From: Pablo Neira Ayuso
To: Linus Torvalds
Cc: Jiri Kosina, Jozsef Kadlecsik, Florian Westphal, NetFilter, coreteam@netfilter.org, Linux Kernel Mailing List, info@jablonka.cz, eric@regit.org
Date: Tue, 24 Jan 2017 02:28:59 +0100
Subject: Re: [RFC PATCH 0/2] restore original default of nf_conntrack_helper sysctl
Message-ID: <20170124012859.GA6375@salvia>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jan 23, 2017 at 05:09:55PM -0800, Linus Torvalds wrote:
> On Mon, Jan 23, 2017 at 4:06 PM, Jiri Kosina wrote:
> >
> > Considering this being really close to the "userspace breakage"
> > borderline, I'm CCing Linus as well.
>
> For all I know, there may be some security reason why we really don't
> want the automatic helpers, even if they can be convenient.

Yes, with helper modules in place, this is known to allow attackers to
push holes in your firewall. Eric Leblond actually showed that it's
perfectly feasible to exploit this via handcrafted packets [1].

The problem is documented here [2].

> Also, you can just enable them with a kernel command line or a sysctl,
> so it's not like you can't get the old behavior back.

Right.

[1] https://cansecwest.com/csw12/conntrack-attack.pdf
[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/
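For readers wanting to see what "not relying on automatic helpers" looks like in practice, here is an added example of an nftables ruleset that keeps the FTP helper usable without the automatic, port-based assignment the sysctl controls. This is illustrative configuration written for this page, not code from the thread, from the patch, or from the netfilter project. The table and chain names, the helper object name "ftp-std", the server address 192.0.2.10 and the interface names are assumptions chosen for the example; the sysctl name and the nft `ct helper` syntax are the real ones.

```nft
# Added example, not from the original thread.
#
# Weak setting (the old default this RFC would restore): the kernel attaches a
# helper to ANY connection whose destination port matches a loaded helper
# module, so a crafted packet to port 21 on any host gets the FTP helper and
# can have conntrack "expect" a data connection through the firewall.
#
#   sysctl -w net.netfilter.nf_conntrack_helper=1      # automatic assignment
#
# Hardened setting: no automatic assignment; helpers are attached only by an
# explicit rule, and RELATED traffic is accepted only when it was created by
# the helper we intended.
#
#   sysctl -w net.netfilter.nf_conntrack_helper=0
#   modprobe nf_conntrack_ftp

flush ruleset

table inet filter {
    # Helper object; "ftp" is the kernel helper registered by nf_conntrack_ftp.
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    # Helper assignment must run after the conntrack hook (priority -200) and
    # before the entry is confirmed, so priority 0 in prerouting is used here.
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # Attach the FTP helper ONLY to control connections to the real FTP
        # server (192.0.2.10 is a constructed example address), nothing else.
        ip daddr 192.0.2.10 tcp dport 21 ct helper set "ftp-std"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established accept

        # Accept RELATED connections only if the expectation was created by the
        # FTP helper (ct helper reads the helper of the master connection),
        # and only toward the server's passive data port range (assumed range).
        ct state related ct helper "ftp" ip daddr 192.0.2.10 tcp dport 50000-50100 accept

        # New FTP control connections from the outside interface to the server.
        iifname "eth0" ip daddr 192.0.2.10 tcp dport 21 ct state new accept
    }
}
```

Load with `nft -f` after setting the sysctl. The two pieces that close the hole described in [1] and [2] are the explicit `ct helper set` restricted to one destination, and the `ct helper "ftp"` match on the RELATED rule, so a packet that merely resembles FTP on some other host never gets a helper and never produces an accepted expectation.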