From: Topi Miettinen <toiwoton@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Support for loading firewall rules with cgroup(v2) expressions early
Date: Mon, 28 Mar 2022 17:08:32 +0300 [thread overview]
Message-ID: <418f6461-4504-4707-5ec2-61227af2ad27@gmail.com> (raw)
In-Reply-To: <YkDXwaPwYf8NgKT+@salvia>
On 28.3.2022 0.31, Pablo Neira Ayuso wrote:
> Hi,
>
> On Sat, Mar 26, 2022 at 12:09:26PM +0200, Topi Miettinen wrote:
>> Hi,
>>
>> I'd like to use cgroupv2 expressions in firewall rules. But since the rules
>> are loaded very early in the boot, the expressions are rejected since the
>> target cgroups are not realized until much later.
>>
>> Would it be possible to add new cgroupv2 expressions which defer the check
>> until actual use? For example, 'cgroupv2name' (like iifname etc.) would
>> check the cgroup path string at rule use time?
>>
>> Another possibility would be to hook into cgroup directory creation logic in
>> kernel so that when the cgroup is created, part of the path checks are
>> performed or something else which would allow non-existent cgroups to be
>> used. Then the NFT syntax would not need changing, but the expressions would
>> "just work" even when loaded early.
>
> Could you use inotify/dnotify/eventfd to track these updates from
> userspace and update the nftables sets accordingly? AFAIK, this is
> available to cgroupsv2.
It's possible, there's for example:
https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager
https://github.com/helsinki-systems/nft_cgroupv2/
But I think that with this approach, depending on system load, there
could be a vulnerable time window where the rules aren't loaded yet but
the process which is supposed to be protected by the rules has already
started running. This isn't desirable for firewalls, so I'd like to have
a way for loading the firewall rules as early as possible.
-Topi
>
>> Indirection through sets ('socket cgroupv2 level @lvl @cgname drop') might
>> work in some cases, but it would need support from cgroup manager like
>> systemd which would manage the sets. This would also probably not be
>> scalable to unprivileged users or containers.
>>
>> This also applies to old cgroup (v1) expression but that's probably not
>> worth improving anymore.
>>
>> Related work on systemd side:
>> https://github.com/systemd/systemd/issues/22527
>>
>> -Topi
next prev parent reply other threads:[~2022-03-28 14:08 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-26 10:09 Support for loading firewall rules with cgroup(v2) expressions early Topi Miettinen
2022-03-27 21:31 ` Pablo Neira Ayuso
2022-03-28 14:08 ` Topi Miettinen [this message]
2022-03-28 15:05 ` Pablo Neira Ayuso
2022-03-28 17:46 ` Topi Miettinen
2022-03-29 18:20 ` Topi Miettinen
2022-03-29 22:25 ` Pablo Neira Ayuso
2022-03-30 2:53 ` Pablo Neira Ayuso
2022-04-02 8:12 ` Topi Miettinen
2022-04-03 18:32 ` Topi Miettinen
2022-04-05 22:00 ` Pablo Neira Ayuso
2022-04-06 13:57 ` Topi Miettinen
2022-03-30 16:37 ` Topi Miettinen
2022-03-30 21:47 ` Pablo Neira Ayuso
2022-03-31 15:10 ` Topi Miettinen
2022-04-05 22:18 ` Pablo Neira Ayuso
2022-04-06 14:02 ` Topi Miettinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=418f6461-4504-4707-5ec2-61227af2ad27@gmail.com \
--to=toiwoton@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).