Disable conntrack helper autoloading by default #22034
Conversation
|
@fpletz, thanks for your PR! By analyzing the history of the files in this pull request, we identified @edolstra, @wkennington and @primeos to be potential reviewers. |
I thought about it but this would be another test actually. We also want to test if they're disabled. I wasn't really in the mood to create another test, but after thinking about it some more, I'll add one before merging this. Thanks. |
fpletz
added
2.status: work-in-progress
and removed
2.status: work-in-progress
9.needs: changelog
labels
|
Okay, just pushed a test and added an entry to the release notes. I'd like to wait until tomorrow before merging to give others a last chance to comment on the changes. |
|
Thanks! |
| boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' | ||
| options nf_conntrack nf_conntrack_helper=0 | ||
| boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers '' | ||
| options nf_conntrack nf_conntrack_helper=1 |
There was a problem hiding this comment.
@fpletz Did you test that change with a reboot? I'm not entirely sure about this, but I also wasn't entirely sure why it worked before :D
My guess: Before we loaded nf_conntrack_ftp which required nf_conntrack and resulted in nf_conntrack being loaded. This would also explain why we're loading nf_conntrack if cfg.autoLoadConntrackHelpers == false.
But since we now aren't loading nf_conntrack_ftp anymore and only load nf_conntrack if cfg.autoLoadConntrackHelpers is set it might be possible that we won't be loading nf_conntrack which would break the firewall (as far as I know).
However it might still work if we load that module elsewhere or if we load another module that depends on it (e.g xt_conntrack, nf_conntrack_ipv4 (both are currently loaded on my system).
But if I didn't miss anything it might be a good idea to load nf_conntrack in any case.
There was a problem hiding this comment.
@primeos I agree. Thanks for noticing! Will add that later.
This feature is available in all kernels in nixpkgs.
This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
fpletz
force-pushed
the
conntrack-helpers
branch
from
8c54984
to
8d5a4c5
Compare
|
Okay, I did some testing and tweaking and came to the following conclusions:
To be sure The tests are still green and we're good to go. 🍻 |
Motivation for this change
Connection tracking helper autoloading was disabled by default in the Linux kernel since 4.7 and poses a security risk if not configured properly. This PR syncs this default setting with NixOS.
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
This broke our NAT tests because they were testing active FTP and thus relying on the ftp connection tracking helper.
This test was removed.We have a new test for conntrack helpers.Additionally, as all our Linux kernels support connection tracking helper autoloading, this feature was removed from our kernel expressions.
cc #21974