
Bug#839632: linux-image-4.7.0-1-amd64: Conntrack is disabled by default (net.netfilter.nf_conntrack_helper)



Control: tag -1 wontfix
Control: retitle -1 Linux 4.7: conntrack protocol helpers must now be enabled explicitly

On Mon, 2016-10-03 at 12:20 +0300, Vladimir Kudrya wrote:
> Package: src:linux
> Version: 4.7.5-1
> Severity: important
> Tags: upstream
> 
> Dear Maintainer, in latest kernel conntrack seems to be off by
> default.
> https://bugzilla.kernel.org/show_bug.cgi?id=152101
> 
> The effect is that network gateway with loaded i.e. nf_nat_pptp
> module would silently
> become unable to properly pass GRE packets after update.
> It is now required to also explicitly enable
> net.netfilter.nf_conntrack_helper in sysctl.
> Unfortunately, there was no information about that in Debian
> changelogs that I know of.
> This change should be either documented and announced via
> apt-listchanges or reverted.

The old behaviour has been deprecated since Linux 3.5, with a kernel
log message warning for this.  So I see no need for further warnings.

We will not revert this as the old behaviour is bad for security:
https://home.regit.org/netfilter-en/secure-use-of-helpers/

Ben.

-- 
Ben Hutchings
Horngren's Observation:
                   Among economists, the real world is often a special case.

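The explicit helper assignment that Ben's reply points to (and that the linked article describes) is the part the original report does not show. The following is an added shell example, not code from the bug report, from Debian's kernel packaging, or from the linked article: it reports the current nf_conntrack_helper setting and emits the commands a PPTP gateway needs once auto-assignment is off, attaching the pptp helper only to the PPTP control connection from the LAN via the CT target in the raw table. The LAN interface name, LAN prefix and the presence of iptables, sysctl and modprobe on PATH are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or Debian's kernel packaging.
# On Linux >= 4.7 net.netfilter.nf_conntrack_helper defaults to 0, so a
# gateway relying on nf_nat_pptp must attach the "pptp" helper itself
# instead of letting the kernel attach helpers to every flow whose port
# happens to match (the deprecated behaviour: sysctl
# net.netfilter.nf_conntrack_helper=1, which hands every TCP/1723 flow in
# either direction to the helper's parser).
# Assumptions (not from the page): the LAN-facing interface name, the LAN
# prefix, and that iptables/sysctl/modprobe are on PATH.

LAN_IF="${LAN_IF:-eth1}"               # assumed: interface the PPTP clients sit behind
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: internal prefix

# Report whether the running kernel still auto-assigns helpers.
# Prints 1 (legacy blanket assignment), 0 (explicit assignment only, the
# 4.7 default) or "unavailable" when nf_conntrack is not loaded or this is
# not Linux.
conntrack_helper_autoassign() {
    f=/proc/sys/net/netfilter/nf_conntrack_helper
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Emit the commands that make PPTP pass-through work with auto-assignment
# left off. Only the PPTP control connection (TCP/1723) coming from the LAN
# gets the helper; the helper then creates the expectation for the GRE
# tunnel, whose packets show up as RELATED in FORWARD, so no GRE-specific
# rule and no helper on any other flow is needed.
pptp_gateway_commands() {
    cat <<EOF
modprobe nf_nat_pptp
sysctl -w net.netfilter.nf_conntrack_helper=0
iptables -t raw -A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 1723 -j CT --helper pptp
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Dry run by default; set APPLY=1 and run as root to execute the commands.
if [ "${APPLY:-0}" = 1 ]; then
    pptp_gateway_commands | sh -e
else
    echo "net.netfilter.nf_conntrack_helper is currently: $(conntrack_helper_autoassign)"
    pptp_gateway_commands
fi
```

Run it once without APPLY to review the rules it would install; after applying, `conntrack -L` should show the helper only on the TCP/1723 entries from the LAN, which is the check that distinguishes this from the blanket sysctl.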

