netfilter: remove nf_conntrack_helper sysctl and modparam toggles
__nf_ct_try_assign_helper() remains in place but it now requires a template to configure the helper.

A toggle to disable automatic helper assignment was added by:

  a9006892 ("netfilter: nf_ct_helper: allow to disable automatic helper assignment")

in 2012 to address the issues described in "Secure use of iptables and connection tracking helpers". Automatic conntrack helper assignment was disabled by:

  3bb398d9 ("netfilter: nf_ct_helper: disable automatic helper assignment")

back in 2016.

This patch removes the sysctl and modparam toggles, users now have to rely on explicit conntrack helper configuration via ruleset.

Update tools/testing/selftests/netfilter/nft_conntrack_helper.sh to check that auto-assignment does not happen anymore.

Acked-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
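The commit message says helpers must now be configured explicitly via the ruleset. The nftables fragment below is an added illustration of such a configuration, not part of this commit or its selftest; the table name, the object name `ftp-standard` and the server address 192.0.2.10 are constructed for the example.

```nft
# Added example, not from the commit. Table name, object name and address are constructed.
table inet helper_demo {
    # Helper object: "ftp" is the kernel helper type, bound to TCP.
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    chain prerouting {
        # Assignment has to happen after the conntrack lookup (priority -200),
        # so this chain uses the filter priority (0).
        type filter hook prerouting priority filter; policy accept;

        # Attach the helper only to control connections for one known server,
        # instead of every flow that happens to use port 21.
        ip daddr 192.0.2.10 tcp dport 21 ct helper set "ftp-standard"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Data connections expected by the helper arrive as "related".
        ct state established,related accept
        ip daddr 192.0.2.10 tcp dport 21 ct state new accept
    }
}
```

Scoping the `ct helper set` rule to a specific destination keeps the helper from parsing traffic on connections it was never meant to track.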
- include/net/netfilter/nf_conntrack.h: 0 additions, 2 deletions
- include/net/netns/conntrack.h: 0 additions, 1 deletion
- net/netfilter/nf_conntrack_core.c: 1 addition, 6 deletions
- net/netfilter/nf_conntrack_helper.c: 10 additions, 70 deletions
- net/netfilter/nf_conntrack_netlink.c: 0 additions, 5 deletions
- net/netfilter/nf_conntrack_standalone.c: 0 additions, 10 deletions
- net/netfilter/nft_ct.c: 0 additions, 3 deletions
- tools/testing/selftests/netfilter/nft_conntrack_helper.sh: 26 additions, 10 deletions