Hi Patrick,
The following patches rework the userspace expectation support
to fix one problematic scenario: if the master conntrack vanishes
while there are still userspace expectations, we hit an oops
in the destroy event path for expectations.
The idea to fix this is to extend the iptables CT target to
explicit allocate the helper extension for conntracks that
are suppose to behave as master for user-space expectations.
In the case of the userspace FTP helper, people would need
to add the following rule:
iptables -A PREROUTING -t raw \
-p tcp --dport 21 -j CT --userspace-helper
Thus, we can store the list of expectations that belong to
one master, and delete them in case that the master vanishes.
---
Pablo Neira Ayuso (2):
netfilter: CT: allow to set userspace helper status flag
netfilter: nf_ct_expect: rework userspace expectation support
include/linux/netfilter/nf_conntrack_common.h | 4 ++
include/linux/netfilter/xt_CT.h | 3 +
include/net/netfilter/nf_conntrack_expect.h | 1
net/netfilter/nf_conntrack_expect.c | 63 ++++++++-----------------
net/netfilter/nf_conntrack_helper.c | 12 +++++
net/netfilter/nf_conntrack_netlink.c | 5 ++
net/netfilter/xt_CT.c | 8 ++-
7 files changed, 48 insertions(+), 48 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
