Frédéric LESPEZ
2004-Jan-20 11:53 UTC
[Shorewall-devel] [PATCH] Marking packets according to user in tcrules
Hi,

First of all, thanks to all Shorewall developers. Shorewall is really great.

Here is a patch to add the following feature:
This patch allows you to mark packets according to the user name under which the program generating output is running.
To do so, the patch will allow you to write rules in the tcrules file looking like this:

    #MARK  SOURCE  DEST  PROTO  PORT(S)  CLIENT   USER
    #                                    PORT(S)
    30     fw      -     all    -        -        10000

This will generate an iptables command looking like this:

    iptables <...Snip...> -m owner --uid-owner 10000 -j MARK --set-mark 30

This patch is perhaps not "production quality" and can certainly be improved (using a user group instead of a user name, for example). But before improving it, I wish to know if you are interested in this feature. Any kind of feedback will be appreciated.

Regards,

Fred.

PS: Please CC me, I read these lists only via the web archives.

Attachment: patched-tcrules-owner (text/x-patch, 2222 bytes): http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20040120/14fc7af5/patched-tcrules-owner.bin
Frédéric LESPEZ
2004-Jan-21 13:08 UTC
[Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules
Here is another version of my patch that implements an idea from Steve Herber.
Now you can use GID or UID in the rules. It also works with user name and group name. Here is an example of tcrules file:

    #MARK  SOURCE  DEST  PROTO  PORT(S)  CLIENT   USER
    #                                    PORT(S)
    30     fw      -     all    -        -        U:john
    30     fw      -     all    -        -        G:netaccess

Regards,

Fred.

On Tue, 2004-01-20 at 20:53, Frédéric LESPEZ wrote:
> Hi,
>
> First of all, thanks to all Shorewall developers. Shorewall is really
> great.
>
> Here is a patch to add the following feature:
> This patch allows you to mark packets according to the user name under
> which the program generating output is running.
> To do so, the patch will allow you to write rules in the tcrules file
> looking like this:
> #MARK SOURCE DEST PROTO PORT(S) CLIENT USER
> # PORT(S)
> 30 fw - all - - 10000
>
> This will generate an iptables command looking like this:
> iptables <...Snip...> -m owner --uid-owner 10000 -j MARK --set-mark 30
>
> This patch is perhaps not "production quality" and can certainly be
> improved (using a user group instead of a user name, for example).
> But before improving it, I wish to know if you are interested in this
> feature. Any kind of feedback will be appreciated.
>
> Regards,
>
> Fred.
>
> PS: Please CC me, I read these lists only via the web archives.

Attachment: patched-tcrule-owner_V2.txt (text/x-patch, 2265 bytes): http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20040121/4fbe3d73/patched-tcrule-owner_V2.bin
Tom Eastep
2004-Jan-21 13:16 UTC
[Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules
On Wednesday 21 January 2004 01:07 pm, Frédéric LESPEZ wrote:
> Here is another version of my patch that implements an idea from Steve
> Herber.
> Now you can use GID or UID in the rules. It also works with user name
> and group name. Here is an example of tcrules file:
>
> #MARK SOURCE DEST PROTO PORT(S) CLIENT USER
> # PORT(S)
> 30 fw - all - - U:john
> 30 fw - all - - G:netaccess
>

I think it would be less confusing if you followed the convention established in the rules file (and you can probably share the parsing code).

To designate a user, either just include the user name/number or optionally follow with a colon. Examples:

    john
    44
    fred:

To designate a group, precede the group name/number by ":". Examples:

    :admins
    :root

To designate a user *and* group, separate the names/numbers by a colon. Example:

    john:admins

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2004-Jan-21 13:26 UTC
[Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules
On Wednesday 21 January 2004 01:16 pm, Tom Eastep wrote:
> On Wednesday 21 January 2004 01:07 pm, Frédéric LESPEZ wrote:
> > Here is another version of my patch that implements an idea from Steve
> > Herber.
> > Now you can use GID or UID in the rules. It also works with user name
> > and group name. Here is an example of tcrules file:
> >
> > #MARK SOURCE DEST PROTO PORT(S) CLIENT USER
> > # PORT(S)
> > 30 fw - all - - U:john
> > 30 fw - all - - G:netaccess
>
> I think it would be less confusing if you followed the convention
> established in the rules file (and you can probably share the parsing
> code).
>
> To designate a user, either just include the user name/number or optionally
> follow with a colon.
>

Note that isn't quite what happens in the rules file - in that file, if no colon is present then the name is assumed to be a Userset name defined in /etc/shorewall/usersets.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Frédéric LESPEZ
2004-Jan-22 11:05 UTC
[Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules
On Wed, 2004-01-21 at 22:26, Tom Eastep wrote:
> On Wednesday 21 January 2004 01:16 pm, Tom Eastep wrote:
> > On Wednesday 21 January 2004 01:07 pm, Frédéric LESPEZ wrote:
> > > Here is another version of my patch that implements an idea from Steve
> > > Herber.
> > > Now you can use GID or UID in the rules. It also works with user name
> > > and group name. Here is an example of tcrules file:
> > >
> > > #MARK SOURCE DEST PROTO PORT(S) CLIENT USER
> > > # PORT(S)
> > > 30 fw - all - - U:john
> > > 30 fw - all - - G:netaccess
> >
> > I think it would be less confusing if you followed the convention
> > established in the rules file (and you can probably share the parsing
> > code).
> >
> > To designate a user, either just include the user name/number or optionally
> > follow with a colon.
> >
>
> Note that isn't quite what happens in the rules file - in that file, if no
> colon is present then the name is assumed to be a Userset name defined in
> /etc/shorewall/usersets.

Thanks for the feedback.
I made the changes you suggested: the syntax now follows the convention of the rules file. I made the colon mandatory. I don't know if it is the best choice.

Examples of rules:

    #MARK  SOURCE  DEST  PROTO  PORT(S)  CLIENT   USER
    #                                    PORT(S)
    30     fw      -     all    -        -        john:
    30     fw      -     all    -        -        :netaccess
    30     fw      -     all    -        -        john:netaccess

And the following one is illegal:

    30     fw      -     all    -        -        john

Regards,

Fred.

Attachment: patched-tcrule-owner_V3 (text/x-patch, 2286 bytes): http://lists.shorewall.net/pipermail/shorewall-devel/attachments/20040122/41fe04af/patched-tcrule-owner_V3.bin
Tom Eastep
2004-Jan-22 11:12 UTC
[Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules
On Thursday 22 January 2004 11:04 am, Frédéric LESPEZ wrote:
>
> Thanks for the feedback.
> I made the changes you suggested: the syntax now follows the
> convention of the rules file. I made the colon mandatory. I don't know
> if it is the best choice.
> Examples of rules:
> #MARK SOURCE DEST PROTO PORT(S) CLIENT USER
> # PORT(S)
> 30 fw - all - - john:
> 30 fw - all - - :netaccess
> 30 fw - all - - john:netaccess
> And the following one is illegal:
> 30 fw - all - - john
>

I think that it is ok to make the last entry legal -- it is unlikely that we will ever want to allow usersets in this file given the way that usersets are implemented in Shorewall.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
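The USER-column convention the thread settles on (user, user:, :group, user:group, with "-" meaning no owner restriction) maps directly onto the iptables owner match. The following POSIX shell is an added example, written for this page rather than taken from Frédéric's patch or from Shorewall itself: it parses the column, rejects malformed values before they are spliced into an iptables command line, and builds one mangle-table rule. Two things are assumptions of mine, not Shorewall's actual layout: the rule is appended straight to the mangle OUTPUT chain (the only chain where the owner match can see the local process), and the function names `owner_match_args`, `valid_owner_token` and `tcrule_to_iptables` are invented here.

```shell
#!/bin/sh
# Added example, not the patch from the thread. Parse the USER column of a
# tcrules entry using the rules-file convention discussed above:
#   john            user only (colon optional, as Tom allowed in the end)
#   john:           user only
#   :netaccess      group only
#   john:netaccess  user and group
#   -               no owner match
# Names or numeric ids are passed through unchanged; iptables resolves names.

# Accept only characters that can appear in a user/group name or numeric id.
# The column text ends up on an iptables command line, so anything else
# (spaces, leading dashes) could smuggle extra options onto that line.
valid_owner_token() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the "-m owner ..." fragment for a USER column value; fail on bad input.
owner_match_args() {
    spec="$1"
    case "$spec" in
        ''|-)  echo ""; return 0 ;;                          # no restriction
        *:*:*) echo "bad USER spec: $spec" >&2; return 1 ;;  # too many colons
    esac
    case "$spec" in
        *:*) user="${spec%%:*}"; group="${spec#*:}" ;;
        *)   user="$spec";       group="" ;;
    esac
    if [ -z "$user" ] && [ -z "$group" ]; then               # ":" on its own
        echo "bad USER spec: $spec" >&2; return 1
    fi
    args="-m owner"
    if [ -n "$user" ]; then
        valid_owner_token "$user" || { echo "bad user: $user" >&2; return 1; }
        args="$args --uid-owner $user"
    fi
    if [ -n "$group" ]; then
        valid_owner_token "$group" || { echo "bad group: $group" >&2; return 1; }
        args="$args --gid-owner $group"
    fi
    echo "$args"
}

# Build one mangle-table rule from the tcrules columns
#   MARK SOURCE DEST PROTO PORT(S) CLIENT-PORT(S) USER   ("-" = unspecified).
# Assumption (mine, not Shorewall's chain layout): SOURCE "fw" rules go to
# the OUTPUT chain, since the owner match only works on locally generated
# packets. Port columns are only meaningful with a specific protocol.
tcrule_to_iptables() {
    mark="$1" source="$2" dest="$3" proto="$4" dport="$5" sport="$6" user="$7"
    if [ "$source" != "fw" ]; then
        echo "owner match needs SOURCE fw (locally generated traffic)" >&2
        return 1
    fi
    owner=$(owner_match_args "$user") || return 1
    rule="iptables -t mangle -A OUTPUT"
    if [ "$dest" != "-" ]; then
        rule="$rule -d $dest"
    fi
    if [ "$proto" != "-" ] && [ "$proto" != "all" ]; then
        rule="$rule -p $proto"
        if [ "$dport" != "-" ]; then rule="$rule --dport $dport"; fi
        if [ "$sport" != "-" ]; then rule="$rule --sport $sport"; fi
    fi
    if [ -n "$owner" ]; then
        rule="$rule $owner"
    fi
    echo "$rule -j MARK --set-mark $mark"
}

# Usage: the three legal forms from the thread plus the bare user name.
tcrule_to_iptables 30 fw - all - - john:
tcrule_to_iptables 30 fw - all - - :netaccess
tcrule_to_iptables 30 fw - all - - john:netaccess
tcrule_to_iptables 30 fw - all - - john
```

The character whitelist is the check worth keeping whichever syntax wins: a value such as `john --gid-owner 0` is rejected rather than silently widening the match. Note also that the owner match identifies the socket's credentials on locally generated packets only, which is why every example in the thread has SOURCE `fw`; the function refuses other sources instead of emitting a rule the kernel would never hit.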
Frédéric LESPEZ
2004-Jan-22 11:34 UTC
[Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules
Sorry, forgot the list... :-(

-----Forwarded Message-----
> From: Frédéric LESPEZ <frederic.lespez@free.fr>
> To: Tom Eastep <teastep@shorewall.net>
> Subject: Re: [Shorewall-devel] Re: [PATCH] Marking packets according to user in tcrules
> Date: Thu, 22 Jan 2004 20:29:50 +0100
>
> On Thu, 2004-01-22 at 20:11, Tom Eastep wrote:
> > On Thursday 22 January 2004 11:04 am, Frédéric LESPEZ wrote:
> > > And the following one is illegal:
> > > 30 fw - all - - john
> > >
> >
> > I think that it is ok to make the last entry legal -- it is unlikely that we
> > will ever want to allow usersets in this file given the way that usersets are
> > implemented in Shorewall.
>
> Ok, that's fine for me. I made the change. New version!
>
> Regards,
> Fred.
>