<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - iptables-save fails silently in unprivileged lxc/lxd container"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1064">1064</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>iptables-save fails silently in unprivileged lxc/lxd container
</td>
</tr>
<tr>
<th>Product</th>
<td>iptables
</td>
</tr>
<tr>
<th>Version</th>
<td>unspecified
</td>
</tr>
<tr>
<th>Hardware</th>
<td>x86_64
</td>
</tr>
<tr>
<th>OS</th>
<td>All
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>enhancement
</td>
</tr>
<tr>
<th>Priority</th>
<td>P5
</td>
</tr>
<tr>
<th>Component</th>
<td>iptables-save
</td>
</tr>
<tr>
<th>Assignee</th>
<td>netfilter-buglog@lists.netfilter.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>phiphi@phiphi.ch
</td>
</tr></table>
<p>
<div>
<pre>Originally reported to <a href="https://github.com/lxc/lxd/issues/1978">https://github.com/lxc/lxd/issues/1978</a>
in an unprivileged lxc container, /proc/net/ip_tables_names is not readable.
iptables-save gives no output, but returns exitcode 0.
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission
denied)
exit_group(0) = ?
+++ exited with 0 +++
iptables-save command returns no output while iptables -nL works as expected
iptables-save is required to manage firewall with Puppet inside the containers,
as puppet relies on its output for deciding with which order it should add a
rule. Currently, the last rule drop all gets added at position 0 which will
instantly block all traffic to that container.
Is it a bug, that /proc/net/ip_tables_names is not readable by unprivileged
containers? Where should this be reported?
Full strace:
root@iptables-test:~# strace iptables-save
execve("/sbin/iptables-save", ["iptables-save"], [/* 11 vars */]) = 0
brk(NULL) = 0x1e65000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f8b2320e000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20483, ...}) = 0
mmap(NULL, 20483, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8b23208000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\26\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27424, ...}) = 0
mmap(NULL, 2122496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f8b22de4000
mprotect(0x7f8b22dea000, 2093056, PROT_NONE) = 0
mmap(0x7f8b22fe9000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f8b22fe9000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\27\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27456, ...}) = 0
mmap(NULL, 2122528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f8b22bdd000
mprotect(0x7f8b22be3000, 2093056, PROT_NONE) = 0
mmap(0x7f8b22de2000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f8b22de2000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libxtables.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200/\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=51872, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f8b23207000
mmap(NULL, 2148792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f8b229d0000
mprotect(0x7f8b229db000, 2097152, PROT_NONE) = 0
mmap(0x7f8b22bdb000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f8b22bdb000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f8b22607000
mprotect(0x7f8b227c7000, 2093056, PROT_NONE) = 0
mmap(0x7f8b229c6000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7f8b229c6000
mmap(0x7f8b229cc000, 14848, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8b229cc000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0x7f8b22403000
mprotect(0x7f8b22406000, 2093056, PROT_NONE) = 0
mmap(0x7f8b22605000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f8b22605000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f8b23206000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f8b23205000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f8b23204000
arch_prctl(ARCH_SET_FS, 0x7f8b23205700) = 0
mprotect(0x7f8b229c6000, 16384, PROT_READ) = 0
mprotect(0x7f8b22605000, 4096, PROT_READ) = 0
mprotect(0x7f8b22bdb000, 4096, PROT_READ) = 0
mprotect(0x7f8b22de2000, 4096, PROT_READ) = 0
mprotect(0x7f8b22fe9000, 4096, PROT_READ) = 0
mprotect(0x613000, 4096, PROT_READ) = 0
mprotect(0x7f8b23210000, 4096, PROT_READ) = 0
munmap(0x7f8b23208000, 20483) = 0
brk(NULL) = 0x1e65000
brk(0x1e86000) = 0x1e86000
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission
denied)
exit_group(0) = ?
+++ exited with 0 +++</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>