linux/net/netfilter
Pablo Neira Ayuso 6714cf5465 netfilter: nf_conntrack: fix explicit helper attachment and NAT
Explicit helper attachment via the CT target is broken with NAT
if non-standard ports are used. This problem was hidden behind
the automatic helper assignment routine. Thus, it becomes more
noticeable now that we can disable the automatic helper assignment
with Eric Leblond's:

9e8ac5a netfilter: nf_ct_helper: allow to disable automatic helper assignment

Basically, nf_conntrack_alter_reply asks for looking up the helper
up if NAT is enabled. Unfortunately, we don't have the conntrack
template at that point anymore.

Since we don't want to rely on the automatic helper assignment,
we can skip the second look-up and stick to the helper that was
attached by iptables. With the CT target, the user is in full
control of helper attachment, thus, the policy is to trust what
the user explicitly configures via iptables (no automatic magic
anymore).

Interestingly, this bug was hidden by the automatic helper look-up
code. But it can be easily trigger if you attach the helper in
a non-standard port, eg.

iptables -I PREROUTING -t raw -p tcp --dport 8888 \
	-j CT --helper ftp

And you disabled the automatic helper assignment.

I added the IPS_HELPER_BIT that allows us to differenciate between
a helper that has been explicitly attached and those that have been
automatically assigned. I didn't come up with a better solution
(having backward compatibility in mind).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2012-05-08 19:44:42 +02:00
..
ipset net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
ipvs ipvs: ip_vs_proto: local functions should not be exposed globally 2012-05-08 19:40:54 +02:00
Kconfig netfilter: nf_ct_ext: add timeout extension 2012-03-07 17:41:25 +01:00
Makefile netfilter: nf_ct_ext: add timeout extension 2012-03-07 17:41:25 +01:00
core.c net: Delete all remaining instances of ctl_path 2012-04-20 21:22:30 -04:00
nf_conntrack_acct.c net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
nf_conntrack_amanda.c
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: nf_ct_helper: allow to disable automatic helper assignment 2012-05-08 19:35:18 +02:00
nf_conntrack_ecache.c netfilter: nf_ct_ecache: refactor notifier registration 2012-05-08 19:17:23 +02:00
nf_conntrack_expect.c netfilter: provide config option to disable ancient procfs parts 2011-12-27 20:45:28 +01:00
nf_conntrack_extend.c net: reintroduce missing rcu_assign_pointer() calls 2012-01-12 12:26:56 -08:00
nf_conntrack_ftp.c module_param: make bool parameters really bool (net & drivers/net) 2011-12-19 22:27:29 -05:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: nf_conntrack: fix explicit helper attachment and NAT 2012-05-08 19:44:42 +02:00
nf_conntrack_irc.c netfilter: add more values to enum ip_conntrack_info 2011-06-06 01:35:10 +02:00
nf_conntrack_l3proto_generic.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: nf_ct_expect: partially implement ctnetlink_change_expect 2012-05-08 19:40:59 +02:00
nf_conntrack_pptp.c netfilter: nf_ct_pptp: fix DNATed PPTP connection address translation 2011-08-30 15:23:03 +02:00
nf_conntrack_proto.c net: Convert nf_conntrack_proto to use register_net_sysctl 2012-04-20 21:22:30 -04:00
nf_conntrack_proto_dccp.c net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
nf_conntrack_proto_generic.c nf_conntrack_proto_generic: Stop using NLA_PUT*(). 2012-04-01 18:52:31 -04:00
nf_conntrack_proto_gre.c nf_conntrack_proto_gre: Stop using NLA_PUT*(). 2012-04-01 18:52:03 -04:00
nf_conntrack_proto_sctp.c nf_conntrack_proto_sctp: Stop using NLA_PUT*(). 2012-04-01 18:51:39 -04:00
nf_conntrack_proto_tcp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2012-04-12 19:41:23 -04:00
nf_conntrack_proto_udp.c nf_conntrack_proto_udp{,lite}: Stop using NLA_PUT*(). 2012-04-01 18:48:06 -04:00
nf_conntrack_proto_udplite.c nf_conntrack_proto_udp{,lite}: Stop using NLA_PUT*(). 2012-04-01 18:48:06 -04:00
nf_conntrack_sane.c netfilter: add more values to enum ip_conntrack_info 2011-06-06 01:35:10 +02:00
nf_conntrack_sip.c netfilter: add more values to enum ip_conntrack_info 2011-06-06 01:35:10 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c netfilter: nf_ct_ext: add timeout extension 2012-03-07 17:41:25 +01:00
nf_conntrack_timestamp.c net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
nf_internals.h
nf_log.c net: Convert all sysctl registrations to register_net_sysctl 2012-04-20 21:22:30 -04:00
nf_queue.c netfilter: nf_queue: fix queueing of bridged gro skbs 2012-02-09 20:47:53 +01:00
nf_sockopt.c
nf_tproxy_core.c
nfnetlink.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
nfnetlink_acct.c nfnetlink_acct: Stop using NLA_PUT*(). 2012-04-01 18:46:29 -04:00
nfnetlink_cttimeout.c nfnetlink_cttimeout: Stop using NLA_PUT*(). 2012-04-01 18:46:00 -04:00
nfnetlink_log.c nfnetlink_log: Stop using NLA_PUT*(). 2012-04-01 18:43:44 -04:00
nfnetlink_queue.c nfnetlink_queue: Stop using NLA_PUT*(). 2012-04-01 18:43:44 -04:00
x_tables.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_AUDIT.c ipv6: Add fragment reporting to ipv6_skip_exthdr(). 2011-12-03 09:35:10 -08:00
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_CONNSECMARK.c
xt_CT.c netfilter: xt_CT: fix wrong checking in the timeout assignment path 2012-04-30 10:40:36 +02:00
xt_DSCP.c netfilter: IPv6: fix DSCP mangle code 2011-05-10 10:00:21 +02:00
xt_HL.c netfilter: Reduce switch/case indent 2011-07-01 16:11:15 -07:00
xt_IDLETIMER.c netfilter: Remove unnecessary OOM logging messages 2011-11-01 09:19:49 +01:00
xt_LED.c
xt_LOG.c netfilter: xt_LOG: use CONFIG_IP6_NF_IPTABLES instead of CONFIG_IPV6 2012-03-22 11:50:56 +01:00
xt_NFLOG.c
xt_NFQUEUE.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_NOTRACK.c
xt_RATEEST.c net,rcu: Convert call_rcu(xt_rateest_free_rcu) to kfree_rcu() 2011-07-20 14:10:19 -07:00
xt_SECMARK.c
xt_TCPMSS.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_TCPOPTSTRIP.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_TEE.c netfilter: ip6_route_output() never returns NULL. 2012-02-22 15:30:15 -05:00
xt_TPROXY.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_TRACE.c
xt_addrtype.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_cluster.c
xt_comment.c
xt_connbytes.c Merge branch 'nf-next' of git://1984.lsi.us.es/net-next 2011-12-25 02:21:45 -05:00
xt_connlimit.c
xt_connmark.c
xt_conntrack.c netfilter: revert a2361c8735 2011-05-10 12:13:36 +02:00
xt_cpu.c
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_ecn.c netfilter: xtables: collapse conditions in xt_ecn 2011-12-27 20:45:25 +01:00
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit: fix unused variable warning if IPv6 disabled 2012-01-16 13:40:54 +01:00
xt_helper.c
xt_hl.c netfilter: Reduce switch/case indent 2011-07-01 16:11:15 -07:00
xt_iprange.c
xt_ipvs.c
xt_length.c
xt_limit.c
xt_mac.c
xt_mark.c
xt_multiport.c
xt_nfacct.c netfilter: xtables: add nfacct match to support extended accounting 2011-12-25 02:43:17 +01:00
xt_osf.c net,rcu: convert call_rcu(xt_osf_finger_free_rcu) to kfree_rcu() 2011-05-07 22:51:12 -07:00
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_rateest.c netfilter: xt_rateest: fix xt_rateest_mt_checkentry() 2011-07-29 16:24:46 +02:00
xt_realm.c
xt_recent.c net: cleanup unsigned to unsigned int 2012-04-15 12:44:40 -04:00
xt_repldata.h
xt_sctp.c
xt_set.c Remove redundant linux/version.h includes from net/ 2011-06-21 16:03:17 -07:00
xt_socket.c net:netfilter: use IS_ENABLED 2011-12-16 15:49:52 -05:00
xt_state.c
xt_statistic.c net: Fix files explicitly needing to include module.h 2011-10-31 19:30:28 -04:00
xt_string.c
xt_tcpmss.c
xt_tcpudp.c
xt_time.c
xt_u32.c