[Bug 1210] New: nftables gets confused by user namespaces when meta skuid is used
bugzilla-daemon at netfilter.org
Thu Jan 4 12:48:30 CET 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1210
Bug ID: 1210
Summary: nftables gets confused by user namespaces when meta skuid is used
Product: nftables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: bugz at yalis.fr
(for reference: https://github.com/systemd/systemd/issues/7800)
### Versions the issue has been seen with
linux v4.14.9
nftables v0.8
systemd v236.0
OS: Up-to-date Archlinux (as of 2017-12-31)
### Expected behaviour
`sudo -u exim telnet smtp.bbox.fr 25` should be able to connect.
### Actual behaviour
`sudo -u exim telnet smtp.bbox.fr 25` times out.
### Steps to reproduce the problem
The setup is such:
* Archlinux host
* Archlinux systemd-nspawn guest (named `seuil3`), launched with the standard `systemd-nspawn@.service` launcher, plus the following drop-in:
```
[Service]
ExecStart=
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=guest -U --settings=override --machine=%i
```
By replacing `-U` (== with user namespace) with `--private-users=0 --private-users-chown` (== without user namespace) in the drop-in, the above `telnet` works.
#### Host-specific configuration
`/etc/systemd/nspawn/seuil3.nspawn`:
```
[Exec]
NotifyReady=yes
Capability=CAP_NET_ADMIN
[Network]
Bridge=wire
```
`/etc/systemd/network/wired.network`:
```
[Match]
Name=en*
[Network]
Bridge=wire
```
`/etc/systemd/network/bridge.netdev`:
```
[NetDev]
Name=wire
Kind=bridge
```
`/etc/systemd/network/bridge.network`:
```
[Match]
Name=wire
[Network]
IPForward=yes
Address=XXX.XXX.XXX.aaa/mm
Gateway=XXX.XXX.XXX.1
```
Outgoing nftables rules:
```
chain FilterOut {
type filter hook output priority 0
policy accept
}
```
#### Guest-specific configuration
`/etc/systemd/network/00-wired.network`:
```
[Match]
Name=host*
Virtualization=container
[Network]
Address=XXX.XXX.XXX.bbb/mm
Gateway=XXX.XXX.XXX.1
LLDP=yes
EmitLLDP=customer-bridge
```
Outgoing nftables rules:
```
chain FilterOut {
type filter hook output priority 0
policy drop
ct state {established, related} accept
meta oif lo accept
ip daddr /* LAN, DNS, NTP… */ accept
…
meta skuid exim tcp dport 25 accept
}
```
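The report above only states that the `meta skuid exim` rule stops matching once the guest runs in a user namespace. The script below is an added example, not part of the bug report or of nftables; it assumes that the uid attached to a socket is compared from the host/initial user namespace, while `nft` run inside the `-U` guest resolves `exim` against the guest's own passwd database. It translates a guest uid through a uid_map in the `inner outer count` format of `/proc/<pid>/uid_map` so the two numbers can be put side by side; the uid_map and passwd excerpt are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumption: `meta skuid` is compared
# against the uid the host/initial user namespace sees on the socket, while nft
# run inside the -U guest resolves "exim" via the guest's own /etc/passwd.
# map_uid translates a guest uid through a uid_map in the same "inner outer count"
# format as /proc/<pid>/uid_map, so both numbers can be compared side by side.

# Constructed uid_map of a systemd-nspawn -U guest: 65536 ids starting at 1441792
SAMPLE_UID_MAP='0 1441792 65536'
# Constructed guest /etc/passwd excerpt (uid 79 is the Arch Linux exim uid)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
exim:x:79:79:Exim MTA:/var/spool/exim:/usr/bin/nologin'

# map_uid INNER_UID [UID_MAP_TEXT]: print the outer uid, or "unmapped" with exit 1
map_uid() {
    inner=$1
    map=${2:-$SAMPLE_UID_MAP}
    # the here-document keeps the loop in the current shell, so `return` works
    while read -r start outer count; do
        [ -z "$start" ] && continue
        if [ "$inner" -ge "$start" ] && [ "$inner" -lt $((start + count)) ]; then
            echo $((outer + inner - start))
            return 0
        fi
    done <<EOF
$map
EOF
    echo unmapped
    return 1
}

# uid_of NAME [PASSWD_TEXT]: resolve a user name the way nft does when it parses
# "meta skuid exim" inside the guest, i.e. against the guest's passwd database
uid_of() {
    printf '%s\n' "${2:-$SAMPLE_PASSWD}" |
        awk -F: -v n="$1" '$1 == n { print $3; found = 1 } END { exit !found }'
}

# guest_vs_host_uid NAME: show the uid the rule was written for next to the uid
# the kernel attaches to that user's sockets when seen from the host side
guest_vs_host_uid() {
    guest_uid=$(uid_of "$1") || { echo "no such user: $1" >&2; return 2; }
    host_uid=$(map_uid "$guest_uid")
    printf 'guest uid %s -> host uid %s\n' "$guest_uid" "$host_uid"
}

guest_vs_host_uid exim
```

On a live system, pass the contents of `/proc/<pid>/uid_map` of the container's init process (the Leader pid shown by `machinectl status seuil3`) as the second argument of `map_uid` instead of the constructed sample.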