Open Source and information security mailing list archives
Date: Wed, 5 Jun 2024 11:09:31 +0200
From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
To: Florian Westphal <fw@...len.de>
Cc: Pablo Neira Ayuso <pablo@...filter.org>, netdev@...r.kernel.org,
 netfilter-devel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH nf] netfilter: restore default behavior for
 nf_conntrack_events

On 05/06/2024 at 10:55, Florian Westphal wrote:
> Nicolas Dichtel <nicolas.dichtel@...nd.com> wrote:
>> Since the below commit, there are regressions for legacy setups:
>> 1/ conntracks are created while there is no listener
>> 2/ a listener starts and dumps all conntracks to get the current state
>> 3/ conntracks deleted before the listener has started are not advertised
>>
>> This is problematic in containers, where conntracks could be created early.
>> This sysctl is part of the unsafe sysctls and could not be changed easily in
>> some environments.
>>
>> Let's switch back to the legacy behavior.
> 
> :-(
> 
> Would it be possible to resolve this for containers by setting
> the container default to 1 if init_net had it changed to 1 at netns
> creation time?

When we have access to the host, it is possible to allow the configuration of
this (unsafe) sysctl for the pod. But there are cases where we don't have access
to the host.

https://docs.openshift.com/container-platform/4.9/nodes/containers/nodes-containers-sysctls.html#nodes-containers-sysctls-unsafe_nodes-containers-using


Regards,
Nicolas
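
[Added example, not part of the thread.] The host-side route Nicolas refers to, spelled out as manifests: the unsafe sysctl `net.netfilter.nf_conntrack_events` has to be allowlisted on the node's kubelet (on OpenShift, through a KubeletConfig custom resource; on plain Kubernetes the equivalent is the `allowedUnsafeSysctls` field of the KubeletConfiguration or the `--allowed-unsafe-sysctls` flag) before a pod may request it. The object names, the machine config pool label and the container image are placeholders chosen for this illustration; nothing here is taken from a real deployment.

```yaml
# Added example, not from the original mail. Names and labels are placeholders.
#
# Step 1 (cluster admin, needs host/node-level access): allow the unsafe
# sysctl on the nodes that will run the pod. Without this, the pod below is
# rejected at admission time.
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: allow-conntrack-events          # placeholder name
spec:
  machineConfigPoolSelector:
    matchLabels:
      custom-kubelet: conntrack-events  # placeholder label on the target MCP
  kubeletConfig:
    allowedUnsafeSysctls:
      - "net.netfilter.nf_conntrack_events"
---
# Step 2 (pod author): request the legacy behaviour (events always emitted)
# in the pod's own network namespace. Only namespaced sysctls are accepted
# here, which net.* ones are; the kernel still must have nf_conntrack loaded
# for the entry to exist under /proc/sys/net/netfilter/ inside the netns.
apiVersion: v1
kind: Pod
metadata:
  name: conntrack-listener              # placeholder name
spec:
  securityContext:
    sysctls:
      - name: net.netfilter.nf_conntrack_events
        value: "1"                      # 0 = auto (the behaviour the patch reverts), 1 = always on
  containers:
    - name: listener
      image: example.invalid/conntrack-listener:latest   # placeholder image
      command: ["conntrack", "-E"]      # conntrack-tools event listener
```

This is exactly the case where the second object cannot be applied on its own: if the cluster operator has not deployed the first (or its plain-Kubernetes equivalent), the pod spec is refused, which is the "no access to the host" situation the mail describes. A quick check from inside a running pod is `cat /proc/sys/net/netfilter/nf_conntrack_events`; if the file is absent, conntrack is not loaded in that namespace, and if it reads 0 the listener will miss deletions of entries that predate it.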
