1. 09 May, 2012 36 commits
  2. 08 May, 2012 4 commits
    • David S. Miller
      9bb862be
    • Pablo Neira Ayuso
      netfilter: remove ip_queue support · d16cf20e
      Pablo Neira Ayuso authored
      This patch removes ip_queue support, which was marked as obsolete
      years ago. The nfnetlink_queue module provides a more advanced
      user-space packet queueing mechanism.
      
      This patch also removes capability code included in SELinux that
      refers to ip_queue. Otherwise, we break compilation.
      
      Several warnings have been sent regarding this to the mailing list
      in the past month without anyone raising their hand to stop this
      with some strong argument.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Pablo Neira Ayuso
      netfilter: nf_conntrack: fix explicit helper attachment and NAT · 6714cf54
      Pablo Neira Ayuso authored
      Explicit helper attachment via the CT target is broken with NAT
      if non-standard ports are used. This problem was hidden behind
      the automatic helper assignment routine. Thus, it becomes more
      noticeable now that we can disable the automatic helper assignment
      with Eric Leblond's:
      
      9e8ac5a netfilter: nf_ct_helper: allow to disable automatic helper assignment
      
      Basically, nf_conntrack_alter_reply asks for looking up the helper
      if NAT is enabled. Unfortunately, we don't have the conntrack
      template at that point anymore.
      
      Since we don't want to rely on the automatic helper assignment,
      we can skip the second look-up and stick to the helper that was
      attached by iptables. With the CT target, the user is in full
      control of helper attachment, thus, the policy is to trust what
      the user explicitly configures via iptables (no automatic magic
      anymore).
      
      Interestingly, this bug was hidden by the automatic helper look-up
      code. But it can be easily triggered if you attach the helper to
      a non-standard port, e.g.
      
      iptables -I PREROUTING -t raw -p tcp --dport 8888 \
      	-j CT --helper ftp
      
      And you disabled the automatic helper assignment.
      
      I added the IPS_HELPER_BIT that allows us to differentiate between
      a helper that has been explicitly attached and those that have been
      automatically assigned. I didn't come up with a better solution
      (having backward compatibility in mind).
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Kelvie Wong
      netfilter: nf_ct_expect: partially implement ctnetlink_change_expect · 9768e1ac
      Kelvie Wong authored
      This refreshes the "timeout" attribute in existing expectations if one is
      given.
      
      The use case for this would be for userspace helpers to extend the lifetime
      of the expectation when requested, as this is not possible right now
      without deleting/recreating the expectation.
      
      I use this specifically for forwarding DCERPC traffic through:
      
      DCERPC has a port mapper daemon that chooses a (seemingly) random port for
      future traffic to go to. We expect this traffic (with a reasonable
      timeout), but sometimes the port mapper will tell the client to continue
      using the same port. This allows us to extend the expectation accordingly.
      Signed-off-by: Kelvie Wong <kelvie@ieee.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>