Hi All,

I have added a networking subsystem to SB2. It is a bit like a firewall: it adds rules for controlling IP address operations, i.e. which addresses can be connected to, and which addresses listeners can use. These are the same kind of rules that are used to virtualize your filesystem namespace, but now applied to a slightly different domain.
This feature is available in version 2.3.2 in the "2.3_development" branch (http://maemo.gitorious.org/scratchbox2/). It should be considered incomplete, under-development stuff, just like everything else in the 2.3 series.

Unlike typical firewalls, which focus mostly on protecting you from unwanted incoming traffic, the primary motivation for this was to control outgoing connections. We have seen that there are really strange, unexpected outgoing connections from various places, even while building some OSS packages. So, now it is possible to execute builds like

$ sb2 -n offline dpkg-buildpackage

...and the network appears to be offline for all processes that run inside the SB2 session (but see "limitations" below). Or, you can test your software with

$ sb2 -e -n localhost ./yourprogram

...and "yourprogram" will find that it is able to connect to local addresses only.

Another useful feature is logging: set the log level to "net", and SB2 logs network-related events. Together with the "nomap" filesystem mapping mode, you can also see what ordinary programs (programs that belong to the host OS) are doing. For example:

$ sb2 -m nomap -n localhost -L net nc www.nokia.com 80

...and you should see some denied connection attempts to port 53 (DNS), at least.

The standard networking modes are "online" (the default, unless the new "-n" option is used), "offline", "localhost" and "online_privatenets". I hope the names are descriptive enough. These networking modes can be freely mixed with the filesystem mapping modes ("emulate", "simple", etc.). It should be quite straightforward to add more rulesets if needed. For example, the "online_privatenets" mode uses rules like {address = "10.0.0.0/8", allow = true}, and these should be easy to extend by anyone who has written any firewalling rules, I think.

How it works internally: SB2 attaches to the connect(), bind(), sendto() and sendmsg() functions and examines the socket address structures whenever needed.
It isn't a real firewall, which would process each IP packet separately.

Other limitations, missing things and bugs: The biggest one is that this is currently limited to IPv4 addresses. Support for IPv6 address filtering is easy to add, but won't happen immediately (unless someone volunteers to do it?). The implementation is somewhat connection-oriented: for example, receiving UDP packets with recvfrom() is still possible regardless of the networking mode. Another limitation (or a feature that would be useful but doesn't exist) is that it doesn't process names, i.e. gethostbyname(), getaddrinfo(), etc. could be handled by SB2, and then it could make decisions based on names, a somewhat higher level than what is possible with raw IP addresses. But that hasn't been implemented.

Bugs? Probably. Please send bug reports and comments, both positive and negative, to this list.

Lauri

PS. I didn't have time to update the manual page, sorry. That means that currently the documentation == this mail...

Scratchbox-devel mailing list: http://lists.scratchbox.org/cgi-bin/mailman/listinfo/scratchbox-devel
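The address check described under "How it works internally", as an added example that is not SB2's own code: a C function of the kind a connect()/bind()/sendto() wrapper would run on the socket address, with a constructed ruleset in the style of the "online_privatenets" rules. The ruleset contents, the function names, the first-match semantics and the default-deny fallback are assumptions here, not taken from SB2; non-IPv4 addresses get no decision, mirroring the IPv6 gap noted above.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* One rule in the style shown in the mail: {address = "10.0.0.0/8", allow = true}. */
struct net_rule { const char *address; bool allow; };

/* Constructed ruleset (hypothetical, not SB2's real rule file): the last rule
 * matches every address, so anything not explicitly allowed is denied. */
static const struct net_rule privatenets_rules[] = {
    {"10.0.0.0/8", true}, {"172.16.0.0/12", true}, {"192.168.0.0/16", true},
    {"127.0.0.0/8", true}, {"0.0.0.0/0", false},
};
#define N_RULES(r) (sizeof(r) / sizeof((r)[0]))

/* Parse "a.b.c.d/len" into a host-order network and mask; false on malformed input. */
static bool parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask) {
    char buf[32]; long plen = 32;
    if (strlen(cidr) >= sizeof buf) return false;
    strcpy(buf, cidr);
    char *slash = strchr(buf, '/');
    if (slash) { *slash = '\0'; plen = strtol(slash + 1, NULL, 10); }
    struct in_addr a;
    if (plen < 0 || plen > 32 || inet_pton(AF_INET, buf, &a) != 1) return false;
    *net = ntohl(a.s_addr);
    *mask = plen == 0 ? 0 : 0xFFFFFFFFu << (32 - plen);
    return true;
}
/* The check a connect()/bind()/sendto() wrapper would apply to the address.
 * Returns 1 = allow, 0 = deny, -1 = no decision (not IPv4, see the IPv6 limitation). */
int net_rule_check(const struct sockaddr *sa, socklen_t len,
                   const struct net_rule *rules, size_t n) {
    if (!sa || sa->sa_family != AF_INET || len < sizeof(struct sockaddr_in)) return -1;
    uint32_t net, mask, addr = ntohl(((const struct sockaddr_in *)sa)->sin_addr.s_addr);
    for (size_t i = 0; i < n; i++) {
        if (!parse_cidr(rules[i].address, &net, &mask)) continue; /* skip a bad rule */
        if ((addr & mask) == (net & mask)) return rules[i].allow ? 1 : 0; /* first match */
    }
    return 0; /* nothing matched: deny, the safe default for an egress filter */
}
/* Convenience: build a sockaddr_in from dotted text and run the check on it. */
int check_ipv4(const char *ip, uint16_t port, const struct net_rule *rules, size_t n) {
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) return -1;
    return net_rule_check((const struct sockaddr *)&sin, sizeof sin, rules, n);
}
```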
