Bug 599354 - hardened-sources-4.7.x breaks CONNTRACK_FTP
Summary: hardened-sources-4.7.x breaks CONNTRACK_FTP
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-10 05:50 UTC by lou
Modified: 2016-11-30 21:46 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description lou 2016-11-10 05:50:44 UTC
Migrating from hardened-sources-4.4.8 to 4.7.6 or 4.7.10 breaks FTP CONNTRACK to FTP servers. I'm using a working config and CONNTRACK is built into the kernel.

Here is the specific CONNTRACK portion of the broken kernel version (4.7.10):

CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y

Here is the complete Netfilter section. I tried adding multiple CONNTRACK features, but I am still unable to connect to passive FTP servers. Again, rolling back to 4.4.8, everything works again.

CONFIG_NF_CONNTRACK=y
CONFIG_NF_LOG_COMMON=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PROTO_DCCP=y
CONFIG_NF_NAT_PROTO_UDPLITE=y
CONFIG_NF_NAT_PROTO_SCTP=y
# CONFIG_NF_NAT_AMANDA is not set
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_IRC=y
# CONFIG_NF_NAT_SIP is not set
CONFIG_NF_NAT_TFTP=y
CONFIG_NF_NAT_REDIRECT=y
# CONFIG_NF_TABLES is not set
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
# CONFIG_NF_DUP_IPV4 is not set
# CONFIG_NF_LOG_ARP is not set
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=y
# CONFIG_NF_NAT_MASQUERADE_IPV4 is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_AH is not set
CONFIG_IP_NF_MATCH_ECN=y
# CONFIG_IP_NF_MATCH_RPFILTER is not set
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_SYNPROXY is not set
CONFIG_IP_NF_NAT=y
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
# CONFIG_IP_NF_TARGET_NETMAP is not set
# CONFIG_IP_NF_TARGET_REDIRECT is not set
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y
# CONFIG_IP_NF_SECURITY is not set
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
# CONFIG_BRIDGE_NF_EBTABLES is not set
Comment 1 Anthony Basile gentoo-dev 2016-11-25 13:27:43 UTC
Can you test hardened-sources-4.8.10?
Comment 2 lou 2016-11-30 14:36:29 UTC
Hello Anthony

I just tried with 4.8.10. Same problem.

ERROR:>   	[11/30/2016 7:27:51 AM] PASV failed, trying PORT.

STATUS:>  	[11/30/2016 7:27:52 AM] This site can resume broken downloads.
COMMAND:>	[11/30/2016 7:27:52 AM] REST 0
		[11/30/2016 7:27:52 AM] 350 Restarting at 0
COMMAND:>	[11/30/2016 7:27:52 AM] PORT 10,0,0,xxx,18,83
		[11/30/2016 7:27:52 AM] 500 I won't open a connection to 10.0.0.xx (only to 69.xxx.xxx.xxx)
ERROR:>   	[11/30/2016 7:27:52 AM] Syntax error: command unrecognized.
ERROR:>   	[11/30/2016 7:27:52 AM] Failed to establish data socket.

10.0.0.xx is the internal IP.
69.xxx.xxx.xxx is the public NAT IP.

It appears it loses my NAT when FTPing. I can hit the internet fine, etc. Notice the ERROR: PASV failed. Again, this is not a problem with 4.4.8 and older and started in 4.7.

Also, in the logs, I'm seeing FORWARD drops:

Nov 30 07:25:30 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 MAC=00:13:20:0a:46:8c:00:13:20:67:ad:5e:08:00 SRC=10.0.0.xx DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35766 DF PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 30 07:25:33 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 MAC=00:13:20:0a:46:8c:00:13:20:67:ad:5e:08:00 SRC=10.0.0.xx DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35783 DF PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 30 07:25:39 comp kernel: FW_FORWARD: IN=eth0 OUT=eth1 MAC=00:13:20:0a:46:8c:00:13:20:67:ad:5e:08:00 SRC=10.0.0.xx DST=72.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=35808 DF PROTO=TCP SPT=4683 DPT=62970 WINDOW=65535 RES=0x00 SYN URGP=0

I'm guessing that the PASV connection
Comment 3 lou 2016-11-30 14:58:46 UTC
Also during the build phase I do see this warning. Not sure if this is related...

In file included from ./include/linux/list.h:8:0,
                 from ./include/linux/module.h:9,
                 from net/ipv4/inet_hashtables.c:16:
net/ipv4/inet_hashtables.c: In function 'inet_ehash_locks_alloc':
./include/linux/kernel.h:748:17: warning: comparison of distinct pointer types lacks a cast
  (void) (&_max1 == &_max2);  \
                 ^
net/ipv4/inet_hashtables.c:688:13: note: in expansion of macro 'max'
   nblocks = max(2U * L1_CACHE_BYTES / locksz, 1U);
             ^
Comment 4 lou 2016-11-30 15:10:16 UTC
I also disabled PaX and GRSEC. Same problem.
Comment 5 Francisco Blas Izquierdo Riera gentoo-dev 2016-11-30 19:05:18 UTC
This is a feature in the kernel, see https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/netfilter/nf_conntrack_helper.c?h=v4.7&id=3bb398d925ec73e42b778cf823c8f4aecae359ea

Or for more info: http://www.firewalld.org/2016/10/automatic-helper-assignment and http://www.spinics.net/lists/netfilter/msg56874.html

For now you can use:
# echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

But that may eventually be dropped out of the kernel too.

@blueness you probably want to close this one as WONTFIX unless you feel like reverting that commit.
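The sysctl above re-enables automatic helper assignment globally, which is the behaviour upstream deprecated. The explicit alternative, assigning the ftp helper only to the control connections that need it, is shown below as an added example (not from this bug thread or from the hardened-sources package). Interface names, the LAN subnet and the public address are assumptions; the CT target needs CONFIG_NETFILTER_XT_TARGET_CT, and the NAT of the data connection needs CONFIG_NF_NAT_FTP=y as in the reporter's config.

```shell
#!/bin/sh
# Added example: explicit FTP conntrack helper assignment for kernels >= 4.7,
# where nf_conntrack_helper defaults to 0 and helpers are no longer attached
# automatically. Values below are assumptions, not taken from the bug.
LAN_IF=eth0            # assumed internal interface (the log shows IN=eth0)
WAN_IF=eth1            # assumed external interface (the log shows OUT=eth1)
LAN_NET=10.0.0.0/24    # assumed internal subnet
WAN_IP=203.0.113.10    # placeholder public NAT address (RFC 5737 range)

# Report whether the kernel auto-assigns helpers ("automatic", sysctl 1) or
# requires explicit CT rules ("explicit", sysctl 0, the 4.7+ default).
# Takes an optional path so it can be checked against a constructed file.
helper_autoassign_mode() {
    f=${1:-/proc/sys/net/netfilter/nf_conntrack_helper}
    [ -r "$f" ] || { echo "unknown"; return 1; }
    case "$(cat "$f")" in
        1) echo "automatic" ;;
        0) echo "explicit" ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Emit the rules instead of applying them so they can be reviewed first;
# pipe the output into "sh" as root to apply.
ftp_helper_rules() {
    # 1. Attach the ftp helper in the raw table to LAN clients' control
    #    connections (port 21) only, instead of every flow on the box.
    echo "iptables -t raw -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 21 -j CT --helper ftp"
    # 2. The helper registers an expectation for the PASV data connection,
    #    so that SYN (dropped as NEW in the reporter's log) now matches RELATED.
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # 3. Source-NAT LAN traffic to the public address (SNAT rather than
    #    MASQUERADE, which is not built into the reporter's kernel).
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP"
}

echo "# helper assignment mode: $(helper_autoassign_mode || true)"
ftp_helper_rules
```

Once the raw-table rule is in place, `conntrack -L` (from the conntrack-tools package) should list the port 21 entry with `helper=ftp`, and the data connection no longer appears in the FW_FORWARD drop log.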
Comment 6 Anthony Basile gentoo-dev 2016-11-30 21:02:37 UTC
> @blueness you probably want to close this one as WONTFIX unless you feel
> like reverting that commit.

We're moving towards 4.8 next, where I presume this isn't a problem. Please reopen the bug if the same issue arises in hardened-sources-4.8.11 or above.
Comment 7 Anthony Basile gentoo-dev 2016-11-30 21:46:07 UTC
(In reply to Anthony Basile from comment #6)
> > @blueness you probably want to close this one as WONTFIX unless you feel
> > like reverting that commit.
> 
> we're moving towards 4.8 next, where I presume this isn't a problem.  please
> reopen the bug if the same issue arises in hardened-sources-4.8.11 or above.

Ah, never mind, this is a permanent change in the kernel, so I guess we're going to have to live with it. I'm not going to carry forward a patch, and I also think we should stick with upstream's decision and bug them if you just can't live with their choice.