| field | value | date |
|---|---|---|
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2026-06-22 13:12:49 +0200 |
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2026-06-23 08:11:22 +0200 |
| commit | aaa0cd698ffa5dffbb0a1e81474a63a9f3ee47b1 (patch) | |
| tree | 26d0cc84210746ebf82ad6912682d34c68c93a88 | |
| parent | 8a2cfe7951f679350d39239de4c610448731a68e (diff) | |
netfilter: ctnetlink: do not allow to reset helper on existing conntrack

This feature allows resetting a helper for an existing conntrack, but it
is not safe. This requires a synchronize_rcu() call after resetting the
helper, which is going to be expensive for a large batch of conntrack
entries. This also needs to call the .destroy callback to release the
GRE/PPTP mappings to fix it.

This feature antedates the creation of the conntrack-tools and I cannot
find a good use-case for this. Given that I cannot find any user in the
netfilter.org userspace tree, I prefer to remove this feature.

Fixes: c1d10adb4a52 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 13 |
1 files changed, 0 insertions, 13 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 4e78d2482989..cb38ef42e9e6 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -1953,19 +1953,6 @@ static int ctnetlink_change_helper(struct nf_conn *ct, return err; } - if (!strcmp(helpname, "") && help) { - helper = rcu_dereference(help->helper); - if (helper) { - /* we had a helper before ... */ - nf_ct_remove_expectations(ct); - RCU_INIT_POINTER(help->helper, NULL); - if (refcount_dec_and_test(&helper->ct_refcnt)) - kfree_rcu(helper, rcu); - } - rcu_read_unlock(); - return 0; - } - helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), nf_ct_protonum(ct)); if (helper == NULL) { |
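Review bot: The removed branch is a user-visible behaviour change that the commit message does not spell out: before this hunk, a CTA_HELP_NAME of "" on an existing conntrack cleared help->helper, dropped its expectations and returned 0; after it, the empty name falls straight through to `__nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), nf_ct_protonum(ct))`, so the request now lands in the `if (helper == NULL)` path whose body is outside the visible context. Please confirm that path returns a clear error to userspace (rather than something a caller could mistake for a partial success) and add a sentence to the commit message stating that an empty helper name is now rejected instead of resetting the helper. One more point worth a line in the message: the deleted code took the `rcu_read_unlock()` and `return 0` path itself, so it is worth stating that the remaining code unlocks on every path the empty-name request can now reach.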
