netfilter: revert user-space expectation helper support

This patch partially reverts:
3d058d7 netfilter: rework user-space expectation helper support
that was applied during the 3.2 development cycle.

After this patch, the tree remains just like before patch bc01bef,
that initially added the preliminary infrastructure.

I decided to partially revert this patch because the approach
that I proposed to resolve this problem is broken in NAT setups.
Moreover, a new infrastructure will be submitted for the 3.3.x
development cycle that resolve the existing issues while
providing a neat solution.

Since nobody has been seriously using this infrastructure in
user-space, the removal of this feature should affect any know
FOSS project (to my knowledge).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

3 files changed, 3 insertions, 21 deletions

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 299fec91f741..bbe23baa19b6 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -121,18 +121,6 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
         int ret = 0;
 
         if (tmpl != NULL) {
-                /* we've got a userspace helper. */
-                if (tmpl->status & IPS_USERSPACE_HELPER) {
-                        help = nf_ct_helper_ext_add(ct, flags);
-                        if (help == NULL) {
-                                ret = -ENOMEM;
-                                goto out;
-                        }
-                        rcu_assign_pointer(help->helper, NULL);
-                        __set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
-                        ret = 0;
-                        goto out;
-                }
                 help = nfct_help(tmpl);
                 if (help != NULL)
                         helper = help->helper;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 2a4834b83332..9307b033c0c9 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2042,10 +2042,6 @@ ctnetlink_create_expect(struct net *net, u16 zone,
         }
         help = nfct_help(ct);
         if (!help) {
-                err = -EOPNOTSUPP;
-                goto out;
-        }
-        if (test_bit(IPS_USERSPACE_HELPER_BIT, &ct->status)) {
                 if (!cda[CTA_EXPECT_TIMEOUT]) {
                         err = -EINVAL;
                         goto out;
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 8e87123f1373..0221d10de75a 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -62,8 +62,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
         int ret = 0;
         u8 proto;
 
-        if (info->flags & ~(XT_CT_NOTRACK | XT_CT_USERSPACE_HELPER))
-                return -EOPNOTSUPP;
+        if (info->flags & ~XT_CT_NOTRACK)
+                return -EINVAL;
 
         if (info->flags & XT_CT_NOTRACK) {
                 ct = nf_ct_untracked_get();
@@ -92,9 +92,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par)
                                   GFP_KERNEL))
                 goto err3;
 
-        if (info->flags & XT_CT_USERSPACE_HELPER) {
-                __set_bit(IPS_USERSPACE_HELPER_BIT, &ct->status);
-        } else if (info->helper[0]) {
+        if (info->helper[0]) {
                 ret = -ENOENT;
                 proto = xt_ct_find_proto(par);
                 if (!proto) {