author | Franz Pletz <fpletz@fnordicwalking.de> | 2017-01-25 14:18:41 +0100 |
committer | GitHub <noreply@github.com> | 2017-01-25 14:18:41 +0100 |
commit | b9b95aa4d44e9084bb6d5bbc3a1c7f2d32f45ff6 (patch) | |
tree | 34520611fa51fd293267f3b93ee3fb87dca41f6e /nixos/modules | |
parent | d40b6801012613ee1fddcee95e012b01e7dc8360 (diff) | |
parent | 8d5a4c53b8734b1fc10ab4acdcba28451b836fd9 (diff) | |
Merge pull request #22034 from mayflower/conntrack-helpers
Disable conntrack helper autoloading by default
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index c251b52e03fd..34b731ad35c9 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -41,7 +41,6 @@ let
 kernelPackages = config.boot.kernelPackages;
 kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false;
- kernelCanDisableHelpers = kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers or false;
 helpers = ''
@@ -426,7 +425,7 @@ in
 networking.firewall.connectionTrackingModules = mkOption {
 type = types.listOf types.str;
- default = [ "ftp" ];
+ default = [ ];
 example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ];
 description = ''
@@ -435,9 +434,11 @@ in
 As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting
- networking.firewall.autoLoadConntrackHelpers
+ networking.firewall.autoLoadConntrackHelpers unless you
+ know what you are doing. Connection tracking is disabled
+ by default.
- Loading of helpers is recommended to be done through the new
+ Loading of helpers is recommended to be done through the
 CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/
 '';
@@ -445,7 +446,7 @@ in
 networking.firewall.autoLoadConntrackHelpers = mkOption {
 type = types.bool;
- default = true;
+ default = false;
 description = ''
 Whether to auto-load connection-tracking helpers.
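Review bot: The added sentence `Connection tracking is disabled by default.` in the connectionTrackingModules description (third hunk, `@@ -435,9 +434,11 @@`) overstates the change: the option it points at, autoLoadConntrackHelpers, only controls automatic helper assignment, and connection tracking itself is presumably still in use by the firewall's stateful rules, so `Automatic helper assignment is disabled by default.` would be the accurate wording. Since the default is now `[ ]`, the older advice "it is advised to set this to an empty list" now describes the default rather than a recommendation and could be reworded to say that adding helpers here is what opts into the risk described at the linked page. The enclosing `description` string starts and ends outside this hunk.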
@@ -505,15 +506,14 @@ in
 environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages;
- boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
- boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) ''
- options nf_conntrack nf_conntrack_helper=0
+ boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack")
+ ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
+ boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers ''
+ options nf_conntrack nf_conntrack_helper=1
 '';
 assertions = [
 { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter;
 message = "This kernel does not support rpfilter"; }
- { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers;
- message = "This kernel does not support disabling conntrack helpers"; }
 ];
 systemd.services.firewall = { |
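Review bot: With the new default autoLoadConntrackHelpers = false the modprobe option is no longer written at all (`optionalString cfg.autoLoadConntrackHelpers`), so the module now relies on the running kernel's own default for nf_conntrack_helper instead of forcing it to 0 as the removed `nf_conntrack_helper=0` line did; on a kernel whose default is still 1, any helper named in connectionTrackingModules (still loaded unconditionally by the `++ map` line) would be auto-assigned even though the option says false. Writing the value in both cases, `options nf_conntrack nf_conntrack_helper=${if cfg.autoLoadConntrackHelpers then "1" else "0"}`, keeps the option's meaning independent of the kernel, at the cost of keeping something like the dropped kernelCanDisableHelpers assertion for kernels that lack the parameter. If nf_conntrack is built into the kernel rather than loaded as a module, a modprobe option has no effect at all; `boot.kernel.sysctl."net.netfilter.nf_conntrack_helper"` is the runtime knob that covers both cases and can be checked on a live system with sysctl.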