From: Xin Long <lucien....@gmail.com> Date: Sat, 21 Oct 2017 14:06:27 +0800
> Imagine a customer generates a sosreport on their system, and > with that, it loads sctp module. From then on, if their firewall > doesn't block incoming packets for sctp, they may be prone to some > remotely triggerable issue on sctp code, without even actually using > sctp. Like I said, if the protocol is so unsafe, block it in the modules.conf file. Block all "I don't use this" protocols in netfilter. Otherwise, like I said, any user on their system can open a socket of the indicated protocol. There are many options. Furthermore, "ss" should not signal an error because the protocol module happens to not be open yet and as I understand it this is what your patch does since it chooses to not load the module in this situation.
