author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-03-08 23:05:39 +0100 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-03-09 14:00:55 +0100 |
commit | dc454a657f57a5cf143fddc5c1dd87a510c1790a (patch) | |
tree | bdf8c613a56d5b7661054bf4576c761e01d333c2 /src/helpers | |
parent | 75b3c6a15178a44c6ccff68b79c2bc3a05f7aa28 (diff) |
nfct: remove lazy binding
Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
daemon starts"), userspace conntrack helpers do not depend on a previous
invocation of nfct to set up the userspace helpers.
Move helper definitions to nfct-extensions/helper.c since existing
deployments might still invoke nfct, even if not required anymore.
This patch was motivated by the removal of the lazy binding.
Phil Sutter says:
"For security purposes, distributions might want to pass -Wl,-z,now
linker flags to all builds, thereby disabling lazy binding globally.
In the past, nfct relied upon lazy binding: It uses the helper objects'
parsing functions but doesn't provide all symbols the objects
use."
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/helpers')
-rw-r--r-- | src/helpers/Makefile.am | 2 | ||||
-rw-r--r-- | src/helpers/ftp.c | 12 | ||||
-rw-r--r-- | src/helpers/rpc.c | 13 | ||||
-rw-r--r-- | src/helpers/sane.c | 10 | ||||
-rw-r--r-- | src/helpers/tns.c | 7 |
5 files changed, 8 insertions, 36 deletions
diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
index e4f10c9..e458ab4 100644
--- a/src/helpers/Makefile.am
+++ b/src/helpers/Makefile.am
@@ -11,7 +11,7 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
 		     ct_helper_slp.la \
 		     ct_helper_ssdp.la
 
-HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) $(LAZY_LDFLAGS)
+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 
 ct_helper_amanda_la_SOURCES = amanda.c
diff --git a/src/helpers/ftp.c b/src/helpers/ftp.c
index 2505c71..29ac55c 100644
--- a/src/helpers/ftp.c
+++ b/src/helpers/ftp.c
@@ -36,17 +36,9 @@
 #include <libnetfilter_queue/pktbuff.h>
 #include <linux/netfilter.h>
 
-static bool loose; /* XXX: export this as config option. */
-
-#define NUM_SEQ_TO_REMEMBER 2
+#include "helpers/ftp.h"
 
-/* This structure exists only once per master */
-struct ftp_info {
-	/* Valid seq positions for cmd matching after newline */
-	uint32_t seq_aft_nl[MYCT_DIR_MAX][NUM_SEQ_TO_REMEMBER];
-	/* 0 means seq_match_aft_nl not set */
-	int seq_aft_nl_num[MYCT_DIR_MAX];
-};
+static bool loose; /* XXX: export this as config option. */
 
 enum nf_ct_ftp_type {
 	/* PORT command from client */
diff --git a/src/helpers/rpc.c b/src/helpers/rpc.c
index 3b3d0a7..732e9ba 100644
--- a/src/helpers/rpc.c
+++ b/src/helpers/rpc.c
@@ -41,21 +41,12 @@
 #include <libnetfilter_queue/pktbuff.h>
 #include <linux/netfilter.h>
 
+#include "helpers/rpc.h"
+
 /* RFC 1050: RPC: Remote Procedure Call Protocol Specification Version 2 */
 /* RFC 1014: XDR: External Data Representation Standard */
 #define SUPPORTED_RPC_VERSION 2
 
-struct rpc_info {
-	/* XID */
-	uint32_t xid;
-	/* program */
-	uint32_t pm_prog;
-	/* program version */
-	uint32_t pm_vers;
-	/* transport protocol: TCP|UDP */
-	uint32_t pm_prot;
-};
-
 /* So, this packet has hit the connection tracking matching code. Mangle it,
    and change the expectation to match the new version. */
 static unsigned int
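Review bot: Dropping `$(LAZY_LDFLAGS)` from HELPER_LDFLAGS means the helper modules are now linked with the toolchain's default binding, so every symbol a helper object references must be resolvable by whichever executable loads it (conntrackd or nfct) at load time; this hunk cannot show that the symbol gap on the nfct side described in the commit message is closed, since that lives outside src/helpers. A cheap regression check is to run both conntrackd and nfct with `LD_BIND_NOW=1` in the environment, which turns any still-unresolved symbol into a load-time failure instead of a crash at first call. If configure.ac still defines LAZY_LDFLAGS, that definition is presumably dead after this change and could go in the same series; that file is not part of this diff.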
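Review bot: The removed definitions move into headers this diff does not show (`helpers/ftp.h` here, and `helpers/rpc.h`, `helpers/sane.h`, `helpers/tns.h` in the rpc.c, sane.c and tns.c hunks), so the point to check is that each new header is self-contained: `struct ftp_info` needs `<stdint.h>` and the definition of `MYCT_DIR_MAX`, `struct rpc_info` needs `<stdint.h>`, `struct nf_ct_sane_master` needs `enum sane_state`, and `struct tns_info` needs `<stdbool.h>`. In these .c files the new `#include` follows the system includes, so a missing include inside a header would likely only surface in nfct-extensions, where the include order may differ. `NUM_SEQ_TO_REMEMBER` is also deleted from ftp.c; if the helper body outside this hunk still references it, the header must define it as well. The `enum nf_ct_ftp_type` definition continues past the end of the hunk.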
diff --git a/src/helpers/sane.c b/src/helpers/sane.c
index 2c07099..ebcb24c 100644
--- a/src/helpers/sane.c
+++ b/src/helpers/sane.c
@@ -39,11 +39,7 @@
 #include <libnetfilter_queue/libnetfilter_queue_tcp.h>
 #include <libnetfilter_queue/pktbuff.h>
 #include <linux/netfilter.h>
-
-enum sane_state {
-	SANE_STATE_NORMAL,
-	SANE_STATE_START_REQUESTED,
-};
+#include "helpers/sane.h"
 
 struct sane_request {
 	uint32_t RPC_code;
@@ -61,10 +57,6 @@ struct sane_reply_net_start {
 	/* other fields aren't interesting for conntrack */
 };
 
-struct nf_ct_sane_master {
-	enum sane_state state;
-};
-
 static int
 sane_helper_cb(struct pkt_buff *pkt, uint32_t protoff,
 	       struct myct *myct, uint32_t ctinfo)
diff --git a/src/helpers/tns.c b/src/helpers/tns.c
index 803f40a..5692f29 100644
--- a/src/helpers/tns.c
+++ b/src/helpers/tns.c
@@ -29,6 +29,8 @@
 #include <libnetfilter_queue/pktbuff.h>
 #include <linux/netfilter.h>
 
+#include "helpers/tns.h"
+
 /* TNS SQL*Net Version 2 */
 enum tns_types {
 	TNS_TYPE_CONNECT = 1,
@@ -58,11 +60,6 @@ struct tns_redirect {
 	uint16_t data_len;
 };
 
-struct tns_info {
-	/* Scan next DATA|REDIRECT packet */
-	bool parse;
-};
-
 static int try_number(const char *data, size_t dlen, uint32_t array[],
 		      int array_size, char sep, char term)
 {