On Wed, Apr 27, 2022 at 09:07:07PM +0300, Topi Miettinen wrote:
> On 27.4.2022 0.07, Pablo Neira Ayuso wrote:
> > On Tue, Apr 26, 2022 at 11:05:09PM +0200, Pablo Neira Ayuso wrote:
> > > On Thu, Apr 21, 2022 at 07:35:06PM +0300, Topi Miettinen wrote:
> > > > On 21.4.2022 0.15, Jan Engelhardt wrote:
> > > > >
> > > > > On Wednesday 2022-04-20 20:54, Topi Miettinen wrote:
> > > > >
> > > > > > Add socket expressions for checking GID or UID of the originating
> > > > > > socket. These work also on input side, unlike meta skuid/skgid.
> > > > >
> > > > > Why exactly is it that meta skuid does not work?
> > > > > Because of the skb_to_full_sk() call in nft_meta_get_eval_skugid()?
> > > >
> > > > I don't know the details, but early demux isn't reliable and filters aren't
> > > > run after final demux. In my case, something like "ct state new meta skuid <
> > > > 1000 drop" as part of input filter doesn't do anything. Making "meta skuid"
> > > > 100% reliable would be of course preferable to adding a new expression.
> > >
> > > Could you give a try to this kernel patch?
> > >
> > > This patch adds a new socket hook for inet layer 4 protocols, it is
> > > coming after the NF_LOCAL_IN hook, where the socket information is
> > > available for all cases.
> > >
> > > You also need a small patch for userspace nft.
> >
> > Quickly tested it with:
> >
> > table inet x {
> > chain y {
> > type filter hook socket priority 0; policy accept;
> > counter
> > }
> > }
>
> Thanks. Assuming that this makes the 'meta skuid' and 'meta cgroupv2' always
> usable, I'd prefer this approach to new 'socket uid'.
>
> I changed the hook of my input and output filters to 'socket' but then there
> are lots of errors:
>
> /etc/nftables.conf:411:3-67: Error: Could not process rule: Operation not
> supported
> ct state new socket cgroupv2 level 1 vmap
> @dict_cgroup_level_1_in
My patch is missing an update for nft_socket.
Could you send me your ruleset so I can test my next patchset works
with it? Private email is fine.
Thanks.
