Hi B.J.


> I encountered a problem like this that I resolved a few weeks ago
> when I decided to get 2.6.14-hardened-r7 to work (r6 had the same
> problem, but I stuck to r5 until r7 came out). I have a bridge set
> up for use with openvpn.
>
> One of the patches (1431_15.4_bridge-netfilter-race.patch) that r6
> and r7 apply to the vanilla 2.6.14 modifies the function
> br_nf_pre_routing_finish_ipv6() in net/bridge/br_netfilter.c in a
> way that made my hardened server crash whenever I attempted to ssh to
> it (over IPv6). Looking at the upstream source for the kernel
> (2.6.16.9 from kernel.org), the patch appears to have been reverted
> back or never applied.
> I changed the patched part to look like the upstream sources (which
> also looks like 2.6.14-hardened-r5), and that stopped the kernel
> panic. The patch calls skb_pull() rather than skb_push(), which I
> suspect filled up a buffer rather than emptying it.
>
> The following diff shows how I reverted the patch, and my server
> hasn't panicked since then.


It took me some time before I could test this (both servers I could
test it on are production servers and it's not always easy to find a
timeframe where you can "play" with them).
But I can confirm that your patch applied to 2.6.14-hardened-r7 does
indeed remove the panic I encountered when connecting with OpenVPN.

Thanks.


Jean-Pierre


--
Powered by Linux From Scratch - http://schwicky.net/
PGP Key ID: 0xEE6F49B4 - AIM/Jabber: Schwicky - ICQ: 4690141

Nothing is impossible... Everything is relative!
--
gentoo-hardened@g.o mailing list