Re: [Vserver] ipt_owner patch for vserver

2004-08-05 Thread Gregory (Grisha) Trubetskoy
Any chance that this will get rolled in to 1.29?
This could be very useful when you have a back-end network that you do not 
want vservers to have access to...

Grisha
On Fri, 30 Jul 2004, Herbert Poetzl wrote:
On Fri, Jul 30, 2004 at 04:28:02PM +0200, Pavel Semerad wrote:
Hello,
I have been using a patch for vserver (now 1.2.28) for a long time which
adds to ipt_owner the possibility to match the vx_id of the socket owner. I am using it
to restrict where services in security contexts can connect to (so when
somebody breaks into a service, he cannot connect to other computers).
It can be useful for others as well, so I am sending it.
Usage:
iptables -m owner --ctx-owner 0 ...
interesting ... are you the author of this patch?
why not join the irc channel (#vserver @ irc.oftc.net)
and chat a little about the future implementations
(ngn) and how this could/should be integrated ...
thanks,
Herbert
Pavel Semerad
Patch to 2.4.26 kernel with 1.2.28 vserver:
--- ./net/ipv4/netfilter/ipt_owner.c.vs-iptables2004-07-29 15:06:37.0 
+0200
+++ ./net/ipv4/netfilter/ipt_owner.c2004-07-30 15:27:10.0 +0200
@@ -152,8 +152,14 @@ match(const struct sk_buff *skb,
}
}
-   if (!sk || !sk-socket || !sk-socket-file)
+   if (!sk || !sk-socket || !sk-socket-file) {
+   if (info-match == IPT_OWNER_VS  sk  sk-socket)
+   /* perhaps kernel thread - use vx_id -1 */
+   if((-1 == info-vx_id) ^
+   !!(info-invert  IPT_OWNER_VS))
+   ret = 1;
goto out;
+   }
if(info-match  IPT_OWNER_UID) {
if((sk-socket-file-f_uid != info-uid) ^
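Review bot: In the new file-less-socket branch the match is decided solely from the rule's own value (`-1 == info->vx_id`) and `sk->vx_id` is never consulted, so every socket that has a `socket` but no `file` is treated as context -1 whatever context actually owns it; the later hunk reads `sk->vx_id` with no further precondition, so comparing it here looks possible and would be more precise, and the `info->match == IPT_OWNER_VS` equality additionally means a rule that combines `--ctx-owner -1` with a uid/gid criterion can never match such sockets (assuming `ret` starts at 0, which is set outside the hunk). The comment line sits between the outer brace-less `if` and its nested `if`, which is easy to misread; bracing it, `if (info->match == IPT_OWNER_VS && sk && sk->socket) { /* perhaps kernel thread - use vx_id -1 */ if (...) ret = 1; }`, would make the nesting explicit. match() starts and ends outside the hunk, and the archive rendering has dropped the `->` and `&&` operators throughout the patch. The same hunks appear again in the original posting further down the page; these remarks apply there too.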
@@ -185,6 +191,12 @@ match(const struct sk_buff *skb,
goto out;
}
+   if(info-match  IPT_OWNER_VS) {
+   if((sk-vx_id != info-vx_id) ^
+   !!(info-invert  IPT_OWNER_VS))
+   goto out;
+   }
+
ret = 1;
 out:
--- ./include/linux/netfilter_ipv4/ipt_owner.h.vs-iptables  2002-11-29 
00:53:15.0 +0100
+++ ./include/linux/netfilter_ipv4/ipt_owner.h  2004-07-29 15:11:28.0 +0200
@@ -7,6 +7,7 @@
 #define IPT_OWNER_PID  0x04
 #define IPT_OWNER_SID  0x08
 #define IPT_OWNER_COMM 0x10
+#define IPT_OWNER_VS   0x80
 struct ipt_owner_info {
 uid_t uid;
@@ -14,6 +15,7 @@ struct ipt_owner_info {
 pid_t pid;
 pid_t sid;
 char comm[16];
+int vx_id;
 u_int8_t match, invert;/* flags */
 };
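Review bot: The new `int vx_id;` field carries no comment although the kernel side gives -1 a special meaning (sockets without a file are matched as context -1) and the iptables side fills it from strtoul(); `int vx_id; /* context id to match; -1 also matches sockets with no file, see match() */` would record that contract in the one place both consumers read. Inserting the field before `match, invert` also changes the layout of `struct ipt_owner_info`, which is shared between the kernel module and the iptables extension, so both must be rebuilt from the same header — worth a line in the posting. The struct hunk is repeated in the original posting further down the page.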

And patch to iptables:
--- ./extensions/libipt_owner.c.ps  2003-01-06 13:40:33.0 +0100
+++ ./extensions/libipt_owner.c 2003-06-04 14:24:55.0 +0200
@@ -22,6 +22,7 @@ help(void)
 [!] --pid-owner processid  Match local pid\n
 [!] --sid-owner sessionid  Match local sid\n
 [!] --cmd-owner name   Match local command name\n
+[!] --ctx-owner ctxMatch local security context\n
 \n,
 IPTABLES_VERSION);
 #else
@@ -31,6 +32,7 @@ IPTABLES_VERSION);
 [!] --gid-owner groupidMatch local gid\n
 [!] --pid-owner processid  Match local pid\n
 [!] --sid-owner sessionid  Match local sid\n
+[!] --ctx-owner ctxMatch local security context\n
 \n,
 IPTABLES_VERSION);
 #endif /* IPT_OWNER_COMM */
@@ -44,6 +46,7 @@ static struct option opts[] = {
 #ifdef IPT_OWNER_COMM
{ cmd-owner, 1, 0, '5' },
 #endif
+   { ctx-owner, 1, 0, '6' },
{0}
 };
@@ -136,6 +139,17 @@ parse(int c, char **argv, int invert, un
break;
 #endif
+   case '6':
+   check_inverse(optarg, invert, optind, 0);
+   ownerinfo-vx_id = strtoul(optarg, end, 0);
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM, Bad OWNER CTX value `%s', 
optarg);
+   if (invert)
+   ownerinfo-invert |= IPT_OWNER_VS;
+   ownerinfo-match |= IPT_OWNER_VS;
+   *flags = 1;
+   break;
+
default:
return 0;
}
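Review bot: The `strtoul(optarg, &end, 0)` result is stored into an `int` (`vx_id` in the header hunk) with no ERANGE or range check, so out-of-range input wraps into an unrelated context id instead of being rejected, and `-1` — the value the kernel side treats specially — is only accepted through strtoul's implicit negation. Parsing with strtol() and checking errno and the int range before the assignment keeps the existing error message and rejects everything that does not fit the field; `<errno.h>` and `<limits.h>` would need to be included if they are not already (outside the hunk). `end` is presumably the `char *end` the other cases already use, declared outside the hunk, and parse() itself begins and ends outside the hunk. The same hunk is quoted again in the original posting further down the page.
```c
	case '6':
		check_inverse(optarg, invert, optind, 0);
		errno = 0;
		{
			long ctx = strtol(optarg, &end, 0);
			if (*end != '\0' || end == optarg || errno == ERANGE
			    || ctx < INT_MIN || ctx > INT_MAX)
				exit_error(PARAMETER_PROBLEM, "Bad OWNER CTX value `%s'",
					   optarg);
			ownerinfo->vx_id = (int)ctx;
		}
		/* … unchanged: invert/match flag updates, *flags = 1, break … */
```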
@@ -188,6 +202,9 @@ print_item(struct ipt_owner_info *info,
printf(%.*s , (int)sizeof(info-comm), info-comm);
break;
 #endif
+   case IPT_OWNER_VS:
+   printf(%d , info-vx_id);
+   break;
default:
break;
}
@@ -218,6 +235,7 @@ print(const struct ipt_ip *ip,
 #ifdef IPT_OWNER_COMM
print_item(info, IPT_OWNER_COMM, numeric, OWNER CMD match );
 #endif
+   print_item(info, IPT_OWNER_VS, numeric, OWNER CTX match );
 }
 /* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -233,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
 #ifdef IPT_OWNER_COMM
print_item(info, IPT_OWNER_COMM, 0, --cmd-owner );
 #endif
+   print_item(info, IPT_OWNER_VS, 0, --ctx-owner );
 }
 static

[Vserver] ipt_owner patch for vserver

2004-07-30 Thread Pavel Semerad

Hello,
I have been using a patch for vserver (now 1.2.28) for a long time which
adds to ipt_owner the possibility to match the vx_id of the socket owner. I am using it
to restrict where services in security contexts can connect to (so when
somebody breaks into a service, he cannot connect to other computers).
It can be useful for others as well, so I am sending it.

Usage:
iptables -m owner --ctx-owner 0 ...


Pavel Semerad


Patch to 2.4.26 kernel with 1.2.28 vserver:

--- ./net/ipv4/netfilter/ipt_owner.c.vs-iptables2004-07-29 15:06:37.0 
+0200
+++ ./net/ipv4/netfilter/ipt_owner.c2004-07-30 15:27:10.0 +0200
@@ -152,8 +152,14 @@ match(const struct sk_buff *skb,
}
} 

-   if (!sk || !sk-socket || !sk-socket-file)
+   if (!sk || !sk-socket || !sk-socket-file) {
+   if (info-match == IPT_OWNER_VS  sk  sk-socket)
+   /* perhaps kernel thread - use vx_id -1 */
+   if((-1 == info-vx_id) ^
+   !!(info-invert  IPT_OWNER_VS))
+   ret = 1;
goto out;
+   }
 
if(info-match  IPT_OWNER_UID) {
if((sk-socket-file-f_uid != info-uid) ^
@@ -185,6 +191,12 @@ match(const struct sk_buff *skb,
goto out;
}
 
+   if(info-match  IPT_OWNER_VS) {
+   if((sk-vx_id != info-vx_id) ^
+   !!(info-invert  IPT_OWNER_VS))
+   goto out;
+   }
+
ret = 1;
 
 out:
--- ./include/linux/netfilter_ipv4/ipt_owner.h.vs-iptables  2002-11-29 
00:53:15.0 +0100
+++ ./include/linux/netfilter_ipv4/ipt_owner.h  2004-07-29 15:11:28.0 +0200
@@ -7,6 +7,7 @@
 #define IPT_OWNER_PID  0x04
 #define IPT_OWNER_SID  0x08
 #define IPT_OWNER_COMM 0x10
+#define IPT_OWNER_VS   0x80
 
 struct ipt_owner_info {
 uid_t uid;
@@ -14,6 +15,7 @@ struct ipt_owner_info {
 pid_t pid;
 pid_t sid;
 char comm[16];
+int vx_id;
 u_int8_t match, invert;/* flags */
 };
 


And patch to iptables:

--- ./extensions/libipt_owner.c.ps  2003-01-06 13:40:33.0 +0100
+++ ./extensions/libipt_owner.c 2003-06-04 14:24:55.0 +0200
@@ -22,6 +22,7 @@ help(void)
 [!] --pid-owner processid  Match local pid\n
 [!] --sid-owner sessionid  Match local sid\n
 [!] --cmd-owner name   Match local command name\n
+[!] --ctx-owner ctxMatch local security context\n
 \n,
 IPTABLES_VERSION);
 #else
@@ -31,6 +32,7 @@ IPTABLES_VERSION);
 [!] --gid-owner groupidMatch local gid\n
 [!] --pid-owner processid  Match local pid\n
 [!] --sid-owner sessionid  Match local sid\n
+[!] --ctx-owner ctxMatch local security context\n
 \n,
 IPTABLES_VERSION);
 #endif /* IPT_OWNER_COMM */
@@ -44,6 +46,7 @@ static struct option opts[] = {
 #ifdef IPT_OWNER_COMM
{ cmd-owner, 1, 0, '5' },
 #endif
+   { ctx-owner, 1, 0, '6' },
{0}
 };
 
@@ -136,6 +139,17 @@ parse(int c, char **argv, int invert, un
break;
 #endif
 
+   case '6':
+   check_inverse(optarg, invert, optind, 0);
+   ownerinfo-vx_id = strtoul(optarg, end, 0);
+   if (*end != '\0' || end == optarg)
+   exit_error(PARAMETER_PROBLEM, Bad OWNER CTX value `%s', 
optarg);
+   if (invert)
+   ownerinfo-invert |= IPT_OWNER_VS;
+   ownerinfo-match |= IPT_OWNER_VS;
+   *flags = 1;
+   break;
+
default:
return 0;
}
@@ -188,6 +202,9 @@ print_item(struct ipt_owner_info *info, 
printf(%.*s , (int)sizeof(info-comm), info-comm);
break;
 #endif
+   case IPT_OWNER_VS:
+   printf(%d , info-vx_id);
+   break;
default:
break;
}
@@ -218,6 +235,7 @@ print(const struct ipt_ip *ip,
 #ifdef IPT_OWNER_COMM
print_item(info, IPT_OWNER_COMM, numeric, OWNER CMD match );
 #endif
+   print_item(info, IPT_OWNER_VS, numeric, OWNER CTX match );
 }
 
 /* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -233,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
 #ifdef IPT_OWNER_COMM
print_item(info, IPT_OWNER_COMM, 0, --cmd-owner );
 #endif
+   print_item(info, IPT_OWNER_VS, 0, --ctx-owner );
 }
 
 static


Re: [Vserver] ipt_owner patch for vserver [scanned]

2004-07-30 Thread Veit Wahlich
Hi Pavel!

I gave lectures about virtualization and the current stable branch of
vservers at CCC-Z23/CCC-RP, where I had to refer to by-IP chains for each
vserver for both incoming and outgoing packets, and I had to admit it
becomes impracticable when using CAP_NET_RAW or shared IPs.

The only useful idea to solve this problem was exactly what you
implemented now. Since that time extending ipt_owner was one thing on my
todo list... Great thing, thank you. :)

@Herbert:
What about exporting environment variables containing useful data (read:
at least the context id) when /etc/vservers/*.sh are executed? Doing so we
could exec some kind of iptables wrapper from *.sh or configure iptables
directly from *.sh without the need of using fixed context ids. This
also satisfies other per-context-id configuration needs.
Maybe this is already done but I have not noticed yet... ;)

Best regards,
// Veit
