* ipt_owner and ICMP
From: jay @ 2006-03-18 18:34 UTC (permalink / raw)
To: netfilter
Hi,
I'm currently using the ipt_owner module to enforce stronger outgoing packet
filtering on certain daemons. I create a custom chain with the stronger
rules and use '-m owner' to jump packets into the chain.
This works fine for UDP and TCP, but my outgoing ICMP packets never match
the rule. I understand why incoming ICMP should fail to match, but why are
outgoing packets missing the filter?
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
apache-output all -- anywhere anywhere OWNER UID match iptest
Chain apache-output (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere
(nothing in the acctboth chain causes a jump)
Any ideas?
--
Jay L.T. Cornwall, http://www.esuna.co.uk/~jay/
PhD Student
Imperial College London
* Re: ipt_owner and ICMP
From: Alexandru Dragoi @ 2006-03-19 0:22 UTC (permalink / raw)
To: jay; +Cc: netfilter
jay@esuna.co.uk wrote:
>Hi,
>
>I'm currently using the ipt_owner module to enforce stronger outgoing packet
>filtering on certain daemons. I create a custom chain with the stronger
>rules and use '-m owner' to jump packets into the chain.
>
>This works fine for UDP and TCP, but my outgoing ICMP packets never match
>the rule. I understand why incoming ICMP should fail to match, but why are
>outgoing packets missing the filter?
>
>Chain OUTPUT (policy ACCEPT)
>target prot opt source destination
>acctboth all -- anywhere anywhere
>ACCEPT all -- anywhere anywhere
>apache-output all -- anywhere anywhere OWNER UID match iptest
>
>Chain apache-output (1 references)
>target prot opt source destination
>DROP icmp -- anywhere anywhere
>
>(nothing in the acctboth chain causes a jump)
>
>Any ideas?
>
>
>
I think this is because icmp packets are just generated and sent away by
some part of the kernel after it received a syscall from a program with
uid 0 (only root can use icmp).
* Re: ipt_owner and ICMP
From: Jay L.T. Cornwall @ 2006-03-19 0:26 UTC (permalink / raw)
To: netfilter
Alexandru Dragoi wrote:
>> This works fine for UDP and TCP, but my outgoing ICMP packets never match
>> the rule. I understand why incoming ICMP should fail to match, but why are
>> outgoing packets missing the filter?
> I think this is because icmp packets are just generated and sent away by
> some part of the kernel after it received a syscall from a program with
> uid 0 (only root can use icmp).
Oh, of course! *slaps head*
Ping was running as setuid root. I feel silly now, thanks for pointing
that out. :)
--
Jay L.T. Cornwall, http://www.esuna.co.uk/~jay/
PhD Student
Imperial College London
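The thread's lesson is that '-m owner --uid-owner' keys on the uid the socket was created under, so a setuid-root helper such as ping sends its packets as root no matter who ran it, and a per-user egress chain never sees them. The following POSIX shell script is an added example, not code from the thread or from the netfilter project: it lists the setuid executables (and, where getcap is installed, the file-capability executables, which keep the caller's uid) that an administrator should account for before relying on the owner match, and it prints, without running, the rule set the original post describes. The user and chain names (iptest, apache-output) are taken from the thread; the script's own function names and the sample directory used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit which executables would make
# '-m owner --uid-owner' see traffic as root instead of the invoking user,
# and emit the per-daemon egress chain described in the original post.
# Nothing here calls iptables; egress_rules only prints the commands.

# List regular files under $1 that carry the setuid bit. Any root-owned
# entry that opens a socket (ping, traceroute, ...) creates that socket
# with uid 0, so an owner-match rule written for the invoking user never
# matches its packets. This is exactly the ping case from the thread.
find_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Complementary check: a binary that gets cap_net_raw through file
# capabilities (how many current distributions ship ping) keeps the
# caller's uid, so its packets do match --uid-owner for that user.
# getcap comes from the libcap tools and is optional; print nothing
# when it is absent rather than failing.
find_filecaps() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$1" 2>/dev/null | sort
}

# Print (do not run) the rule set from the thread: a custom chain that
# drops outgoing ICMP, and an OUTPUT rule that jumps the daemon user's
# packets into it via the owner match. $1 = user, $2 = chain name.
egress_rules() {
    user=$1
    chain=$2
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A %s -p icmp -j DROP\n' "$chain"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' "$user" "$chain"
}

# Usage (assumed invocation): sh owner_audit.sh /usr/bin iptest apache-output
if [ "$#" -eq 3 ]; then
    echo "# setuid executables under $1 (sockets created as root):"
    find_setuid "$1"
    echo "# file-capability executables under $1 (keep the caller's uid):"
    find_filecaps "$1"
    echo "# rules for user $2 -> chain $3:"
    egress_rules "$2" "$3"
fi
```

Run it against the directories that hold the daemon user's helpers (/usr/bin, /usr/sbin, /usr/lib); every root-owned setuid binary it reports is traffic that the uid-owner rule will attribute to root, which is why the thread's DROP rule never fired for ping.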