Subject: Re: b118509076b3 (probably) breaks my firewall
From: Chris Clayton
To: Pablo Neira Ayuso, Florian Westphal
Cc: netdev@vger.kernel.org, regressions@leemuis.info
Date: Fri, 9 Sep 2022 19:21:47 +0100
References: <20220908191925.GB16543@breakpoint.cc> <78611fbd-434e-c948-5677-a0bdb66f31a5@googlemail.com> <20220908214859.GD16543@breakpoint.cc>

On 09/09/2022 11:19, Pablo Neira Ayuso wrote:
> On Thu, Sep 08, 2022 at 11:48:59PM +0200, Florian Westphal wrote:
>> Chris Clayton wrote:
>>
>> [ CC Pablo ]
>>
>>> On 08/09/2022 20:19, Florian Westphal wrote:
>>>> Chris Clayton wrote:
>>>>> Just a heads up and a question...
>>>>>
>>>>> I've pulled the latest and greatest from Linus' tree and built and installed the kernel. git describe gives
>>>>> v6.0-rc4-126-g26b1224903b3.
>>>>>
>>>>> I find that my firewall is broken because /proc/sys/net/netfilter/nf_conntrack_helper no longer exists. It existed on an
>>>>> -rc4 kernel. Are changes like this supposed to be introduced at this stage of the -rc cycle?
>>>>
>>>> The problem is that the default-autoassign (nf_conntrack_helper=1) has
>>>> side effects that most people are not aware of.
>>>>
>>>> The bug that prompted this toggle from getting axed was that the irc (dcc) helper allowed
>>>> a remote client to create a port forwarding to the local client.
>>>
>>>
>>> Ok, but I still think it's not the sort of change that should be introduced at this stage of the -rc cycle.
>>> The other problem is that the documentation (Documentation/networking/nf_conntrack-sysctl.rst) hasn't been updated. So I
>>> know my firewall is broken but there's nothing I can find that tells me how to fix it.
>>
>> Pablo, I don't think revert+move to 'next' will avoid these kinds of
>> problems, but at least the nf_conntrack-sysctl.rst should be amended to
>> reflect that this was removed.
>
> I'll post a patch to amend the documentation.
>
>> I'd keep it though because people that see an error wrt. this might be
>> looking at nf_conntrack-sysctl.rst.
>>
>> Maybe just a link to
>> https://home.regit.org/netfilter-en/secure-use-of-helpers/?
>>

But I'm afraid that document isn't much use to a "Joe User" like me. It's written by people who know a lot about the subject matter to be read by other people who know a lot about the subject matter.

>> What do you think?
>
> I'll update netfilter.org to host a copy of the github sources.
>
> We have been announcing this going deprecated for 10 years...

That may be the case, but it should be broken before -rc1 is released. Breaking it at -rc4+ is, I think, a regression!

Adding Thorsten Leemuis to cc list.
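As an added example (not part of the thread, and not netfilter's or the regit.org document's own configuration), the script below shows the replacement for the removed nf_conntrack_helper=1 auto-assignment: attaching a conntrack helper explicitly, only to the traffic that needs it, in an nftables ruleset. It also reports whether the sysctl still exists on the running kernel and lints the ruleset so that every `ct helper set` reference names a declared helper object. The interface names lan0/wan0, the table name `filter` and the helper object name `ftp-lan` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from netfilter: replacing the removed
# nf_conntrack_helper=1 auto-assignment with explicit helper assignment in
# nftables. Interface names lan0/wan0, the table name and the helper object
# name ftp-lan are assumptions for illustration.

# Report the kernel's helper auto-assign state: "absent" where the sysctl
# no longer exists (the situation in the thread), otherwise its value (0/1).
helper_autoassign_state() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Emit a ruleset in which the ftp helper is attached only to new FTP control
# connections arriving from the LAN, and RELATED data connections are
# accepted only when they were expected by that helper. No other flow ever
# gets a helper, which is what auto-assignment used to do implicitly for
# every flow on a helper's default port.
explicit_helper_ruleset() {
    cat <<'EOF'
table inet filter {
    ct helper ftp-lan {
        type "ftp" protocol tcp
    }
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        iifname "lan0" tcp dport 21 ct state new ct helper set "ftp-lan"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established accept
        ct state related ct helper "ftp" accept
        iifname "lan0" oifname "wan0" accept
    }
}
EOF
}

# Lint a ruleset text: every name used in 'ct helper set "name"' must be
# declared as a 'ct helper name { ... }' object, or nft -f will reject it.
# Prints each undeclared name and returns 1 if any is found.
check_helper_refs() {
    ruleset=$1
    rc=0
    for name in $(printf '%s\n' "$ruleset" \
            | sed -n 's/.*ct helper set "\([^"]*\)".*/\1/p' | sort -u); do
        if ! printf '%s\n' "$ruleset" | grep -q "^[[:space:]]*ct helper $name {"; then
            echo "undeclared helper object: $name"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone usage: show the sysctl state, lint the ruleset and print it.
# Loading it is a separate, deliberate step:  explicit_helper_ruleset | nft -f -
helper_autoassign_state
rs=$(explicit_helper_ruleset)
check_helper_refs "$rs" && printf '%s\n' "$rs"
```

The forward chain accepts RELATED flows only when `ct helper "ftp"` matches, i.e. when the expectation that created the data connection came from the ftp helper attached to a LAN control connection; a bare `ct state related accept` would again admit any expectation from any helper.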