| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Oct 2013 09:42:13 +0200 From: Daniel Borkmann <dborkman@...hat.com> To: "Ni, Xun" <xun.ni@...el.com> CC: Daniel Wagner <wagi@...om.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, "pablo@...filter.org" <pablo@...filter.org>, "netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Tejun Heo <tj@...nel.org>, "cgroups@...r.kernel.org" <cgroups@...r.kernel.org> Subject: Re: [PATCH nf-next] netfilter: xtables: lightweight process control group matching On 10/22/2013 09:15 AM, Ni, Xun wrote: > Hello, Daniel: > can all your examples block early before doing network operations? What's the whole netfilter universe? Can you give us more clear examples? As you can see from the code, the netfilter hooks are located in NF_INET_LOCAL_OUT and NF_INET_POST_ROUTING. > Thanks > On 10/21/2013 05:09 PM, Daniel Wagner wrote: >> On 10/19/2013 08:16 AM, Daniel Borkmann wrote: >>> On 10/19/2013 01:21 AM, Eric W. Biederman wrote: >>> >>>> I am coming to this late. But two concrete suggestions. >>>> >>>> 1) process groups and sessions don't change as frequently as pids. >>>> >>>> 2) It is possible to put a set of processes in their own network >>>> namespace and pipe just the packets you want those processes to >>>> use into that network namespace. Using an ingress queueing filter >>>> makes that process very efficient even if you have to filter by port. >>> >>> Actually in our case we're filtering outgoing traffic, based on which >>> local socket that originated from; so you wouldn't need all of that >>> construct. Also, you wouldn't even need to have an a-prio knowledge >>> of the application internals regarding their use of particular use of >>> ports or protocols. I don't think that such a setup will have the >>> same efficiency, ease of use, and power to distinguish the >>> application the traffic came from in such a lightweight, protocol independent and easy way. >> >> Sorry for beeing late as well (and also stupid question) >> >> Couldn't you use something from the LSM? I mean you allow the >> application to create the socket etc and then block later the traffic >> originated from that socket. Wouldn't it make more sense to block >> early? > > I gave one simple example for blocking in the commit message, that's true, but it is not limited to that, meaning we can have much different scenarios/policies that netfilter allows us than just blocking, e.g. fine grained settings where applications are allowed to connect/send traffic to, application traffic marking/ conntracking, application-specific packet mangling, and so on, just think of the whole netfilter universe. > -- > To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists