[Devel] [RFC][PATCH] IP address restricting cgroup subsystem
Paul Menage
menage at google.com
Tue Jan 13 18:21:45 PST 2009
On Sun, Jan 11, 2009 at 2:19 AM, Grzegorz Nosek <root at localdomain.pl> wrote:
>
> So if I understand you right, your proposed solution would be something
> akin to ipt_cgroup (matching packets originating from a cgroup, like
> ipt_owner matches uid/gid) plus netfilter hooks for blocking/remapping
> addresses passed to connect() and/or bind()? Or maybe a dedicated
> netfilter table with per-cgroup chains?
Yes, something like one of those options. But it would never need to
be actually matching real packets in the data path - just
connect/bind/accept requests in the control path.
>
> Using the iptables API with connect() sending a fake packet, how would
> you represent "allow this connection, but bind() to 10.0.0.1 first"?
> Rewrite the source address in an iptables target?
Hmm, I hadn't considered that - I'd just been thinking of permit/deny
decisions. But you're right, a rewrite rule might be a natural way to
do this.
Clearly this feature would only use a small subset of the available
iptables API, so in that sense it might be overkill. But avoiding
inventing a complex new API seems worth the potential overkill.
I've attached the vague prototype that I was playing with a few months
ago. It's missing some of the bits that it would need:
- it uses the NF_INET_LOCAL_OUT table rather than a new
NF_INET_CONTROL table, because trying to edit/recompile the iptables
userspace binary to handle a new table proved to be too painful for
this prototype. (i.e. it currently does use the fast path checks, but
it really shouldn't ...)
- it only currently handles connect() - no bind() or accept()
- it doesn't have a cgroup-specific iptables filter yet - it just
provides a system-wide control over connections. Adding a per-group
filter would be pretty easy, I think
As it stands, it's sufficient to express complex rules like "disallow
connections to a remote sshd port, except on host H", etc.
Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: netfilter_control_hook.patch
Type: text/x-patch
Size: 11693 bytes
Desc: not available
Url : http://lists.linux-foundation.org/pipermail/containers/attachments/20090113/51c8129f/attachment.bin
More information about the Containers
mailing list