| 1 |
Hi B.J. |
| 2 |
|
| 3 |
|
| 4 |
> I encountered a problem like this that I resolved a few weeks ago |
| 5 |
> when I decided to get 2.6.14-hardened-r7 to work (r6 had the same |
| 6 |
> problem, but I stuck to r5 until r7 came out). I have a bridge set |
| 7 |
> up for use with openvpn. |
| 8 |
> |
| 9 |
> One of the patches (1431_15.4_bridge-netfilter-race.patch) that r6 |
| 10 |
> and r7 apply to the vanilla 2.6.14 modifies the function |
| 11 |
> br_nf_pre_routing_finish_ipv6() in net/bridge/br_netfilter.c in a |
| 12 |
> way that made my hardened server crash whenever I attempted to ssh to |
| 13 |
> it (over IPv6). Looking at the upstream source for the kernel |
| 14 |
> (2.6.16.9 from kernel.org), the patch appears to have been reverted |
| 15 |
> back or never applied. |
| 16 |
> I changed the patched part to look like the upstream sources (which |
| 17 |
> also looks like 2.6.14-hardened-r5), and that stopped the kernel |
| 18 |
> panic. The patch calls skb_pull() rather than skb_push(), which I |
| 19 |
> suspect filled up a buffer rather than empty it. |
| 20 |
> |
| 21 |
> The following diff shows how I reverted the patch, and my server |
| 22 |
> hasn't panicked since then. |
| 23 |
|
| 24 |
|
| 25 |
It took me some time before I could test this (both servers I could |
| 26 |
test it on are production servers and it's not always easy to find a |
| 27 |
timeframe where you can "play" with them). |
| 28 |
But I can confirm that your patch applied to 2.6.14-hardened-r7 does |
| 29 |
indeed remove the panic I encountered when connecting with OpenVPN. |
| 30 |
|
| 31 |
Thanks. |
| 32 |
|
| 33 |
|
| 34 |
Jean-Pierre |
| 35 |
|
| 36 |
|
| 37 |
-- |
| 38 |
Powered by Linux From Scratch - http://schwicky.net/ |
| 39 |
PGP Key ID: 0xEE6F49B4 - AIM/Jabber: Schwicky - ICQ: 4690141 |
| 40 |
|
| 41 |
Nothing is impossible... Everything is relative! |
| 42 |
-- |
| 43 |
gentoo-hardened@g.o mailing list |
Archives