Merge pull request #22034 from mayflower/conntrack-helpers
Disable conntrack helper autoloading by default
This commit is contained in:
Franz Pletz
GitHub
commit
b9b95aa4d4
@ -133,6 +133,19 @@ following incompatible changes:</para>
|
|||||||
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>
|
||||||
|
Autoloading connection tracking helpers is now disabled by default.
|
||||||
|
This default was also changed in the Linux kernel and is considered
|
||||||
|
insecure if not configured properly in your firewall. If you need
|
||||||
|
connection tracking helpers (i.e. for active FTP) please enable
|
||||||
|
<literal>networking.firewall.autoLoadConntrackHelpers</literal> and
|
||||||
|
tune <literal>networking.firewall.connectionTrackingModules</literal>
|
||||||
|
to suit your needs.
|
||||||
|
</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@ -41,7 +41,6 @@ let
|
|||||||
kernelPackages = config.boot.kernelPackages;
|
kernelPackages = config.boot.kernelPackages;
|
||||||
|
|
||||||
kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false;
|
kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false;
|
||||||
kernelCanDisableHelpers = kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers or false;
|
|
||||||
|
|
||||||
helpers =
|
helpers =
|
||||||
''
|
''
|
||||||
@ -426,7 +425,7 @@ in
|
|||||||
|
|
||||||
networking.firewall.connectionTrackingModules = mkOption {
|
networking.firewall.connectionTrackingModules = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [ "ftp" ];
|
default = [ ];
|
||||||
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
|
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
|
||||||
description =
|
description =
|
||||||
''
|
''
|
||||||
@ -435,9 +434,11 @@ in
|
|||||||
|
|
||||||
As helpers can pose as a security risk, it is advised to
|
As helpers can pose as a security risk, it is advised to
|
||||||
set this to an empty list and disable the setting
|
set this to an empty list and disable the setting
|
||||||
networking.firewall.autoLoadConntrackHelpers
|
networking.firewall.autoLoadConntrackHelpers unless you
|
||||||
|
know what you are doing. Connection tracking is disabled
|
||||||
|
by default.
|
||||||
|
|
||||||
Loading of helpers is recommended to be done through the new
|
Loading of helpers is recommended to be done through the
|
||||||
CT target. More info:
|
CT target. More info:
|
||||||
https://home.regit.org/netfilter-en/secure-use-of-helpers/
|
https://home.regit.org/netfilter-en/secure-use-of-helpers/
|
||||||
'';
|
'';
|
||||||
@ -445,7 +446,7 @@ in
|
|||||||
|
|
||||||
networking.firewall.autoLoadConntrackHelpers = mkOption {
|
networking.firewall.autoLoadConntrackHelpers = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = true;
|
default = false;
|
||||||
description =
|
description =
|
||||||
''
|
''
|
||||||
Whether to auto-load connection-tracking helpers.
|
Whether to auto-load connection-tracking helpers.
|
||||||
@ -505,15 +506,14 @@ in
|
|||||||
|
|
||||||
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
|
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
|
||||||
|
|
||||||
boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
|
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
|
||||||
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
|
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
|
||||||
options nf_conntrack nf_conntrack_helper=0
|
boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
|
||||||
|
options nf_conntrack nf_conntrack_helper=1
|
||||||
'';
|
'';
|
||||||
|
|
||||||
assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
|
assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
|
||||||
message = "This kernel does not support rpfilter"; }
|
message = "This kernel does not support rpfilter"; }
|
||||||
{ assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers;
|
|
||||||
message = "This kernel does not support disabling conntrack helpers"; }
|
|
||||||
];
|
];
|
||||||
|
|
||||||
systemd.services.firewall = {
|
systemd.services.firewall = {
|
||||||
|
|||||||
@ -273,6 +273,7 @@ in rec {
|
|||||||
tests.mysql = callTest tests/mysql.nix {};
|
tests.mysql = callTest tests/mysql.nix {};
|
||||||
tests.mysqlReplication = callTest tests/mysql-replication.nix {};
|
tests.mysqlReplication = callTest tests/mysql-replication.nix {};
|
||||||
tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
|
tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
|
||||||
|
tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; };
|
||||||
tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
|
tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
|
||||||
tests.networking.networkd = callSubTests tests/networking.nix { networkd = true; };
|
tests.networking.networkd = callSubTests tests/networking.nix { networkd = true; };
|
||||||
tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };
|
tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };
|
||||||
|
|||||||
@ -3,34 +3,47 @@
|
|||||||
# client on the inside network, a server on the outside network, and a
|
# client on the inside network, a server on the outside network, and a
|
||||||
# router connected to both that performs Network Address Translation
|
# router connected to both that performs Network Address Translation
|
||||||
# for the client.
|
# for the client.
|
||||||
import ./make-test.nix ({ pkgs, withFirewall, ... }:
|
import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }:
|
||||||
let
|
let
|
||||||
unit = if withFirewall then "firewall" else "nat";
|
unit = if withFirewall then "firewall" else "nat";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
|
name = "nat" + (if withFirewall then "WithFirewall" else "Standalone")
|
||||||
meta = with pkgs.stdenv.lib.maintainers; {
|
+ (lib.optionalString withConntrackHelpers "withConntrackHelpers");
|
||||||
|
meta = with pkgs.stdenv.lib.maintainers; {
|
||||||
maintainers = [ eelco chaoflow rob wkennington ];
|
maintainers = [ eelco chaoflow rob wkennington ];
|
||||||
};
|
};
|
||||||
|
|
||||||
nodes =
|
nodes =
|
||||||
{ client =
|
{ client =
|
||||||
{ config, pkgs, nodes, ... }:
|
{ config, pkgs, nodes, ... }:
|
||||||
{ virtualisation.vlans = [ 1 ];
|
lib.mkMerge [
|
||||||
networking.firewall.allowPing = true;
|
{ virtualisation.vlans = [ 1 ];
|
||||||
networking.defaultGateway =
|
networking.firewall.allowPing = true;
|
||||||
(pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
|
networking.defaultGateway =
|
||||||
};
|
(pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
|
||||||
|
}
|
||||||
|
(lib.optionalAttrs withConntrackHelpers {
|
||||||
|
networking.firewall.connectionTrackingModules = [ "ftp" ];
|
||||||
|
networking.firewall.autoLoadConntrackHelpers = true;
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
router =
|
router =
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
{ virtualisation.vlans = [ 2 1 ];
|
lib.mkMerge [
|
||||||
networking.firewall.enable = withFirewall;
|
{ virtualisation.vlans = [ 2 1 ];
|
||||||
networking.firewall.allowPing = true;
|
networking.firewall.enable = withFirewall;
|
||||||
networking.nat.enable = true;
|
networking.firewall.allowPing = true;
|
||||||
networking.nat.internalIPs = [ "192.168.1.0/24" ];
|
networking.nat.enable = true;
|
||||||
networking.nat.externalInterface = "eth1";
|
networking.nat.internalIPs = [ "192.168.1.0/24" ];
|
||||||
};
|
networking.nat.externalInterface = "eth1";
|
||||||
|
}
|
||||||
|
(lib.optionalAttrs withConntrackHelpers {
|
||||||
|
networking.firewall.connectionTrackingModules = [ "ftp" ];
|
||||||
|
networking.firewall.autoLoadConntrackHelpers = true;
|
||||||
|
})
|
||||||
|
];
|
||||||
|
|
||||||
server =
|
server =
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
@ -66,7 +79,8 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
|
|||||||
$client->succeed("curl -v ftp://server/foo.txt >&2");
|
$client->succeed("curl -v ftp://server/foo.txt >&2");
|
||||||
|
|
||||||
# Test whether active FTP works.
|
# Test whether active FTP works.
|
||||||
$client->succeed("curl -v -P - ftp://server/foo.txt >&2");
|
$client->${if withConntrackHelpers then "succeed" else "fail"}(
|
||||||
|
"curl -v -P - ftp://server/foo.txt >&2");
|
||||||
|
|
||||||
# Test ICMP.
|
# Test ICMP.
|
||||||
$client->succeed("ping -c 1 router >&2");
|
$client->succeed("ping -c 1 router >&2");
|
||||||
|
|||||||
@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
})
|
})
|
||||||
|
|||||||
@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
})
|
})
|
||||||
|
|||||||
@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -16,7 +16,6 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
features.chromiumos = true;
|
features.chromiumos = true;
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -16,9 +16,8 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
features.chromiumos = true;
|
features.chromiumos = true;
|
||||||
|
|
||||||
extraMeta.hydraPlatforms = [];
|
extraMeta.hydraPlatforms = [];
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -46,6 +46,5 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
} // (args.argsOverride or {}))
|
} // (args.argsOverride or {}))
|
||||||
|
|||||||
@ -17,7 +17,6 @@ stdenv.lib.overrideDerivation (import ./generic.nix (args // rec {
|
|||||||
|
|
||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
|
|
||||||
extraMeta.hydraPlatforms = [];
|
extraMeta.hydraPlatforms = [];
|
||||||
|
|||||||
@ -13,7 +13,6 @@ import ./generic.nix (args // rec {
|
|||||||
features.iwlwifi = true;
|
features.iwlwifi = true;
|
||||||
features.efiBootStub = true;
|
features.efiBootStub = true;
|
||||||
features.needsCifsUtils = true;
|
features.needsCifsUtils = true;
|
||||||
features.canDisableNetfilterConntrackHelpers = true;
|
|
||||||
features.netfilterRPFilter = true;
|
features.netfilterRPFilter = true;
|
||||||
|
|
||||||
# Should the testing kernels ever be built on Hydra?
|
# Should the testing kernels ever be built on Hydra?
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user