summaryrefslogtreecommitdiffstats
path: root/include/linux/netfilter_ipv4
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2011-12-18 01:55:54 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2011-12-23 14:36:39 +0100
commit3d058d7bc2c5671ae630e0b463be8a69b5783fb9 (patch)
treef500c32545d26357da5d2ea1e8e63e64af8bbc35 /include/linux/netfilter_ipv4
parentc4042a339f40fe00d85e31055b1c0808dd025539 (diff)
downloadlinux-stable-3d058d7bc2c5671ae630e0b463be8a69b5783fb9.tar.gz
linux-stable-3d058d7bc2c5671ae630e0b463be8a69b5783fb9.tar.bz2
linux-stable-3d058d7bc2c5671ae630e0b463be8a69b5783fb9.zip
netfilter: rework user-space expectation helper support
This partially reworks bc01befdcf3e40979eb518085a075cbf0aacede0 which added userspace expectation support. This patch removes the nf_ct_userspace_expect_list since now we force to use the new iptables CT target feature to add the helper extension for conntracks that have attached expectations from userspace. A new version of the proof-of-concept code to implement userspace helpers from userspace is available at: http://people.netfilter.org/pablo/userspace-conntrack-helpers/nf-ftp-helper-POC.tar.bz2 This patch also modifies the CT target to allow to set the conntrack's userspace helper status flags. This flag is used to tell the conntrack system to explicitly allocate the helper extension. This helper extension is useful to link the userspace expectations with the master conntrack that is being tracked from one userspace helper. This feature fixes a problem in the current approach of the userspace helper support. Basically, if the master conntrack that has got a userspace expectation vanishes, the expectations point to one invalid memory address. Thus, triggering an oops in the expectation deletion event path. I decided not to add a new revision of the CT target because I only needed to add a new flag for it. I'll document in this issue in the iptables manpage. I have also changed the return value from EINVAL to EOPNOTSUPP if one flag not supported is specified. Thus, in the future adding new features that only require a new flag can be added without a new revision. There is no official code using this in userspace (apart from the proof-of-concept) that uses this infrastructure but there will be some by beginning 2012. Reported-by: Sam Roberts <vieuxtech@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/linux/netfilter_ipv4')
0 files changed, 0 insertions, 0 deletions