[PATCH] nm-pptp-service: Attaching specific helpers via CT-based firewall rule.
- From: poma <pomidorabelisima gmail com>
- To: Network Manager <networkmanager-list gnome org>
- Cc: Thomas Haller <thaller redhat com>, Jiří Klimeš <blueowl centrum cz>
- Subject: [PATCH] nm-pptp-service: Attaching specific helpers via CT-based firewall rule.
- Date: Mon, 6 Mar 2017 06:01:40 +0100
From d4063d327e10327b71fa11b1b573d037002fbf76 Mon Sep 17 00:00:00 2001
From: poma <pomma gmail com>
Date: Mon, 6 Mar 2017 05:52:55 +0100
Subject: [PATCH] nm-pptp-service: Attaching specific helpers via CT-based firewall rule.
The default automatic helper assignment has been turned off for security reasons, and the generic helper doesn't handle protocol 47.
..........................................
nm-pptp-service - firewalld_attach_helpers:
# uname -r
4.10.1-1.fc24.x86_64
# cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
N
# sysctl net.netfilter.nf_conntrack_helper
net.netfilter.nf_conntrack_helper = 0
# systemctl is-active firewalld
active
# firewall-cmd --get-automatic-helpers
no
# dmesg -t | grep conntrack
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
# lsmod | grep pptp
# firewall-cmd --direct --query-rule ipv4 raw OUTPUT 0 -p tcp -j CT --helper pptp
no
# nmcli connection up pptp ifname enp2s5
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
# cat /var/log/firewalld
[...] DEBUG1: direct.queryRule('ipv4', 'raw', 'OUTPUT', 0, '-p','tcp','-j','CT','--helper','pptp')
[...] DEBUG1: direct.addRule('ipv4', 'raw', 'OUTPUT', 0, '-p','tcp','-j','CT','--helper','pptp')
[...] DEBUG1: direct.RuleAdded('ipv4', 'raw', 'OUTPUT', 0, '-p','tcp','-j','CT','--helper','pptp')
[...] DEBUG1: zone.changeZoneOfInterface('', 'ppp0')
[...] DEBUG1: Setting zone of interface 'ppp0' to 'public'
[...] DEBUG1: zone.ZoneOfInterfaceChanged('public', 'ppp0')
[...] DEBUG1: zone.ZoneChanged('public', 'ppp0')
[...] DEBUG1: zone.getActiveZones()
# dmesg -t | grep conntrack
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
# lsmod | grep pptp
nf_conntrack_pptp 16384 1
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_conntrack 131072 9
nf_conntrack_ipv6,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_proto_gre,xt_CT,nf_nat_ipv6,xt_conntrack,nf_nat_ipv4,nf_nat
# nmcli connection down pptp
Connection 'pptp' successfully deactivated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/2)
# firewall-cmd --direct --query-rule ipv4 raw OUTPUT 0 -p tcp -j CT --helper pptp
yes
# cat /var/log/firewalld
[...] DEBUG1: direct.queryRule('ipv4', 'raw', 'OUTPUT', 0, '-p','tcp','-j','CT','--helper','pptp')
# nmcli connection up pptp ifname enp2s5
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
# cat /var/log/firewalld
[...] DEBUG1: direct.queryRule('ipv4', 'raw', 'OUTPUT', 0, '-p','tcp','-j','CT','--helper','pptp')
[...] DEBUG1: zone.changeZoneOfInterface('', 'ppp0')
[...] DEBUG1: Setting zone of interface 'ppp0' to 'public'
[...] DEBUG1: zone.ZoneOfInterfaceChanged('public', 'ppp0')
[...] DEBUG1: zone.ZoneChanged('public', 'ppp0')
[...] DEBUG1: zone.getActiveZones()
.........................................
nm-pptp-service - iptables_attach_helpers:
# uname -r
4.10.1-1.fc24.x86_64
# cat /sys/module/nf_conntrack/parameters/nf_conntrack_helper
N
# sysctl net.netfilter.nf_conntrack_helper
net.netfilter.nf_conntrack_helper = 0
# systemctl is-active iptables
active
# dmesg -t | grep conntrack
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
# lsmod | grep pptp
# iptables -t raw -S | grep CT
# nmcli connection up pptp ifname enp2s5
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
# dmesg -t | grep conntrack
nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
# lsmod | grep pptp
nf_conntrack_pptp 16384 1
nf_conntrack_proto_gre 16384 1 nf_conntrack_pptp
nf_conntrack 131072 5 nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_proto_gre,xt_CT,xt_conntrack
# nmcli connection down pptp
Connection 'pptp' successfully deactivated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/2)
# iptables -t raw -S | grep CT
-A OUTPUT -p tcp -j CT --helper pptp
# nmcli connection up pptp ifname enp2s5
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
# iptables -t raw -S | grep CT
-A OUTPUT -p tcp -j CT --helper pptp
....................................
Ref.
- Secure use of iptables and connection tracking helpers
https://home.regit.org/netfilter-en/secure-use-of-helpers
- netfilter: nf_ct_helper: allow to disable automatic helper assignment - 2012-05-08
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=a9006892643a
- netfilter: conntrack: disable generic tracking for known protocols - 2014-09-29
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db29a9508a92
- netfilter: conntrack: warn the user if there is a better helper to use - 2015-06-12
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=779668450a99
- netfilter: nf_ct_helper: disable automatic helper assignment - 2016-04-25
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3bb398d925ec
- netfilter: nf_ct_helper: warn when not applying default helper assignment - 2017-02-06
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=dfe75ff8ca74
---
src/nm-pptp-service.c | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/src/nm-pptp-service.c b/src/nm-pptp-service.c
index 1710fd9..d764cd3 100644
--- a/src/nm-pptp-service.c
+++ b/src/nm-pptp-service.c
@@ -1113,7 +1113,8 @@ main (int argc, char *argv[])
GMainLoop *main_loop;
gboolean persist = FALSE;
GOptionContext *opt_ctx = NULL;
- char *conntrack_module[] = { "/sbin/modprobe", "nf_conntrack_pptp", NULL };
+ char *firewalld_attach_helpers[] = { "/bin/firewall-cmd", "--direct", "--add-rule", "ipv4", "raw",
"OUTPUT", "0", "-p", "tcp", "-j", "CT", "--helper", "pptp", NULL };
+ char *iptables_attach_helpers[] = { "/sbin/iptables", "-t", "raw", "-A", "OUTPUT", "-p", "tcp", "-j",
"CT", "--helper", "pptp", NULL };
GError *error = NULL;
gs_free char *bus_name_free = NULL;
const char *bus_name;
@@ -1178,14 +1179,30 @@ main (int argc, char *argv[])
if (!persist)
g_signal_connect (plugin, "quit", G_CALLBACK (quit_mainloop), main_loop);
- /* Newer kernels require nf_conntrack_pptp kernel module so that PPTP
- * worked correctly. Load the module now. Ignore errors, the module
- * might not exist (older kernels).
- * https://bugzilla.redhat.com/show_bug.cgi?id=1187328
+ /* Default automatic helper assignment has been turned off for security reasons.
+ * Generic helper doesn't handle protocol 47.
+ * Attaching specific helpers via CT-based firewall rule.
*/
- if (!g_spawn_sync (NULL, conntrack_module, NULL, 0, NULL, NULL, NULL, NULL, NULL, &error)) {
- _LOGW ("modprobing nf_conntrack_pptp failed: %s", error->message);
- g_error_free (error);
+ if (g_file_test ("/bin/firewall-cmd", G_FILE_TEST_IS_EXECUTABLE)) {
+ if(0 == system("systemctl is-active firewalld > /dev/null")) {
+ if(0 != system("firewall-cmd --direct --query-rule ipv4 raw OUTPUT 0 -p tcp -j CT
--helper pptp > /dev/null")) {
+ if (!g_spawn_sync (NULL, firewalld_attach_helpers, NULL, 0, NULL, NULL, NULL,
NULL, NULL, &error)) {
+ _LOGW ("Attaching helpers via CT-based firewalld rule failed: %s",
error->message);
+ g_error_free (error);
+ }
+ }
+ }
+ }
+
+ if (g_file_test ("/sbin/iptables", G_FILE_TEST_IS_EXECUTABLE)) {
+ if(0 == system("systemctl is-active iptables > /dev/null")) {
+ if(0 != system("iptables -t raw -S | grep 'A OUTPUT -p tcp -j CT --helper pptp' >
/dev/null")) {
+ if (!g_spawn_sync (NULL, iptables_attach_helpers, NULL, 0, NULL, NULL, NULL,
NULL, NULL, &error)) {
+ _LOGW ("Attaching helpers via CT-based iptables rule failed: %s",
error->message);
+ g_error_free (error);
+ }
+ }
+ }
}
g_main_loop_run (main_loop);
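Review bot: The three `system()` calls in the new firewalld and iptables branches run shell command lines that resolve `systemctl`, `firewall-cmd`, `iptables` and `grep` through PATH, while the rule-adding calls right below them use `g_spawn_sync` with absolute paths; since this is a root daemon the status queries should be spawned the same way (argv arrays with absolute paths, output discarded with `G_SPAWN_STDOUT_TO_DEV_NULL | G_SPAWN_STDERR_TO_DEV_NULL`, exit code checked with `g_spawn_check_exit_status`), and `iptables -t raw -C OUTPUT …` can replace the `-S | grep` pipeline. The installed rules match every TCP flow (`-p tcp -j CT --helper pptp`), whereas the "secure use of helpers" reference cited in the description recommends scoping helper assignment to the protocol's port, so the query commands here and the `firewalld_attach_helpers`/`iptables_attach_helpers` arrays in the first hunk should carry `"--dport", "1723"` (PPTP control port). After the first `g_error_free (error)` the pointer is left dangling, so if both the firewalld and the iptables spawn fail the second `error->message` reads freed memory; use `g_clear_error (&error)` in both branches. The description's own log shows the rule is installed once at service start and never removed on disconnect, which is worth stating in the comment above the block. The rewritten firewalld branch follows (the `systemctl` path is assumed and should match the install); `main()` continues outside the hunk.
```c
	if (g_file_test ("/bin/firewall-cmd", G_FILE_TEST_IS_EXECUTABLE)) {
		char *firewalld_active[] = { "/bin/systemctl", "is-active", "firewalld", NULL };
		char *firewalld_query_helpers[] = { "/bin/firewall-cmd", "--direct", "--query-rule", "ipv4", "raw", "OUTPUT", "0",
		                                    "-p", "tcp", "--dport", "1723", "-j", "CT", "--helper", "pptp", NULL };
		GSpawnFlags quiet = G_SPAWN_STDOUT_TO_DEV_NULL | G_SPAWN_STDERR_TO_DEV_NULL;
		int status = 0;

		/* Only touch the rule set when firewalld is the active firewall and the rule is not present yet. */
		if (   g_spawn_sync (NULL, firewalld_active, NULL, quiet, NULL, NULL, NULL, NULL, &status, NULL)
		    && g_spawn_check_exit_status (status, NULL)
		    && g_spawn_sync (NULL, firewalld_query_helpers, NULL, quiet, NULL, NULL, NULL, NULL, &status, NULL)
		    && !g_spawn_check_exit_status (status, NULL)) {
			if (!g_spawn_sync (NULL, firewalld_attach_helpers, NULL, 0, NULL, NULL, NULL, NULL, NULL, &error)) {
				_LOGW ("Attaching helpers via CT-based firewalld rule failed: %s", error->message);
				g_clear_error (&error);
			}
		}
	}
	/* … unchanged: iptables branch, same shape, querying with "/sbin/iptables", "-t", "raw", "-C", "OUTPUT", … */
```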
--
2.7.4