FS#2300 - kmod-br-netfilter: bundled sysctl exploits administrator inattention #6086

Closed
openwrt-bot opened this issue May 30, 2019 · 8 comments

config_absent:

A sysctl parameter
net.bridge.bridge-nf-call-iptables=1
is on by default on install.

This drop-in /etc/sysctl.d/11-br-netfilter.conf

# disable bridge firewalling by default

net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1

will come into force only on restart.

A device administrator is likely to introduce a security breach by applying rules that will be silently skipped on reboot.

I cannot see why it is necessary to disable bridge firewalling by default. kmod-br-netfilter is absent on a clean install, therefore it cannot bother those who did not go to the trouble of installing the package. It goes without saying that an add-on firewall module should be left enabled.
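A check for exactly the drift this report describes, as an added example that is not part of the issue or of the OpenWrt tree: it compares what a sysctl.d drop-in will apply on the next boot with what the running kernel uses now, and also flags keys the kernel does not have yet (the module-not-loaded case). The /proc/sys root is a parameter only so the constructed tree in demo() can stand in for a real kernel.

```shell
#!/bin/sh
# Added example (not from the OpenWrt tree or this issue's patches): report
# where a sysctl.d drop-in, applied on the next boot, disagrees with what the
# running kernel uses now, or names a key the kernel does not have yet (e.g.
# br_netfilter not loaded). Both are the silent drift the report describes.
#
# sysctl_drift CONF [PROCSYS]
#   CONF     sysctl.d style file: key=value lines, '#' comments, '.' or '/'
#            as separators, optional leading '-' (sysctl's ignore-errors mark)
#   PROCSYS  root of the sysctl tree, default /proc/sys; a parameter only so
#            the constructed tree in demo() can be checked offline
# Prints "key file=X running=Y" per mismatch; exit status 1 if any, else 0.
sysctl_drift() {
    conf=$1
    procsys=${2:-/proc/sys}
    sed -e 's/#.*//' -e 's/^[[:space:]]*-//' -e '/^[[:space:]]*$/d' "$conf" |
    {
        rc=0
        while IFS='=' read -r key val; do
            key=$(printf '%s' "$key" | tr -d '[:space:]' | tr . /)
            val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            node=$procsys/$key
            if [ ! -r "$node" ]; then
                printf '%s file=%s running=<absent>\n' "$key" "$val"
                rc=1
            elif [ "$(cat "$node")" != "$val" ]; then
                printf '%s file=%s running=%s\n' "$key" "$val" "$(cat "$node")"
                rc=1
            fi
        done
        exit $rc   # the group is a pipeline subshell, so this sets its status
    }
}
# Constructed reproduction of the report: drop-in says 0 for iptables while the
# fake running kernel still has 1; arptables has no node, as before modprobe.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/sys/net/bridge"
    printf '%s\n' '# disable bridge firewalling by default' \
        'net.bridge.bridge-nf-call-arptables=0' \
        'net.bridge.bridge-nf-call-ip6tables = 0' \
        'net/bridge/bridge-nf-call-iptables=0' > "$d/11-br-netfilter.conf"
    echo 1 > "$d/proc/sys/net/bridge/bridge-nf-call-iptables"
    echo 0 > "$d/proc/sys/net/bridge/bridge-nf-call-ip6tables"
    status=0
    sysctl_drift "$d/11-br-netfilter.conf" "$d/proc/sys" || status=$?
    rm -rf "$d"
    return $status
}
```

On a real device, `sysctl_drift /etc/sysctl.d/11-br-netfilter.conf` with no second argument checks the live kernel; a non-zero exit before a planned reboot is the signal that the reboot will change firewall behaviour.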

ynezz:

I can confirm that net.bridge.bridge-nf-call-iptables=1 is set by default after the module install, but I don't agree with your proposed solution. I think that a more appropriate fix would be setting net.bridge.bridge-nf-call-iptables=0 in the module's post-install script.

I think it's being disabled by default for valid reasons; for example, leaving it on by default can cause other issues with some setups.

config_absent:

I ghosted a patch and a commit message for anyone willing to apply it for me, no strings attached. You claim the credit, I avoid all the red tape. I hate that a security issue received so little attention.

kmod-br-netfilter: disable bridge firewalling

Disable bridge firewalling after installation to stay consistent
with /etc/sysctl.d/11-br-netfilter.conf sysctl drop-in.

diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 53188eab..17e927d7 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -880,6 +880,12 @@ define KernelPackage/br-netfilter/install
$(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
endef

+define KernelPackage/br-netfilter/postinst
+#!/bin/sh
+sysctl -w net.bridge.bridge-nf-call-iptables=0
+exit 0
+endef
+
$(eval $(call KernelPackage,br-netfilter))
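Review bot: the `sysctl -w` in the new postinst runs at package install time, which (as noted further down this thread) is before kmodloader has loaded the module, so `/proc/sys/net/bridge/bridge-nf-call-iptables` does not exist yet, the write fails with "No such file or directory", and the unconditional `exit 0` hides that failure; the drift the report describes is left in place. Either move the write to a point where the module is already loaded (default_postinst, after kmodloader), or at least test for the node before writing and let a missing node fail the script instead of masking it with `exit 0`.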

config_absent:

Is it preferred to use shell built-ins in postinst scripts to external tools? If so, please apply this patch:

diff --git a/package/kernel/linux/modules/netfilter.mk b/package/kernel/linux/modules/netfilter.mk
index 53188eab..d7cf9f01 100644
--- a/package/kernel/linux/modules/netfilter.mk
+++ b/package/kernel/linux/modules/netfilter.mk
@@ -880,6 +880,12 @@ define KernelPackage/br-netfilter/install
$(INSTALL_DATA) ./files/sysctl-br-netfilter.conf $(1)/etc/sysctl.d/11-br-netfilter.conf
endef

+define KernelPackage/br-netfilter/postinst
+#!/bin/sh
+echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables
+exit 0
+endef
+
$(eval $(call KernelPackage,br-netfilter))
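Review bot: swapping `sysctl -w` for `echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables` removes the dependency on an external tool but not the ordering problem (the node still does not exist when postinst runs before kmodloader, and `exit 0` still masks the failed redirect). The redirect is also unguarded: OpenWrt postinst scripts are run when a package is pre-installed into an image too, with `$IPKG_INSTROOT` set to the staged rootfs, and in that case this line writes to the build host's kernel rather than the target's. Suggest `[ -n "$IPKG_INSTROOT" ] && exit 0` at the top and `[ -e /proc/sys/net/bridge/bridge-nf-call-iptables ] || exit 1` before the write.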

config_absent:

Yousong Zhou, would you apply my patch? I see you subscribed to the task.

ynezz:

Thanks for the patch, would you mind sending it through one of the official channels (mail or GitHub PR)? Or at least add your Signed-off-by: Your Real Name <your@email.com> in order to have proper authorship and give you credit for this contribution?

config_absent:

Why don't you want to take the credit yourself? I'd really prefer you to. But if it's a dealbreaker, amend the commit message like this:

kmod-br-netfilter: disable bridge firewalling

Disable bridge firewalling after installation to stay consistent
with /etc/sysctl.d/11-br-netfilter.conf sysctl drop-in.

Signed-off-by: Marco Sartorius <tidbits@ormoorgmen.info>

yousong:

Thanks, Marco.

I tried the patch and am afraid the change will have to be done in default_postinst().

The problem is postinst happened before the kmod was actually loaded (invoking kmodloader).

yousong:

Hi, Marco

I just sent a patch [1] to the mailing list for review. Please consider giving it a try.

Also, if you're not okay with me using that mail address in the commit message, please provide a new one ;)

[1] http://patchwork.ozlabs.org/patch/1119411/
