lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAL5mK8wsgqQCVt0jG7YjJz4E6YoPPs3tq7rrhhbsr=BDeJMVMg@mail.gmail.com>
Date: Thu, 31 Oct 2024 00:23:16 -0700
From: Austin Hendrix <namniart@...il.com>
To: netdev@...r.kernel.org
Subject: Duplicate invocation of NF_INET_POST_ROUTING rule for outbound multicast?

I am trying to use the iptables cgroups match to filter outbound
multicast; the goal is to only allow processes in one net_cls to send
traffic on a particular multicast address.

These are not my firewall rules, but for sake of example, we could
allow processes in a cgroup to send to the mDNS multicast group, and
prevent all other processes from doing this. Let's also log those
packets, while we're at it.

-A POSTROUTING -d 224.0.0.251 -j NFLOG
-A POSTROUTING -m cgroup --cgroup 0x4242 -d 224.0.0.251 -j ACCEPT
-A POSTROUTING -d 224.0.0.251 -j DROP

In practice, when I have a single, well-behaved application that tries
to send to this multicast group, I see some very weird things:

* The NFLOG rule is hit twice for every outbound packet (I'll get back to this)
* The cgroup rule is hit once for every outbound packet, and the
packet goes out successfully.
* The DROP rule is _also_ hit once for every outbound packet.

When I use tcpdump to take a capture with nflog, things get
interesting. tcpdump captures two copies of every packet. The FIRST
copy does not have the NFULA_UID and NFULA_GID headers set; the second
copy does!

I've been staring at the linux source code for a while, and I think
this part of ip_mc_output explains it.

if (sk_mc_loop(sk)
#ifdef CONFIG_IP_MROUTE
/* Small optimization: do not loopback not local frames,
   which returned after forwarding; they will be  dropped
   by ip_mr_input in any case.
   Note, that local frames are looped back to be delivered
   to local recipients.

   This check is duplicated in ip_mr_input at the moment.
*/
    &&
    ((rt->rt_flags & RTCF_LOCAL) ||
     !(IPCB(skb)->flags & IPSKB_FORWARDED))
#endif
   ) {
struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
if (newskb)
NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
net, sk, newskb, NULL, newskb->dev,
ip_mc_finish_output);
}

It looks like ip_mc_output duplicates outgoing multicast, sends the
copy through POSTROUTING first (remember how the first copy didn't
have UID and GID?), and then loops that copy back for local multicast
listeners.

I haven't followed all of the details yet, but it looks like the copy
that is looped back lacks the sk_buff attributes which identify the
UID, GID and cgroup of the sender.

Is my understanding of this correct? Is the netdev team willing to
discuss possible solutions to this, or is this behavior "by design?"

Thanks
-Austin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ