Hi B.J.
> I encountered a problem like this that I resolved a few weeks ago
> when I decided to get 2.6.14-hardened-r7 to work (r6 had the same
> problem, but I stuck to r5 until r7 came out). I have a bridge set
> up for use with openvpn.
>
> One of the patches (1431_15.4_bridge-netfilter-race.patch) that r6
> and r7 apply to the vanilla 2.6.14 modifies the function
> br_nf_pre_routing_finish_ipv6() in net/bridge/br_netfilter.c in a
> way that made my hardened server crash whenever I attempted to ssh to
> it (over IPv6). Looking at the upstream source for the kernel
> (2.6.16.9 from kernel.org), the patch appears to have been reverted
> back or never applied.
> I changed the patched part to look like the upstream sources (which
> also looks like 2.6.14-hardened-r5), and that stopped the kernel
> panic. The patch calls skb_pull() rather than skb_push(), which I
> suspect filled up a buffer rather than emptying it.
>
> The following diff shows how I reverted the patch, and my server
> hasn't panicked since then.

It took me some time before I could test this (both servers I could test it on are production servers and it's not always easy to find a timeframe where you can "play" with them). But I can confirm that your patch applied to 2.6.14-hardened-r7 does indeed remove the panic I encountered when connecting with OpenVPN.

Thanks.

Jean-Pierre

-- 
Powered by Linux From Scratch - http://schwicky.net/
PGP Key ID: 0xEE6F49B4 - AIM/Jabber: Schwicky - ICQ: 4690141
Nothing is impossible... Everything is relative!

-- 
[email protected] mailing list
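The thread above turns on the difference between skb_push() and skb_pull(): push moves skb->data backwards towards skb->head and grows skb->len (re-exposing a header that was stripped earlier), pull moves skb->data forwards and shrinks skb->len (stripping a header). The following is an added, stand-alone model written for this page; it is not code from B.J.'s patch, from the gentoo-hardened patch set, or from the kernel's br_netfilter.c. It uses a toy sk_buff with the same head/data/tail bookkeeping and a constructed Ethernet+IPv6 frame to show what each call does to the frame layout when the intent is to put the Ethernet header back in front of the IPv6 header. All `toy_` names, the buffer sizes and the sample frame are assumptions made for the example; the one kernel fact relied on is that the real skb_push() calls skb_under_panic() when data would move before head, which the toy models by returning NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Sizes assumed for the example (Ethernet and fixed IPv6 header lengths are real). */
#define TOY_ETH_HLEN   14
#define TOY_IPV6_HLEN  40
#define TOY_PAYLOAD    32
#define TOY_HEADROOM   TOY_ETH_HLEN
#define TOY_BUF_SIZE   (TOY_HEADROOM + TOY_IPV6_HLEN + TOY_PAYLOAD)

/* Toy stand-in for the pointer trio of a real sk_buff: head <= data <= tail. */
struct toy_skb {
    unsigned char  buf[TOY_BUF_SIZE];
    unsigned char *head;
    unsigned char *data;
    unsigned char *tail;
    size_t         len;   /* always tail - data */
};

/* Model of skb_push(): grow the frame at the front by n bytes.
 * The real kernel BUGs via skb_under_panic() when data would move before
 * head; the toy returns NULL instead so the condition can be asserted on. */
unsigned char *toy_skb_push(struct toy_skb *s, size_t n)
{
    if ((size_t)(s->data - s->head) < n)
        return NULL;
    s->data -= n;
    s->len  += n;
    return s->data;
}

/* Model of skb_pull(): strip n bytes from the front.
 * Returns NULL when n exceeds the data present, as the real skb_pull() does. */
unsigned char *toy_skb_pull(struct toy_skb *s, size_t n)
{
    if (n > s->len)
        return NULL;
    s->data += n;
    s->len  -= n;
    return s->data;
}

/* Constructed frame (not a capture): Ethernet header with ethertype 0x86dd,
 * then a minimal IPv6 header (version 6, next header 58) and payload.
 * data is left pointing at the IPv6 header, i.e. the Ethernet header has
 * already been stripped and now lives in the headroom. */
void toy_build_frame(struct toy_skb *s)
{
    memset(s->buf, 0, sizeof s->buf);
    s->head = s->buf;
    s->tail = s->buf + TOY_BUF_SIZE;

    memset(s->buf, 0xaa, 6);          /* dst MAC */
    memset(s->buf + 6, 0xbb, 6);      /* src MAC */
    s->buf[12] = 0x86;                /* ethertype IPv6 */
    s->buf[13] = 0xdd;

    unsigned char *ip6 = s->buf + TOY_ETH_HLEN;
    ip6[0] = 0x60;                    /* version 6 */
    ip6[5] = TOY_PAYLOAD;             /* payload length (low byte) */
    ip6[6] = 58;                      /* next header: ICMPv6 */
    ip6[7] = 64;                      /* hop limit */
    memset(ip6 + TOY_IPV6_HLEN, 0x41, TOY_PAYLOAD);

    s->data = ip6;
    s->len  = TOY_IPV6_HLEN + TOY_PAYLOAD;
}

/* Does data currently point at an Ethernet header carrying IPv6? */
int toy_at_eth_header(const struct toy_skb *s)
{
    return s->len >= TOY_ETH_HLEN && s->data[12] == 0x86 && s->data[13] == 0xdd;
}

/* Does data currently point at an IPv6 header? */
int toy_at_ipv6_header(const struct toy_skb *s)
{
    return s->len >= TOY_IPV6_HLEN && (s->data[0] >> 4) == 6;
}

/* Intended operation: push the Ethernet header back in front of the IPv6
 * header.  Returns 1 when data lands on a valid Ethernet header. */
int toy_restore_eth_with_push(struct toy_skb *s)
{
    toy_build_frame(s);
    if (!toy_skb_push(s, TOY_ETH_HLEN))
        return 0;
    return toy_at_eth_header(s);
}

/* Swapped operation: pull instead of push.  data moves 14 bytes INTO the
 * IPv6 header (onto the source address) and len shrinks, so data points at
 * neither an Ethernet nor an IPv6 header any more.  Returns 1 if either
 * header check still passes, 0 if the layout is broken, -1 if pull fails. */
int toy_restore_eth_with_pull(struct toy_skb *s)
{
    toy_build_frame(s);
    if (!toy_skb_pull(s, TOY_ETH_HLEN))
        return -1;
    return toy_at_eth_header(s) || toy_at_ipv6_header(s);
}

/* How far past the start of the real IPv6 header data sits. */
size_t toy_offset_into_ipv6(const struct toy_skb *s)
{
    return (size_t)(s->data - (s->head + TOY_ETH_HLEN));
}

int main(void)
{
    struct toy_skb s;
    printf("push: eth header restored = %d, len = %zu\n",
           toy_restore_eth_with_push(&s), s.len);
    printf("pull: headers intact = %d, data %zu bytes into IPv6 header, len = %zu\n",
           toy_restore_eth_with_pull(&s), toy_offset_into_ipv6(&s), s.len);
    return 0;
}
```

The model makes the asymmetry concrete: after the push, data sits on the dst MAC with 86 bytes of frame behind it and the headroom is exhausted (a second push would hit the skb_under_panic() path in the real kernel); after the pull, data sits 14 bytes inside the IPv6 header with only 58 bytes left, so any later code that dereferences what it believes is an Ethernet or IPv6 header at skb->data reads address bytes instead.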
