Re: Support for loading firewall rules with cgroup(v2) expressions early

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 6.4.2022 1.00, Pablo Neira Ayuso wrote:
On Sun, Apr 03, 2022 at 09:32:11PM +0300, Topi Miettinen wrote:
On 2.4.2022 11.12, Topi Miettinen wrote:
On 30.3.2022 5.53, Pablo Neira Ayuso wrote:
On Wed, Mar 30, 2022 at 12:25:25AM +0200, Pablo Neira Ayuso wrote:
On Tue, Mar 29, 2022 at 09:20:25PM +0300, Topi Miettinen wrote:
[...]
You could define a ruleset that describes the policy following the
cgroupsv2 hierarchy. Something like this:

   table inet filter {
          map dict_cgroup_level_1 {
                  type cgroupsv2 : verdict;
                  elements = { "system.slice" : jump system_slice }
          }

          map dict_cgroup_level_2 {
                  type cgroupsv2 : verdict;
                  elements = {
"system.slice/systemd-timesyncd.service" : jump
systemd_timesyncd }
          }

          chain systemd_timesyncd {
                  # systemd-timesyncd policy
          }

          chain system_slice {
                  socket cgroupv2 level 2 vmap @dict_cgroup_level_2
                  # policy for system.slice process
          }

          chain input {
                  type filter hook input priority filter; policy drop;

This example should use the output chain instead:

            chain output {
                    type filter hook output priority filter; policy drop;

  From the input chain, the packet relies on early demux to have access
to the socket.

The idea would be to filter out outgoing traffic and rely on conntrack
for (established) input traffic.

Is it really so that 'socket cgroupv2' can't be used on input side at
all? At least 'ss' can display the cgroup for listening sockets
correctly, so the cgroup information should be available somewhere:

$ ss -lt --cgroup
State    Recv-Q   Send-Q       Local Address:Port       Peer
Address:Port   Process
LISTEN   0        4096                  *%lo:ssh                   *:*
      cgroup:/system.slice/ssh.socket

Also 'meta skuid' doesn't seem to work in input filters. It would have been
simple to use 'meta skuid < 1000' to simulate 'system.slice' vs.
'user.slice' cgroups.

If this is intentional, the manual page should make this much clearer.

It is not yet described in nft(8) unfortunately, but
iptables-extensions(8) says:

  IMPORTANT: when being used in the INPUT chain, the cgroup matcher is currently only
        of limited functionality, meaning it will only match on packets that are processed
        for local sockets through early socket demuxing. Therefore, general usage on the INPUT
        chain is not advised unless the implications are well understood.

Something like this would be nice to add to nft(8). The concept of 'early socket demuxing' isn't very obvious (at least to me). Could the user of nft be able to control somehow, like force early demuxing with a sysctl?

-Topi


There's no warning and the kernel doesn't reject the useless input rules.

I think it should be possible to do filtering on input side based on the
socket properties (UID, GID, cgroup). Especially with UDP, it should be
possible to drop all packets if the listening process is not OK.

Everything is possible, it's not yet implemented though.

My use case is that I need to open ports for Steam games (TCP and UDP ports
27015-27030) but I don't want to make them available for system services or
any other apps besides Steam games. SELinux SECMARKs and TE rules for
sockets help me here but there are other problems.




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux