Date:   Thu, 2 Feb 2017 14:26:52 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Jiri Kosina <jikos@...nel.org>
Cc:     Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
        Florian Westphal <fw@...len.de>,
        NetFilter <netfilter-devel@...r.kernel.org>,
        coreteam@...filter.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        info@...lonka.cz, eric@...it.org
Subject: Re: [PATCH v3] netfilter: nf_ct_helper: warn when not applying default helper assignment

On Wed, Feb 01, 2017 at 09:01:54PM +0100, Jiri Kosina wrote:
> From: Jiri Kosina <jkosina@...e.cz>
> 
> Commit 3bb398d925 ("netfilter: nf_ct_helper: disable automatic helper 
> assignment") is causing behavior regressions in firewalls, as traffic 
> handled by conntrack helpers is now by default not passed through even 
> though it was before due to missing CT targets (which were not necessary 
> before this commit).
> 
> The default had to be switched off due to security reasons [1] [2] and 
> therefore should stay the way it is, but let's be friendly to firewall 
> admins and issue a warning the first time we're in situation where packet 
> would be likely passed through with the old default but we're likely going 
> to drop it on the floor now.
> 
> Rewrite the code a little bit as suggested by Linus, so that we avoid 
> spaghettiing the code even more -- namely the whole decision making 
> process regarding helper selection (either automatic or not) is being 
> separated, so that the whole logic can be simplified and code (condition) 
> duplication reduced.
> 
> [1] https://cansecwest.com/csw12/conntrack-attack.pdf
> [2] https://home.regit.org/netfilter-en/secure-use-of-helpers/

Applied, thanks.
