From 403fdd737eb353734591ee59711f8c5d26ca4f90 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Sun, 22 Jan 2017 17:09:24 +0100
Subject: [PATCH 1/4] linux: remove canDisableNetfilterConntrackHelpers feature
This feature is available in all kernels in nixpkgs.
---
 nixos/modules/services/networking/firewall.nix | 3 ---
 pkgs/os-specific/linux/kernel/linux-3.10.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-3.12.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-3.18.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-4.1.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-4.4.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-4.9.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix | 3 +--
 pkgs/os-specific/linux/kernel/linux-grsecurity.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-mptcp.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-rpi.nix | 1 -
 pkgs/os-specific/linux/kernel/linux-testing.nix | 1 -
 13 files changed, 1 insertion(+), 16 deletions(-)
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index c251b52e03f..0b0ee57cf7a 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -41,7 +41,6 @@ let
 kernelPackages = config.boot.kernelPackages;
 kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false;
- kernelCanDisableHelpers = kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers or false;
 helpers = ''
@@ -512,8 +511,6 @@ in
 assertions = [
 { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
 message = "This kernel does not support rpfilter"; }
- { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers;
- message = "This kernel does not support disabling conntrack helpers"; }
 ];
 systemd.services.firewall = {
diff --git a/pkgs/os-specific/linux/kernel/linux-3.10.nix b/pkgs/os-specific/linux/kernel/linux-3.10.nix
index 3e6bd51cc47..42546b0262e 100644
--- a/pkgs/os-specific/linux/kernel/linux-3.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-3.10.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 })
diff --git a/pkgs/os-specific/linux/kernel/linux-3.12.nix b/pkgs/os-specific/linux/kernel/linux-3.12.nix
index 95ca51a972e..9a0f314c246 100644
--- a/pkgs/os-specific/linux/kernel/linux-3.12.nix
+++ b/pkgs/os-specific/linux/kernel/linux-3.12.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 })
diff --git a/pkgs/os-specific/linux/kernel/linux-3.18.nix b/pkgs/os-specific/linux/kernel/linux-3.18.nix
index 5ecfdefa97d..acfd08f2af3 100644
--- a/pkgs/os-specific/linux/kernel/linux-3.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-3.18.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.1.nix b/pkgs/os-specific/linux/kernel/linux-4.1.nix
index fd171eae001..9c7354024ad 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.1.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 0eb87a8dd9e..bec31549ae3 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index 54c67901f50..dba02330380 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix
index 72d7cd1fba0..c8e189dcbfc 100644
--- a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix
@@ -16,7 +16,6 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 features.chromiumos = true;
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix
index 4be81409ee1..b80c9acd659 100644
--- a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix
@@ -16,9 +16,8 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 features.chromiumos = true;
-
+ extraMeta.hydraPlatforms = [];
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
index 8a71a771c4f..7b725f4e439 100644
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp.nix b/pkgs/os-specific/linux/kernel/linux-mptcp.nix
index a037343751c..e533670014b 100644
--- a/pkgs/os-specific/linux/kernel/linux-mptcp.nix
+++ b/pkgs/os-specific/linux/kernel/linux-mptcp.nix
@@ -46,6 +46,5 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix
index f41c53da5a6..e50a6c80232 100644
--- a/pkgs/os-specific/linux/kernel/linux-rpi.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -17,7 +17,6 @@ stdenv.lib.overrideDerivation (import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 extraMeta.hydraPlatforms = [];
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index 8f18febdf0d..1778f343903 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -13,7 +13,6 @@ import ./generic.nix (args // rec {
 features.iwlwifi = true;
 features.efiBootStub = true;
 features.needsCifsUtils = true;
- features.canDisableNetfilterConntrackHelpers = true;
 features.netfilterRPFilter = true;
 # Should the testing kernels ever be built on Hydra?
From 8322a12ef2ce6ea5a239b2221aa6f9a2fe84d904 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Sun, 22 Jan 2017 17:29:38 +0100
Subject: [PATCH 2/4] firewall: disable conntrack helper autoloading by default
This was disabled in the Linux kernel since 4.7 and poses a security risk if not configured properly. https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=486dcf43da7815baa615822f3e46883ccca5400f
---
 nixos/modules/services/networking/firewall.nix | 17 ++++++++++-------
 nixos/tests/nat.nix | 3 ---
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index 0b0ee57cf7a..34b731ad35c 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -425,7 +425,7 @@ in
 networking.firewall.connectionTrackingModules = mkOption {
 type = types.listOf types.str;
- default = [ "ftp" ];
+ default = [ ];
 example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
 description = ''
@@ -434,9 +434,11 @@ in
 As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting
- networking.firewall.autoLoadConntrackHelpers
+ networking.firewall.autoLoadConntrackHelpers unless you know what you are doing. Connection tracking is disabled by default.
- Loading of helpers is recommended to be done through the new
+ Loading of helpers is recommended to be done through the
 CT target. More info:
 https://home.regit.org/netfilter-en/secure-use-of-helpers/
 '';
@@ -444,7 +446,7 @@ in
 networking.firewall.autoLoadConntrackHelpers = mkOption {
 type = types.bool;
- default = true;
+ default = false;
 description = ''
 Whether to auto-load connection-tracking helpers.
@@ -504,9 +506,10 @@ in
 environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
- boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
- boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
- options nf_conntrack nf_conntrack_helper=0
+ boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
+ ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
+ boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
+ options nf_conntrack nf_conntrack_helper=1
 '';
 assertions = [
 { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index 4fbf6446268..b16260be38c 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@@ -65,9 +65,6 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
 $server->succeed("echo Hello World > /home/ftp/foo.txt");
 $client->succeed("curl -v ftp://server/foo.txt >&2");
- # Test whether active FTP works.
- $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
-
 # Test ICMP.
 $client->succeed("ping -c 1 router >&2");
 $router->succeed("ping -c 1 client >&2");
From 2d9152d509da7fb6b4d156b094ca7525358634bd Mon Sep 17 00:00:00 2001
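Review bot: The new description sentence `Connection tracking is disabled by default.` overstates what this series changes: the `@@ -425` and `@@ -444` hunks turn off the default helper module list and the automatic assignment of conntrack helpers, not connection tracking itself, and a reader could take the sentence to mean stateful filtering is off. Suggest `Automatic loading of connection tracking helpers is disabled by default.` so the text matches the option it sits under. The `description = ''` opening of this block lies outside the hunk.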
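Review bot: In the `@@ -504` hunk, `boot.extraModprobeConfig` now writes `nf_conntrack_helper=1` only when `cfg.autoLoadConntrackHelpers` is true and emits nothing for the new `false` default, so the default depends on the kernel's own parameter default — which, per the commit message, changed only in 4.7, while the first patch of this series still touches linux-3.10 through linux-4.4 in nixpkgs. On those kernels `autoLoadConntrackHelpers = false` is a silent no-op and helper autoloading stays enabled, which is exactly the case the removed `nf_conntrack_helper=0` line covered. Setting the option explicitly in both directions keeps the NixOS default authoritative on every supported kernel: `boot.extraModprobeConfig = ''` / `options nf_conntrack nf_conntrack_helper=${if cfg.autoLoadConntrackHelpers then "1" else "0"}` / `'';`.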
From: Franz Pletz
Date: Sun, 22 Jan 2017 19:42:59 +0100
Subject: [PATCH 3/4] nixos/tests/nat: add test for conntrack helper autoloading
---
 nixos/release.nix | 1 +
 nixos/tests/nat.nix | 47 ++++++++++++++++++++++++++++++---------------
 2 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/nixos/release.nix b/nixos/release.nix
index dfa9b67654f..2d78a4db973 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -273,6 +273,7 @@ in rec {
 tests.mysql = callTest tests/mysql.nix {};
 tests.mysqlReplication = callTest tests/mysql-replication.nix {};
 tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
+ tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; };
 tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
 tests.networking.networkd = callSubTests tests/networking.nix { networkd = true; };
 tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index b16260be38c..74e20bff8d8 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@@ -3,34 +3,47 @@
 # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
-import ./make-test.nix ({ pkgs, withFirewall, ... }:
+import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }:
 let
 unit = if withFirewall then "firewall" else "nat";
 in {
- name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
- meta = with pkgs.stdenv.lib.maintainers; {
+ name = "nat" + (if withFirewall then "WithFirewall" else "Standalone")
+ + (lib.optionalString withConntrackHelpers "withConntrackHelpers");
+ meta = with pkgs.stdenv.lib.maintainers; {
 maintainers = [ eelco chaoflow rob wkennington ];
 };
 nodes = {
 client = { config, pkgs, nodes, ... }:
- { virtualisation.vlans = [ 1 ];
- networking.firewall.allowPing = true;
- networking.defaultGateway =
- (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
- };
+ lib.mkMerge [
+ { virtualisation.vlans = [ 1 ];
+ networking.firewall.allowPing = true;
+ networking.defaultGateway =
+ (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
+ }
+ (lib.optionalAttrs withConntrackHelpers {
+ networking.firewall.connectionTrackingModules = [ "ftp" ];
+ networking.firewall.autoLoadConntrackHelpers = true;
+ })
+ ];
 router = { config, pkgs, ...
}:
- { virtualisation.vlans = [ 2 1 ];
- networking.firewall.enable = withFirewall;
- networking.firewall.allowPing = true;
- networking.nat.enable = true;
- networking.nat.internalIPs = [ "192.168.1.0/24" ];
- networking.nat.externalInterface = "eth1";
- };
+ lib.mkMerge [
+ { virtualisation.vlans = [ 2 1 ];
+ networking.firewall.enable = withFirewall;
+ networking.firewall.allowPing = true;
+ networking.nat.enable = true;
+ networking.nat.internalIPs = [ "192.168.1.0/24" ];
+ networking.nat.externalInterface = "eth1";
+ }
+ (lib.optionalAttrs withConntrackHelpers {
+ networking.firewall.connectionTrackingModules = [ "ftp" ];
+ networking.firewall.autoLoadConntrackHelpers = true;
+ })
+ ];
 server = { config, pkgs, ... }:
@@ -65,6 +78,10 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
 $server->succeed("echo Hello World > /home/ftp/foo.txt");
 $client->succeed("curl -v ftp://server/foo.txt >&2");
+ # Test whether active FTP works.
+ $client->${if withConntrackHelpers then "succeed" else "fail"}(
+ "curl -v -P - ftp://server/foo.txt >&2");
+
 # Test ICMP.
 $client->succeed("ping -c 1 router >&2");
 $router->succeed("ping -c 1 client >&2");
From 8d5a4c53b8734b1fc10ab4acdcba28451b836fd9 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Sun, 22 Jan 2017 19:53:19 +0100
Subject: [PATCH 4/4] nixos/release-notes: document conntrack helper changes
---
 nixos/doc/manual/release-notes/rl-1703.xml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index aa864b7a757..177010e2a32 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
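Review bot: The `lib.optionalAttrs withConntrackHelpers { … }` set that enables `connectionTrackingModules = [ "ftp" ]` and `autoLoadConntrackHelpers = true` is written out verbatim under both `client` and `router`; binding it once in the existing `let` (e.g. `conntrackHelpers = lib.optionalAttrs withConntrackHelpers { … };`) and referencing that name from both `lib.mkMerge` lists keeps the two nodes from drifting apart when the test grows. The new test name also mixes capitalisation (`WithFirewall` beside `withConntrackHelpers`); `WithConntrackHelpers` would match the existing pattern. The `nodes` attribute set continues past the end of the hunk with the `server` node.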
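Review bot: The negative branch of `$client->${if withConntrackHelpers then "succeed" else "fail"}(...)` relies on curl abandoning the active-FTP transfer on its own when no helper lets the server's data connection through, so the expected failure appears to arrive only after curl's internal wait, and any unrelated curl error would satisfy `fail` just as well. Adding an explicit bound such as `-m 30` (constructed value) to the `curl -v -P -` command makes the expected failure prompt and is harmless in the `succeed` case. The comment above the call could also state what is being proven, e.g. `# Active FTP needs the ftp conntrack helper; without it the data connection must be blocked.`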
@@ -133,6 +133,19 @@ following incompatible changes: + + + + Autoloading connection tracking helpers is now disabled by default. + This default was also changed in the Linux kernel and is considered + insecure if not configured properly in your firewall. If you need + connection tracking helpers (i.e. for active FTP) please enable + networking.firewall.autoLoadConntrackHelpers and + tune networking.firewall.connectionTrackingModules + to suit your needs. + + +