Merge pull request #22034 from mayflower/conntrack-helpers

Disable conntrack helper autoloading by default
This commit is contained in:
Franz Pletz 2017-01-25 14:18:41 +01:00 committed by GitHub
commit b9b95aa4d4
16 changed files with 55 additions and 39 deletions


@ -133,6 +133,19 @@ following incompatible changes:</para>
</para>
</listitem>
<listitem>
<para>
Autoloading connection tracking helpers is now disabled by default.
This default was also changed in the Linux kernel and is considered
insecure if not configured properly in your firewall. If you need
connection tracking helpers (i.e. for active FTP) please enable
<literal>networking.firewall.autoLoadConntrackHelpers</literal> and
tune <literal>networking.firewall.connectionTrackingModules</literal>
to suit your needs.
</para>
</listitem>
</itemizedlist>


@ -41,7 +41,6 @@ let
kernelPackages = config.boot.kernelPackages;
kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false;
kernelCanDisableHelpers = kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers or false;
helpers =
''
@ -426,7 +425,7 @@ in
networking.firewall.connectionTrackingModules = mkOption {
type = types.listOf types.str;
default = [ "ftp" ];
default = [ ];
example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
description =
''
@ -435,9 +434,11 @@ in
As helpers can pose as a security risk, it is advised to
set this to an empty list and disable the setting
networking.firewall.autoLoadConntrackHelpers
networking.firewall.autoLoadConntrackHelpers unless you
know what you are doing. Connection tracking is disabled
by default.
Loading of helpers is recommended to be done through the new
Loading of helpers is recommended to be done through the
CT target. More info:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
'';
@ -445,7 +446,7 @@ in
networking.firewall.autoLoadConntrackHelpers = mkOption {
type = types.bool;
default = true;
default = false;
description =
''
Whether to auto-load connection-tracking helpers.
@ -505,15 +506,14 @@ in
environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
options nf_conntrack nf_conntrack_helper=0
boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
options nf_conntrack nf_conntrack_helper=1
'';
assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
message = "This kernel does not support rpfilter"; }
{ assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers;
message = "This kernel does not support disabling conntrack helpers"; }
];
systemd.services.firewall = {
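Review bot: The new description text at L48-49, "Connection tracking is disabled by default.", is inaccurate: what this commit disables by default is the automatic loading of conntrack helpers, not connection tracking itself, and an admin reading it may conclude stateful rules are off; suggest `Automatic loading of conntrack helpers is disabled by default.`. Dropping the `kernelCanDisableHelpers` binding (L32) and its assertion (L75-76) means that on a kernel whose `nf_conntrack` module lacks the `nf_conntrack_helper` parameter, `autoLoadConntrackHelpers = false` is now neither enforced nor reported, since the false branch at L70-71 sets nothing and relies on the kernel default; the option description at L62 should say so, e.g. `When false, no module option is set and the kernel's own default (helpers disabled) is relied upon.`. The `nf_conntrack_helper=1` modprobe option at L70-71 presumably only takes effect if `nf_conntrack` is not already loaded before the modprobe configuration is in place — worth a one-line comment if that ordering is guaranteed elsewhere. The enclosing `config` attribute set starts and ends outside this hunk.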


@ -273,6 +273,7 @@ in rec {
tests.mysql = callTest tests/mysql.nix {};
tests.mysqlReplication = callTest tests/mysql-replication.nix {};
tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; };
tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
tests.networking.networkd = callSubTests tests/networking.nix { networkd = true; };
tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };


@ -3,34 +3,47 @@
# client on the inside network, a server on the outside network, and a
# router connected to both that performs Network Address Translation
# for the client.
import ./make-test.nix ({ pkgs, withFirewall, ... }:
import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }:
let
unit = if withFirewall then "firewall" else "nat";
in
{
name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
meta = with pkgs.stdenv.lib.maintainers; {
name = "nat" + (if withFirewall then "WithFirewall" else "Standalone")
+ (lib.optionalString withConntrackHelpers "withConntrackHelpers");
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco chaoflow rob wkennington ];
};
nodes =
{ client =
{ config, pkgs, nodes, ... }:
{ virtualisation.vlans = [ 1 ];
networking.firewall.allowPing = true;
networking.defaultGateway =
(pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
};
lib.mkMerge [
{ virtualisation.vlans = [ 1 ];
networking.firewall.allowPing = true;
networking.defaultGateway =
(pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
}
(lib.optionalAttrs withConntrackHelpers {
networking.firewall.connectionTrackingModules = [ "ftp" ];
networking.firewall.autoLoadConntrackHelpers = true;
})
];
router =
{ config, pkgs, ... }:
{ virtualisation.vlans = [ 2 1 ];
networking.firewall.enable = withFirewall;
networking.firewall.allowPing = true;
networking.nat.enable = true;
networking.nat.internalIPs = [ "192.168.1.0/24" ];
networking.nat.externalInterface = "eth1";
};
lib.mkMerge [
{ virtualisation.vlans = [ 2 1 ];
networking.firewall.enable = withFirewall;
networking.firewall.allowPing = true;
networking.nat.enable = true;
networking.nat.internalIPs = [ "192.168.1.0/24" ];
networking.nat.externalInterface = "eth1";
}
(lib.optionalAttrs withConntrackHelpers {
networking.firewall.connectionTrackingModules = [ "ftp" ];
networking.firewall.autoLoadConntrackHelpers = true;
})
];
server =
{ config, pkgs, ... }:
@ -66,7 +79,8 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }:
$client->succeed("curl -v ftp://server/foo.txt >&2");
# Test whether active FTP works.
$client->succeed("curl -v -P - ftp://server/foo.txt >&2");
$client->${if withConntrackHelpers then "succeed" else "fail"}(
"curl -v -P - ftp://server/foo.txt >&2");
# Test ICMP.
$client->succeed("ping -c 1 router >&2");
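Review bot: The helper-off case at L157-158 is checked only indirectly — active FTP failing could equally come from an unrelated NAT or firewall problem — so the property the commit introduces (helpers not auto-attached on the router) is not pinned by the test; if the test kernel exposes the knob, a direct check such as `$router->succeed("cat /proc/sys/net/netfilter/nf_conntrack_helper") =~ /^0/ or die "conntrack helper autoload is on";` in the non-helper case would make the regression visible on its own. The name built at L105-106 comes out as `natWithFirewallwithConntrackHelpers`; capitalising the fragment, `+ (lib.optionalString withConntrackHelpers "WithConntrackHelpers")`, keeps the existing CamelCase. The identical helper blocks at L124-127 and L146-149 could be bound once in the `let` at L99 and reused for both nodes. The test function at L98 continues past this hunk, so the server node and the rest of the script are not visible here.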


@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
})


@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
})


@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -16,7 +16,6 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
features.chromiumos = true;
} // (args.argsOverride or {}))


@ -16,9 +16,8 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
features.chromiumos = true;
extraMeta.hydraPlatforms = [];
} // (args.argsOverride or {}))


@ -14,6 +14,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -46,6 +46,5 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
} // (args.argsOverride or {}))


@ -17,7 +17,6 @@ stdenv.lib.overrideDerivation (import ./generic.nix (args // rec {
features.iwlwifi = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
extraMeta.hydraPlatforms = [];


@ -13,7 +13,6 @@ import ./generic.nix (args // rec {
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
# Should the testing kernels ever be built on Hydra?