firewall: options to select connection-tracking helpers

My main reason for adding this is the ability to turn off helpers altogether. If you are not using any of the special protocols, keeping them turned off is safest, and in case you do want to use them, it's best to configure them through the new CT target for your network topology. Perhaps some sane defaults for nixos can be examined in the future. This change has no impact if you don't touch the added options, so no need to adapt.
2012-10-12 13:16:33 +02:00 · 2012-10-12 13:16:33 +02:00 · 97a3a99b40
parent 6c62de6a31
commit 97a3a99b40
1 changed files with 43 additions and 2 deletions
--- a/modules/services/networking/firewall.nix
+++ b/modules/services/networking/firewall.nix
@ -44,6 +44,10 @@ let
                   && kernelPackages.kernel.features ? netfilterRPFilter
                   && kernelPackages.kernel.features.netfilterRPFilter;

+  kernelCanDisableHelpers = kernelPackages.kernel ? features
+                   && kernelPackages.kernel.features ? canDisableNetfilterConntrackHelpers
+                   && kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers;
+
 in

 {
@ -161,6 +165,37 @@ in
        '';
    };

+    networking.firewall.connectionTrackingModules = mkOption {
+      default = [ "ftp" ];
+      example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
+      type = types.list types.string;
+      description =
+        ''
+          List of connection-tracking helpers that are auto-loaded.
+          The complete list of possible values is given in the example.
+
+          As helpers can pose as a security risk, it is adviced to
+          set this to an empty list and disable the setting
+          networking.firewall.autoLoadConntrackHelpers
+
+          Loading of helpers is recommended to be done through the new
+          CT target. More info:
+          https://home.regit.org/netfilter-en/secure-use-of-helpers/
+        '';
+    };
+
+    networking.firewall.autoLoadConntrackHelpers = mkOption {
+      default = true;
+      type = types.bool;
+      description =
+        ''
+          Whether to auto-load connection-tracking helpers.
+          See the description at networking.firewall.connectionTrackingModules
+
+          (needs kernel 3.5+)
+        '';
+    };
+
    networking.firewall.extraCommands = mkOption {
      default = "";
      example = "iptables -A INPUT -p icmp -j ACCEPT";
@ -189,10 +224,16 @@ in

    environment.systemPackages = [ pkgs.iptables ];

-    boot.kernelModules = [ "nf_conntrack_ftp" ];
+    boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
+    boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
+      options nf_conntrack nf_conntrack_helper=0
+    '';

    assertions = [ { assertion = ! cfg.checkReversePath || kernelHasRPFilter;
-                     message = "This kernel does not support rpfilter"; } ];
+                     message = "This kernel does not support rpfilter"; }
+                   { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers;
+                     message = "This kernel does not support disabling conntrack helpers"; }
+                 ];

    jobs.firewall =
      { startOn = "started network-interfaces";