On 10.06, Andreas Schultz wrote:
> On Wed, Jun 10, 2015 at 4:01 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Wed, Jun 10, 2015 at 12:07:27PM +0200, Andreas Schultz wrote:
> > [...]
> >> I think I have found the root cause why this happens.
> >>
> >> With iptables only the hooks defined by the ipt modules can ever exist and
> >> they do apply to all namespaces. Thus hooks are registered in the global list
> >> nf_hooks.
> >
> > I have an incomplete patchset here to introduce pernet hooks. Will
> > send this for review at some point.
>
> Please, could you share those patches? I have started on making nf_hooks
> into a pernet structure, but having something to start from would make this
> much simpler.
>
> Also, in its current form having netns and nftables support enabled at the
> same time can lead to some horribly broken (insecure) setups, e.g. I could
> intercept traffic for the host from within a docker container.
>
> Shouldn't Kconfig be changed to prevent this?

If my understanding of the problem is correct, this (totally untested) patch
should prevent the problem until we have a proper fix.

diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index f153b07..62e371a 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -124,6 +124,12 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 	int rulenum;
 	unsigned int gencursor = nft_genmask_cur(net);
 
+	/* Workaround for processing in incorrect namespace until we have
+	 * per net hooks.
+	 */
+	if (read_pnet(&(pkt->in ? : pkt->out)->nd_net) != net)
+		return NF_ACCEPT;
+
 do_chain:
 	rulenum = 0;
 	rule = list_entry(&chain->rules, struct nft_rule, list);
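Review bot: The early `return NF_ACCEPT` in the added block means that when the packet's device namespace (read from `(pkt->in ? : pkt->out)->nd_net`) differs from the `net` the chain belongs to (the one already used by `nft_genmask_cur(net)` in the context line), the packet bypasses this chain entirely, including its base-chain policy. That is the intended effect for a stop-gap (a chain in one namespace must not filter or intercept another namespace's traffic, which is the scenario described in the quoted mail), but the comment should say so explicitly, e.g. "not our namespace: let that namespace's own hooks decide", so NF_ACCEPT is not later mistaken for a real verdict from this chain. The condition also dereferences whichever of `pkt->in`/`pkt->out` is set, so it silently relies on at least one of them being non-NULL for every hook a base chain can be registered on; a one-line comment stating that invariant would make the workaround easier to verify and to remove once per-net hooks land.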