[iptables] avoid raw sockets which requires CAP_NET_RAW


 



CAP_NET_RAW is not necessary for xtables to function properly.
Netfilter socket options are reachable from TCP/UDP sockets.
Netlink is datagram-oriented and accepts both SOCK_RAW and SOCK_DGRAM.

Signed-off-by: Youfu Zhang <zhangyoufu@xxxxxxxxx>
---
 extensions/libxt_set.h | 2 +-
 libipq/libipq.c        | 4 ++--
 libiptc/libiptc.c      | 2 +-
 libxtables/xtables.c   | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/extensions/libxt_set.h b/extensions/libxt_set.h
index 41dfbd30..9cdf3636 100644
--- a/extensions/libxt_set.h
+++ b/extensions/libxt_set.h
@@ -11,7 +11,7 @@
 static int
 get_version(unsigned *version)
 {
-	int res, sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+	int res, sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 	struct ip_set_req_version req_version;
 	socklen_t size = sizeof(req_version);
 	
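Review bot: The choice of `SOCK_DGRAM`/`IPPROTO_UDP` in the new declaration of `sockfd` reads as arbitrary without a comment, since nothing is ever sent on this socket; it only has to be an AF_INET socket that the netfilter getsockopt() path accepts. A one-line comment above the declaration would keep the rationale from the commit message next to the code, e.g. `/* Nothing is sent on this socket; any inet socket carries the netfilter getsockopt(), and UDP avoids the CAP_NET_RAW that SOCK_RAW requires. */`. The same comment fits the identical changes in libiptc/libiptc.c and libxtables/xtables.c. To my understanding the kernel still gates the netfilter socket options themselves on CAP_NET_ADMIN, so this drops an unnecessary capability rather than widening who can query table state; confirming and stating that in the commit message would help reviewers. get_version's body, presumably including the getsockopt() call and close(), continues outside the hunk.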
diff --git a/libipq/libipq.c b/libipq/libipq.c
index fb65971a..e703a39c 100644
--- a/libipq/libipq.c
+++ b/libipq/libipq.c
@@ -220,9 +220,9 @@ struct ipq_handle *ipq_create_handle(uint32_t flags, uint32_t protocol)
 	memset(h, 0, sizeof(struct ipq_handle));
 	
         if (protocol == NFPROTO_IPV4)
-                h->fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_FIREWALL);
+                h->fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_FIREWALL);
         else if (protocol == NFPROTO_IPV6)
-                h->fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_IP6_FW);
+                h->fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_IP6_FW);
         else {
 		ipq_errno = IPQ_ERR_PROTOCOL;
 		free(h);
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 58882015..48f77e1a 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1309,7 +1309,7 @@ retry:
 		return NULL;
 	}
 
-	sockfd = socket(TC_AF, SOCK_RAW, IPPROTO_RAW);
+	sockfd = socket(TC_AF, SOCK_DGRAM, IPPROTO_UDP);
 	if (sockfd < 0)
 		return NULL;
 
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 777c2b08..ccc7f580 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -832,7 +832,7 @@ int xtables_compatible_revision(const char *name, uint8_t revision, int opt)
 	socklen_t s = sizeof(rev);
 	int max_rev, sockfd;
 
-	sockfd = socket(afinfo->family, SOCK_RAW, IPPROTO_RAW);
+	sockfd = socket(afinfo->family, SOCK_DGRAM, IPPROTO_UDP);
 	if (sockfd < 0) {
 		if (errno == EPERM) {
 			/* revision 0 is always supported. */
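Review bot: The `errno == EPERM` branch after the socket() call was reached when an unprivileged caller could not open a SOCK_RAW socket; a SOCK_DGRAM/IPPROTO_UDP socket is created without any capability, so that branch becomes effectively unreachable and the kernel's permission check will instead surface from the later getsockopt(), outside this hunk. Unless that error path also maps EPERM onto the "revision 0 is always supported" fallback, unprivileged invocations that relied on it will fall into the getsockopt failure handling instead. The same shift applies to libiptc/libiptc.c, where `if (sockfd < 0) return NULL;` no longer reports a permission problem at socket creation and the caller must now expect it from the subsequent socket option call. xtables_compatible_revision continues past the end of the hunk, so the getsockopt() handling cannot be checked here.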
-- 
2.23.0




