[Bug 847] New: Owner matching fails on listening socket
bugzilla-daemon at netfilter.org
Sat Aug 24 13:15:11 CEST 2013
https://bugzilla.netfilter.org/show_bug.cgi?id=847
Summary: Owner matching fails on listening socket
Product: netfilter/iptables
Version: unspecified
Platform: x86_64
OS/Version: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ip_tables (kernel)
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: phil at sanewall.org
Estimated Hours: 0.0
It seems the netfilter matching of socket owner by UID has changed between
kernel v3.2 and v3.10.
In 3.2 the owner would be matched whether the connection was initiated
from the firewall host or from the remote host.
In 3.10 the UID is matched only when the connection is initiated from
the firewall host. The UID associated with the socket appears to not be
that of the process which is listening for connections.
Error results
*************
Tested were the wheezy and wheezy-backports kernels:
3.2.0-4-amd64
and:
3.10-0.bpo.2-amd64
Both with iptables v1.4.14
This was originally reported to me between two hosts, but works equally
well on the loopback device.
Using a single user for both listener and connector, and starting with
an empty firewall with everything set to ACCEPT:
$ id -u
1000
Test 1a - Works on both 3.2 and 3.10
------------------------------------
Verify connection without any firewall rules.
Start a listener on port 8889 and start a connection from source
port 8888.
Connection established and data flows.
$ nc -l -p 8889 | nc -p 8888 127.0.0.1 8889
| I can send data!
I can send data! |
| ^C
Test 1b - Works on both 3.2 and 3.10
------------------------------------
Verify connection without any firewall rules.
Start a listener on port 8888 and start a connection from source
port 8889.
Connection established and data flows.
$ nc -l -p 8888 | nc -p 8889 127.0.0.1 8888
| I can still send data!
I can still send data! |
| ^C
Setup firewall rule
-------------------
A single rule which should stop any TCP packets from source port 8888
by our uid.
sudo iptables -t filter -A OUTPUT -p tcp --sport 8888 \
-m owner --uid-owner 1000 -j REJECT
Test 2a - works on both 3.2 and 3.10
------------------------------------
Verify packets blocked by firewall rule.
Start a listener on port 8889 and start a connection from source
port 8888.
Connection refused because our SYN packet is rejected.
$ nc -l -p 8889 | nc -p 8888 127.0.0.1 8889
| (UNKNOWN) [127.0.0.1] 8889 (?) : Connection refused
^C |
Test 2b - works on 3.2 but not 3.10
-----------------------------------
Verify packets blocked by firewall rule.
Start a listener on port 8888 and start a connection from source
port 8889.
3.2: connection prevented (SYN ACK dropped)
$ nc -l -p 8888 | $ nc -p 8889 127.0.0.1 8888
| ^C (gave up)
3.10: can still connect and send data
$ nc -l -p 8888 | $ nc -p 8889 127.0.0.1 8888
| Still sending...!
Still sending...! |
| ^C
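The four tests above as a small Python harness, added here and not part of the bug report, so both directions can be re-checked on a given kernel before and after loading the rule: with no rule both directions return True; with the rule loaded, a kernel that matches the listener's owner returns False for both, while the 3.10 behaviour described gives True for the SYN-ACK direction. It assumes loopback and, in the second direction, leaves the connector's source port ephemeral rather than 8889 (only the listener's port 8888 is what the rule matches), so the two runs do not share a TIME_WAIT 4-tuple.

```python
import socket
import threading

HOST = "127.0.0.1"               # loopback, as in the report
PAYLOAD = b"I can send data!\n"  # constructed sample payload

def exchange(listen_port, source_port=None, timeout=2.0):
    """Listen on listen_port, connect to it (from source_port, else ephemeral)
    and send PAYLOAD. True if it arrives; False if refused or stalled."""
    received = []
    def listener(srv):
        try:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(timeout)
                received.append(conn.recv(len(PAYLOAD)))
        except OSError:  # accept/recv timed out: nothing arrived
            pass

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.settimeout(timeout)
    srv.bind((HOST, listen_port))
    srv.listen(1)
    t = threading.Thread(target=listener, args=(srv,))
    t.start()

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    cli.settimeout(timeout)
    try:
        if source_port is not None:
            cli.bind((HOST, source_port))
        cli.connect((HOST, listen_port))  # refused here if the SYN is REJECTed
        cli.sendall(PAYLOAD)
    except OSError:
        pass
    finally:
        cli.close()
    t.join(timeout + 1)
    srv.close()
    return received == [PAYLOAD]

def run_matrix():
    # Keys name the packet that carries sport 8888 and would hit the rule.
    return {
        "syn_from_8888": exchange(8889, source_port=8888),  # Tests 1a / 2a
        "synack_from_8888": exchange(8888),                  # Tests 1b / 2b
    }
```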
Extra Info
**********
There is only one commit in the owner matching code:
git log v3.2..v3.10 -- net/netfilter/xt_owner.c
(which was applied for v3.7).
commit 26711a791effbea125fea4284f4d1c4fa8f7bc73
Author: Eric W. Biederman <ebiederm at xmission.com>
Date: Thu Feb 2 17:33:59 2012 -0800
userns: xt_owner: Add basic user namespace support.
- Only allow adding matches from the initial user namespace
- Add the appropriate conversion functions to handle matches
against sockets in other user namespaces.