authorPablo Neira Ayuso <pablo@netfilter.org>2026-06-22 13:12:49 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2026-06-23 08:11:22 +0200
commitaaa0cd698ffa5dffbb0a1e81474a63a9f3ee47b1 (patch)
tree26d0cc84210746ebf82ad6912682d34c68c93a88
parent8a2cfe7951f679350d39239de4c610448731a68e (diff)
netfilter: ctnetlink: do not allow to reset helper on existing conntrack
This feature allows resetting the helper of an existing conntrack, but it is not safe. Doing so safely requires a synchronize_rcu() call after resetting the helper, which would be expensive for a large batch of conntrack entries. It would also need to call the .destroy callback to release the GRE/PPTP mappings. This feature antedates the creation of the conntrack-tools and I cannot find a good use-case for it. Given that I cannot find any user in the netfilter.org userspace tree, I prefer to remove this feature. Fixes: c1d10adb4a52 ("[NETFILTER]: Add ctnetlink port for nf_conntrack") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--net/netfilter/nf_conntrack_netlink.c13
1 files changed, 0 insertions, 13 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4e78d2482989..cb38ef42e9e6 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1953,19 +1953,6 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
return err;
}
- if (!strcmp(helpname, "") && help) {
- helper = rcu_dereference(help->helper);
- if (helper) {
- /* we had a helper before ... */
- nf_ct_remove_expectations(ct);
- RCU_INIT_POINTER(help->helper, NULL);
- if (refcount_dec_and_test(&helper->ct_refcnt))
- kfree_rcu(helper, rcu);
- }
- rcu_read_unlock();
- return 0;
- }
-
helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
if (helper == NULL) {