
nft rules processed in wrong network namespace

Message ID 20150610152855.GA3406@acer.localdomain
State RFC
Delegated to: Pablo Neira

Commit Message

Patrick McHardy June 10, 2015, 3:28 p.m. UTC
On 10.06, Andreas Schultz wrote:
> On Wed, Jun 10, 2015 at 4:01 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Jun 10, 2015 at 12:07:27PM +0200, Andreas Schultz wrote:
> > [...]
> >> I think I have found the root cause why this happens.
> >>
> >> With iptables only the hooks defined by the ipt modules can ever exist and
> >> they do apply to all namespaces. Thus hooks are registered in the global list
> >> nf_hooks.
> >
> > I have an incomplete patchset here to introduce pernet hooks. Will
> > send this for review at some point.
> 
> Please, could you share those patches? I have started on making nf_hooks
> into a pernet structure, but having something to start from would make this
> much simpler.
> 
> Also, in its current form having netns and nftables support enabled at the
> same time can lead to some horribly broken (insecure) setups, e.g. I could
> intercept traffic for the host from within a docker container.
> 
> Shouldn't Kconfig be changed to prevent this?

If my understanding of the problem is correct, this (totally untested)
patch should prevent the problem until we have a proper fix.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Andreas Schultz June 11, 2015, 11:26 a.m. UTC | #1
On Wed, Jun 10, 2015 at 5:28 PM, Patrick McHardy <kaber@trash.net> wrote:

[...]

> If my understanding of the problem is correct, this (totally untested)
> patch should prevent the problem until we have a proper fix.

Yes it does prevent the execution of the chains from the wrong
netns. Some targets are still broken when used in a netns, for
example queue rules instantiated in a netns will not work at
all.

Andreas

>
> diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
> index f153b07..62e371a 100644
> --- a/net/netfilter/nf_tables_core.c
> +++ b/net/netfilter/nf_tables_core.c
> @@ -124,6 +124,12 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
>         int rulenum;
>         unsigned int gencursor = nft_genmask_cur(net);
>
> +       /* Workaround for processing in incorrect namespace until we have
> +        * per net hooks.
> +        */
> +       if (read_pnet(&(pkt->in ? : pkt->out)->nd_net) != net)
> +               return NF_ACCEPT;
> +
>  do_chain:
>         rulenum = 0;
>         rule = list_entry(&chain->rules, struct nft_rule, list);
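Review bot: the early return relies on `pkt->in ? : pkt->out` yielding a non-NULL device; the `? :` form is a GCC extension the kernel uses widely, but nothing in the hunk covers the case where neither device is set, so the comment should state that assumption (or the check should guard it). The workaround comment could also say why NF_ACCEPT rather than NF_DROP is returned: accepting leaves a packet from a foreign namespace untouched by this chain so that later hooks can still process it, and that choice is not obvious from the two lines alone.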

Patch

diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index f153b07..62e371a 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -124,6 +124,12 @@  nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 	int rulenum;
 	unsigned int gencursor = nft_genmask_cur(net);
 
+	/* Workaround for processing in incorrect namespace until we have
+	 * per net hooks.
+	 */
+	if (read_pnet(&(pkt->in ? : pkt->out)->nd_net) != net)
+		return NF_ACCEPT;
+
 do_chain:
 	rulenum = 0;
 	rule = list_entry(&chain->rules, struct nft_rule, list);
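Review bot: the comparison `read_pnet(&(...)->nd_net) != net` is only meaningful if `net` is the namespace the base chain belongs to, but where `net` comes from is outside the shown context (only `nft_genmask_cur(net)` is visible), so the commit message should state that explicitly. It is also worth noting in the changelog that this check now runs for every packet on every base chain while the hooks themselves remain globally registered, i.e. it addresses the symptom rather than the cause, as the "until we have per net hooks" comment already implies; that makes it easier to remove once per-namespace hooks land.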