Re: connlimit from wiki.nftables.org not working

On Fri, 12 Apr 2024, at 12:38 PM, William N. wrote:
> On Thu, 11 Apr 2024 21:04:53 +0100 Kerin Millar wrote:
>
>> # zgrep NFT_CONNLIMIT /proc/config.gz
>> # CONFIG_NFT_CONNLIMIT is not set
>
> Same here.

It is the same because I compiled a kernel with the feature disabled in the course of evaluating my theory.

>
>> With that in mind, are you able to "modprobe nft_connlimit" at all?
>
> It returns a fatal error that the module is not found.

Consequently, you will not be able to use this feature of nftables.

>
> All I find when searching is that the module is missing in different
> distros and some references to CVE-2022-32250 which doesn't clarify
> much:
>
> https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/#rip-control-by-triggering-garbage-collection
>
> I wonder if distros have deliberately removed the module because of the
> CVE or if there is something else.

It would be highly irresponsible of them. For one thing, the removal of a Netfilter feature would result in dependent rulesets outright failing to load upon upgrading the kernel and rebooting. For another, that vulnerability is almost two years old and has long since been addressed.

>
> What would you advise?

I'll assume that all of the following holds true.

- the affected distro releases have not yet reached end-of-life
- you are running a standard, vendor-provided kernel package
- all of your packages are up to date

In that case, I would advise you to file bugs against the affected distros and demand that those responsible for their kernel packages rectify this. For any of the CONFIG_NFT_ prefixed options to be disabled in a mainstream distribution is appalling. Rather, they should all be set to "m" so that the functionality of each is made available in the form of a loadable kernel module.

-- 
Kerin Millar
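
The thread's diagnosis (an unset CONFIG_NFT_CONNLIMIT means nft_connlimit cannot be loaded and any ruleset using it fails) lends itself to a pre-flight check. The script below is an added example, not code from the thread or from the nftables project: it reads the kernel config the way the thread does (/proc/config.gz, or the /boot copy), reports whether each option is built-in, modular or absent, and flags ruleset expressions whose kernel option is missing. The sample config and sample ruleset are constructed, and the keyword-to-option mapping (`ct count` needs CONFIG_NFT_CONNLIMIT, `limit rate` needs CONFIG_NFT_LIMIT) is an assumption covering only those two expressions.

```shell
#!/bin/sh
# Added example: pre-flight check for nftables kernel features.
# Not part of the original thread; mappings and samples are assumptions.

# Constructed stand-in for the output of `zcat /proc/config.gz`, mirroring
# the thread: nf_tables and ct are modules, connlimit is not set.
SAMPLE_CONFIG='CONFIG_NF_TABLES=m
CONFIG_NFT_CT=m
# CONFIG_NFT_CONNLIMIT is not set
CONFIG_NFT_LIMIT=y'

# Constructed ruleset that relies on connlimit via "ct count".
SAMPLE_RULESET='table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 22 ct state new ct count over 10 drop
  }
}'

# kconfig_state OPTION CONFIG_TEXT
# Prints "y" (built-in), "m" (module) or "n" (not set / absent).
kconfig_state() {
    opt="$1"; cfg="$2"
    if printf '%s\n' "$cfg" | grep -q "^${opt}=y\$"; then
        echo y
    elif printf '%s\n' "$cfg" | grep -q "^${opt}=m\$"; then
        echo m
    else
        echo n
    fi
}

# Print the running kernel's config if it is exposed anywhere readable.
running_kconfig() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

# Assumed mapping from nft expression keywords to the kernel option each needs.
feature_option() {
    case "$1" in
        'ct count')   echo CONFIG_NFT_CONNLIMIT ;;
        'limit rate') echo CONFIG_NFT_LIMIT ;;
    esac
}

# missing_features RULESET_TEXT CONFIG_TEXT
# Prints each required option that the config lacks; returns 1 if any is
# missing, 0 if the ruleset's features are all available.
missing_features() {
    ruleset="$1"; cfg="$2"; rc=0
    for kw in 'ct count' 'limit rate'; do
        if printf '%s\n' "$ruleset" | grep -q "$kw"; then
            opt=$(feature_option "$kw")
            if [ "$(kconfig_state "$opt" "$cfg")" = n ]; then
                echo "$opt"
                rc=1
            fi
        fi
    done
    return $rc
}

# Stand-alone demo against the constructed sample: reports CONFIG_NFT_CONNLIMIT.
echo "connlimit state in sample config: $(kconfig_state CONFIG_NFT_CONNLIMIT "$SAMPLE_CONFIG")"
missing_features "$SAMPLE_RULESET" "$SAMPLE_CONFIG" \
    || echo "sample ruleset would fail to load: option(s) above are missing"

# Same check against the running kernel, when its config is readable.
if cfg=$(running_kconfig) && [ -n "$cfg" ]; then
    missing_features "$SAMPLE_RULESET" "$cfg" \
        || echo "running kernel lacks feature(s) the sample ruleset needs"
fi
```

Run it before `nft -f` on a host whose kernel package you do not control: an option reported as "n" cannot be fixed by modprobe, which is exactly the failure the thread describes, whereas "m" only means the module has not been loaded yet.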
