From: James Morris <jmorris@namei.org>
To: netdev@vger.kernel.org
Subject: [PATCH 0/18] skfilter - Netfilter socket filtering and SELinux integration
Date: Tue, 25 Oct 2005 16:21:17 -0400 (EDT)
Cc: Harald Welte <laforge@netfilter.org>, Stephen Smalley <sds@tycho.nsa.gov>, Patrick McHardy <kaber@trash.net>
This patchset implements a Netfilter hook at the socket layer, and new
skfilter tables for IPv4 and IPv6. These changes allow iptables to match
incoming packets against the destination socket (so the incoming owner
match will work, for example), and also allow SELinux to make use of
iptables.

The patches here add the Netfilter and iptables infrastructure for hooking
and filtering packets at the socket layer, then add support for the
incoming owner match, as well as adding SELinux security context logging
and matching. The latter is a first step in allowing SELinux to fully
utilize iptables and Netfilter features.

The Netfilter and iptables infrastructure code is based on work originally
by Patrick McHardy, which has now been simplified to use sk_filter() as a
hook point rather than putting hooks into each protocol.

Here's an example of a simple SELinux security context match:

  # iptables -t skfilter -A SOCKET -p tcp --dport 80 \
      -m owner --ctx-owner system_u:system_r:httpd_t -j ACCEPT

This can be used to ensure that only the httpd_t domain can receive
packets on port 80.

People may also find it useful to log SELinux security contexts:

  # ip6tables -t skfilter -A SOCKET -p tcp --dport 80 -j LOG --log-context

The state match is particularly useful with SELinux, as it simplifies
rules, and automatically caters to ephemeral ports, FTP data connections,
related ICMP messages etc.

Simplified example for an FTP server:

  # iptables -t skfilter -A SOCKET -p tcp --dport 21 -m owner \
      --ctx-owner system_u:system_r:ftpd_t -m state --state NEW -j ACCEPT
  # iptables -t skfilter -A SOCKET -p tcp -m state --state \
      ESTABLISHED,RELATED -j ACCEPT
  # iptables -t skfilter -A OUTPUT -p tcp -m state --state \
      ESTABLISHED,RELATED -j ACCEPT
  # iptables -t skfilter -A SOCKET -p icmp -m state --state \
      RELATED -j ACCEPT
  # iptables -t skfilter -A OUTPUT -p icmp -m state --state \
      RELATED -j ACCEPT

A further phase in this development may be to further extend SELinux
support so that matches can be made against abstract SELinux policy types
(e.g. 'intranet_netif_t' instead of just 'eth0'), and for the existing
SELinux network packet controls to be deprecated and removed.

These patches are intended for upstream inclusion after review and
feedback. Harald (or anyone), please suggest which tree to base further
submissions on (I know this will clash with x_tables, but am not sure how
close you are to upstream merging).

Userspace changes, example rulesets and full patches are available at
http://people.redhat.com/jmorris/selinux/skfilter/

A full diffstat is included below.

Comments welcome.

include/linux/netfilter.h | 38 +++++
include/linux/netfilter_ipv4.h | 5
include/linux/netfilter_ipv4/ip_tables.h | 3
include/linux/netfilter_ipv4/ipt_LOG.h | 3
include/linux/netfilter_ipv4/ipt_owner.h | 3
include/linux/netfilter_ipv6.h | 5
include/linux/netfilter_ipv6/ip6_tables.h | 3
include/linux/netfilter_ipv6/ip6t_LOG.h | 3
include/linux/netfilter_ipv6/ip6t_owner.h | 3
include/linux/netfilter_logging.h | 2
include/linux/selinux.h | 87 +++++++++++
include/net/sock.h | 6
net/ipv4/ip_input.c | 4
net/ipv4/netfilter/Kconfig | 12 +
net/ipv4/netfilter/Makefile | 1
net/ipv4/netfilter/ip_conntrack_proto_icmp.c | 9 -
net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 18 +-
net/ipv4/netfilter/ip_conntrack_proto_udp.c | 6
net/ipv4/netfilter/ip_nat_rule.c | 4
net/ipv4/netfilter/ip_tables.c | 12 +
net/ipv4/netfilter/ipt_CLASSIFY.c | 1
net/ipv4/netfilter/ipt_CLUSTERIP.c | 1
net/ipv4/netfilter/ipt_CONNMARK.c | 1
net/ipv4/netfilter/ipt_DSCP.c | 1
net/ipv4/netfilter/ipt_ECN.c | 1
net/ipv4/netfilter/ipt_LOG.c | 47 +++++-
net/ipv4/netfilter/ipt_MARK.c | 2
net/ipv4/netfilter/ipt_MASQUERADE.c | 1
net/ipv4/netfilter/ipt_NETMAP.c | 1
net/ipv4/netfilter/ipt_NFQUEUE.c | 1
net/ipv4/netfilter/ipt_NOTRACK.c | 1
net/ipv4/netfilter/ipt_REDIRECT.c | 1
net/ipv4/netfilter/ipt_REJECT.c | 1
net/ipv4/netfilter/ipt_SAME.c | 1
net/ipv4/netfilter/ipt_TCPMSS.c | 1
net/ipv4/netfilter/ipt_TOS.c | 1
net/ipv4/netfilter/ipt_TTL.c | 6
net/ipv4/netfilter/ipt_ULOG.c | 2
net/ipv4/netfilter/ipt_addrtype.c | 6
net/ipv4/netfilter/ipt_ah.c | 1
net/ipv4/netfilter/ipt_comment.c | 1
net/ipv4/netfilter/ipt_connbytes.c | 1
net/ipv4/netfilter/ipt_connmark.c | 1
net/ipv4/netfilter/ipt_conntrack.c | 1
net/ipv4/netfilter/ipt_dccp.c | 1
net/ipv4/netfilter/ipt_dscp.c | 6
net/ipv4/netfilter/ipt_ecn.c | 6
net/ipv4/netfilter/ipt_esp.c | 1
net/ipv4/netfilter/ipt_hashlimit.c | 1
net/ipv4/netfilter/ipt_helper.c | 1
net/ipv4/netfilter/ipt_iprange.c | 1
net/ipv4/netfilter/ipt_length.c | 1
net/ipv4/netfilter/ipt_limit.c | 1
net/ipv4/netfilter/ipt_mac.c | 1
net/ipv4/netfilter/ipt_mark.c | 1
net/ipv4/netfilter/ipt_multiport.c | 2
net/ipv4/netfilter/ipt_owner.c | 72 ++++++++-
net/ipv4/netfilter/ipt_physdev.c | 1
net/ipv4/netfilter/ipt_pkttype.c | 1
net/ipv4/netfilter/ipt_realm.c | 1
net/ipv4/netfilter/ipt_recent.c | 4
net/ipv4/netfilter/ipt_sctp.c | 1
net/ipv4/netfilter/ipt_state.c | 1
net/ipv4/netfilter/ipt_string.c | 1
net/ipv4/netfilter/ipt_tcpmss.c | 1
net/ipv4/netfilter/ipt_tos.c | 1
net/ipv4/netfilter/ipt_ttl.c | 6
net/ipv4/netfilter/iptable_filter.c | 4
net/ipv4/netfilter/iptable_mangle.c | 4
net/ipv4/netfilter/iptable_raw.c | 2
net/ipv4/netfilter/iptable_skfilter.c | 179 ++++++++++++++++++++++++
net/ipv6/netfilter/Kconfig | 13 +
net/ipv6/netfilter/Makefile | 1
net/ipv6/netfilter/ip6_tables.c | 15 +-
net/ipv6/netfilter/ip6t_HL.c | 1
net/ipv6/netfilter/ip6t_LOG.c | 50 +++++-
net/ipv6/netfilter/ip6t_MARK.c | 1
net/ipv6/netfilter/ip6t_NFQUEUE.c | 1
net/ipv6/netfilter/ip6t_REJECT.c | 1
net/ipv6/netfilter/ip6t_ah.c | 1
net/ipv6/netfilter/ip6t_dst.c | 1
net/ipv6/netfilter/ip6t_esp.c | 1
net/ipv6/netfilter/ip6t_eui64.c | 1
net/ipv6/netfilter/ip6t_frag.c | 1
net/ipv6/netfilter/ip6t_hbh.c | 1
net/ipv6/netfilter/ip6t_hl.c | 6
net/ipv6/netfilter/ip6t_ipv6header.c | 1
net/ipv6/netfilter/ip6t_length.c | 9 +
net/ipv6/netfilter/ip6t_limit.c | 1
net/ipv6/netfilter/ip6t_mac.c | 1
net/ipv6/netfilter/ip6t_mark.c | 1
net/ipv6/netfilter/ip6t_multiport.c | 1
net/ipv6/netfilter/ip6t_owner.c | 76 +++++++++-
net/ipv6/netfilter/ip6t_physdev.c | 1
net/ipv6/netfilter/ip6t_rt.c | 1
net/ipv6/netfilter/ip6table_filter.c | 4
net/ipv6/netfilter/ip6table_mangle.c | 4
net/ipv6/netfilter/ip6table_raw.c | 2
net/ipv6/netfilter/ip6table_skfilter.c | 198 +++++++++++++++++++++++++++
net/ipv6/tcp_ipv6.c | 2
net/netfilter/Makefile | 2
net/netfilter/core.c | 88 +++++++++++-
net/netfilter/nf_log.c | 3
net/netfilter/nf_sk.c | 43 +++++
net/netfilter/nfnetlink_log.c | 1
security/selinux/Makefile | 2
security/selinux/exports.c | 45 ++++++
security/selinux/hooks.c | 37 +++--
security/selinux/include/security.h | 5
security/selinux/ss/services.c | 4
110 files changed, 1115 insertions(+), 123 deletions(-)

- James

--
James Morris <jmorris@namei.org>
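The FTP ruleset above follows one pattern per service: a NEW-state SOCKET rule tied to an SELinux domain via --ctx-owner, plus shared ESTABLISHED/RELATED rules. The script below is an added example (not part of James Morris's patchset or the skfilter userspace) that generates that ruleset for any list of "port context" pairs and for either iptables or ip6tables; it assumes the skfilter table and --ctx-owner option from the patchset exist, validates the context shape before building a rule, and prints commands rather than executing them.

```shell
#!/bin/sh
# Added example: generate the skfilter SOCKET ruleset from the cover letter
# for any number of services, each bound to an SELinux domain.
# Assumes iptables/ip6tables carry the skfilter table and --ctx-owner (from
# the patchset). Commands are printed, not run; pipe the output to sh to apply.

# Accept only the user:role:type[:level] shape of a SELinux context, and
# reject characters that would break the generated command line.
is_selinux_ctx() {
    case "$1" in
        *:*:*) ;;                        # at least user:role:type
        *) return 1 ;;
    esac
    case "$1" in
        *' '*|*'"'*|*"'"*) return 1 ;;
    esac
    return 0
}

# One NEW-state SOCKET rule: only domain $3 may receive new TCP connections
# on port $2, emitted for tool $1 (iptables or ip6tables).
service_rule() {
    is_selinux_ctx "$3" || return 1
    printf '%s -t skfilter -A SOCKET -p tcp --dport %s -m owner --ctx-owner %s -m state --state NEW -j ACCEPT\n' "$1" "$2" "$3"
}

# Shared rules from the FTP example: reply and related traffic in both
# directions (ephemeral ports, FTP data connections, related ICMP).
common_rules() {
    tool=$1
    case "$tool" in
        ip6tables) icmp=icmpv6 ;;        # assumption: ip6tables protocol name
        *) icmp=icmp ;;
    esac
    for chain in SOCKET OUTPUT; do
        printf '%s -t skfilter -A %s -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$tool" "$chain"
        printf '%s -t skfilter -A %s -p %s -m state --state RELATED -j ACCEPT\n' "$tool" "$chain" "$icmp"
    done
}

# Full ruleset for tool $1 from "port context" pairs on stdin. A malformed
# context is reported on stderr and skipped rather than turned into a rule.
ruleset() {
    tool=$1
    common_rules "$tool"
    while read -r port ctx; do
        service_rule "$tool" "$port" "$ctx" || echo "skipping bad context: $ctx" >&2
    done
}

# Constructed sample input: the two services from the cover letter.
printf '21 system_u:system_r:ftpd_t\n80 system_u:system_r:httpd_t\n' | ruleset iptables
```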