lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c527582b-05dd-45bf-a9b1-2499b01280ee@6wind.com>
Date: Wed, 5 Jun 2024 11:09:31 +0200
From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
To: Florian Westphal <fw@...len.de>
Cc: Pablo Neira Ayuso <pablo@...filter.org>, netdev@...r.kernel.org,
 netfilter-devel@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH nf] netfilter: restore default behavior for
 nf_conntrack_events

Le 05/06/2024 à 10:55, Florian Westphal a écrit :
> Nicolas Dichtel <nicolas.dichtel@...nd.com> wrote:
>> Since the below commit, there are regressions for legacy setups:
>> 1/ conntracks are created while there are no listener
>> 2/ a listener starts and dumps all conntracks to get the current state
>> 3/ conntracks deleted before the listener has started are not advertised
>>
>> This is problematic in containers, where conntracks could be created early.
>> This sysctl is part of unsafe sysctl and could not be changed easily in
>> some environments.
>>
>> Let's switch back to the legacy behavior.
> 
> :-(
> 
> Would it be possible to resolve this for containers by setting
> the container default to 1 if init_net had it changed to 1 at netns
> creation time?

When we have access to the host, it is possible to allow the configuration of
this (unsafe) sysctl for the pod. But there are cases where we don't have access
to the host.

https://docs.openshift.com/container-platform/4.9/nodes/containers/nodes-containers-sysctls.html#nodes-containers-sysctls-unsafe_nodes-containers-using


Regards,
Nicolas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ