Any chance that this will get rolled in to 1.29?
This could be very useful when you have a back-end network that you do not want vservers to have access to...
Grisha
On Fri, 30 Jul 2004, Herbert Poetzl wrote:
On Fri, Jul 30, 2004 at 04:28:02PM +0200, Pavel Semerad wrote:
Hello, I have been using a patch for vserver (now 1.2.28) for a long time which adds to ipt_owner the possibility to match on the vx_id of the socket owner. I use it to restrict where services running in security contexts can connect to (so when somebody breaks into a service, they cannot connect to other computers from it). It can be useful for others too, so I am sending it.
Usage: iptables -m owner --ctx-owner 0 ...
interesting ... are you the author of this patch?
why not join the irc channel (#vserver @ irc.oftc.net) and chat a little about the future implementations (ngn) and how this could/should be integrated ...
thanks, Herbert
Pavel Semerad
Patch to 2.4.26 kernel with 1.2.28 vserver:
--- ./net/ipv4/netfilter/ipt_owner.c.vs-iptables 2004-07-29 15:06:37.000000000 +0200
+++ ./net/ipv4/netfilter/ipt_owner.c 2004-07-30 15:27:10.000000000 +0200
@@ -152,8 +152,14 @@ match(const struct sk_buff *skb,
 }
 }
- if (!sk || !sk->socket || !sk->socket->file)
+ if (!sk || !sk->socket || !sk->socket->file) {
+ if (info->match == IPT_OWNER_VS && sk && sk->socket)
+ /* perhaps kernel thread -> use vx_id -1 */
+ if((-1 == info->vx_id) ^
+ !!(info->invert & IPT_OWNER_VS))
+ ret = 1;
 goto out;
+ }
if(info->match & IPT_OWNER_UID) {
 if((sk->socket->file->f_uid != info->uid) ^
@@ -185,6 +191,12 @@ match(const struct sk_buff *skb,
 goto out;
 }
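Review bot: The `!sk` case on the first line of the new block still falls through to `goto out` with `ret` unchanged (presumably 0), so locally generated packets that carry no socket never match a `--ctx-owner` rule, inverted or not; a policy written as `-m owner ! --ctx-owner N -j DROP` therefore lets such packets through, while the file-less case below is handled for the inverted form only when `--ctx-owner` is the sole criterion (`info->match == IPT_OWNER_VS`), not when it is combined with `--uid-owner` and friends. That should be stated at the top of the block so operators use the match as an allow-list in front of a default DROP, e.g. `/* no sk, or sk without a file: owner unknown. Only the ctx-only case can match (as id -1); everything else never matches, so inverted DROP rules do not see these packets. */`. The nested `if ... if ... ret = 1;` also deserves braces, because the comment sitting between the two ifs reads as the body of the first. The rest of match() lies outside the hunk.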
+ if(info->match & IPT_OWNER_VS) {
+ if((sk->vx_id != info->vx_id) ^
+ !!(info->invert & IPT_OWNER_VS))
+ goto out;
+ }
+
 ret = 1;
out:
--- ./include/linux/netfilter_ipv4/ipt_owner.h.vs-iptables 2002-11-29 00:53:15.000000000 +0100
+++ ./include/linux/netfilter_ipv4/ipt_owner.h 2004-07-29 15:11:28.000000000 +0200
@@ -7,6 +7,7 @@
 #define IPT_OWNER_PID 0x04
 #define IPT_OWNER_SID 0x08
 #define IPT_OWNER_COMM 0x10
+#define IPT_OWNER_VS 0x80
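Review bot: The comparison `sk->vx_id != info->vx_id` quietly gives `-1` in `info->vx_id` a second meaning: the file-less path earlier in match() treats `-1` as the id of a socket without a file, yet nothing in this hunk or in the userspace parser rejects `--ctx-owner -1`, so an operator can reach that case only through an unsigned-to-int wraparound and nothing stops a real context id from colliding with the sentinel. Either reject -1 in the parser or document it as reserved at the comparison, e.g. `/* -1 is reserved: the file-less path above matches on it, so it must never be a real context id */`. `info->vx_id` is an `int` (header hunk) while the type of `sk->vx_id` is not visible here; if it is unsigned the comparison only works for -1 because of integer promotion, so the two should be given the same type. match()'s epilogue after `out:` is outside the hunk.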
struct ipt_owner_info {
 uid_t uid;
@@ -14,6 +15,7 @@ struct ipt_owner_info {
 pid_t pid;
 pid_t sid;
 char comm[16];
+ int vx_id;
 u_int8_t match, invert; /* flags */
 };
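Review bot: `IPT_OWNER_VS 0x80` skips 0x20 and 0x40 without saying why; if the gap is meant to keep this out-of-tree bit clear of flags upstream may add, write that down, e.g. `#define IPT_OWNER_VS 0x80 /* vserver context id; high bit, kept clear of upstream flags */`. Since `match` and `invert` are `u_int8_t` in the struct hunk below, 0x80 is also the last free bit, which is worth noting for whoever adds the next flag.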
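Review bot: Inserting `int vx_id` ahead of `match, invert` changes both the size and the layout of `struct ipt_owner_info`, which is the kernel/userspace ABI of this match, so a stock iptables talking to a patched kernel (or the reverse) disagrees on where `match` and `invert` live. If the kernel's checkentry() compares matchsize against `IPT_ALIGN(sizeof(struct ipt_owner_info))` — not visible in these hunks — the mismatch is rejected rather than misread, which is the safe outcome, but that dependency belongs next to the field: `int vx_id; /* vserver context id; changes the match ABI - kernel and iptables headers must be built from the same tree */`. Appending the field after `invert` would at least keep the offsets of the existing fields stable.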
And patch to iptables:
--- ./extensions/libipt_owner.c.ps 2003-01-06 13:40:33.000000000 +0100
+++ ./extensions/libipt_owner.c 2003-06-04 14:24:55.000000000 +0200
@@ -22,6 +22,7 @@ help(void)
 "[!] --pid-owner processid Match local pid\n"
 "[!] --sid-owner sessionid Match local sid\n"
 "[!] --cmd-owner name Match local command name\n"
+"[!] --ctx-owner ctx Match local security context\n"
 "\n",
 IPTABLES_VERSION);
 #else
@@ -31,6 +32,7 @@ IPTABLES_VERSION);
 "[!] --gid-owner groupid Match local gid\n"
 "[!] --pid-owner processid Match local pid\n"
 "[!] --sid-owner sessionid Match local sid\n"
+"[!] --ctx-owner ctx Match local security context\n"
 "\n",
 IPTABLES_VERSION);
 #endif /* IPT_OWNER_COMM */
@@ -44,6 +46,7 @@ static struct option opts[] = {
 #ifdef IPT_OWNER_COMM
 { "cmd-owner", 1, 0, '5' },
 #endif
+ { "ctx-owner", 1, 0, '6' },
 {0}
 };
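Review bot: The new `{ "ctx-owner", 1, 0, '6' }` entry is added unconditionally, unlike the `cmd-owner` entry two lines above it that sits inside `#ifdef IPT_OWNER_COMM`, and the two help lines in the earlier hunks are unconditional too. Built against a kernel header that lacks `IPT_OWNER_VS` (any unpatched tree) the option is advertised in the help text but the parse case that uses `IPT_OWNER_VS` and `ownerinfo->vx_id` cannot compile, so the extension as a whole breaks. Guard all three additions the same way, `#ifdef IPT_OWNER_VS` … `#endif`, so the extension keeps building and never offers an option the running kernel cannot enforce.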
@@ -136,6 +139,17 @@ parse(int c, char **argv, int invert, un
 break;
 #endif
+ case '6':
+ check_inverse(optarg, &invert, &optind, 0);
+ ownerinfo->vx_id = strtoul(optarg, &end, 0);
+ if (*end != '\0' || end == optarg)
+ exit_error(PARAMETER_PROBLEM, "Bad OWNER CTX value `%s'", optarg);
+ if (invert)
+ ownerinfo->invert |= IPT_OWNER_VS;
+ ownerinfo->match |= IPT_OWNER_VS;
+ *flags = 1;
+ break;
+
 default:
 return 0;
 }
@@ -188,6 +202,9 @@ print_item(struct ipt_owner_info *info,
 printf("%.*s ", (int)sizeof(info->comm), info->comm);
 break;
 #endif
+ case IPT_OWNER_VS:
+ printf("%d ", info->vx_id);
+ break;
 default:
 break;
 }
@@ -218,6 +235,7 @@ print(const struct ipt_ip *ip,
 #ifdef IPT_OWNER_COMM
 print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
 #endif
+ print_item(info, IPT_OWNER_VS, numeric, "OWNER CTX match ");
 }
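Review bot: `ownerinfo->vx_id = strtoul(optarg, &end, 0)` stores an `unsigned long` into an `int` with no range check, so `--ctx-owner 4294967296` on a 64-bit build (or any value above INT_MAX) is accepted and silently truncated — possibly to 0, the host context — and `strtoul` also accepts negative input such as `-1`, which the kernel side treats as the id of a file-less socket; `errno` is never checked for ERANGE either. Validate the range before the store, and if matching the file-less case is really wanted accept the literal `-1` explicitly rather than through wraparound. This needs `<errno.h>` and `<limits.h>` if the file does not already include them, and it assumes `end` is the `char *` the other cases already pass to strtoul; parse()'s signature and the other cases are outside the hunk.
```c
	case '6': {
		unsigned long ctx;

		check_inverse(optarg, &invert, &optind, 0);
		errno = 0;
		ctx = strtoul(optarg, &end, 0);
		/* refuse anything that would not survive the store into `int vx_id':
		 * silent truncation could turn a typo into context 0 (the host) */
		if (*end != '\0' || end == optarg || errno == ERANGE || ctx > INT_MAX)
			exit_error(PARAMETER_PROBLEM,
				   "Bad OWNER CTX value `%s'", optarg);
		ownerinfo->vx_id = (int)ctx;
		/* … unchanged: invert / match / *flags handling … */
		break;
	}
```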
/* Saves the union ipt_matchinfo in parsable form to stdout. */
@@ -233,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
 #ifdef IPT_OWNER_COMM
 print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
 #endif
+ print_item(info, IPT_OWNER_VS, 0, "--ctx-owner ");
 }
static
_______________________________________________ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver_______________________________________________ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver