Re: ipt_owner patch fo vserver

Any chance that this will get rolled in to 1.29?

This could be very useful when you have a back-end network that you do not 
vservers to have access to...

Grisha


On Fri, 30 Jul 2004, Herbert Poetzl wrote:

> On Fri, Jul 30, 2004 at 04:28:02PM +0200, Pavel Semerad wrote:
> > Hello,
> > I am long time using patch for vserver (now 1.2.28), which
> > adds to ipt_owner possibility to match vx_id of socket owner. I am using it
> > to restrict where services in security contexts can connect to (so when
> > somebody breaks into service, he cannot connect to other computer).
> > It can be usefull also for others, so sending it.
> >
> > Usage:
> > iptables -m owner --ctx-owner 0 ...
>
> interesting ... are you the author of this patch?
>
> why not join the irc channel (#vserver @ irc.oftc.net)
> and chat a little about the future implementations
> (ngn) and how this could/should be integrated ...
>
> thanks,
> Herbert
>
> > Pavel Semerad
> >
> > Patch to 2.4.26 kernel with 1.2.28 vserver:
> >
> > --- ./net/ipv4/netfilter/ipt_owner.c.vs-iptables        2004-07-29 
> > 15:06:37.000000000 +0200
> > +++ ./net/ipv4/netfilter/ipt_owner.c    2004-07-30 15:27:10.000000000 +0200
> > @@ -152,8 +152,14 @@ match(const struct sk_buff *skb,
> >                 }
> >         }
> >
> > -       if (!sk || !sk->socket || !sk->socket->file)
> > +       if (!sk || !sk->socket || !sk->socket->file) {
> > +               if (info->match == IPT_OWNER_VS && sk && sk->socket)
> > +                       /* perhaps kernel thread -> use vx_id -1 */
> > +                       if((-1 == info->vx_id) ^
> > +                           !!(info->invert & IPT_OWNER_VS))
> > +                               ret = 1;
> >                 goto out;
> > +       }
> >
> >         if(info->match & IPT_OWNER_UID) {
> >                 if((sk->socket->file->f_uid != info->uid) ^
> > @@ -185,6 +191,12 @@ match(const struct sk_buff *skb,
> >                         goto out;
> >         }
> >
> > +       if(info->match & IPT_OWNER_VS) {
> > +               if((sk->vx_id != info->vx_id) ^
> > +                   !!(info->invert & IPT_OWNER_VS))
> > +                       goto out;
> > +       }
> > +
> >         ret = 1;
> >
> >  out:
> > --- ./include/linux/netfilter_ipv4/ipt_owner.h.vs-iptables      2002-11-29 
> > 00:53:15.000000000 +0100
> > +++ ./include/linux/netfilter_ipv4/ipt_owner.h  2004-07-29 15:11:28.000000000 
> > +0200
> > @@ -7,6 +7,7 @@
> >  #define IPT_OWNER_PID  0x04
> >  #define IPT_OWNER_SID  0x08
> >  #define IPT_OWNER_COMM 0x10
> > +#define IPT_OWNER_VS   0x80
> >
> >  struct ipt_owner_info {
> >      uid_t uid;
> > @@ -14,6 +15,7 @@ struct ipt_owner_info {
> >      pid_t pid;
> >      pid_t sid;
> >      char comm[16];
> > +    int vx_id;
> >      u_int8_t match, invert;    /* flags */
> >  };
> >
> >
> >
> > And patch to iptables:
> >
> > --- ./extensions/libipt_owner.c.ps      2003-01-06 13:40:33.000000000 +0100
> > +++ ./extensions/libipt_owner.c 2003-06-04 14:24:55.000000000 +0200
> > @@ -22,6 +22,7 @@ help(void)
> >  "[!] --pid-owner processid  Match local pid\n"
> >  "[!] --sid-owner sessionid  Match local sid\n"
> >  "[!] --cmd-owner name       Match local command name\n"
> > +"[!] --ctx-owner ctx        Match local security context\n"
> >  "\n",
> >  IPTABLES_VERSION);
> >  #else
> > @@ -31,6 +32,7 @@ IPTABLES_VERSION);
> >  "[!] --gid-owner groupid    Match local gid\n"
> >  "[!] --pid-owner processid  Match local pid\n"
> >  "[!] --sid-owner sessionid  Match local sid\n"
> > +"[!] --ctx-owner ctx        Match local security context\n"
> >  "\n",
> >  IPTABLES_VERSION);
> >  #endif /* IPT_OWNER_COMM */
> > @@ -44,6 +46,7 @@ static struct option opts[] = {
> >  #ifdef IPT_OWNER_COMM
> >         { "cmd-owner", 1, 0, '5' },
> >  #endif
> > +       { "ctx-owner", 1, 0, '6' },
> >         {0}
> >  };
> >
> > @@ -136,6 +139,17 @@ parse(int c, char **argv, int invert, un
> >                 break;
> >  #endif
> >
> > +       case '6':
> > +               check_inverse(optarg, &invert, &optind, 0);
> > +               ownerinfo->vx_id = strtoul(optarg, &end, 0);
> > +               if (*end != '\0' || end == optarg)
> > +                       exit_error(PARAMETER_PROBLEM, "Bad OWNER CTX value 
> > `%s'", optarg);
> > +               if (invert)
> > +                       ownerinfo->invert |= IPT_OWNER_VS;
> > +               ownerinfo->match |= IPT_OWNER_VS;
> > +               *flags = 1;
> > +               break;
> > +
> >         default:
> >                 return 0;
> >         }
> > @@ -188,6 +202,9 @@ print_item(struct ipt_owner_info *info,
> >                         printf("%.*s ", (int)sizeof(info->comm), info->comm);
> >                         break;
> >  #endif
> > +               case IPT_OWNER_VS:
> > +                       printf("%d ", info->vx_id);
> > +                       break;
> >                 default:
> >                         break;
> >                 }
> > @@ -218,6 +235,7 @@ print(const struct ipt_ip *ip,
> >  #ifdef IPT_OWNER_COMM
> >         print_item(info, IPT_OWNER_COMM, numeric, "OWNER CMD match ");
> >  #endif
> > +       print_item(info, IPT_OWNER_VS, numeric, "OWNER CTX match ");
> >  }
> >
> >  /* Saves the union ipt_matchinfo in parsable form to stdout. */
> > @@ -233,6 +251,7 @@ save(const struct ipt_ip *ip, const stru
> >  #ifdef IPT_OWNER_COMM
> >         print_item(info, IPT_OWNER_COMM, 0, "--cmd-owner ");
> >  #endif
> > +       print_item(info, IPT_OWNER_VS, 0, "--ctx-owner ");
> >  }
> >
> >  static
> > _______________________________________________
> > Vserver mailing list
> > Vserver@xxxxxxxxxxxxxxxxxxxxxx
> > http://list.linux-vserver.org/mailman/listinfo/vserver
> _______________________________________________
> Vserver mailing list
> Vserver@xxxxxxxxxxxxxxxxxxxxxx
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver@xxxxxxxxxxxxxxxxxxxxxx
http://list.linux-vserver.org/mailman/listinfo/vserver