lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 5 Jun 2024 20:41:51 +0200
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Nicolas Dichtel <nicolas.dichtel@...nd.com>
Cc: Florian Westphal <fw@...len.de>, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH nf] netfilter: restore default behavior for
 nf_conntrack_events

On Wed, Jun 05, 2024 at 11:09:31AM +0200, Nicolas Dichtel wrote:
> Le 05/06/2024 à 10:55, Florian Westphal a écrit :
> > Nicolas Dichtel <nicolas.dichtel@...nd.com> wrote:
> >> Since the below commit, there are regressions for legacy setups:
> >> 1/ conntracks are created while there are no listener
> >> 2/ a listener starts and dumps all conntracks to get the current state
> >> 3/ conntracks deleted before the listener has started are not advertised
> >>
> >> This is problematic in containers, where conntracks could be created early.
> >> This sysctl is part of unsafe sysctl and could not be changed easily in
> >> some environments.
> >>
> >> Let's switch back to the legacy behavior.
> > 
> > :-(
> > 
> > Would it be possible to resolve this for containers by setting
> > the container default to 1 if init_net had it changed to 1 at netns
> > creation time?
> 
> When we have access to the host, it is possible to allow the configuration of
> this (unsafe) sysctl for the pod. But there are cases where we don't have access
> to the host.
> 
> https://docs.openshift.com/container-platform/4.9/nodes/containers/nodes-containers-sysctls.html#nodes-containers-sysctls-unsafe_nodes-containers-using

conntrack is enabled on-demand by the ruleset these days, such monitor
process could be created _before_ the ruleset is loaded?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ