arno-iptables-firewall / aif

GNU General Public License v2.0

AIF falling back to conntrack legacy automatic helper in Debian with kernel 6.0 and higher #88

Closed 68420948 closed 1 year ago

68420948 commented 1 year ago

AIF is falling back to conntrack legacy automatic helper mode in Debian since introduction of kernel 6.0.

The reason seems to be this change to the kernel:

linux (5.19.11-1) unstable; urgency=medium
[...]
    - netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
[...]

Excerpt from the logs of my personal machine:

[...]
Okt 30 09:49:12 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Arno's Iptables Firewall(AIF) v2.1.1
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: -------------------------------------------------------------------------------
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Platform: Linux 5.19.0-2-amd64 x86_64
Okt 30 09:49:12 e580sg arno-iptables-firewall[2112]: Netfilter iptables version: 1.8.8
Okt 30 09:49:12 e580sg firewall[2412]: ** Starting Arno's Iptables Firewall(AIF) v2.1.1 **
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Checking/probing Iptables modules:
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip_tables.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6_tables.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module nf_conntrack.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_conntrack.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_limit.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_state.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_multiport.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_filter.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6table_filter.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_mangle.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6table_mangle.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_raw.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6table_raw.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ipt_REJECT.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ip6t_REJECT.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_LOG.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module xt_TCPMSS.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module iptable_nat.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module nf_nat.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Loaded kernel module ipt_MASQUERADE.
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Module check done...
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Setting the kernel ring buffer to only log panic messages to the console
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]: Configuring general kernel parameters:
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:   net.netfilter.nf_conntrack_helper = 0
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:  Setting the max. amount of simultaneous connections to 16384
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:   net.nf_conntrack_max = 16384
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:   net.netfilter.nf_conntrack_udp_timeout = 60
Okt 30 09:49:13 e580sg arno-iptables-firewall[2112]:   net.netfilter.nf_conntrack_acct = 1
[...]
Okt 30 10:02:54 e580sg systemd[1]: Starting Arno's Iptables Firewall(AIF)...
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Arno's Iptables Firewall(AIF) v2.1.1
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: -------------------------------------------------------------------------------
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Platform: Linux 6.0.0-2-amd64 x86_64
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Netfilter iptables version: 1.8.8
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Checking/probing Iptables modules:
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip_tables.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6_tables.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module nf_conntrack.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_conntrack.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_limit.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_state.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_multiport.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_filter.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6table_filter.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_mangle.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6table_mangle.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_raw.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6table_raw.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ipt_REJECT.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ip6t_REJECT.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_LOG.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module xt_TCPMSS.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module iptable_nat.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module nf_nat.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Loaded kernel module ipt_MASQUERADE.
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Module check done...
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Setting the kernel ring buffer to only log panic messages to the console
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]: Configuring general kernel parameters:
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Conntrack legacy automatic helper assignment is ENABLED
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:  Setting the max. amount of simultaneous connections to 16384
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:   net.nf_conntrack_max = 16384
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:   net.netfilter.nf_conntrack_udp_timeout = 60
Okt 30 10:02:54 e580sg arno-iptables-firewall[2077]:   net.netfilter.nf_conntrack_acct = 1
[...]

Output of "sysctl -a | grep conntrack":

net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_buckets = 262144
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 52
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 2
net.netfilter.nf_conntrack_expect_max = 4096
net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
net.netfilter.nf_conntrack_frag6_timeout = 60
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_gre_timeout = 30
net.netfilter.nf_conntrack_gre_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 16384
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_ignore_invalid_rst = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 60
net.netfilter.nf_conntrack_udp_timeout_stream = 120
net.nf_conntrack_max = 16384

At least nf_conntrack_helper is missing.

I am not observing any impact in my local environment, although this may only be due to my specific configuration. Please have a look at whether any measures should be taken in AIF.

Cheers, Sven

68420948 commented 1 year ago

It does not seem to be a Debian thing. In https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.7 I found

commit 7d4bfe34b9cbb0395cb9508fa64324d4a1379e00
Author: Geert Uytterhoeven <geert@linux-m68k.org>
Date:   Mon Aug 15 12:39:20 2022 +0200

    netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y

    [ Upstream commit aa5762c34213aba7a72dc58e70601370805fa794 ]

    NF_CONNTRACK_PROCFS was marked obsolete in commit 54b07dca68557b09
    ("netfilter: provide config option to disable ancient procfs parts") in
    v3.3.

arnova commented 1 year ago

@abelbeck : Ideas?

abelbeck commented 1 year ago

AIF keys off the net.netfilter.nf_conntrack_helper sysctl; sadly, kernel 6.0 removed that sysctl [1].

The history of net.netfilter.nf_conntrack_helper and kernel versions:

6.0 does not have nf_conntrack_helper sysctl
4.7 nf_conntrack_helper defaults to 0
3.5 nf_conntrack_helper defaults to 1
3.4 does not have nf_conntrack_helper sysctl

It appears we need to treat kernel_ver_chk 6 0 0 and net.netfilter.nf_conntrack_helper=0 the same.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter/nf_conntrack_helper.c?id=b118509076b39cc5e616c0680312b5caaca535fe
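As an added example (not AIF's own code and not the fix that landed in #89), the following POSIX shell routine implements the rule stated in the comment above: on kernel 6.0 and later, where the sysctl no longer exists, automatic helper assignment is treated the same as net.netfilter.nf_conntrack_helper=0; on older kernels the sysctl value decides, and a missing sysctl on a pre-6.0 kernel is reported as unknown rather than guessed. The function names (kernel_ver_ge, read_helper_sysctl, helper_mode), the SYSCTL_PATH override and the sample version strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not AIF's own code. Decide whether conntrack legacy automatic
# helper assignment is active when the nf_conntrack_helper sysctl may be absent.
# kernel_ver_ge, read_helper_sysctl, helper_mode and SYSCTL_PATH are assumptions.

# Succeed when the kernel release in $1 (as printed by `uname -r`, e.g.
# "6.0.0-2-amd64") is >= MAJOR MINOR PATCH given in $2 $3 $4.
kernel_ver_ge() {
  ver="${1%%-*}"                                   # drop "-2-amd64" style suffix
  maj="${ver%%.*}"; rest="${ver#"$maj"}"; rest="${rest#.}"
  min="${rest%%.*}"; rest="${rest#"$min"}"; rest="${rest#.}"
  pat="${rest%%.*}"
  have=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
  want=$(( $2 * 1000000 + $3 * 1000 + $4 ))
  [ "$have" -ge "$want" ]
}

# Print the sysctl value from procfs, or nothing when the file does not exist
# (kernel >= 6.0, kernel < 3.5, or NF_CONNTRACK_PROCFS disabled).
read_helper_sysctl() {
  f="${SYSCTL_PATH:-/proc/sys/net/netfilter/nf_conntrack_helper}"
  [ -r "$f" ] && cat "$f"
  return 0
}

# Print "enabled", "disabled" or "unknown" from the kernel release ($1) and
# the sysctl value ($2, may be empty when the sysctl is absent).
helper_mode() {
  if kernel_ver_ge "$1" 6 0 0; then
    echo disabled        # sysctl removed in 6.0: same as nf_conntrack_helper=0
  elif [ "$2" = "1" ]; then
    echo enabled         # 3.5 .. 4.6 default, or explicitly re-enabled
  elif [ "$2" = "0" ]; then
    echo disabled        # 4.7+ default, or set by the firewall script
  else
    echo unknown         # pre-6.0 kernel without the sysctl: do not guess
  fi
}

# Stand-alone use: report the running kernel's state the way AIF logs it.
main() {
  kver=$(uname -r)
  mode=$(helper_mode "$kver" "$(read_helper_sysctl)")
  echo "Kernel $kver: conntrack legacy automatic helper assignment is $mode"
}

main "$@"
```

Running the script on a host prints one status line; the two helpers are kept separate so the decision logic can be exercised with constructed version strings and values, independent of the host's kernel and procfs.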

arnova commented 1 year ago

Fixed with #89 . @68420948 : Can you use that for a downstream-backport?

68420948 commented 1 year ago

On Tue, 2023-02-28 at 06:54 -0800, Arno van Amersfoort wrote:

Fixed with #88 . @68420948 : Can you use that for a downstream-backport?

Thanks for the fix. A backporting patch has been prepared and a patched AIF 2.1.1 has already been uploaded into Debian Unstable.