[PATCH nf-next] netfilter: nf_ct_helper: disable automatic helper assignment

[PATCH nf-next] netfilter: nf_ct_helper: disable automatic helper assignment

[Pablo Neira Ayuso]

Four years ago we introduced a new sysctl knob to disable automatic
helper assignment in 72110dfaa907 ("netfilter: nf_ct_helper: disable
automatic helper assignment"). This knob kept this behaviour enabled by
default to remain conservative.

This measure was introduced to provide a secure way to configure
iptables and connection tracking helpers through explicit rules.

Give the time we have waited for this, let's turn off this by default
now, worse case users still have a chance to recover the former
behaviour by explicitly enabling this back through sysctl.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 3b40ec5..498bf74 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -38,10 +38,10 @@ unsigned int nf_ct_helper_hsize __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_helper_hsize);
 static unsigned int nf_ct_helper_count __read_mostly;
 
-static bool nf_ct_auto_assign_helper __read_mostly = true;
+static bool nf_ct_auto_assign_helper __read_mostly = false;
 module_param_named(nf_conntrack_helper, nf_ct_auto_assign_helper, bool, 0644);
 MODULE_PARM_DESC(nf_conntrack_helper,
-		 "Enable automatic conntrack helper assignment (default 1)");
+		 "Enable automatic conntrack helper assignment (default 0)");
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table helper_sysctl_table[] = {
-- 
2.1.4

Re: [PATCH nf-next] netfilter: nf_ct_helper: disable automatic helper assignment

[Joe Stringer]

On 14 April 2016 at 08:13, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Four years ago we introduced a new sysctl knob to disable automatic
> helper assignment in 72110dfaa907 ("netfilter: nf_ct_helper: disable
> automatic helper assignment"). This knob kept this behaviour enabled by
> default to remain conservative.

Presumably you mean a9006892643a ("netfilter: nf_ct_helper: allow to
disable automatic helper assignment").

Otherwise, LGTM.

Re: [PATCH nf-next] netfilter: nf_ct_helper: disable automatic helper assignment

[Pablo Neira Ayuso]

On Tue, May 03, 2016 at 03:21:00PM -0700, Joe Stringer wrote:
> On 14 April 2016 at 08:13, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Four years ago we introduced a new sysctl knob to disable automatic
> > helper assignment in 72110dfaa907 ("netfilter: nf_ct_helper: disable
> > automatic helper assignment"). This knob kept this behaviour enabled by
> > default to remain conservative.
> 
> Presumably you mean a9006892643a ("netfilter: nf_ct_helper: allow to
> disable automatic helper assignment").

Argh, right. Will fix this in the pull request message.