[Devel] [RFC][PATCH] IP address restricting cgroup subsystem

Paul Menage menage at google.com
Tue Jan 13 18:21:45 PST 2009


On Sun, Jan 11, 2009 at 2:19 AM, Grzegorz Nosek <root at localdomain.pl> wrote:
>
> So if I understand you right, your proposed solution would be something
> akin to ipt_cgroup (matching packets originating from a cgroup, like
> ipt_owner matches uid/gid) plus netfilter hooks for blocking/remapping
> addresses passed to connect() and/or bind()? Or maybe a dedicated
> netfilter table with per-cgroup chains?

Yes, something like one of those options. But it would never need to
be actually matching real packets in the data path - just
connect/bind/accept requests in the control path.

>
> Using the iptables API with connect() sending a fake packet, how would
> you represent "allow this connection, but bind() to 10.0.0.1 first"?
> Rewrite the source address in an iptables target?

Hmm, I hadn't considered that - I'd just been thinking of permit/deny
decisions. But you're right, a rewrite rule might be a natural way to
do this.

Clearly this feature would only use a small subset of the available
iptables API, so in that sense it might be overkill. But avoiding
inventing a complex new API seems worth the potential overkill.

I've attached the vague prototype that I was playing with a few months
ago. It's missing some of the bits that it would need:

- it uses the NF_INET_LOCAL_OUT table rather than a new
NF_INET_CONTROL table, because trying to edit/recompile the iptables
userspace binary to handle a new table proved to be too painful for
this prototype. (i.e. it currently does use the fast path checks, but
it really shouldn't ...)

- it only currently handles connect() - no bind() or accept()

- it doesn't have a cgroup-specific iptables filter yet - it just
provides a system-wide control over connections. Adding a per-group
filter would be pretty easy, I think

As it stands, it's sufficient to express complex rules like "disallow
connections to a remote sshd port, except on host H", etc.

Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: netfilter_control_hook.patch
Type: text/x-patch
Size: 11693 bytes
Desc: not available
URL: <http://lists.openvz.org/pipermail/devel/attachments/20090113/51c8129f/attachment-0001.bin>
-------------- next part --------------
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers


More information about the Devel mailing list