VPN (or other services) fail through SUSE firewall after kernel update

This document (7016668) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

A SLES 11 SP3 system is acting as a router / firewall / NAT device. Workstations in the private network were making VPN connections (which make use of PPTP) to a VPN server across the internet. This was working fine, but then the SLES kernel was updated to 3.0.101-0.47.52. After this, workstations could no longer get VPN established.

Or generically speaking, this TID may apply to any protocol which stops making it through a SUSE firewall after this kernel update.

Resolution

At the SLES machine, load the netfilter connection tracking modules for PPTP with the command:

modprobe nf_nat_pptp

For added details or information about other protocols affected, see the "Cause" section of this document.

Cause

In previous kernels, a generic netfilter connection tracking module handled many protocols. For security reasons, this was changed. Details follow:

The linux connection tracker contains a generic connection tracking module able to handle packets that are not handled by a protocol-specific connection tracking module. Not understanding the higher-level protocol information (such as port numbers) in the packets, it only uses the IP-level information (the source and destination addresses). Previously, if the corresponding protocol-specific connection tracker module was not loaded, the generic connection tracker handled the packet.

This may lead to very unexpected results, including a firewall accepting packets that were intended to be dropped. The problem has been classified as a security vulnerability and assigned CVE-2014-8160. This has been solved by making the generic connection tracker ignore protocols for which we have protocol-specific connection tracking modules. This is the upstream commit, containing more technical details:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db29a9508a9246e77087c5531e45b2c88ec6988b

The protocols affected are:

    SCTP     - handled by nf_conntrack_proto_sctp.ko

    DCCP     - handled by nf_conntrack_proto_dccp.ko

    UDPLITE  - handled by nf_conntrack_proto_udplite.ko

    GRE      - handled by nf_conntrack_proto_gre.ko

    PPTP GRE - handled by nf_conntrack_pptp.ko

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.