-rw-r--r-- | nixos/doc/manual/release-notes/rl-1703.xml | 13 | ||||
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 20 | ||||
-rw-r--r-- | nixos/release.nix | 1 | ||||
-rw-r--r-- | nixos/tests/nat.nix | 46 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-3.10.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-3.12.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-3.18.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.1.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.4.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-4.9.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix | 3 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-grsecurity.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-mptcp.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-rpi.nix | 1 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/linux-testing.nix | 1 |
16 files changed, 55 insertions, 39 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index aa864b7a757a..177010e2a322 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -133,6 +133,19 @@ following incompatible changes:</para> </para> </listitem> + + <listitem> + <para> + Autoloading connection tracking helpers is now disabled by default. + This default was also changed in the Linux kernel and is considered + insecure if not configured properly in your firewall. If you need + connection tracking helpers (i.e. for active FTP) please enable + <literal>networking.firewall.autoLoadConntrackHelpers</literal> and + tune <literal>networking.firewall.connectionTrackingModules</literal> + to suit your needs. + </para> + </listitem> + </itemizedlist>
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index c251b52e03fd..34b731ad35c9 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -41,7 +41,6 @@ let kernelPackages = config.boot.kernelPackages; kernelHasRPFilter = kernelPackages.kernel.features.netfilterRPFilter or false; - kernelCanDisableHelpers = kernelPackages.kernel.features.canDisableNetfilterConntrackHelpers or false; helpers = ''
@@ -426,7 +425,7 @@ in networking.firewall.connectionTrackingModules = mkOption { type = types.listOf types.str; - default = [ "ftp" ]; + default = [ ]; example = [ "ftp" "irc" "sane" "sip" "tftp" "amanda" "h323" "netbios_sn" "pptp" "snmp" ]; description = ''
@@ -435,9 +434,11 @@ in As helpers can pose as a security risk, it is advised to set this to an empty list and disable the setting - networking.firewall.autoLoadConntrackHelpers + networking.firewall.autoLoadConntrackHelpers unless you + know what you are doing. Connection tracking is disabled + by default. - Loading of helpers is recommended to be done through the new + Loading of helpers is recommended to be done through the CT target. More info: https://home.regit.org/netfilter-en/secure-use-of-helpers/ '';
@@ -445,7 +446,7 @@ in networking.firewall.autoLoadConntrackHelpers = mkOption { type = types.bool; - default = true; + default = false; description = '' Whether to auto-load connection-tracking helpers.
@@ -505,15 +506,14 @@ in environment.systemPackages = [ pkgs.iptables ] ++ cfg.extraPackages; - boot.kernelModules = map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; - boot.extraModprobeConfig = optionalString (!cfg.autoLoadConntrackHelpers) '' - options nf_conntrack nf_conntrack_helper=0 + boot.kernelModules = (optional cfg.autoLoadConntrackHelpers "nf_conntrack") + ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules; + boot.extraModprobeConfig = optionalString cfg.autoLoadConntrackHelpers '' + options nf_conntrack nf_conntrack_helper=1 ''; assertions = [ { assertion = (cfg.checkReversePath != false) || kernelHasRPFilter; message = "This kernel does not support rpfilter"; } - { assertion = cfg.autoLoadConntrackHelpers || kernelCanDisableHelpers; - message = "This kernel does not support disabling conntrack helpers"; } ]; systemd.services.firewall = {
diff --git a/nixos/release.nix b/nixos/release.nix
index dfa9b67654fb..2d78a4db9736 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
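Review bot: The sentence added to the connectionTrackingModules description, `Connection tracking is disabled by default.`, claims more than this commit changes: the hunks at -426 and -505 empty the helper list and stop forcing nf_conntrack_helper on, but they do not disable connection tracking (nf_conntrack) itself, which this option never controlled. A reader taking the sentence literally would conclude that stateful filtering is off on a default system. Reword it to `know what you are doing. Automatic helper assignment is disabled by default.` so the description matches what the module actually does. The option description continues outside the hunk.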
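Review bot: With autoLoadConntrackHelpers = false the new boot.extraModprobeConfig no longer writes `nf_conntrack_helper=0`, so the disabled state now rests on the kernel's built-in default; the release note in this same diff says that default only changed in newer kernels, and the 3.10-4.4 expressions touched below predate that change, so on those kernels a helper module pulled in by other configuration would presumably still be auto-assigned to connections. Emitting the parameter in both states keeps the policy explicit rather than implicit: `boot.extraModprobeConfig = '' options nf_conntrack nf_conntrack_helper=${if cfg.autoLoadConntrackHelpers then "1" else "0"} '';`. Note also that a modprobe `options` line has no effect when nf_conntrack is built into the kernel rather than loaded as a module; if any supported kernel does that, the same value would have to be passed via boot.kernelParams as `nf_conntrack.nf_conntrack_helper=…` instead. The surrounding config attrset continues outside the hunk.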
@@ -273,6 +273,7 @@ in rec { tests.mysql = callTest tests/mysql.nix {}; tests.mysqlReplication = callTest tests/mysql-replication.nix {}; tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; }; + tests.nat.firewall-conntrack = callTest tests/nat.nix { withFirewall = true; withConntrackHelpers = true; }; tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; }; tests.networking.networkd = callSubTests tests/networking.nix { networkd = true; }; tests.networking.scripted = callSubTests tests/networking.nix { networkd = false; };
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index 4fbf64462682..74e20bff8d81 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@@ -3,34 +3,47 @@ # client on the inside network, a server on the outside network, and a # router connected to both that performs Network Address Translation # for the client. -import ./make-test.nix ({ pkgs, withFirewall, ... }: +import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }: let unit = if withFirewall then "firewall" else "nat"; in { - name = "nat${if withFirewall then "WithFirewall" else "Standalone"}"; - meta = with pkgs.stdenv.lib.maintainers; { + name = "nat" + (if withFirewall then "WithFirewall" else "Standalone") + + (lib.optionalString withConntrackHelpers "withConntrackHelpers"); + meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ eelco chaoflow rob wkennington ]; }; nodes = { client = { config, pkgs, nodes, ... }: - { virtualisation.vlans = [ 1 ]; - networking.firewall.allowPing = true; - networking.defaultGateway = - (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address; - }; + lib.mkMerge [ + { virtualisation.vlans = [ 1 ]; + networking.firewall.allowPing = true; + networking.defaultGateway = + (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address; + } + (lib.optionalAttrs withConntrackHelpers { + networking.firewall.connectionTrackingModules = [ "ftp" ]; + networking.firewall.autoLoadConntrackHelpers = true; + }) + ]; router = { config, pkgs, ... 
}: - { virtualisation.vlans = [ 2 1 ]; - networking.firewall.enable = withFirewall; - networking.firewall.allowPing = true; - networking.nat.enable = true; - networking.nat.internalIPs = [ "192.168.1.0/24" ]; - networking.nat.externalInterface = "eth1"; - }; + lib.mkMerge [ + { virtualisation.vlans = [ 2 1 ]; + networking.firewall.enable = withFirewall; + networking.firewall.allowPing = true; + networking.nat.enable = true; + networking.nat.internalIPs = [ "192.168.1.0/24" ]; + networking.nat.externalInterface = "eth1"; + } + (lib.optionalAttrs withConntrackHelpers { + networking.firewall.connectionTrackingModules = [ "ftp" ]; + networking.firewall.autoLoadConntrackHelpers = true; + }) + ]; server = { config, pkgs, ... }:
@@ -66,7 +79,8 @@ import ./make-test.nix ({ pkgs, withFirewall, ... }: $client->succeed("curl -v ftp://server/foo.txt >&2"); # Test whether active FTP works. - $client->succeed("curl -v -P - ftp://server/foo.txt >&2"); + $client->${if withConntrackHelpers then "succeed" else "fail"}( + "curl -v -P - ftp://server/foo.txt >&2"); # Test ICMP. $client->succeed("ping -c 1 router >&2");
diff --git a/pkgs/os-specific/linux/kernel/linux-3.10.nix b/pkgs/os-specific/linux/kernel/linux-3.10.nix
index 3e6bd51cc475..42546b0262e6 100644
--- a/pkgs/os-specific/linux/kernel/linux-3.10.nix
+++ b/pkgs/os-specific/linux/kernel/linux-3.10.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; })
diff --git a/pkgs/os-specific/linux/kernel/linux-3.12.nix b/pkgs/os-specific/linux/kernel/linux-3.12.nix
index 95ca51a972e9..9a0f314c2465 100644
--- a/pkgs/os-specific/linux/kernel/linux-3.12.nix
+++ b/pkgs/os-specific/linux/kernel/linux-3.12.nix
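Review bot: The `lib.optionalAttrs withConntrackHelpers { … }` block is pasted verbatim into both the client and the router node; hoisting it into the existing `let` next to `unit` keeps the two nodes from drifting apart when the helper list changes. The name expression also yields `natWithFirewallwithConntrackHelpers` for the new variant because the optional suffix starts lower-case; `"WithConntrackHelpers"` would match the existing `"WithFirewall"` casing. The nodes attrset continues outside the hunk.
```nix
let
  unit = if withFirewall then "firewall" else "nat";
  conntrackHelpers = lib.optionalAttrs withConntrackHelpers {
    networking.firewall.connectionTrackingModules = [ "ftp" ];
    networking.firewall.autoLoadConntrackHelpers = true;
  };
in
# … unchanged: name, meta …
    client = { config, pkgs, nodes, ... }:
      lib.mkMerge [
        # … unchanged: vlans, allowPing, defaultGateway …
        conntrackHelpers
      ];
    router = { config, pkgs, ... }:
      lib.mkMerge [
        # … unchanged: vlans, firewall and nat settings …
        conntrackHelpers
      ];
```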
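Review bot: In the `fail` branch of the active-FTP check the curl invocation has no time bound, and since the client firewall is expected to drop the server's inbound data connection in that configuration, curl may only return once the FTP server gives up on the data channel, which stalls the test rather than failing fast. A bound such as `"curl -v -P - --max-time 30 ftp://server/foo.txt >&2"` keeps the negative case cheap while still showing that active mode does not work without the helper; the passive transfer succeeding just above already proves the server is reachable, so the failure is attributable to the data connection. The test script continues outside the hunk.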
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; })
diff --git a/pkgs/os-specific/linux/kernel/linux-3.18.nix b/pkgs/os-specific/linux/kernel/linux-3.18.nix
index 5ecfdefa97d8..acfd08f2af3e 100644
--- a/pkgs/os-specific/linux/kernel/linux-3.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-3.18.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.1.nix b/pkgs/os-specific/linux/kernel/linux-4.1.nix
index fd171eae0012..9c7354024ada 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.1.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.1.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.4.nix b/pkgs/os-specific/linux/kernel/linux-4.4.nix
index 0eb87a8dd9e2..bec31549ae3c 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-4.9.nix b/pkgs/os-specific/linux/kernel/linux-4.9.nix
index 54c67901f503..dba02330380a 100644
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix
index 72d7cd1fba0a..c8e189dcbfcb 100644
--- a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.14.nix
@@ -16,7 +16,6 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; features.chromiumos = true; } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix
index 4be81409ee1e..b80c9acd659e 100644
--- a/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix
+++ b/pkgs/os-specific/linux/kernel/linux-chromiumos-3.18.nix
@@ -16,9 +16,8 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; features.chromiumos = true; - + extraMeta.hydraPlatforms = []; } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
index a5ce23ee3e47..ebeb47397bca 100644
--- a/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
+++ b/pkgs/os-specific/linux/kernel/linux-grsecurity.nix
@@ -14,6 +14,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; } // (args.argsOverride or {}))
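Review bot: Besides dropping the feature flag, the linux-chromiumos-3.18.nix hunk replaces a blank line with `extraMeta.hydraPlatforms = [];`, which stops Hydra from building that kernel and has nothing to do with conntrack helpers; if it is intentional it belongs in its own commit or at least in the commit message, otherwise it looks like an accidental carry-over. The diffstat lists 3 changed lines for this file against 1 for every other kernel expression, which is where the extra change shows up.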
diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp.nix b/pkgs/os-specific/linux/kernel/linux-mptcp.nix
index a037343751ca..e533670014b3 100644
--- a/pkgs/os-specific/linux/kernel/linux-mptcp.nix
+++ b/pkgs/os-specific/linux/kernel/linux-mptcp.nix
@@ -46,6 +46,5 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; } // (args.argsOverride or {}))
diff --git a/pkgs/os-specific/linux/kernel/linux-rpi.nix b/pkgs/os-specific/linux/kernel/linux-rpi.nix
index f41c53da5a68..e50a6c802326 100644
--- a/pkgs/os-specific/linux/kernel/linux-rpi.nix
+++ b/pkgs/os-specific/linux/kernel/linux-rpi.nix
@@ -17,7 +17,6 @@ stdenv.lib.overrideDerivation (import ./generic.nix (args // rec { features.iwlwifi = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; extraMeta.hydraPlatforms = [];
diff --git a/pkgs/os-specific/linux/kernel/linux-testing.nix b/pkgs/os-specific/linux/kernel/linux-testing.nix
index 8f18febdf0df..1778f3439039 100644
--- a/pkgs/os-specific/linux/kernel/linux-testing.nix
+++ b/pkgs/os-specific/linux/kernel/linux-testing.nix
@@ -13,7 +13,6 @@ import ./generic.nix (args // rec { features.iwlwifi = true; features.efiBootStub = true; features.needsCifsUtils = true; - features.canDisableNetfilterConntrackHelpers = true; features.netfilterRPFilter = true; # Should the testing kernels ever be built on Hydra? |