Message-ID: <YxvwKlE+nyfUjHx8@salvia>
Date:   Sat, 10 Sep 2022 04:02:18 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Chris Clayton <chris2553@...glemail.com>
Cc:     Florian Westphal <fw@...len.de>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        regressions@...ts.linux.dev, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org
Subject: removing conntrack helper toggle to enable auto-assignment [was Re:
 b118509076b3 (probably) breaks my firewall]

On Fri, Sep 09, 2022 at 07:21:47PM +0100, Chris Clayton wrote:
> On 09/09/2022 11:19, Pablo Neira Ayuso wrote:
> > On Thu, Sep 08, 2022 at 11:48:59PM +0200, Florian Westphal wrote:
> >> Chris Clayton <chris2553@...glemail.com> wrote:
> >>
> >> [ CC Pablo ]
> >>
> >>> On 08/09/2022 20:19, Florian Westphal wrote:
> >>>> Chris Clayton <chris2553@...glemail.com> wrote:
> >>>>> Just a heads up and a question...
> >>>>>
> >>>>> I've pulled the latest and greatest from Linus' tree and built and installed the kernel. git describe gives
> >>>>> v6.0-rc4-126-g26b1224903b3.
> >>>>>
> >>>>> I find that my firewall is broken because /proc/sys/net/netfilter/nf_conntrack_helper no longer exists. It existed on an
> >>>>> -rc4 kernel. Are changes like this supposed to be introduced at this stage of the -rc cycle?
> >>>>
> >>>> The problem is that the default-autoassign (nf_conntrack_helper=1) has
> >>>> side effects that most people are not aware of.
> >>>>
> >>>> The bug that prompted this toggle from getting axed was that the irc (dcc) helper allowed
> >>>> a remote client to create a port forwarding to the local client.
> >>>
> >>>
> >>> Ok, but I still think it's not the sort of change that should be introduced at this stage of the -rc cycle.
> >>> The other problem is that the documentation (Documentation/networking/nf_conntrack-sysctl.rst) hasn't been updated. So I
> >>> know my firewall is broken but there's nothing I can find that tells me how to fix it.
> >>
> >> Pablo, I don't think revert+move to 'next' will avoid these kinds of
> >> problems, but at least the nf_conntrack-sysctl.rst should be amended to
> >> reflect that this was removed.
> > 
> > I'll post a patch to amend the documentation.
> > 
> >> I'd keep it though because people that see an error wrt. this might be
> >> looking at nf_conntrack-sysctl.rst.
> >>
> >> Maybe just a link to
> >> https://home.regit.org/netfilter-en/secure-use-of-helpers/?
>
> but I'm afraid that document isn't much use to a "Joe User" like me. It's written by people who know a lot about the subject
> matter to be read by other people who know a lot about the subject matter.

This is always an issue: deprecating stuff is problematic. After
finally removing this toggle, there are chances that more users come
to complain at the flag day to say they did not have enough time to
update their setup to enable conntrack helpers by policy as the
document recommends.

This is the history behind this toggle:

- In 2012, the documentation above is released and a toggle is added
  to disable the existing behaviour.

- In 2016, this toggle is set off by default, _that was already
  breaking existing setups_ as a way to attract users' attention on
  this topic. Yes, that was a tough way to attract attention on this
  topic.

  Moreover, this warning message was also available via dmesg:

        nf_conntrack: default automatic helper assignment
                      has been turned off for security reasons and CT-based
                      firewall rule not found. Use the iptables CT target
                      to attach helpers instead.

  There was a simple way to restore the previous behaviour
  by simply:

        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

  Still, maybe not many people look at this warning message.

- In 2022, the toggle is removed. There is still a way to restore your
  setup, which is to enable conntrack helpers via policy. Yes, it
  requires a bit more effort, but there is documentation available on
  how to do this.

  Why at -rc stage? Someone reported a security issue related to
  one of the conntrack helpers, and the reporter claims many users
  still rely on the insecure configuration. This attracted again
  our attention on this toggle, and we decided it was a good idea to
  finally remove it, the sooner the better.

> >> What do you think?
> > 
> > I'll update netfilter.org to host a copy of the github sources.
> > 
> > We have been announcing this going deprecated for 10 years...
> 
> That may be the case, but it should be broken before -rc1 is released. Breaking it at -rc4+ is, I think, a regression!
> Adding Thorsten Leemhuis to cc list

Disagreed, reverting and waiting for one more release cycle will just
postpone the fact that users must adapt their policies, and that they
rely on a configuration which is not secure.
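As an added example (not part of Pablo's message, and not code from the netfilter project or the linked document): the policy-based helper assignment the thread refers to, for the ftp helper, written as a reviewable shell script that prints the iptables rules unless RUN=1 is set. The helper name, port 21, the unprivileged port range and the use of the iptables CT target and helper match are assumptions for illustration.

```shell
#!/bin/sh
# Added example: replace the removed global switch
#   echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
# with explicit, per-flow helper assignment. Assumes iptables with the
# CT target and the helper match, and that ftp on port 21 is the only
# helper this host needs (both are assumptions for this example).

# Print rules instead of applying them unless RUN=1, so the ruleset can
# be reviewed (and tested) without root.
ipt() {
    if [ "${RUN:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Attach the ftp helper only to control connections this host expects:
# inbound TCP to port 21. No other flow gets a helper, which is exactly
# what dropping automatic assignment is meant to guarantee.
helper_rules() {
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Accept only the data connections the ftp helper itself expected:
    # RELATED state, tagged by that helper, to an unprivileged port.
    ipt -A INPUT -m conntrack --ctstate RELATED \
        -m helper --helper ftp -p tcp --dport 1024:65535 -j ACCEPT
}

# Sanity check: the generated ruleset must not fall back to the removed
# sysctl and must scope the helper to the ftp control port.
check_rules() {
    out=$(RUN=0 helper_rules)
    case "$out" in
        *nf_conntrack_helper*) return 1 ;;
    esac
    echo "$out" | grep -q -- '--dport 21 -j CT --helper ftp' || return 1
    echo "$out" | grep -q -- '-m helper --helper ftp' || return 1
    return 0
}
```

Run it once without RUN=1 to read the rules, then with RUN=1 as root to apply them; the raw-table CT rule is what the old sysctl used to do implicitly for every flow.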
