bugzilla-daemon at netfilter.org
2013-Aug-24 11:15 UTC
[Bug 847] New: Owner matching fails on listening socket
https://bugzilla.netfilter.org/show_bug.cgi?id=847

           Summary: Owner matching fails on listening socket
           Product: netfilter/iptables
           Version: unspecified
          Platform: x86_64
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ip_tables (kernel)
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: phil at sanewall.org
   Estimated Hours: 0.0


It seems the netfilter matching of socket owner by UID has changed between
kernel v3.2 and v3.10.

In 3.2 the owner would be matched whether the connection was initiated from
the firewall host or from the remote host. In 3.10 the UID is matched only
when the connection is initiated from the firewall host. The UID associated
with the socket appears to not be that of the process which is listening for
connections.

Error results
*************

Tested were the wheezy and wheezy-backports kernels:
  3.2.0-4-amd64
and:
  3.10-0.bpo.2-amd64
Both with iptables v1.4.14

This was originally reported to me between two hosts, but works equally well
on the loopback device.

Using a single user for both listener and connector, and starting with an
empty firewall with everything set to ACCEPT:

$ id -u
1000

Test 1a - Works on both 3.2 and 3.10
------------------------------------
Verify connection without any firewall rules. Start a listener on port 8889
and start a connection from source port 8888. Connection established and
data flows.

$ nc -l -p 8889            | nc -p 8888 127.0.0.1 8889
I can send data!           | I can send data!
                           |
                           | ^C

Test 1b - Works on both 3.2 and 3.10
------------------------------------
Verify connection without any firewall rules. Start a listener on port 8888
and start a connection from source port 8889. Connection established and
data flows.

$ nc -l -p 8888            | nc -p 8889 127.0.0.1 8888
I can still send data!     | I can still send data!
                           |
                           | ^C

Setup firewall rule
-------------------
A single rule which should stop any TCP packets from source port 8888 by our
uid.

sudo iptables -t filter -A OUTPUT -p tcp --sport 8888 \
     -m owner --uid-owner 1000 -j REJECT

Test 2a - works on both 3.2 and 3.10
-----------------------------------
Verify packets blocked by firewall rule. Start a listener on port 8889 and
start a connection from source port 8888. Connection refused because our SYN
packet is rejected.

$ nc -l -p 8889            | nc -p 8888 127.0.0.1 8889
                           | (UNKNOWN) [127.0.0.1] 8889 (?) : Connection refused
^C                         |

Test 2b - works on 3.2 but not 3.10
-----------------------------------
Verify packets blocked by firewall rule. Start a listener on port 8888 and
start a connection from source port 8889.

3.2: connection prevented (SYN ACK dropped)

$ nc -l -p 8888            | $ nc -p 8889 127.0.0.1 8888
                           | ^C (gave up)

3.10: can still connect and send data

$ nc -l -p 8888            | $ nc -p 8889 127.0.0.1 8888
Still sending...!          | Still sending...!
                           |
                           | ^C

Extra Info
**********

There is only one commit in the owner matching code:

  git log v3.2..v3.10 -- net/netfilter/xt_owner.c

(which was applied for v3.7).

commit 26711a791effbea125fea4284f4d1c4fa8f7bc73
Author: Eric W. Biederman <ebiederm at xmission.com>
Date:   Thu Feb 2 17:33:59 2012 -0800

    userns: xt_owner: Add basic user namespace support.

    - Only allow adding matches from the initial user namespace
    - Add the appropriate conversion functions to handle matches
      against sockets in other user namespaces.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
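The reporter's Test 2b, automated as an added script that is not part of the bug report: it installs the owner rule, starts a listener as a test user and checks whether a loopback client still receives data from it. The user name, the `--run` gate, the netcat flags (`-l -p`, `-p`, `-w`) and the assumption that it runs as root with xt_owner available are all assumptions of this example, not from the thread.

```shell
#!/bin/sh
# Added example (not from the bug report): automates the reporter's Test 2b on
# loopback. A listener owned by TEST_USER on LISTEN_PORT, an OUTPUT rule that
# rejects TCP from --sport LISTEN_PORT owned by that user, and a client that
# connects from CLIENT_PORT. On a fixed kernel the listener's SYN-ACK is
# rejected and the client gets nothing; with the reported 3.10 behaviour the
# SYN-ACK escapes the owner match and data arrives.
set -eu

TEST_USER=${TEST_USER:-nobody}   # hypothetical default; set to the user under test
LISTEN_PORT=8888
CLIENT_PORT=7777

# The thread reports 3.10 broken and the fix queued for 3.11 (plus -stable
# backports this check cannot see). Returns 0 when "major.minor..." >= 3.11.
kernel_has_synack_fix() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%[!0-9]*}           # "10-0.bpo.2-amd64" -> "10"
  [ "$major" -gt 3 ] && return 0
  [ "$major" -eq 3 ] && [ "$minor" -ge 11 ] && return 0
  return 1
}

cleanup() {
  iptables -D OUTPUT -p tcp --sport "$LISTEN_PORT" \
    -m owner --uid-owner "$(id -u "$TEST_USER")" -j REJECT 2>/dev/null || true
  kill "${listener_pid:-}" 2>/dev/null || true
}

run_listener_test() {
  trap cleanup EXIT
  iptables -A OUTPUT -p tcp --sport "$LISTEN_PORT" \
    -m owner --uid-owner "$(id -u "$TEST_USER")" -j REJECT
  # Listener runs as the user under test and offers one line once connected.
  su -s /bin/sh -c "echo listener-data | nc -l -p $LISTEN_PORT" "$TEST_USER" &
  listener_pid=$!
  sleep 1
  # The client's packets carry sport CLIENT_PORT, so only the listener's
  # replies (sport LISTEN_PORT, owned by TEST_USER) can match the rule.
  got=$(nc -w 3 -p "$CLIENT_PORT" 127.0.0.1 "$LISTEN_PORT" </dev/null || true)
  if [ -n "$got" ]; then
    echo "BROKEN: replies from the listening socket escaped the owner match"
    return 1
  fi
  echo "OK: the owner rule blocked the listener's SYN-ACK"
}

if [ "${1:-}" = "--run" ] && [ "$(id -u)" -eq 0 ]; then
  kernel_has_synack_fix "$(uname -r)" ||
    echo "kernel $(uname -r) predates the fix reported for 3.11; expect BROKEN"
  run_listener_test
fi
```

Run it as root with `--run` on a host where the listener port is free; the rule is removed and the listener killed on exit.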
bugzilla-daemon at netfilter.org
2013-Aug-24 11:15 UTC
[Bug 847] Owner matching fails on listening socket
https://bugzilla.netfilter.org/show_bug.cgi?id=847

phil at sanewall.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |normal
bugzilla-daemon at netfilter.org
2013-Aug-26 23:32 UTC
[Bug 847] Owner matching fails on listening socket
https://bugzilla.netfilter.org/show_bug.cgi?id=847

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-08-27 01:32:15 CEST ---
First, please use ports that don't differ by only one digit in your examples.
Note how I used 7777 vs 8888 below, which makes spotting the difference much
easier.

Anyhow - seems to work fine for me in 3.10+:

# uname -r
3.10.0+
# iptables -V
iptables v1.4.18
# iptables -A OUTPUT -p tcp --sport 8888 -m owner --uid-owner 1000 -j REJECT

[phil at linuxace ~]$ id
uid=1000(phil) gid=1000(phil) groups=1000(phil)
[phil at linuxace ~]$ echo hi | nc -p 8888 bathroom.mit.edu 79
Ncat: Connection refused.
[phil at linuxace ~]$ echo hi | nc -p 7777 bathroom.mit.edu 79
Random Hall Bathroom Server v2.1
...
bugzilla-daemon at netfilter.org
2013-Aug-27 06:27 UTC
[Bug 847] Owner matching fails on listening socket
https://bugzilla.netfilter.org/show_bug.cgi?id=847

--- Comment #2 from phil at sanewall.org 2013-08-27 08:27:04 CEST ---
Yes, it works fine when the uid is establishing the connection. It fails when
the uid is listening.

Host 1

# sudo iptables -A OUTPUT -p tcp -m owner --uid-owner 1000 -j REJECT

pdw at compaq:~$ echo hi | nc bathroom.mit.edu 79
nw61-310-8.mit.edu [18.243.1.73] 79 (finger) : Connection refused
pdw at compaq:~$ echo hi | nc -l -p 8888

Host 2

dell:~ bob$ echo "ho" | nc compaq 8888
bugzilla-daemon at netfilter.org
2013-Aug-27 20:29 UTC
[Bug 847] Owner matching fails on listening socket
https://bugzilla.netfilter.org/show_bug.cgi?id=847

--- Comment #3 from Phil Oester <netfilter at linuxace.com> 2013-08-27 22:29:06 CEST ---
Confirmed. Problematic commit is 90ba9b19 (tcp: tcp_make_synack() can use
alloc_skb()). Discussing options.
bugzilla-daemon at netfilter.org
2013-Sep-01 14:58 UTC
[Bug 847] Owner matching fails on listening socket
https://bugzilla.netfilter.org/show_bug.cgi?id=847

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Phil Oester <netfilter at linuxace.com> 2013-09-01 16:58:37 CEST ---
This was fixed in commit eb8895deb (tcp: tcp_make_synack() should use
sock_wmalloc). It should appear in 3.11 and -stable series kernels.

Whitespace damaged version below:

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2670,7 +2670,7 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
 	int tcp_header_size;
 	int mss;
 
-	skb = alloc_skb(MAX_TCP_HEADER + 15, sk_gfp_atomic(sk, GFP_ATOMIC));
+	skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
 	if (unlikely(!skb)) {
 		dst_release(dst);
 		return NULL;

Closing.
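Review bot: the swap from alloc_skb() to sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC) is what charges the SYN-ACK to the listening socket so that the owner match has a socket to look at, but the hunk carries no comment and the third argument (force = 1) bypasses the socket's send-buffer accounting check without saying why; add a one-line comment above the call stating that the skb is deliberately attached to sk so netfilter owner matching works on SYN-ACKs, and that the forced allocation is intended so the listener's wmem limit cannot starve handshake replies. The hunk also drops sk_gfp_atomic(sk, GFP_ATOMIC) in favour of plain GFP_ATOMIC; if the per-socket allocation flags it folded in were relevant here, confirm in the commit message that losing them is intended.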