* RAW netfilter - "advanced netfilter setting" or not?
@ 2011-11-23 19:45 Linus Torvalds
From: Linus Torvalds @ 2011-11-23 19:45 UTC (permalink / raw)
To: David Miller, Pablo Neira Ayuso, Patrick McHardy; +Cc: netfilter-devel, netdev
So I'm the one who long ago asked for some of the more esoteric
netfilter configuration questions to be hidden behind some "advanced"
question, and thus the reason why a lot of them are behind that
NETFILTER_ADVANCED Kconfig setting.
However, I'm now trying OpenSUSE on one of my laptops, and it looks
like the RAW filter is used by the default OS iptables setup. The fact
that it is hidden behind NETFILTER_ADVANCED now means that I either
have to enable the advanced netfilter Kconfig questions, or we should
just remove the "depends on NETFILTER_ADVANCED" for the RAW case (or,
rather - caseS - since there's a separate raw filter for ipv4 and
ipv6, which sounds odd in itself, but that's another issue entirely)
My gut feel is that if it's one of the filters that a major distro
depends on by default, it should no longer be hidden. But honestly, I
didn't look at *why* OpenSUSE uses that filter. Maybe it's just doing
something really odd and crazy.
Comments?
Linus
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Patrick McHardy @ 2011-11-23 19:58 UTC (permalink / raw)
To: Linus Torvalds; +Cc: David Miller, Pablo Neira Ayuso, netfilter-devel, netdev
On 23.11.2011 20:45, Linus Torvalds wrote:
> So I'm the one who long ago asked for some of the more esoteric
> netfilter configuration questions to be hidden behind some "advanced"
> question, and thus the reason why a lot of them are behind that
> NETFILTER_ADVANCED Kconfig setting.
>
> However, I'm now trying OpenSUSE on one of my laptops, and it looks
> like the RAW filter is used by the default OS iptables setup. The fact
> that it is hidden behind NETFILTER_ADVANCED now means that I either
> have to enable the advanced netfilter Kconfig questions, or we should
> just remove the "depends on NETFILTER_ADVANCED" for the RAW case (or,
> rather - caseS - since there's a separate raw filter for ipv4 and
> ipv6, which sounds odd in itself, but that's another issue entirely)
>
> My gut feel is that if it's one of the filters that a major distro
> depends on by default, it should no longer be hidden.
Agreed, the main point was to enable everything used by major
distributions by default (default m if NETFILTER_ADVANCED=n)
and hide everything else.
> But honestly, I
> didn't look at *why* OpenSUSE uses that filter. Maybe it's just doing
> something really odd and crazy.
Most likely they're using NOTRACK to avoid connection tracking for
some traffic. Could you post the output of "iptables -t raw -vxnL"?
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Linus Torvalds @ 2011-11-23 20:17 UTC (permalink / raw)
To: Patrick McHardy; +Cc: David Miller, Pablo Neira Ayuso, netfilter-devel, netdev
On Wed, Nov 23, 2011 at 11:58 AM, Patrick McHardy <kaber@trash.net> wrote:
>
> Most likely they're using NOTRACK to avoid connection tracking for
> some traffic. Could you post the output of "iptables -t raw -vxnL"?
Hmm. That's actually empty for me. I only went by some error messages
during bootup. Or maybe I should boot the distro kernel to see that
there isn't something else I'm missing that makes the user setup
unhappy.
Linus
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: richard -rw- weinberger @ 2011-11-23 20:51 UTC (permalink / raw)
To: Linus Torvalds
Cc: Patrick McHardy, David Miller, Pablo Neira Ayuso, netfilter-devel, netdev
On Wed, Nov 23, 2011 at 9:17 PM, Linus Torvalds <torvalds@linux-foundation.org> wrote:
> On Wed, Nov 23, 2011 at 11:58 AM, Patrick McHardy <kaber@trash.net> wrote:
>>
>> Most likely they're using NOTRACK to avoid connection tracking for
>> some traffic. Could you post the output of "iptables -t raw -vxnL"?
>
> Hmm. That's actually empty for me. I only went by some error messages
> during bootup. Or maybe I should boot the distro kernel to see that
> there isn't something else I'm missing that makes the user setup
> unhappy.
>
SuSEfirewall2 is using NOTRACK for the lo interface.
iptables -t raw -A PREROUTING -j NOTRACK -i lo
iptables -t raw -A OUTPUT -j NOTRACK -o lo
--
Thanks,
//richard
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: David Miller @ 2011-11-23 21:07 UTC (permalink / raw)
To: torvalds; +Cc: richard.weinberger, pablo, netdev, kaber, netfilter-devel
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed, 23 Nov 2011 12:58:20 -0800
> On Nov 23, 2011 12:51 PM, "richard -rw- weinberger" <richard.weinberger@gmail.com> wrote:
>>
>> SuSEfirewall2 is using NOTRACK for the lo interface.
>>
>> iptables -t raw -A PREROUTING -j NOTRACK -i lo
>> iptables -t raw -A OUTPUT -j NOTRACK -o lo
>
> Yeah, and that (NOTRACK) was another thing that was disabled due to
> depending on advanced config... Which is probably why my raw table was
> empty even after I enabled that one by hand.
>
> So we'd need to unhide both raw and notrack, methinks.
I just tossed the following into my tree:
--------------------
[PATCH] netfilter: Remove NOTRACK/RAW dependency on NETFILTER_ADVANCED.
Distributions are using this in their default scripts, so don't hide
them behind the advanced setting.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/ipv4/netfilter/Kconfig | 1 -
net/ipv6/netfilter/Kconfig | 1 -
net/netfilter/Kconfig | 1 -
3 files changed, 0 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 1dfc18a..f19f218 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -325,7 +325,6 @@ config IP_NF_TARGET_TTL
# raw + specific targets
config IP_NF_RAW
tristate 'raw table support (required for NOTRACK/TRACE)'
- depends on NETFILTER_ADVANCED
help
This option adds a `raw' table to iptables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
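Review bot: dropping `depends on NETFILTER_ADVANCED` only makes the IP_NF_RAW prompt visible, it does not turn the option on. The convention Patrick describes earlier in this thread for options that major distributions rely on is `default m if NETFILTER_ADVANCED=n`, so a config built by accepting defaults still ends up without the raw table after this hunk. Consider adding that default line under the tristate.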
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 4484648..f792b34 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -186,7 +186,6 @@ config IP6_NF_MANGLE
config IP6_NF_RAW
tristate 'raw table support (required for TRACE)'
- depends on NETFILTER_ADVANCED
help
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
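Review bot: the IP6_NF_RAW prompt still reads `raw table support (required for TRACE)` while the ipv4 one says `(required for NOTRACK/TRACE)`. Since NETFILTER_XT_TARGET_NOTRACK is satisfied by `IP_NF_RAW || IP6_NF_RAW`, the ip6 prompt could mention NOTRACK too, now that both tables are being unhidden for the same reason.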
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 8260b13..e8f3796 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -542,7 +542,6 @@ config NETFILTER_XT_TARGET_NOTRACK
tristate '"NOTRACK" target support'
depends on IP_NF_RAW || IP6_NF_RAW
depends on NF_CONNTRACK
- depends on NETFILTER_ADVANCED
help
The NOTRACK target allows a select rule to specify
which packets *not* to enter the conntrack/NAT
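Review bot: the commit message says distributions use this in their default scripts but does not record which script or which rules; a line naming the SuSEfirewall2 loopback NOTRACK rules quoted in this thread would tell future readers why the dependency was dropped, and would make it easy to re-check the decision if that script changes.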
--
1.7.6.4
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Jan Engelhardt @ 2011-11-23 21:27 UTC (permalink / raw)
To: Linus Torvalds
Cc: David Miller, Pablo Neira Ayuso, Patrick McHardy, netfilter-devel, netdev
On Wednesday 2011-11-23 20:45, Linus Torvalds wrote:
>So I'm the one who long ago asked for some of the more esoteric
>netfilter configuration questions to be hidden behind some "advanced"
>question, and thus the reason why a lot of them are behind that
>NETFILTER_ADVANCED Kconfig setting.
>
>However, I'm now trying OpenSUSE on one of my laptops, and it looks
>like the RAW filter is used by the default OS iptables setup. The fact
>that it is hidden behind NETFILTER_ADVANCED now means that I either
>have to enable the advanced netfilter Kconfig questions, or we should
>just remove the "depends on NETFILTER_ADVANCED" for the RAW case (or,
>rather - caseS - since there's a separate raw filter for ipv4 and
>ipv6, which sounds odd in itself, but that's another issue entirely)
Welcome to the green. You will find the most complete Netfilter stack
here :)
>My gut feel is that if it's one of the filters that a major distro
>depends on by default, it should no longer be hidden. But honestly, I
>didn't look at *why* OpenSUSE uses that filter. Maybe it's just doing
>something really odd and crazy.
The "raw" table is populated by SUSE SFW2 with rules to exempt all
loopback packets from connection tracking since SFW2 at the same time
unconditionally allows all lo transfers in the "filter" table.
>Comments?
In my opinion, NETFILTER_ADVANCED should be changed to only control
the visibility of all suboptions, i.e. I suggest that "default m if
NETFILTER_ADVANCED=n" be done for all non-deprecated modules.
(Similar to how CONFIG_EXPERT works.)
Unless one wants to argue that "that's a detail left to the distro
makers" and "people not compiling kernels would never run into this
issue".
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Linus Torvalds @ 2011-11-23 22:02 UTC (permalink / raw)
To: Jan Engelhardt
Cc: David Miller, Pablo Neira Ayuso, Patrick McHardy, netfilter-devel, netdev
On Wed, Nov 23, 2011 at 1:27 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> In my opinion, NETFILTER_ADVANCED should be changed to only control
> the visibility of all suboptions, i.e. I suggest that "default m if
> NETFILTER_ADVANCED=n" be done for all non-deprecated modules.
> (Similar to how CONFIG_EXPERT works.)
No thank you. That makes the whole option pointless.
If you want all the modules, just hold down the 'm' key, and be done
with it. There's no skill needed, or need for NETFILTER_ADVANCED.
The whole point of NETFILTER_ADVANCED is for people like me who
actually want a fairly *minimal* kernel config, and probably one that
has no modules.
Modules are evil. They are a security issue, and they encourage a
"distro kernel" approach that takes forever to compile. Just say no.
Build a lean and mean kernel that actually has what you need, and
nothing more. And don't spend stupid time compiling modules you won't
need.
I wish we had a better way of doing a sane localized kernel. "make
localyesconfig" certainly isn't it, even if it tries. But options like
NETFILTER_ADVANCED are at least meant to lessen the pain, and not have
to wade through options that no sane person will know whether they
would ever need.
Linus
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Linus Torvalds @ 2011-11-23 22:02 UTC (permalink / raw)
To: David Miller; +Cc: richard.weinberger, pablo, netdev, kaber, netfilter-devel
On Wed, Nov 23, 2011 at 1:07 PM, David Miller <davem@davemloft.net> wrote:
>
> I just tossed the following into my tree:
Thanks, looking good,
Linus
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Jan Engelhardt @ 2011-11-23 22:32 UTC (permalink / raw)
To: Linus Torvalds
Cc: David Miller, Pablo Neira Ayuso, Patrick McHardy, netfilter-devel, netdev
On Wednesday 2011-11-23 23:02, Linus Torvalds wrote:
>On Wed, Nov 23, 2011 at 1:27 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>>
>> In my opinion, NETFILTER_ADVANCED should be changed to only control
>> the visibility of all suboptions, i.e. I suggest that "default m if
>> NETFILTER_ADVANCED=n" be done for all non-deprecated modules.
>> (Similar to how CONFIG_EXPERT works.)
>
>No thank you. That makes the whole option pointless. [...]
>The whole point of NETFILTER_ADVANCED is for people like me who
>actually want a fairly *minimal* kernel config, and probably one that
>has no modules.
Right, but how would you decide what will be enabled/disabled by
default? It seems unlikely you will be adding a patch (like Dave's)
every time a default distro installation throws certain errors once
you run your own kernel configs.
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Linus Torvalds @ 2011-11-23 22:58 UTC (permalink / raw)
To: Jan Engelhardt
Cc: David Miller, Pablo Neira Ayuso, Patrick McHardy, netfilter-devel, netdev
On Wed, Nov 23, 2011 at 2:32 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> Right, but how would you decide what will be enabled/disabled by
> default? It seems unlikely you will be adding a patch (like Dave's)
> every time a default distro installation throws certain errors once
> you run your own kernel configs.
I do think that "major distributions do this by default" should simply
be the point for deciding it. Nothing more, nothing less.
Linus
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Patrick McHardy @ 2011-11-24 7:11 UTC (permalink / raw)
To: Linus Torvalds
Cc: Jan Engelhardt, David Miller, Pablo Neira Ayuso, netfilter-devel, netdev
On 23.11.2011 23:58, Linus Torvalds wrote:
> On Wed, Nov 23, 2011 at 2:32 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
>>
>> Right, but how would you decide what will be enabled/disabled by
>> default? It seems unlikely you will be adding a patch (like Dave's)
>> every time a default distro installation throws certain errors once
>> you run your own kernel configs.
>
> I do think that "major distributions do this by default" should simply
> be the point for deciding it. Nothing more, nothing less.
Agreed, that's also the criteria we used when we introduced this option.
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: Linus Torvalds @ 2011-12-02 3:12 UTC (permalink / raw)
To: David Miller; +Cc: richard.weinberger, pablo, netdev, kaber, netfilter-devel
On Wed, Nov 23, 2011 at 1:07 PM, David Miller <davem@davemloft.net> wrote:
>>
>> So we'd need to unhide both raw and notrack, methinks.
>
> I just tossed the following into my tree:
I found a new one: Fedora 16 needs NF_CONNTRACK_NETBIOS_NS (and thus
NF_CONNTRACK_BROADCAST) for firewalld to work correctly - otherwise it
fails when you try to find network printers.
Yeah, it used to be enough to just use a regular firewall setting that
let IPP through, but that was before firewalld "knew" that you need to
also open up the samba port and netbios.
Oh well.
So can you remove the "depends on NETFILTER_ADVANCED" from
NF_CONNTRACK_NETBIOS_NS too?
Or should I just do it?
Linus
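Richard's loopback NOTRACK rules and Linus's Fedora finding above are both cases of a distro firewall script needing options that a lean config was never asked about. As an added check, not code from the thread or from any distro, this POSIX shell script lists which of those Kconfig symbols a given .config lacks; the two symbol groups and the sample config are this example's own assumptions.

```shell
# Added example, not code from the thread: report which Kconfig symbols a
# distro firewall script relies on are absent from a kernel .config. The two
# symbol groups are this example's own mapping of the rules discussed in the
# thread to the options behind them.

# "iptables -t raw ... -j NOTRACK" rules (SuSEfirewall2 loopback exemption)
RAW_NOTRACK_SYMS="CONFIG_NF_CONNTRACK CONFIG_IP_NF_RAW CONFIG_NETFILTER_XT_TARGET_NOTRACK"
# firewalld's NetBIOS name-service helper (Fedora 16 printer discovery)
NETBIOS_NS_SYMS="CONFIG_NF_CONNTRACK_BROADCAST CONFIG_NF_CONNTRACK_NETBIOS_NS"

# nf_config_missing CONFIG SYM...
# Prints, one per line, every SYM that is neither =y nor =m in CONFIG.
nf_config_missing() {
    cfg="$1"; shift
    for sym in "$@"; do
        grep -Eq "^${sym}=(y|m)$" "$cfg" || echo "$sym"
    done
}

# nf_config_check LABEL CONFIG SYM...
# Returns 0 when every symbol is set; else prints the missing ones, returns 1.
nf_config_check() {
    label="$1"; shift
    missing=$(nf_config_missing "$@")
    if [ -z "$missing" ]; then
        echo "$label: ok"
        return 0
    fi
    echo "$label: missing"
    echo "$missing" | sed 's/^/  /'
    return 1
}

# Constructed sample: a lean config where NETFILTER_ADVANCED was answered 'n'
# before this thread's patch, so the raw/NOTRACK prompts were never shown.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
# CONFIG_IP_NF_RAW is not set
EOF
}

# Run both checks against the sample; `|| :` keeps the demo going under set -e.
demo() {
    tmp=$(mktemp)
    write_sample_config "$tmp"
    nf_config_check "SuSEfirewall2 raw/NOTRACK" "$tmp" $RAW_NOTRACK_SYMS || :
    nf_config_check "firewalld netbios-ns" "$tmp" $NETBIOS_NS_SYMS || :
    rm -f "$tmp"
}
demo
```

For a running kernel, write `zcat /proc/config.gz` to a file first and pass that path instead of the constructed sample.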
* Re: RAW netfilter - "advanced netfilter setting" or not?
From: David Miller @ 2011-12-02 3:18 UTC (permalink / raw)
To: torvalds; +Cc: richard.weinberger, pablo, netdev, kaber, netfilter-devel
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 1 Dec 2011 19:12:48 -0800
> I found a new one: Fedora 16 needs NF_CONNTRACK_NETBIOS_NS (and thus
> NF_CONNTRACK_BROADCAST) for firewalld to work correctly - otherwise it
> fails when you try to find network printers.
...
> So can you remove the "depends on NETFILTER_ADVANCED" from
> NF_CONNTRACK_NETBIOS_NS too?
I'll take care of it, thanks.