Message-ID: <YxvwKlE+nyfUjHx8@salvia>
Date: Sat, 10 Sep 2022 04:02:18 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Chris Clayton <chris2553@...glemail.com>
Cc: Florian Westphal <fw@...len.de>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
regressions@...ts.linux.dev, netfilter-devel@...r.kernel.org,
coreteam@...filter.org
Subject: removing conntrack helper toggle to enable auto-assignment [was Re:
b118509076b3 (probably) breaks my firewall]
On Fri, Sep 09, 2022 at 07:21:47PM +0100, Chris Clayton wrote:
> On 09/09/2022 11:19, Pablo Neira Ayuso wrote:
> > On Thu, Sep 08, 2022 at 11:48:59PM +0200, Florian Westphal wrote:
> >> Chris Clayton <chris2553@...glemail.com> wrote:
> >>
> >> [ CC Pablo ]
> >>
> >>> On 08/09/2022 20:19, Florian Westphal wrote:
> >>>> Chris Clayton <chris2553@...glemail.com> wrote:
> >>>>> Just a heads up and a question...
> >>>>>
> >>>>> I've pulled the latest and greatest from Linus' tree and built and installed the kernel. git describe gives
> >>>>> v6.0-rc4-126-g26b1224903b3.
> >>>>>
> >>>>> I find that my firewall is broken because /proc/sys/net/netfilter/nf_conntrack_helper no longer exists. It existed on an
> >>>>> -rc4 kernel. Are changes like this supposed to be introduced at this stage of the -rc cycle?
> >>>>
> >>>> The problem is that the default-autoassign (nf_conntrack_helper=1) has
> >>>> side effects that most people are not aware of.
> >>>>
> >>>> The bug that prompted this toggle from getting axed was that the irc (dcc) helper allowed
> >>>> a remote client to create a port forwarding to the local client.
> >>>
> >>>
> >>> Ok, but I still think it's not the sort of change that should be introduced at this stage of the -rc cycle.
> >>> The other problem is that the documentation (Documentation/networking/nf_conntrack-sysctl.rst) hasn't been updated. So I
> >>> know my firewall is broken but there's nothing I can find that tells me how to fix it.
> >>
> >> Pablo, I don't think revert+move the 'next' will avoid these kinds of
> >> problems, but at least the nf_conntrack-sysctl.rst should be amended to
> >> reflect that this was removed.
> >
> > I'll post a patch to amend the documentation.
> >
> >> I'd keep it though because people that see an error wrt. this might be
> >> looking at nf_conntrack-sysctl.rst.
> >>
> >> Maybe just a link to
> >> https://home.regit.org/netfilter-en/secure-use-of-helpers/?
>
> but I'm afraid that document isn't much use to a "Joe User" like me. It's written by people who know a lot about the subject
> matter to be read by other people who know a lot about the subject matter.
This is always an issue: deprecating stuff is problematic. After
finally removing this toggle, there are chances that more users come
to complain at the flag day to say they did not have enough time to
update their setup to enable conntrack helpers by policy as the
document recommends.
This is the history behind this toggle:
- In 2012, the documentation above is released and a toggle is added
to disable the existing behaviour.
- In 2016, this toggle is set off by default, _that was already
breaking existing setups_ as a way to attract users' attention on
this topic. Yes, that was a tough way to attract attention on this
topic.
Moreover, this warning message was also available via dmesg:
  nf_conntrack: default automatic helper assignment
  has been turned off for security reasons and CT-based
  firewall rule not found. Use the iptables CT target
  to attach helpers instead.
There was a simple way to restore the previous behaviour
by simply:
  echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
Still, maybe not many people look at this warning message.
- In 2022, the toggle is removed. There is still a way to restore your
setup, which is to enable conntrack helpers via policy. Yes, it
requires a bit more effort, but there is documentation available on
how to do this.
Why at -rc stage? Someone reported a security issue related to
one of the conntrack helpers, and the reporter claims many users
still rely on the insecure configuration. This attracted again
our attention on this toggle, and we decided it was a good idea to
finally remove it, the sooner the better.
> >> What do you think?
> >
> > I'll update netfilter.org to host a copy of the github sources.
> >
> > We have been announcing this going deprecated for 10 years...
>
> That may be the case, but it should be broken before -rc1 is released. Breaking it at -rc4+ is, I think, a regression!
> Adding Thorsten Leemhuis to cc list
Disagreed, reverting and waiting for one more release cycle will just
postpone the fact that users must adapt their policies, and that they
rely on a configuration which is not secure.
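The policy-based helper assignment this message and the linked document recommend, written out as an added nftables ruleset (not code from the thread or from the netfilter project). It uses nft's ct helper objects, the nftables counterpart of the iptables CT target named in the dmesg warning above; the address 192.0.2.10 and the table, chain and object names are constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Explicit helper assignment by policy, replacing the removed
# nf_conntrack_helper=1 auto-assignment. Load with: nft -f <this file>
# 192.0.2.10 is a placeholder for the one FTP server that is actually
# allowed to use the helper.

table inet filter {
    # Helper object: binds the kernel "ftp" helper to TCP flows.
    ct helper ftp-server {
        type "ftp" protocol tcp
    }

    chain prerouting {
        # Priority 0: the conntrack entry already exists (lookup runs at
        # priority -200) but is not yet confirmed, so the helper can
        # still be attached here.
        type filter hook prerouting priority 0; policy accept;

        # Attach the helper only to control connections to the FTP server,
        # not to every flow on port 21 towards any host as the old
        # auto-assignment did.
        ip daddr 192.0.2.10 tcp dport 21 ct helper set "ftp-server"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state established accept

        # RELATED is accepted only when the expectation was created by the
        # ftp helper (nft reads the helper name from the master conntrack);
        # a related entry from any other source does not match this rule.
        ct state related ct helper "ftp" accept

        # New FTP control connections to the server.
        ip daddr 192.0.2.10 tcp dport 21 ct state new accept
    }
}
```

With auto-assignment gone, a flow that no `ct helper set` rule matches simply gets no helper, so `nft list ct helpers table inet filter` and the `ct helper` match are the places to check when an expected data connection is dropped.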