Re: filesystem access to add/remove/view ip addresses

On Fri, 18 Oct 2024, at 8:30 PM, Telbat Diordna wrote:
> In iptables there exists the recent module (-m recent). This gives you
> the possibility to add and remove ip addresses in rulesets (usually
> blocklists).  The advantage of this method is that you can allow
> access via FACLs to ordinary users for selected configuration items.
> E.g.:
> echo +/- <ip> > /proc/net/xt_recent/<iptname>
>
> It looks like there is no recent module in nftables. How can I use
> nftables in a similar way?
>
> Thanks for any information/link etc.

That's an interesting use case (that of defining FACLs).

Manipulating an nftables ruleset requires the CAP_NET_ADMIN capability. The only thing that I can think of is to write a program that would compose and dispatch the necessary set-manipulating commands through nft(8) or netlink(7), while exposing a simple command-line interface to its users. The binary could be granted the CAP_NET_ADMIN capability with the setcap(8) utility and either:

a) be limited to the relevant users and/or groups with chmod and chown
b) perform its own user and/or group membership checks upon execution

Unfortunately, this technique cannot be applied to executable scripts (BINFMT_SCRIPT), so the binary would need to be an ELF.

-- 
Kerin Millar
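One way to build the helper described in the reply above, as an added example that is not from this thread or the netfilter project: a C program (compiled to an ELF, so file capabilities apply) that validates its two arguments, performs its own group membership check (option b), and execs nft with separate argv tokens. The set name "blocklist", the table "inet filter", the group "nftadmin" and the setcap invocation are assumptions.

```c
/* Added example, not from the thread: a setcap'd ELF helper that adds/removes
 * one IPv4 address in an nftables set and does its own group check (option b).
 * Assumed, not from the thread: set "blocklist" in table "inet filter", group
 * "nftadmin", setcap cap_net_admin=ep on the binary. Usage: add|del <ipv4> */
#include <arpa/inet.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ALLOWED_GROUP "nftadmin"
#define NFT_ARGC 9 /* nft <verb> element inet filter blocklist { <ip> } */

/* Only a well-formed dotted-quad literal may reach nft as the element token. */
int valid_ipv4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Map the CLI verb onto nft's set command; NULL means unknown verb. */
const char *nft_verb(const char *action) {
    return !strcmp(action, "add") ? "add" : !strcmp(action, "del") ? "delete" : NULL;
}

/* Does the caller belong to the allowed group? File caps leave uid/gids as-is. */
int caller_allowed(void) {
    struct group *g = getgrnam(ALLOWED_GROUP);
    gid_t sup[128];
    int n = getgroups(128, sup);
    for (int i = 0; g && i < n; i++) if (sup[i] == g->gr_gid) return 1;
    return g && getgid() == g->gr_gid;
}

/* Build argv for execvp (one token each, no shell); returns count, or -1 if rejected. */
int build_argv(const char *action, const char *ip, const char *out[NFT_ARGC + 1]) {
    const char *verb = nft_verb(action);
    if (!verb || !valid_ipv4(ip)) return -1;
    const char *t[NFT_ARGC + 1] = {"nft", verb, "element", "inet", "filter",
                                   "blocklist", "{", ip, "}", NULL};
    memcpy(out, t, sizeof t);
    return NFT_ARGC;
}

int main(int argc, char **argv) {
    const char *cmd[NFT_ARGC + 1];
    if (argc != 3 || build_argv(argv[1], argv[2], cmd) < 0)
        return fprintf(stderr, "usage: %s add|del <ipv4>\n", argv[0]), 2;
    if (!caller_allowed()) return fprintf(stderr, "not in group %s\n", ALLOWED_GROUP), 1;
    execvp(cmd[0], (char *const *)cmd); /* only reaches nft with CAP_NET_ADMIN */
    return perror("execvp nft"), 1;
}
```

Restricting who may run the file with chmod/chown (option a) can be combined with this check; nft itself still refuses the command unless the capability is present.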
