netfilter: remove nf_conntrack_helper sysctl and modparam toggles

__nf_ct_try_assign_helper() remains in place but it now requires a template to configure the helper. A toggle to disable automatic helper assignment was added by: a9006892643a ("netfilter: nf_ct_helper: allow to disable automatic helper assignment") in 2012 to address the issues described in "Secure use of iptables and connection tracking helpers". Automatic conntrack helper assignment was disabled by: 3bb398d925ec ("netfilter: nf_ct_helper: disable automatic helper assignment") back in 2016. This patch removes the sysctl and modparam toggles, users now have to rely on explicit conntrack helper configuration via ruleset. Update tools/testing/selftests/netfilter/nft_conntrack_helper.sh to check that auto-assignment does not happen anymore. Acked-by: Aaron Conole <aconole@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2022-08-26 08:49:16 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2022-08-31 12:12:32 +0200
commit: b118509076b39cc5e616c0680312b5caaca535fe (patch)
tree: e5b4b13aaf965c1dbe031e047e18d69be848eeab /include/net/netns
parent: 13a9d08c296228d18289de60b83792c586e1d073 (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index c396a3862e80..e1290c159184 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -101,7 +101,6 @@ struct netns_ct {
 	u8			sysctl_log_invalid; /* Log invalid packets */
 	u8			sysctl_events;
 	u8			sysctl_acct;
-	u8			sysctl_auto_assign_helper;
 	u8			sysctl_tstamp;
 	u8			sysctl_checksum;
author	Pablo Neira Ayuso <pablo@netfilter.org>	2022-08-26 08:49:16 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2022-08-31 12:12:32 +0200
commit	b118509076b39cc5e616c0680312b5caaca535fe (patch)
tree	e5b4b13aaf965c1dbe031e047e18d69be848eeab /include/net/netns
parent	13a9d08c296228d18289de60b83792c586e1d073 (diff)