From: Alin Dobre <alin.dobre-1hSFou9RDDldEee+Cai+ZQ@public.gmane.org>
To: netfilter-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Jan Engelhardt <jengelh-nopoi9nDyk+ELgA04lAiVw@public.gmane.org>
Subject: Netfilter owner matching inside user namespace
Date: Tue, 20 May 2014 17:16:54 +0100
Message-ID: <537B7FF6.9050103@elastichosts.com>
Hello,
I am trying to run the following command inside an image using user
namespaces via contain [1], a very simplistic implementation of Linux
containers:
contain /path/to/image /bin/bash
Although the host kernel does have support for owner matching and it
works with no errors, running the following iptables command inside the
container:
iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
returns the error "Invalid argument".
The last commit for the netfilter xt_owner module is exactly Eric's
basic support for user namespaces, but there might be some other recent
changes either in the namespaces area or netfilter in general, which
brought the module into an unusable state inside containers - at least for
the above command usage.
I can try to send the image I used for testing to anyone who desires,
but a handy shortcut should be "debootstrap trusty /path/to/image" and
"chroot /path/to/image apt-get install iptables".
The host kernel is 3.14.4, iptables version on the host is 1.4.15 and
inside the Ubuntu container is 1.4.18. I have tried with Ubuntu 13.* and
Ubuntu 14.04, but I don't think the userspace has anything to do with this.
I can provide any additional information needed.
Any insights on this?
Cheers,
Alin.
[1] https://github.com/arachsys/containers
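The failure the mail reports, as an added reproduction script that is not part of the original post: it loads the same owner-match rule on the host and then inside a fresh user namespace created with util-linux `unshare -Urn` (assumed to be installed, together with iptables), so the two results can be compared directly. The `uid_map` check is a constructed helper for telling the initial user namespace apart from a child one.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes util-linux `unshare`
# (with -r/--map-root-user) and iptables on PATH; must run as root on the host.

# in_init_userns: read a uid_map on stdin and succeed only if it is the
# identity map of the initial user namespace ("0 0 4294967295"). Any other
# map means the caller is inside a child user namespace, which is the
# situation in which the reported -m owner failure occurs.
in_init_userns() {
    read -r inside outside count || return 1
    [ "$inside" = "0" ] && [ "$outside" = "0" ] && [ "$count" = "4294967295" ]
}

# owner_rule: append the rule from the report, print the exit code, and
# remove the rule again so the host's OUTPUT chain is left as it was.
owner_rule() {
    iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
    rc=$?
    echo "exit=$rc"
    [ "$rc" -eq 0 ] && iptables -D OUTPUT -m owner --uid-owner root -j ACCEPT
    return "$rc"
}

# reproduce: host run first, then the same rule inside `unshare -Urn`, i.e. a
# new user namespace with this uid mapped to root plus a private net namespace
# (so nothing touches the host firewall). xt_owner is loaded up front because
# module autoload from inside a user namespace may not be permitted.
reproduce() {
    modprobe xt_owner 2>/dev/null || true
    echo "== host, init userns: $(in_init_userns </proc/self/uid_map && echo yes || echo no)"
    owner_rule || true
    echo "== inside unshare -Urn"
    unshare -Urn sh -c '
        read -r inside outside count </proc/self/uid_map
        echo "uid_map: $inside $outside $count"
        iptables -A OUTPUT -m owner --uid-owner root -j ACCEPT
        echo "exit=$?"
    '
}

# Only perform the live reproduction when explicitly asked for.
[ "${1:-}" = "run" ] && reproduce
```

Invoke as `sh repro.sh run`; the host run is expected to print `exit=0` while the namespaced run reports the "Invalid argument" error the mail describes if the kernel behaves as reported.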