
if (tmpl != NULL) { if (tmpl != NULL) {
/* we've got a userspace helper. */
if (tmpl->status & IPS_USERSPACE_HELPER) {
help = nf_ct_helper_ext_add(ct, flags);
if (help == NULL) {
ret = -ENOMEM;
goto out;
}
rcu_assign_pointer(help->helper, NULL);
__set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
ret = 0;
goto out;
}
help = nfct_help(tmpl); help = nfct_help(tmpl);
if (help != NULL) if (help != NULL)
helper = help->helper; helper = help->helper;
......
...@@ -2042,10 +2042,6 @@ ctnetlink_create_expect(struct net *net, u16 zone, ...@@ -2042,10 +2042,6 @@ ctnetlink_create_expect(struct net *net, u16 zone,
} }
help = nfct_help(ct); help = nfct_help(ct);
if (!help) { if (!help) {
err = -EOPNOTSUPP;
goto out;
}
if (test_bit(IPS_USERSPACE_HELPER_BIT, &ct->status)) {
if (!cda[CTA_EXPECT_TIMEOUT]) { if (!cda[CTA_EXPECT_TIMEOUT]) {
err = -EINVAL; err = -EINVAL;
goto out; goto out;
......
...@@ -62,8 +62,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par) ...@@ -62,8 +62,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
int ret = 0; int ret = 0;
u8 proto; u8 proto;
if (info->flags & ~(XT_CT_NOTRACK | XT_CT_USERSPACE_HELPER)) if (info->flags & ~XT_CT_NOTRACK)
return -EOPNOTSUPP; return -EINVAL;
if (info->flags & XT_CT_NOTRACK) { if (info->flags & XT_CT_NOTRACK) {
ct = nf_ct_untracked_get(); ct = nf_ct_untracked_get();
...@@ -92,9 +92,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par) ...@@ -92,9 +92,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
GFP_KERNEL)) GFP_KERNEL))
goto err3; goto err3;
if (info->flags & XT_CT_USERSPACE_HELPER) { if (info->helper[0]) {
__set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
} else if (info->helper[0]) {
ret = -ENOENT; ret = -ENOENT;
proto = xt_ct_find_proto(par); proto = xt_ct_find_proto(par);
if (!proto) { if (!proto) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment