netfilter: ctnetlink: do not allow to reset helper on existing conntrack

This feature allows to reset a helper for an existing conntrack, but it
is not safe. This requires a synchronized_rcu() call after resetting the
helper, which is going to be expensive for a large batch of conntrack
entries. This also needs to call to the .destroy callback to release the
GRE/PPTP mappings to fix it.

This feature antedates the creation of the conntrack-tools and I cannot
find a good use-case for this. Given that I cannot find any user in the
netfilter.org userspace tree, I prefer to remove this feature.

Fixes: c1d10adb4a52 ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 4e78d24829895e5bb9d516105a9f7952312d06c8..cb38ef42e9e6caa02e9933d3b07a897bcab2a670 100644 (file)
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1953,19 +1953,6 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
                return err;
        }
 
-       if (!strcmp(helpname, "") && help) {
-               helper = rcu_dereference(help->helper);
-               if (helper) {
-                       /* we had a helper before ... */
-                       nf_ct_remove_expectations(ct);
-                       RCU_INIT_POINTER(help->helper, NULL);
-                       if (refcount_dec_and_test(&helper->ct_refcnt))
-                               kfree_rcu(helper, rcu);
-               }
-               rcu_read_unlock();
-               return 0;
-       }
-
        helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
                                            nf_ct_protonum(ct));
        if (helper == NULL) {