netfilter buglog - Jan 2018 - [Bug 1210] New: nftables gets confused by user namespaces when meta skuid is used

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

            Bug ID: 1210
           Summary: nftables gets confused by user namespaces when meta
                    skuid is used
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: bugz at yalis.fr

(for reference: https://github.com/systemd/systemd/issues/7800)

### versions, the issue has been seen with

linux v4.14.9
nftables v0.8
systemd v236.0

OS : Up-to-date Archlinux (as of 2017-12-31)

### Expected behaviour

`sudo -u exim telnet smtp.bbox.fr 25` should be able to connect.

### Actual behaviour

`sudo -u exim telnet smtp.bbox.fr 25` times out.

### Steps to reproduce the problem

The setup is such:
* Archlinux host
* Archlinux systemd-nspawn guest (named `seuil3`), launched with the standard
`systemd-nspawn at .service` launcher, plus the following drop-in:
```
[Service]
ExecStartExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot
--link-journal=guest -U --settings=override --machine=%i
```

By changing `-U` (== with user namespace) with `--private-users=0
--private-users-chown` (== without user namespace) in the drop-in, the above
`telnet` works.

#### Host-specific configuration

`/etc/systemd/nspawn/seuil3.nspawn`:
```
[Exec]
NotifyReady=yes
Capability=CAP_NET_ADMIN

[Network]
Bridge=wire
```

`/etc/systemd/network/wired.network`:
```
[Match]
Name=en*

[Network]
Bridge=wire
```

`/etc/systemd/network/bridge.netdev`:
```
[NetDev]
Name=wire
Kind=bridge
```

`/etc/systemd/network/bridge.network`:
```
[Match]
Name=wire

[Network]
IPForward=yes
Address=XXX.XXX.XXX.aaa/mm
Gateway=XXX.XXX.XXX.1
```

Outgoing nftables rules:
```
chain FilterOut {
  type filter hook output priority 0
  policy accept
}
```

#### Guest-specific configuration

`/etc/systemd/network/00-wired.network`:
```
[Match]
Name=host*
Virtualization=container

[Network]
Address=XXX.XXX.XXX.bbb/mm
Gateway=XXX.XXX.XXX.1
LLDP=yes
EmitLLDP=customer-bridge
```

Outgoing nftables rules:
```
chain FilterOut {
  type filter hook output priority 0
  policy drop
  ct state {established, related} accept
  meta oif lo accept
  ip daddr /* LAN, DNS, NTP… */ accept
  …
  meta skuid exim tcp dport 25 accept
}
```

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180104/b860ec53/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

--- Comment #1 from Yves <bugz at yalis.fr> ---
I forgot to mention that the nspawn container is not a single (Docker-like)
contained process, but is instead a full Archlinux OS (minus the kernel, of
course). So:

1. the host and guest are mostly independent OSes, and each has its own IP
address, and its own nftables firewall;
2. the guest-specific nftables rules above are loaded by the in-containter
nftables.service, in the process of booting the guest Archlinux;
3. the exim user is a system user of the guest in-container Archlinux;
4. the telnet command being used to showcase the problem is run in a guest
in-container shell, by root (the container’s root).

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180104/e00f9fb9/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Created attachment 526
  --> https://bugzilla.netfilter.org/attachment.cgi?id=526&action=edit
grab user_ns from sock_net()

Could you give a try to this kernel patch? Thanks!

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180202/a7384c42/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180202/9f27d48b/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

--- Comment #3 from Yves <bugz at yalis.fr> ---
I will try and create the needed nspawn container to test that. The container I
was using when I reported the issue has since switched to not using user
namespaces (in part due to this bug) and I cannot switch it back.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180205/cba20126/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

--- Comment #4 from Yves <bugz at yalis.fr> ---
nspawn container with user namespace set up; problem reproduced; new kernel
compiling (with patch)… I’ll let you know :-)

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180218/531e8d81/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

--- Comment #5 from Yves <bugz at yalis.fr> ---
I built the new kernel using the instructions here:
https://wiki.archlinux.org/index.php/Kernels/Arch_Build_System
and adding the providing patch as the first step of the build.

I see no change: when nftables is stopped, exim can telnet to port 25; when
nftables is started, exim cannot anymore.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180219/55ee010f/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #6 from Phil Sutter <phil at nwl.cc> ---
Hi,

(In reply to Yves from comment #5)
> I built the new kernel using the instructions here:
> https://wiki.archlinux.org/index.php/Kernels/Arch_Build_System
> and adding the providing patch as the first step of the build.
> 
> I see no change: when nftables is stopped, exim can telnet to port 25; when
> nftables is started, exim cannot anymore.
Can you please try again with an up to date system? I can't reproduce the
skuid
matching problem on my testing VM (running current kernel and nftables). Maybe
it really is a problem of uid resolution in container? Did you make sure that
'nft -nn list ruleset' shows the same uid as 'id -u exim'?

Thanks, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/7487a56f/attachment-0001.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|pablo at netfilter.org         |phil at nwl.cc

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190712/09185d8a/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1210

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pablo at netfilter.org
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Pablo Neira Ayuso <pablo at netfilter.org> ---
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20200904152532.2320-1-pablo
at netfilter.org/

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200908/8c34ee65/attachment.html>