* iptables --log-uid patch for 2.6
@ 2004-11-27 22:30 John Lange
0 siblings, 0 replies; 5+ messages in thread
From: John Lange @ 2004-11-27 22:30 UTC (permalink / raw)
To: netfilter-develop
[-- Attachment #1: Type: text/plain, Size: 4293 bytes --]
Here are patches against the userspace and the kernel which allows the
logging of the uid that generated the (outgoing) packet.
This patch was originally the work of Martin Josefsson for the 2.4
kernel but was never incorporated into the main code base. My work here
simply ports it to the 2.6 kernel and the current version of netfilter
(iptables).
It is useful for figuring out which users might have had their accounts
compromised by spam relays, IRC bots or other such things.
I've been running this patch on a production server since Oct 30 without
any problems.
--- linux-2.6.9/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-18 16:55:07.000000000 -0500
+++
linux-2.6.9-jl1/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-30
16:42:12.000000000 -0500
@@ -4,7 +4,8 @@
#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
-#define IPT_LOG_MASK 0x07
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket
*/
+#define IPT_LOG_MASK 0x0f
struct ipt_log_info {
unsigned char level;
--- linux-2.6.9/net/ipv4/netfilter/ipt_LOG.c 2004-10-18
16:55:06.000000000 -0500
+++ linux-2.6.9-jl1/net/ipv4/netfilter/ipt_LOG.c 2004-10-30
19:21:12.000000000 -0500
@@ -384,6 +384,8 @@
}
dump_packet(loginfo, skb, 0);
+ if ((loginfo->logflags & IPT_LOG_UID) && skb->sk &&
skb->sk->sk_socket && skb->sk->sk_socket->file)
+ printk("UID=%u ", skb->sk->sk_socket->file->f_uid);
printk("\n");
spin_unlock_bh(&log_lock);
}
--- iptables-1.2.11/extensions/libipt_LOG.c 2004-06-14
17:02:16.000000000 -0500
+++ iptables-1.2.11-jl/extensions/libipt_LOG.c 2004-10-30
16:39:16.000000000 -0500
@@ -21,7 +21,8 @@
" --log-prefix prefix Prefix log messages with this
prefix.\n\n"
" --log-tcp-sequence Log TCP sequence numbers.\n\n"
" --log-tcp-options Log TCP options.\n\n"
-" --log-ip-options Log IP options.\n\n",
+" --log-ip-options Log IP options.\n\n"
+" --log-uid Log UID owning the local socket.\n\n",
IPTABLES_VERSION);
}
@@ -31,6 +32,7 @@
{ .name = "log-tcp-sequence", .has_arg = 0, .flag = 0, .val =
'1' },
{ .name = "log-tcp-options", .has_arg = 0, .flag = 0, .val =
'2' },
{ .name = "log-ip-options", .has_arg = 0, .flag = 0, .val =
'3' },
+ { .name = "log-uid", .has_arg = 0, .flag = 0, .val =
'4' },
{ .name = 0 }
};
@@ -98,6 +100,7 @@
#define IPT_LOG_OPT_TCPSEQ 0x04
#define IPT_LOG_OPT_TCPOPT 0x08
#define IPT_LOG_OPT_IPOPT 0x10
+#define IPT_LOG_OPT_UID 0x20
/* Function which parses command options; returns true if it
ate an option */
@@ -168,6 +171,15 @@
*flags |= IPT_LOG_OPT_IPOPT;
break;
+ case '4':
+ if (*flags & IPT_LOG_OPT_UID)
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --log-uid twice");
+
+ loginfo->logflags |= IPT_LOG_UID;
+ *flags |= IPT_LOG_OPT_UID;
+ break;
+
default:
return 0;
}
@@ -211,6 +223,8 @@
printf("tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("uid ");
if (loginfo->logflags & ~(IPT_LOG_MASK))
printf("unknown-flags ");
}
@@ -238,6 +252,8 @@
printf("--log-tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("--log-ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("--log-uid ");
}
static
--- iptables-1.2.11/extensions/libipt_LOG.man 2004-01-22
09:04:24.000000000 -0600
+++ iptables-1.2.11-jl/extensions/libipt_LOG.man 2004-10-30
19:28:09.000000000 -0500
@@ -26,3 +26,6 @@
.TP
.B --log-ip-options
Log options from the IP packet header.
+.TP
+.B --log-uid
+Log the userid of the process which generated the packet.
--
John Lange
OpenIT ltd.
(204) 885 0872
[-- Attachment #2: ipt_LOG-uid.patch --]
[-- Type: text/x-patch, Size: 961 bytes --]
--- linux-2.6.9/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-18 16:55:07.000000000 -0500
+++ linux-2.6.9-jl1/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-30 16:42:12.000000000 -0500
@@ -4,7 +4,8 @@
#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
-#define IPT_LOG_MASK 0x07
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#define IPT_LOG_MASK 0x0f
struct ipt_log_info {
unsigned char level;
--- linux-2.6.9/net/ipv4/netfilter/ipt_LOG.c 2004-10-18 16:55:06.000000000 -0500
+++ linux-2.6.9-jl1/net/ipv4/netfilter/ipt_LOG.c 2004-10-30 19:21:12.000000000 -0500
@@ -384,6 +384,8 @@
}
dump_packet(loginfo, skb, 0);
+ if ((loginfo->logflags & IPT_LOG_UID) && skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
+ printk("UID=%u ", skb->sk->sk_socket->file->f_uid);
printk("\n");
spin_unlock_bh(&log_lock);
}
[-- Attachment #3: ipt_LOG-uid.userspace.patch --]
[-- Type: text/x-patch, Size: 2148 bytes --]
--- iptables-1.2.11/extensions/libipt_LOG.c 2004-06-14 17:02:16.000000000 -0500
+++ iptables-1.2.11-jl/extensions/libipt_LOG.c 2004-10-30 16:39:16.000000000 -0500
@@ -21,7 +21,8 @@
" --log-prefix prefix Prefix log messages with this prefix.\n\n"
" --log-tcp-sequence Log TCP sequence numbers.\n\n"
" --log-tcp-options Log TCP options.\n\n"
-" --log-ip-options Log IP options.\n\n",
+" --log-ip-options Log IP options.\n\n"
+" --log-uid Log UID owning the local socket.\n\n",
IPTABLES_VERSION);
}
@@ -31,6 +32,7 @@
{ .name = "log-tcp-sequence", .has_arg = 0, .flag = 0, .val = '1' },
{ .name = "log-tcp-options", .has_arg = 0, .flag = 0, .val = '2' },
{ .name = "log-ip-options", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = "log-uid", .has_arg = 0, .flag = 0, .val = '4' },
{ .name = 0 }
};
@@ -98,6 +100,7 @@
#define IPT_LOG_OPT_TCPSEQ 0x04
#define IPT_LOG_OPT_TCPOPT 0x08
#define IPT_LOG_OPT_IPOPT 0x10
+#define IPT_LOG_OPT_UID 0x20
/* Function which parses command options; returns true if it
ate an option */
@@ -168,6 +171,15 @@
*flags |= IPT_LOG_OPT_IPOPT;
break;
+ case '4':
+ if (*flags & IPT_LOG_OPT_UID)
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --log-uid twice");
+
+ loginfo->logflags |= IPT_LOG_UID;
+ *flags |= IPT_LOG_OPT_UID;
+ break;
+
default:
return 0;
}
@@ -211,6 +223,8 @@
printf("tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("uid ");
if (loginfo->logflags & ~(IPT_LOG_MASK))
printf("unknown-flags ");
}
@@ -238,6 +252,8 @@
printf("--log-tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("--log-ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("--log-uid ");
}
static
--- iptables-1.2.11/extensions/libipt_LOG.man 2004-01-22 09:04:24.000000000 -0600
+++ iptables-1.2.11-jl/extensions/libipt_LOG.man 2004-10-30 19:28:09.000000000 -0500
@@ -26,3 +26,6 @@
.TP
.B --log-ip-options
Log options from the IP packet header.
+.TP
+.B --log-uid
+Log the userid of the process which generated the packet.
^ permalink raw reply [flat|nested] 5+ messages in thread
* iptables --log-uid patch for 2.6
@ 2004-11-28 18:55 John Lange
2004-12-08 4:33 ` Patrick McHardy
0 siblings, 1 reply; 5+ messages in thread
From: John Lange @ 2004-11-28 18:55 UTC (permalink / raw)
To: netfilter-develop
[-- Attachment #1: Type: text/plain, Size: 4398 bytes --]
I sent this to the list yesterday but I don't think it made it through.
Apologies if it is a duplicate.
Here are patches against the userspace and the kernel which allows the
logging of the uid that generated the (outgoing) packet.
This patch was originally the work of Martin Josefsson for the 2.4
kernel but was never incorporated into the main code base. My work here
simply ports it to the 2.6 kernel and the current version of netfilter
(iptables).
It is useful for figuring out which users might have had their accounts
compromised by spam relays, IRC bots or other such things.
I've been running this patch on a production server since Oct 30 without
any problems.
--- linux-2.6.9/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-18 16:55:07.000000000 -0500
+++
linux-2.6.9-jl1/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-30
16:42:12.000000000 -0500
@@ -4,7 +4,8 @@
#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
-#define IPT_LOG_MASK 0x07
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket
*/
+#define IPT_LOG_MASK 0x0f
struct ipt_log_info {
unsigned char level;
--- linux-2.6.9/net/ipv4/netfilter/ipt_LOG.c 2004-10-18
16:55:06.000000000 -0500
+++ linux-2.6.9-jl1/net/ipv4/netfilter/ipt_LOG.c 2004-10-30
19:21:12.000000000 -0500
@@ -384,6 +384,8 @@
}
dump_packet(loginfo, skb, 0);
+ if ((loginfo->logflags & IPT_LOG_UID) && skb->sk &&
skb->sk->sk_socket && skb->sk->sk_socket->file)
+ printk("UID=%u ", skb->sk->sk_socket->file->f_uid);
printk("\n");
spin_unlock_bh(&log_lock);
}
--- iptables-1.2.11/extensions/libipt_LOG.c 2004-06-14
17:02:16.000000000 -0500
+++ iptables-1.2.11-jl/extensions/libipt_LOG.c 2004-10-30
16:39:16.000000000 -0500
@@ -21,7 +21,8 @@
" --log-prefix prefix Prefix log messages with this
prefix.\n\n"
" --log-tcp-sequence Log TCP sequence numbers.\n\n"
" --log-tcp-options Log TCP options.\n\n"
-" --log-ip-options Log IP options.\n\n",
+" --log-ip-options Log IP options.\n\n"
+" --log-uid Log UID owning the local socket.\n\n",
IPTABLES_VERSION);
}
@@ -31,6 +32,7 @@
{ .name = "log-tcp-sequence", .has_arg = 0, .flag = 0, .val =
'1' },
{ .name = "log-tcp-options", .has_arg = 0, .flag = 0, .val =
'2' },
{ .name = "log-ip-options", .has_arg = 0, .flag = 0, .val =
'3' },
+ { .name = "log-uid", .has_arg = 0, .flag = 0, .val =
'4' },
{ .name = 0 }
};
@@ -98,6 +100,7 @@
#define IPT_LOG_OPT_TCPSEQ 0x04
#define IPT_LOG_OPT_TCPOPT 0x08
#define IPT_LOG_OPT_IPOPT 0x10
+#define IPT_LOG_OPT_UID 0x20
/* Function which parses command options; returns true if it
ate an option */
@@ -168,6 +171,15 @@
*flags |= IPT_LOG_OPT_IPOPT;
break;
+ case '4':
+ if (*flags & IPT_LOG_OPT_UID)
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --log-uid twice");
+
+ loginfo->logflags |= IPT_LOG_UID;
+ *flags |= IPT_LOG_OPT_UID;
+ break;
+
default:
return 0;
}
@@ -211,6 +223,8 @@
printf("tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("uid ");
if (loginfo->logflags & ~(IPT_LOG_MASK))
printf("unknown-flags ");
}
@@ -238,6 +252,8 @@
printf("--log-tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("--log-ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("--log-uid ");
}
static
--- iptables-1.2.11/extensions/libipt_LOG.man 2004-01-22
09:04:24.000000000 -0600
+++ iptables-1.2.11-jl/extensions/libipt_LOG.man 2004-10-30
19:28:09.000000000 -0500
@@ -26,3 +26,6 @@
.TP
.B --log-ip-options
Log options from the IP packet header.
+.TP
+.B --log-uid
+Log the userid of the process which generated the packet.
--
John Lange
OpenIT ltd.
(204) 885 0872
[-- Attachment #2: ipt_LOG-uid.patch --]
[-- Type: text/x-patch, Size: 961 bytes --]
--- linux-2.6.9/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-18 16:55:07.000000000 -0500
+++ linux-2.6.9-jl1/include/linux/netfilter_ipv4/ipt_LOG.h 2004-10-30 16:42:12.000000000 -0500
@@ -4,7 +4,8 @@
#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
-#define IPT_LOG_MASK 0x07
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#define IPT_LOG_MASK 0x0f
struct ipt_log_info {
unsigned char level;
--- linux-2.6.9/net/ipv4/netfilter/ipt_LOG.c 2004-10-18 16:55:06.000000000 -0500
+++ linux-2.6.9-jl1/net/ipv4/netfilter/ipt_LOG.c 2004-10-30 19:21:12.000000000 -0500
@@ -384,6 +384,8 @@
}
dump_packet(loginfo, skb, 0);
+ if ((loginfo->logflags & IPT_LOG_UID) && skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
+ printk("UID=%u ", skb->sk->sk_socket->file->f_uid);
printk("\n");
spin_unlock_bh(&log_lock);
}
[-- Attachment #3: ipt_LOG-uid.userspace.patch --]
[-- Type: text/x-patch, Size: 2148 bytes --]
--- iptables-1.2.11/extensions/libipt_LOG.c 2004-06-14 17:02:16.000000000 -0500
+++ iptables-1.2.11-jl/extensions/libipt_LOG.c 2004-10-30 16:39:16.000000000 -0500
@@ -21,7 +21,8 @@
" --log-prefix prefix Prefix log messages with this prefix.\n\n"
" --log-tcp-sequence Log TCP sequence numbers.\n\n"
" --log-tcp-options Log TCP options.\n\n"
-" --log-ip-options Log IP options.\n\n",
+" --log-ip-options Log IP options.\n\n"
+" --log-uid Log UID owning the local socket.\n\n",
IPTABLES_VERSION);
}
@@ -31,6 +32,7 @@
{ .name = "log-tcp-sequence", .has_arg = 0, .flag = 0, .val = '1' },
{ .name = "log-tcp-options", .has_arg = 0, .flag = 0, .val = '2' },
{ .name = "log-ip-options", .has_arg = 0, .flag = 0, .val = '3' },
+ { .name = "log-uid", .has_arg = 0, .flag = 0, .val = '4' },
{ .name = 0 }
};
@@ -98,6 +100,7 @@
#define IPT_LOG_OPT_TCPSEQ 0x04
#define IPT_LOG_OPT_TCPOPT 0x08
#define IPT_LOG_OPT_IPOPT 0x10
+#define IPT_LOG_OPT_UID 0x20
/* Function which parses command options; returns true if it
ate an option */
@@ -168,6 +171,15 @@
*flags |= IPT_LOG_OPT_IPOPT;
break;
+ case '4':
+ if (*flags & IPT_LOG_OPT_UID)
+ exit_error(PARAMETER_PROBLEM,
+ "Can't specify --log-uid twice");
+
+ loginfo->logflags |= IPT_LOG_UID;
+ *flags |= IPT_LOG_OPT_UID;
+ break;
+
default:
return 0;
}
@@ -211,6 +223,8 @@
printf("tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("uid ");
if (loginfo->logflags & ~(IPT_LOG_MASK))
printf("unknown-flags ");
}
@@ -238,6 +252,8 @@
printf("--log-tcp-options ");
if (loginfo->logflags & IPT_LOG_IPOPT)
printf("--log-ip-options ");
+ if (loginfo->logflags & IPT_LOG_UID)
+ printf("--log-uid ");
}
static
--- iptables-1.2.11/extensions/libipt_LOG.man 2004-01-22 09:04:24.000000000 -0600
+++ iptables-1.2.11-jl/extensions/libipt_LOG.man 2004-10-30 19:28:09.000000000 -0500
@@ -26,3 +26,6 @@
.TP
.B --log-ip-options
Log options from the IP packet header.
+.TP
+.B --log-uid
+Log the userid of the process which generated the packet.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: iptables --log-uid patch for 2.6
2004-11-28 18:55 iptables --log-uid patch for 2.6 John Lange
@ 2004-12-08 4:33 ` Patrick McHardy
2004-12-08 6:10 ` John Lange
0 siblings, 1 reply; 5+ messages in thread
From: Patrick McHardy @ 2004-12-08 4:33 UTC (permalink / raw)
To: John Lange; +Cc: netfilter-develop
[-- Attachment #1: Type: text/plain, Size: 747 bytes --]
John Lange wrote:
>I sent this to the list yesterday but I don't think it made it through.
>Apologies if it is a duplicate.
>
>Here are patches against the userspace and the kernel which allows the
>logging of the uid that generated the (outgoing) packet.
>
>This patch was originally the work of Martin Josefsson for the 2.4
>kernel but was never incorporated into the main code base. My work here
>simply ports it to the 2.6 kernel and the current version of netfilter
>(iptables).
>
Thanks, I've fixed locking (packets with skb->sk set may reach ipt_LOG
without the socket lock held through tunnel devices, so we need extra
locking) and added this patch to my tree. I'm going to add the userspace
patch when SVN is up again.
Regards
Patrick
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1918 bytes --]
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/12/08 04:53:15+01:00 kaber@coreworks.de
# [NETFILTER]: Add --log-uid option to ipt_LOG
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# net/ipv4/netfilter/ipt_LOG.c
# 2004/12/08 04:53:08+01:00 kaber@coreworks.de +8 -0
# [NETFILTER]: Add --log-uid option to ipt_LOG
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
# include/linux/netfilter_ipv4/ipt_LOG.h
# 2004/12/08 04:53:08+01:00 kaber@coreworks.de +2 -1
# [NETFILTER]: Add --log-uid option to ipt_LOG
#
# Signed-off-by: Patrick McHardy <kaber@trash.net>
#
diff -Nru a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
--- a/include/linux/netfilter_ipv4/ipt_LOG.h 2004-12-08 05:26:20 +01:00
+++ b/include/linux/netfilter_ipv4/ipt_LOG.h 2004-12-08 05:26:20 +01:00
@@ -4,7 +4,8 @@
#define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
#define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
#define IPT_LOG_IPOPT 0x04 /* Log IP options */
-#define IPT_LOG_MASK 0x07
+#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
+#define IPT_LOG_MASK 0x0f
struct ipt_log_info {
unsigned char level;
diff -Nru a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
--- a/net/ipv4/netfilter/ipt_LOG.c 2004-12-08 05:26:20 +01:00
+++ b/net/ipv4/netfilter/ipt_LOG.c 2004-12-08 05:26:20 +01:00
@@ -327,6 +327,14 @@
printk("PROTO=%u ", ih->protocol);
}
+ /* Max length: 15 "UID=4294967295 " */
+ if ((info->logflags & IPT_LOG_UID) && !iphoff && skb->sk) {
+ read_lock_bh(&skb->sk->sk_callback_lock);
+ if (skb->sk->sk_socket && skb->sk->sk_socket->file)
+ printk("UID=%u ", skb->sk->sk_socket->file->f_uid);
+ read_unlock_bh(&skb->sk->sk_callback_lock);
+ }
+
/* Proto Max log string length */
/* IP: 40+46+6+11+127 = 230 */
/* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: iptables --log-uid patch for 2.6
2004-12-08 4:33 ` Patrick McHardy
@ 2004-12-08 6:10 ` John Lange
2004-12-08 17:07 ` Patrick McHardy
0 siblings, 1 reply; 5+ messages in thread
From: John Lange @ 2004-12-08 6:10 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-develop
Thanks for response Patrick.
One small note...
I believe there is a limitation to this approach that makes it tricky
for blocking outbound packets. I hope you have a work-around.
Specifically, there is no way to allow packets that have no UID set such
as packets generated directly by the kernel.
The following rules were designed to block users from (accidentally)
installing spam relays on their web accounts (bad CGI scripts for
example).
I hope this example makes some sense:
e.g.
# first allow root (this allows root, but NOT the kernel!)
iptables -A OUTPUT -p ALL -m owner --uid-owner 0 -j ACCEPT
# allow anyone in the mail group
iptables -A OUTPUT -p tcp -m owner --gid-owner 102 --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-uid
iptables -A OUTPUT -p tcp --dport 25 -j DROP
----
Packets generated directly by the kernel (like RST packets) have no UID
set and therefore get blocked....
I suppose you could allow based on the type of packet but its not
exactly what you expect.
--
John Lange
OpenIT ltd.
(204) 885 0872
On Tue, 2004-12-07 at 22:33, Patrick McHardy wrote:
> John Lange wrote:
>
> >I sent this to the list yesterday but I don't think it made it through.
> >Apologies if it is a duplicate.
> >
> >Here are patches against the userspace and the kernel which allows the
> >logging of the uid that generated the (outgoing) packet.
> >
> >This patch was originally the work of Martin Josefsson for the 2.4
> >kernel but was never incorporated into the main code base. My work here
> >simply ports it to the 2.6 kernel and the current version of netfilter
> >(iptables).
> >
> Thanks, I've fixed locking (packets with skb->sk set may reach ipt_LOG
> without the socket lock held through tunnel devices, so we need extra
> locking) and added this patch to my tree. I'm going to add the userspace
> patch when SVN is up again.
>
> Regards
> Patrick
>
>
> ______________________________________________________________________
> # This is a BitKeeper generated diff -Nru style patch.
> #
> # ChangeSet
> # 2004/12/08 04:53:15+01:00 kaber@coreworks.de
> # [NETFILTER]: Add --log-uid option to ipt_LOG
> #
> # Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> # net/ipv4/netfilter/ipt_LOG.c
> # 2004/12/08 04:53:08+01:00 kaber@coreworks.de +8 -0
> # [NETFILTER]: Add --log-uid option to ipt_LOG
> #
> # Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> # include/linux/netfilter_ipv4/ipt_LOG.h
> # 2004/12/08 04:53:08+01:00 kaber@coreworks.de +2 -1
> # [NETFILTER]: Add --log-uid option to ipt_LOG
> #
> # Signed-off-by: Patrick McHardy <kaber@trash.net>
> #
> diff -Nru a/include/linux/netfilter_ipv4/ipt_LOG.h b/include/linux/netfilter_ipv4/ipt_LOG.h
> --- a/include/linux/netfilter_ipv4/ipt_LOG.h 2004-12-08 05:26:20 +01:00
> +++ b/include/linux/netfilter_ipv4/ipt_LOG.h 2004-12-08 05:26:20 +01:00
> @@ -4,7 +4,8 @@
> #define IPT_LOG_TCPSEQ 0x01 /* Log TCP sequence numbers */
> #define IPT_LOG_TCPOPT 0x02 /* Log TCP options */
> #define IPT_LOG_IPOPT 0x04 /* Log IP options */
> -#define IPT_LOG_MASK 0x07
> +#define IPT_LOG_UID 0x08 /* Log UID owning local socket */
> +#define IPT_LOG_MASK 0x0f
>
> struct ipt_log_info {
> unsigned char level;
> diff -Nru a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
> --- a/net/ipv4/netfilter/ipt_LOG.c 2004-12-08 05:26:20 +01:00
> +++ b/net/ipv4/netfilter/ipt_LOG.c 2004-12-08 05:26:20 +01:00
> @@ -327,6 +327,14 @@
> printk("PROTO=%u ", ih->protocol);
> }
>
> + /* Max length: 15 "UID=4294967295 " */
> + if ((info->logflags & IPT_LOG_UID) && !iphoff && skb->sk) {
> + read_lock_bh(&skb->sk->sk_callback_lock);
> + if (skb->sk->sk_socket && skb->sk->sk_socket->file)
> + printk("UID=%u ", skb->sk->sk_socket->file->f_uid);
> + read_unlock_bh(&skb->sk->sk_callback_lock);
> + }
> +
> /* Proto Max log string length */
> /* IP: 40+46+6+11+127 = 230 */
> /* TCP: 10+max(25,20+30+13+9+32+11+127) = 252 */
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: iptables --log-uid patch for 2.6
2004-12-08 6:10 ` John Lange
@ 2004-12-08 17:07 ` Patrick McHardy
0 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2004-12-08 17:07 UTC (permalink / raw)
To: John Lange; +Cc: netfilter-develop
John Lange wrote:
>Thanks for response Patrick.
>
>One small note...
>
>I believe there is a limitation to this approach that makes it tricky
>for blocking outbound packets. I hope you have a work-around.
>
>Specifically, there is no way to allow packets that have no UID set such
>as packets generated directly by the kernel.
>
>The following rules were designed to block users from (accidentally)
>installing spam relays on their web accounts (bad CGI scripts for
>example).
>
>I hope this example makes some sense:
>
>e.g.
>
># first allow root (this allows root, but NOT the kernel!)
>iptables -A OUTPUT -p ALL -m owner --uid-owner 0 -j ACCEPT
>
># allow anyone in the mail group
>iptables -A OUTPUT -p tcp -m owner --gid-owner 102 --dport 25 -j ACCEPT
>
>iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-uid
>iptables -A OUTPUT -p tcp --dport 25 -j DROP
>
>----
>
>Packets generated directly by the kernel (like RST packets) have no UID
>set and therefore get blocked....
>
>
I have a patch that lets you match "--owner" or "! --owner", this
should be enough. I'm going to merge it some time soon. You can
also use connection tracking, this should catch packets generated
by the kernel.
Regards
Patrick
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2004-12-08 17:07 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-11-28 18:55 iptables --log-uid patch for 2.6 John Lange
2004-12-08 4:33 ` Patrick McHardy
2004-12-08 6:10 ` John Lange
2004-12-08 17:07 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2004-11-27 22:30 John Lange
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.