User-space queueing

Chris Wilson chris@netservers.co.uk
Fri, 15 Feb 2002 18:49:17 +0000 (GMT)


Hello, kind Netfilter developers,

First of all, thanks again for writing and supporting Netfilter, which 
is by far the best packet filter I have ever worked with.

Secondly, we have been implementing the IDS gateway described at 
http://w3.cablespeed.com/~rvmcmil/IDSGateway/idgateway.htm, which uses 
libipq to feed packets into Snort. It seems to work very well, but for one 
problem: Snort cannot drop privileges in this mode.

The problem is that ip_queue.c is very strict on security checks, 
and will not accept a verdict message from user space unless the 
sending process _currently_ has CAP_NET_ADMIN. I think that may be a 
little paranoid, and might actually reduce security in this case, because 
it forces Snort to stay root in order to use the netlink socket.

So, I wrote a small patch to the ip_queue module, which only checks 
CAP_NET_ADMIN when the pid of the peer changes (I'm assuming that this 
only happens when a new peer connects). Then, Snort can open the 
netlink socket as root, and drop privileges, and still work properly. I 
have briefly tested it and verified that Snort works properly running as a 
normal user.

I very much hope you will consider the patch or the patched ip_queue.c for 
inclusion in the standard Netfilter distribution. The patch is attached 
below.

Thanks again,
Chris Wilson.

--- linux/net/ipv4/netfilter/ip_queue.c Sun Sep 30 20:26:08 2001
+++ linux-2.4.17-CHRIS/net/ipv4/netfilter/ip_queue.c    Fri Feb 15 
18:46:29 2002@@ -517,5 +517,6 @@
        if (type <= IPQM_BASE)
                return;
-       if(!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
+       if (nlq->peer.pid != nlh->nlmsg_pid &&
+           !cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
                RCV_SKB_FAIL(-EPERM);
        if (nlq->peer.pid && !nlq->peer.died
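Review bot: the exemption in this hunk keys off `nlh->nlmsg_pid`, which is the pid field the sender writes into its own netlink message header, not the pid the kernel attributes to the sending socket, so any local process that can send on this socket can copy the current peer's pid into nlmsg_pid and have its verdicts accepted without CAP_NET_ADMIN; the kernel-attributed sender pid is NETLINK_CB(skb).pid, next to the eff_cap field this check already reads, and that is the value the comparison should use. The condition is also open before any peer has registered: with nlq->peer.pid still 0, a message whose nlmsg_pid is 0 satisfies the equality and skips the capability check entirely, so at minimum guard the exemption with `nlq->peer.pid &&` (mirroring the `nlq->peer.pid && !nlq->peer.died` test two lines below). Since this relaxes a per-message privilege check, a one-line comment stating the intended policy (first message from a new pid needs CAP_NET_ADMIN, later messages from the same pid do not) would help the next reader.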

-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |

[Attachment: ip_queue.c.uid-check.patch (text/plain)]
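As an added example (not code from the message, from Snort, or from the netfilter tree), this is the open-as-root-then-drop sequence the message relies on, written in C. The queue socket is opened while the process still has CAP_NET_ADMIN, then the process switches to an unprivileged uid/gid in the one order that works (supplementary groups, gid, uid), verifies the switch, and proves root cannot be regained. The already-open descriptor survives the switch, which is why the remaining obstacle is ip_queue's per-message capability check discussed above. The target id 65534, the AF_NETLINK/NETLINK_FIREWALL fallback definitions, and the use of fcntl() to show the descriptor is still open are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef AF_NETLINK
#define AF_NETLINK 16        /* Linux value; assumed when the headers lack it */
#endif
#ifndef NETLINK_FIREWALL
#define NETLINK_FIREWALL 3   /* the 2.4-era ip_queue protocol number */
#endif

/* Open the ip_queue netlink socket. Must run before privileges are dropped.
 * Returns the descriptor, or -1 with errno set (EPROTONOSUPPORT on kernels
 * without the ip_queue module). */
int open_queue_socket(void)
{
    return socket(AF_NETLINK, SOCK_RAW, NETLINK_FIREWALL);
}

/* Permanently switch to an unprivileged uid/gid: supplementary groups first
 * (only possible while still root), then gid, then uid. Afterwards verify
 * every id and confirm that setuid(0) is refused, i.e. the saved uid no
 * longer grants a way back. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {                     /* refuse a "drop" that keeps root */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)               /* gid before uid: needs privilege */
        return -1;
    if (setuid(uid) != 0)               /* as root this sets real, effective and saved uid */
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    if (setuid(0) == 0) {               /* must fail: no privileged saved uid remains */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    int fd = open_queue_socket();
    if (fd < 0)
        printf("ip_queue socket unavailable: %s\n", strerror(errno));
    else
        printf("queue socket fd %d opened as uid %d\n", fd, (int)getuid());

    /* Assumed target: 65534 is the conventional "nobody" id; a real daemon
     * would look the account up with getpwnam(). When not started as root,
     * re-assert the ids we already hold so the same checks still run. */
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0) {
        printf("drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid %d gid %d; queue fd still open: %s\n",
           (int)getuid(), (int)getgid(),
           (fd >= 0 && fcntl(fd, F_GETFD) != -1) ? "yes" : "no");
    return 0;
}
```

Run it as root on a kernel that has ip_queue and the descriptor opened in the first step stays usable after the switch; what the unpatched module then rejects with -EPERM is each verdict message, because ip_queue re-evaluates the sender's current effective capabilities per message rather than trusting the open socket.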