New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable conntrack helper autoloading by default #22034
Conversation
@fpletz, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @wkennington and @primeos to be potential reviewers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add that to the release notes please? Otherwise looks fine, had just been reading up on the connection tracking stuff.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've read a bit more on conntrack helpers and am okay with that idea now. One moment -- why won't we enable conntrack helper in the test instead to check if it wotks?
I thought about it but this would be another test actually. We also want to test if they're disabled. I wasn't really in the mood to create another test, but after thinking about it some more, I'll add one before merging this. Thanks. |
Okay, just pushed a test and added an entry to the release notes. I'd like to wait until tomorrow before merging to give others a last chance to comment on the changes. |
Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure about the one thing I commented but otherwise it looks great! - Thanks for implementing that 👍
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' | ||
options nf_conntrack nf_conntrack_helper=0 | ||
boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers '' | ||
options nf_conntrack nf_conntrack_helper=1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fpletz Did you test that change with a reboot? I'm not entirely sure about this, but I also wasn't entirely sure why it worked before :D
My guess: Before we loaded nf_conntrack_ftp
which required nf_conntrack
and resulted in nf_conntrack
being loaded. This would also explain why we're loading nf_conntrack
if cfg.autoLoadConntrackHelpers == false
.
But since we now aren't loading nf_conntrack_ftp
anymore and only load nf_conntrack
if cfg.autoLoadConntrackHelpers
is set it might be possible that we won't be loading nf_conntrack
which would break the firewall (as far as I know).
However it might still work if we load that module elsewhere or if we load another module that depends on it (e.g xt_conntrack
, nf_conntrack_ipv4
(both are currently loaded on my system).
But if I didn't miss anything it might be a good idea to load nf_conntrack
in any case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@primeos I agree. Thanks for noticing! Will add that later.
This feature is available in all kernels in nixpkgs.
This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
8c54984
to
8d5a4c5
Compare
Okay, I did some testing and tweaking and came to the following conclusions:
To be sure The tests are still green and we're good to go. 🍻 |
Motivation for this change
Connection tracking helper autoloading was disabled by default in the Linux kernel since 4.7 and poses a security risk if not configured properly. This PR syncs this default setting with NixOS.
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
This broke our NAT tests because they were testing active FTP and thus relying on the ftp connection tracking helper.
This test was removed.We have a new test for conntrack helpers.Additionally, as all our Linux kernels support connection tracking helper autoloading, this feature was removed from our kernel expressions.
cc #21974