2 files changed, 16 insertions, 1 deletions

diff --git a/include/linux/netfilter/nf_conntrack_common.h b/include/linux/netfilter/nf_conntrack_common.h
index 0d3dd66322ec..d146872a0b91 100644
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -83,6 +83,10 @@ enum ip_conntrack_status {
         /* Conntrack is a fake untracked entry */
         IPS_UNTRACKED_BIT = 12,
         IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+
+        /* Conntrack got a helper explicitly attached via CT target. */
+        IPS_HELPER_BIT = 13,
+        IPS_HELPER = (1 << IPS_HELPER_BIT),
 };
 
 /* Connection tracking event types */
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 317f6e43db87..4fa2ff961f5a 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -182,10 +182,21 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
         struct net *net = nf_ct_net(ct);
         int ret = 0;
 
+        /* We already got a helper explicitly attached. The function
+         * nf_conntrack_alter_reply - in case NAT is in use - asks for looking
+         * the helper up again. Since now the user is in full control of
+         * making consistent helper configurations, skip this automatic
+         * re-lookup, otherwise we'll lose the helper.
+         */
+        if (test_bit(IPS_HELPER_BIT, &ct->status))
+                return 0;
+
         if (tmpl != NULL) {
                 help = nfct_help(tmpl);
-                if (help != NULL)
+                if (help != NULL) {
                         helper = help->helper;
+                        set_bit(IPS_HELPER_BIT, &ct->status);
+                }
         }
 
         help = nfct_help(ct);