From: Florian Westphal Date: Fri, 12 Jun 2026 06:03:50 +0000 (+0200) Subject: netfilter: conntrack: add deprecation warnings for irc and pptp trackers X-Git-Tag: v7.2-rc1~29^2~14^2~4 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=57f940017a777aadf38b99db44cf35f727c26f4c;p=thirdparty%2Flinux.git netfilter: conntrack: add deprecation warnings for irc and pptp trackers IRC Direct client-to-client requires plaintext. IRC over TLS should be preferred, making this helper ineffective. Add a deprecation warning and update the help text to better reflect that this is needed for the DCC extension, not IRC itself. PPTP is esoteric these days and it is the only helper that requires the destroy callback in the conntrack helper API. Removal would simplify the conntrack core. Both helpers are IPv4 only. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index 81025101f86da..c761cd8158b25 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -114,6 +114,10 @@ int nf_conntrack_helpers_register(struct nf_conntrack_helper *, unsigned int, void nf_conntrack_helpers_unregister(struct nf_conntrack_helper **, unsigned int); +#define nf_conntrack_helper_deprecated(name) \ + pr_warn("The %s conntrack helper is scheduled for removal.\n" \ + "Please contact the netfilter-devel mailing list if you still need this.\n", name) + struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp); int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 665f8008cc4b2..4c04cd8d40a22 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -256,8 +256,7 @@ config NF_CONNTRACK_H323 To compile it as a module, choose M here. If unsure, say N. config NF_CONNTRACK_IRC - tristate "IRC protocol support" - default m if NETFILTER_ADVANCED=n + tristate "IRC DCC protocol support (obsolete)" help There is a commonly-used extension to IRC called Direct Client-to-Client Protocol (DCC). This enables users to send @@ -267,6 +266,8 @@ config NF_CONNTRACK_IRC using NAT, this extension will enable you to send files and initiate chats. Note that you do NOT need this extension to get files or have others initiate chats, or everything else in IRC. + DCC tracking behind NAT requires plaintext (unencrypted) IRC, so + this helper is of limited use these days. To compile it as a module, choose M here. If unsure, say N. @@ -308,17 +309,17 @@ config NF_CONNTRACK_SNMP To compile it as a module, choose M here. If unsure, say N. config NF_CONNTRACK_PPTP - tristate "PPtP protocol support" + tristate "PPtP protocol support (deprecated)" depends on NETFILTER_ADVANCED select NF_CT_PROTO_GRE help This module adds support for PPTP (Point to Point Tunnelling Protocol, RFC2637) connection tracking and NAT. - If you are running PPTP sessions over a stateful firewall or NAT + If you are still running PPTP sessions over a stateful firewall or NAT box, you may want to enable this feature. - Please note that not all PPTP modes of operation are supported yet. + Please note that not all PPTP modes of operation are supported. Specifically these limitations exist: - Blindly assumes that control connections are always established in PNS->PAC direction. This is a violation of RFC2637. diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index 0c117b8492e99..193ab34db795f 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c @@ -262,6 +262,8 @@ static int __init nf_conntrack_irc_init(void) { int i, ret; + nf_conntrack_helper_deprecated(HELPER_NAME); + if (max_dcc_channels < 1) { pr_err("max_dcc_channels must not be zero\n"); return -EINVAL; diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c index 776505a78e645..80fc14c87ddc4 100644 --- a/net/netfilter/nf_conntrack_pptp.c +++ b/net/netfilter/nf_conntrack_pptp.c @@ -545,6 +545,8 @@ static int __init nf_conntrack_pptp_init(void) pptp.destroy = gre_pptp_destroy_siblings; + nf_conntrack_helper_deprecated(pptp.name); + return nf_conntrack_helper_register(&pptp, &pptp_ptr); }