lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <550B1852.2020209@zonque.org>
Date:	Thu, 19 Mar 2015 19:41:22 +0100
From:	Daniel Mack <daniel@...que.org>
To:	Daniel Borkmann <dborkman@...hat.com>,
	Alexey Perevalov <a.perevalov@...sung.com>
CC:	Pablo Neira Ayuso <pablo@...filter.org>,
	netdev <netdev@...r.kernel.org>
Subject: cgroup matches in INPUT chain

Hi,

I'm currently looking into the netclass CGroup controller and its
netfilter module in order to build a per-application firewall with it.
I'm having trouble understanding the commit log of a00e76349f35
("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf
hooks"), especially the following paragraph:

> It's possible to get classified sk_buff after PREROUTING, due to
> socket lookup being done in early_demux (tcp_v4_early_demux). Also
> it works for udp as well.

What is "after PREROUTING" supposed to mean exactly? After all, the
examples in the commit log put the rules into the "INPUT" chain.

In my tests, however, NF_INET_LOCAL_IN is iterated before early_demux()
is called, and for skbs that do not have a socket assigned, the cgroup
match code bails out early, making the rules ineffective. Hence,
NF_INET_LOCAL_IN can't work reliably for these matches IMO, as the
cgroup rules don't apply to at least every first packet in a TCP stream.
Am I missing something?

It would also be possible to do something similar to what the "socket"
module does, and look up a listening socket directly from cgroup_mt() in
case skb->sk == NULL. I've attached a patch that implements that and
which works for me, but I'm not sure if that's a sane way to go.


Thanks,
Daniel

Attachment: "0001-netfilter-x_tables-implement-matching-for-skb-sk-NUL.patch" (text/x-diff, 5476 bytes)
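The ordering problem the mail describes, as an added toy model that is not part of the original message or of the kernel code: a match that bails out on skb->sk == NULL misses every packet that reaches LOCAL_IN before a socket is attached, while the listening-socket fallback sketched above covers them. All names (Socket, Packet, LISTENERS, the two match functions) are constructed for illustration and are not netfilter identifiers.

```python
"""Constructed Python model of the skb->sk == NULL problem raised in the mail.
Not kernel code: Socket, Packet, LISTENERS and both match functions are
assumed names chosen for illustration, not netfilter identifiers."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class Socket:
    classid: int  # net_cls classid of the cgroup owning the socket

@dataclass
class Packet:
    dport: int
    sk: Optional[Socket] = None  # models skb->sk; None until a socket is attached

# Constructed: one listening socket on port 8080 owned by cgroup classid 0x10.
LISTENERS: Dict[int, Socket] = {8080: Socket(classid=0x10)}

def cgroup_mt_stock(pkt: Packet, rule_classid: int) -> bool:
    """Match as the mail describes it: no socket on the skb means no match."""
    if pkt.sk is None:
        return False
    return pkt.sk.classid == rule_classid

def cgroup_mt_with_lookup(pkt: Packet, rule_classid: int) -> bool:
    """Variant the mail sketches: fall back to a listening-socket lookup."""
    sk = pkt.sk if pkt.sk is not None else LISTENERS.get(pkt.dport)
    return sk is not None and sk.classid == rule_classid

def tcp_stream(dport: int, n_packets: int) -> List[Packet]:
    """Constructed inbound stream: the first packet (SYN) arrives with no
    socket attached; the remaining packets carry the established socket."""
    established = LISTENERS[dport]
    return [Packet(dport)] + [Packet(dport, sk=established) for _ in range(n_packets - 1)]

def count_matched(stream: List[Packet], match: Callable[[Packet, int], bool],
                  rule_classid: int) -> int:
    """How many packets an INPUT rule '-m cgroup --cgroup <classid>' would hit."""
    return sum(1 for pkt in stream if match(pkt, rule_classid))

if __name__ == "__main__":
    stream = tcp_stream(8080, 4)
    print("stock :", count_matched(stream, cgroup_mt_stock, 0x10), "of", len(stream))
    print("lookup:", count_matched(stream, cgroup_mt_with_lookup, 0x10), "of", len(stream))
```

With the stock behaviour the first packet of each stream escapes the rule, which is the coverage gap a per-application firewall built on this match needs to account for.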
