lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 19 Sep 2022 23:27:43 +0200
From:   Florian Westphal <fw@...len.de>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     Florian Westphal <fw@...len.de>,
        Pablo Neira Ayuso <pablo@...filter.org>,
        Chris Clayton <chris2553@...glemail.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        regressions@...ts.linux.dev, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org
Subject: Re: removing conntrack helper toggle to enable auto-assignment [was
 Re: b118509076b3 (probably) breaks my firewall]

Jakub Kicinski <kuba@...nel.org> wrote:
> I think we should do _something_ because we broke so many things 
> in this release if we let this rot until its smell reaches Linus -
> someone is getting yelled at...

Well, we can restore the knob and some strongly worded printk.
(or even tain/warn_on_once/whatever).

So its not like we no options, but autoassign=1 is a
problematic configuration and so it would prefer to finally get rid
of it.

> Now, Linus is usually okay with breaking uAPI if there is no other 
> way of preventing a security issue. But (a) we break autoload of
> all helpers and we only have security issue in one,

This isn't 100% correct either, because its not necessarliy about
a security bug.  Helpers (by design) make things reachable that
otherwise would not be, e.g. ftp with 'loose=1' modparam adds a
'from anywhere to x:y' reverse forward, so if client is behind nat
(and the helper is active) this can be used to expose a service to
a 3rd party (granted, this is unlikely, given its off by default).

> and (b) not loading
> the module doesn't necessarily mean removing the file (at least IMHO).

We did not disable module load, but loading a connection tracking
module has no effect anymore without the needed iptables (or nftables)
rules to tell the conntrack engine which connections need to be
monitored by which helper.

Powered by blists - more mailing lists