Re: [RFC PATCH 0/2] restore original default of nf_conntrack_helper sysctl

On Mon, Jan 23, 2017 at 05:09:55PM -0800, Linus Torvalds wrote:
> On Mon, Jan 23, 2017 at 4:06 PM, Jiri Kosina <jikos@xxxxxxxxxx> wrote:
> >
> > Considering this being really close to the "userspace breakage"
> > borderline, I'm CCing Linus as well.
> 
> For all I know, there may be some security reason why we really don't
> want the automatic helpers, even if they can be convenient.

Yes, with helper modules in place, this is known to allow attackers to
push holes in your firewall.  Eric Leblond actually showed that it's
perfectly feasible to exploit this via handcrafted packets [1]. The
problem is documented here [2].

> Also, you can just enable them with a kernel command line or a sysctl,
> so it's not like you can't get the old behavior back.

Right.

[1] https://cansecwest.com/csw12/conntrack-attack.pdf
[2] https://home.regit.org/netfilter-en/secure-use-of-helpers/
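As an added illustration (not part of the thread), the check below flags the combination the reply warns about: nf_conntrack_helper left at 1 while helper modules are loaded, which hands every flow on a helper's port to that helper automatically. It takes the sysctl value and lsmod-style output as arguments so it runs on constructed data; the module-name filter that separates helpers from the core conntrack modules is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit automatic conntrack helper
# assignment. Inputs are passed in so the same functions work on a live host
# (cat /proc/sys/net/netfilter/nf_conntrack_helper; lsmod) or on sample data.

# Print the helper modules present in lsmod-style output read from stdin.
# Assumption: helpers are nf_conntrack_<proto>; core/infra modules are skipped.
loaded_helpers() {
    awk '$1 ~ /^nf_conntrack_/ && $1 !~ /^nf_conntrack_(netlink|broadcast|proto_|ipv[46])/ { print $1 }'
}

# assess_helpers <nf_conntrack_helper value> <lsmod output>
# Prints a verdict; returns 1 for the risky combination, 2 for bad input.
assess_helpers() {
    value=$1
    helpers=$(printf '%s\n' "$2" | loaded_helpers | tr '\n' ' ')
    helpers=${helpers% }
    case "$value" in
        0)
            if [ -n "$helpers" ]; then
                echo "ok: nf_conntrack_helper=0; loaded helpers ($helpers) only act on flows a CT --helper rule assigns them to"
            else
                echo "ok: nf_conntrack_helper=0; no helper modules loaded"
            fi
            return 0 ;;
        1)
            if [ -n "$helpers" ]; then
                echo "RISK: nf_conntrack_helper=1 with helpers loaded ($helpers): flows on helper ports get a helper automatically, so crafted packets can open RELATED holes through the firewall"
                return 1
            fi
            echo "warn: nf_conntrack_helper=1 but no helper modules loaded; loading one later enables automatic assignment"
            return 0 ;;
        *)
            echo "error: unexpected sysctl value '$value'" >&2
            return 2 ;;
    esac
}

# Constructed lsmod-style sample: ftp and sip helpers loaded beside the core.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack_sip       28672  0
nf_conntrack_ftp       20480  0
nf_conntrack_netlink   45056  0
nf_conntrack          139264  3 nf_conntrack_sip,nf_conntrack_ftp,nf_conntrack_netlink'

# Use the live sysctl when available, otherwise demonstrate on the sample.
if [ -r /proc/sys/net/netfilter/nf_conntrack_helper ]; then
    assess_helpers "$(cat /proc/sys/net/netfilter/nf_conntrack_helper)" "$(lsmod 2>/dev/null)"
else
    assess_helpers 1 "$SAMPLE_LSMOD"
fi
```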