nfct: remove lazy binding

Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.

Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.

This patch was motivated by the removal of the lazy binding.

Phil Sutter says:

"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.

In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions without but doesn't provide all symbols the objects
use."

Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

7 files changed, 54 insertions, 1 deletions

diff --git a/include/Makefile.am b/include/Makefile.am
index 352054e..4741b50 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,4 +1,4 @@
-SUBDIRS = linux
+SUBDIRS = linux helpers
 
 noinst_HEADERS = alarm.h jhash.h cache.h linux_list.h linux_rbtree.h \
 		 sync.h conntrackd.h local.h udp.h tcp.h \
diff --git a/include/helper.h b/include/helper.h
index d540667..08d4cf4 100644
--- a/include/helper.h
+++ b/include/helper.h
@@ -56,6 +56,7 @@ extern int in4_pton(const char *src, int srclen, uint8_t *dst, int delim, const
 extern int in6_pton(const char *src, int srclen, uint8_t *dst, int delim, const char **end);
 
 extern void helper_register(struct ctd_helper *helper);
+struct ctd_helper *__helper_find(const char *helper_name, uint8_t l4proto);
 struct ctd_helper *helper_find(const char *libdir_path, const char *name, uint8_t l4proto, int flags);
 
 #define min_t(type, x, y) ({			\
diff --git a/include/helpers/Makefile.am b/include/helpers/Makefile.am
new file mode 100644
index 0000000..99a4257
--- /dev/null
+++ b/include/helpers/Makefile.am
@@ -0,0 +1 @@
+noinst_HEADERS = ftp.h  rpc.h  sane.h  tns.h
diff --git a/include/helpers/ftp.h b/include/helpers/ftp.h
new file mode 100644
index 0000000..50e2d0c
--- /dev/null
+++ b/include/helpers/ftp.h
@@ -0,0 +1,14 @@
+#ifndef _CTD_FTP_H
+#define _CTD_FTP_H
+
+#define NUM_SEQ_TO_REMEMBER 2
+
+/* This structure exists only once per master */
+struct ftp_info {
+	/* Valid seq positions for cmd matching after newline */
+	uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
+	/* 0 means seq_match_aft_nl not set */
+	int seq_aft_nl_num[MYCT_DIR_MAX];
+};
+
+#endif
diff --git a/include/helpers/rpc.h b/include/helpers/rpc.h
new file mode 100644
index 0000000..b0b8d17
--- /dev/null
+++ b/include/helpers/rpc.h
@@ -0,0 +1,15 @@
+#ifndef _CTD_RPC_H
+#define _CTD_RPC_H
+
+struct rpc_info {
+	/* XID */
+	uint32_t xid;
+	/* program */
+	uint32_t pm_prog;
+	/* program version */
+	uint32_t pm_vers;
+	/* transport protocol: TCP|UDP */
+	uint32_t pm_prot;
+};
+
+#endif
diff --git a/include/helpers/sane.h b/include/helpers/sane.h
new file mode 100644
index 0000000..1e70ff6
--- /dev/null
+++ b/include/helpers/sane.h
@@ -0,0 +1,13 @@
+#ifndef _CTD_SANE_H
+#define _CTD_SANE_H
+
+enum sane_state {
+	SANE_STATE_NORMAL,
+	SANE_STATE_START_REQUESTED,
+};
+
+struct nf_ct_sane_master {
+	enum sane_state state;
+};
+
+#endif
diff --git a/include/helpers/tns.h b/include/helpers/tns.h
new file mode 100644
index 0000000..60dcf25
--- /dev/null
+++ b/include/helpers/tns.h
@@ -0,0 +1,9 @@
+#ifndef _CTD_TNS_H
+#define _CTD_TNS_H
+
+struct tns_info {
+	/* Scan next DATA|REDIRECT packet */
+	bool parse;
+};
+
+#endif