Netdev List
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com, fw@strlen.de,
	horms@kernel.org
Subject: [PATCH net 10/14] netfilter: conntrack: add deprecation warnings for irc and pptp trackers
Date: Wed, 24 Jun 2026 00:15:43 +0200
Message-ID: <20260623221548.701545-11-pablo@netfilter.org>
In-Reply-To: <20260623221548.701545-1-pablo@netfilter.org>

From: Florian Westphal <fw@strlen.de>

IRC Direct client-to-client requires plaintext.  IRC over TLS should be
preferred, making this helper ineffective.  Add a deprecation warning and
update the help text to better reflect that this is needed for the DCC
extension, not IRC itself.

PPTP is esoteric these days and it is the only helper that requires the
destroy callback in the conntrack helper API.

Removal would simplify the conntrack core.

Both helpers are IPv4 only.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_conntrack_helper.h |  4 ++++
 net/netfilter/Kconfig                       | 11 ++++++-----
 net/netfilter/nf_conntrack_irc.c            |  2 ++
 net/netfilter/nf_conntrack_pptp.c           |  2 ++
 4 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 81025101f86d..c761cd8158b2 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -114,6 +114,10 @@ int nf_conntrack_helpers_register(struct nf_conntrack_helper *, unsigned int,
 void nf_conntrack_helpers_unregister(struct nf_conntrack_helper **,
 				     unsigned int);
 
+#define nf_conntrack_helper_deprecated(name) \
+	pr_warn("The %s conntrack helper is scheduled for removal.\n"	\
+		"Please contact the netfilter-devel mailing list if you still need this.\n", name)
+
 struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp);
 
 int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
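Review bot: the format string in nf_conntrack_helper_deprecated() embeds a "\n" in the middle of a single pr_warn(), so any pr_fmt() prefix is applied only to the first line and the second line ("Please contact the netfilter-devel mailing list ...") shows up in the log without it, which makes the pair harder to grep and attribute. Either fold the text into one line or issue two pr_warn() calls (wrapped in do { } while (0) so the macro stays a single statement). A short comment above the macro saying it is meant to be called once from a helper's module init would also help, since nothing in the header documents the intended call site.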
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 665f8008cc4b..4c04cd8d40a2 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -256,8 +256,7 @@ config NF_CONNTRACK_H323
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NF_CONNTRACK_IRC
-	tristate "IRC protocol support"
-	default m if NETFILTER_ADVANCED=n
+	tristate "IRC DCC protocol support (obsolete)"
 	help
 	  There is a commonly-used extension to IRC called
 	  Direct Client-to-Client Protocol (DCC).  This enables users to send
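Review bot: dropping "default m if NETFILTER_ADVANCED=n" from NF_CONNTRACK_IRC is a behaviour change that the commit message does not mention: configurations with NETFILTER_ADVANCED=n no longer get this helper built as a module by default. Please say so in the changelog so that people relying on the old default notice it. The prompt here is also tagged "(obsolete)" while the PPTP prompt in the same patch is tagged "(deprecated)"; one term for both would be clearer.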
@@ -267,6 +266,8 @@ config NF_CONNTRACK_IRC
 	  using NAT, this extension will enable you to send files and initiate
 	  chats.  Note that you do NOT need this extension to get files or
 	  have others initiate chats, or everything else in IRC.
+	  DCC tracking behind NAT requires plaintext (unencrypted) IRC, so
+	  this helper is of limited use these days.
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
@@ -308,17 +309,17 @@ config NF_CONNTRACK_SNMP
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config NF_CONNTRACK_PPTP
-	tristate "PPtP protocol support"
+	tristate "PPtP protocol support (deprecated)"
 	depends on NETFILTER_ADVANCED
 	select NF_CT_PROTO_GRE
 	help
 	  This module adds support for PPTP (Point to Point Tunnelling
 	  Protocol, RFC2637) connection tracking and NAT.
 
-	  If you are running PPTP sessions over a stateful firewall or NAT
+	  If you are still running PPTP sessions over a stateful firewall or NAT
 	  box, you may want to enable this feature.
 
-	  Please note that not all PPTP modes of operation are supported yet.
+	  Please note that not all PPTP modes of operation are supported.
 	  Specifically these limitations exist:
 	    - Blindly assumes that control connections are always established
 	      in PNS->PAC direction. This is a violation of RFC2637.
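Review bot: the NF_CONNTRACK_PPTP prompt gains "(deprecated)" but the help body never says the helper is scheduled for removal or where to object, whereas the runtime warning added in nf_conntrack_helper.h says both. Someone reading the help text in menuconfig only sees "If you are still running PPTP sessions ...". Suggest adding one sentence to the help text that repeats the removal plan and points at the netfilter-devel list, so the notice is visible at configuration time and not only in the kernel log.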
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 0c117b8492e9..193ab34db795 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -262,6 +262,8 @@ static int __init nf_conntrack_irc_init(void)
 {
 	int i, ret;
 
+	nf_conntrack_helper_deprecated(HELPER_NAME);
+
 	if (max_dcc_channels < 1) {
 		pr_err("max_dcc_channels must not be zero\n");
 		return -EINVAL;
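Review bot: nf_conntrack_helper_deprecated(HELPER_NAME) sits ahead of the max_dcc_channels check, so a load that is rejected with -EINVAL still logs the removal notice for a helper that never registered. Moving the call below the parameter validation, to just before the helpers are registered as the pptp hunk does, would tie the warning to a load that actually proceeds.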
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index 776505a78e64..80fc14c87ddc 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -545,6 +545,8 @@ static int __init nf_conntrack_pptp_init(void)
 
 	pptp.destroy = gre_pptp_destroy_siblings;
 
+	nf_conntrack_helper_deprecated(pptp.name);
+
 	return nf_conntrack_helper_register(&pptp, &pptp_ptr);
 }
 
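Review bot: the warning is emitted from the __init function, not when the helper is first attached to a connection, so with NF_CONNTRACK_PPTP built in (the symbol is tristate) it is logged on every boot whether or not any ruleset uses PPTP tracking. If that is intended, please say so in the changelog; otherwise consider emitting it at the point where the helper is assigned. It is also printed before nf_conntrack_helper_register() returns, so a failed registration still logs it.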
-- 
2.47.3

