lists.openwall.net | Open Source and information security mailing list archives
Message-ID: <a3c79b7d-526f-92ce-144a-453ec3c200a5@googlemail.com>
Date: Fri, 9 Sep 2022 19:21:47 +0100
From: Chris Clayton <chris2553@...glemail.com>
To: Pablo Neira Ayuso <pablo@...filter.org>, Florian Westphal <fw@...len.de>
Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org>, regressions@...muis.info
Subject: Re: b118509076b3 (probably) breaks my firewall

On 09/09/2022 11:19, Pablo Neira Ayuso wrote:
> On Thu, Sep 08, 2022 at 11:48:59PM +0200, Florian Westphal wrote:
>> Chris Clayton <chris2553@...glemail.com> wrote:
>>
>> [ CC Pablo ]
>>
>>> On 08/09/2022 20:19, Florian Westphal wrote:
>>>> Chris Clayton <chris2553@...glemail.com> wrote:
>>>>> Just a heads up and a question...
>>>>>
>>>>> I've pulled the latest and greatest from Linus' tree and built and installed the kernel. git describe gives
>>>>> v6.0-rc4-126-g26b1224903b3.
>>>>>
>>>>> I find that my firewall is broken because /proc/sys/net/netfilter/nf_conntrack_helper no longer exists. It existed on an
>>>>> -rc4 kernel. Are changes like this supposed to be introduced at this stage of the -rc cycle?
>>>>
>>>> The problem is that the default-autoassign (nf_conntrack_helper=1) has
>>>> side effects that most people are not aware of.
>>>>
>>>> The bug that prompted this toggle from getting axed was that the irc (dcc) helper allowed
>>>> a remote client to create a port forwarding to the local client.
>>>
>>>
>>> Ok, but I still think it's not the sort of change that should be introduced at this stage of the -rc cycle.
>>> The other problem is that the documentation (Documentation/networking/nf_conntrack-sysctl.rst) hasn't been updated. So I
>>> know my firewall is broken but there's nothing I can find that tells me how to fix it.
>>
>> Pablo, I don't think revert+move the 'next' will avoid these kinds of
>> problems, but at least the nf_conntrack-sysctl.rst should be amended to
>> reflect that this was removed.
>
> I'll post a patch to amend the documentation.
>
>> I'd keep it though because people that see an error wrt. this might be
>> looking at nf_conntrack-sysctl.rst.
>>
>> Maybe just a link to
>> https://home.regit.org/netfilter-en/secure-use-of-helpers/?
>>

but I'm afraid that document isn't much use to a "Joe User" like me. It's written by people who know a lot about the subject matter to be read by other people who know a lot about the subject matter.

>> What do you think?
>
> I'll update netfilter.org to host a copy of the github sources.
>
> We have been announcing this going deprecated for 10 years...

That may be the case; it should be broken before -rc1 is released. Breaking it at -rc4+ is, I think, a regression!

Adding Thorsten Leemhuis to cc list
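Explicit helper assignment, which is what replaces the removed nf_conntrack_helper=1 auto-assign, as an added example that is not part of the thread and not the netfilter project's own documentation (the nft object/rule syntax is from the nft manual; the interface name "lan0", the helper "ftp" and port 21 are assumed defaults):

```shell
#!/bin/sh
# Added example, not code from the thread or from the netfilter project.
# With the nf_conntrack_helper sysctl gone, a helper is only attached to a
# flow if a rule says so. This builds an nftables ruleset that does exactly
# that for one helper on one control port, and only for traffic entering on
# a chosen interface, so a remote peer cannot get a helper assigned to it.
# Assumptions: nft (nftables 0.9+) is installed and root is needed to apply;
# "lan0", "ftp" and 21 are constructed defaults, not values from the thread.

gen_helper_ruleset() {
    lan_if="${1:-lan0}"   # interface whose clients may use the helper
    helper="${2:-ftp}"    # kernel helper name: ftp, irc, sip, ...
    port="${3:-21}"       # control-channel port the helper parses
    cat <<EOF
table ip helpers {
    # helper object: "type" is the conntrack helper name (nf_conntrack_ftp -> "ftp")
    ct helper ${helper}-std {
        type "${helper}" protocol tcp
    }
    chain pre {
        type filter hook prerouting priority 0; policy accept;
        # explicit assignment: only this port, only from the trusted side
        iifname "${lan_if}" tcp dport ${port} ct helper set "${helper}-std"
    }
}
EOF
}

# True when the old toggle is absent, i.e. auto-assign cannot be relied on
# and every needed helper must be assigned by a rule like the one above.
autoassign_removed() {
    [ ! -e /proc/sys/net/netfilter/nf_conntrack_helper ]
}

# Load the generated ruleset into the kernel (needs root and the nft binary).
apply_helper_ruleset() {
    gen_helper_ruleset "$@" | nft -f -
}
```

`apply_helper_ruleset lan0 irc 6667` produces the same shape of rule for the irc helper mentioned in the thread, scoped to the LAN side only.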