
LCE: Challenges for Linux networking


Posted Nov 8, 2012 3:03 UTC (Thu) by dlang (✭ supporter ✭, #313)
Parent article: LCE: Challenges for Linux networking

> reconfiguring the firewall involves clearing the old configuration and leaving things open for a period

This is only the case if you are doing it wrong.

The right way to do this is to set the default policies to 'drop everything', then flush the rules (at this point, nothing goes through), then set the new rules, and if needed, change the default policies.

By setting the default policies to 'drop' rather than 'reject', packets sent by anything will just be silently dropped, and the sender will retry in a little bit (by which time the new rules should be in place).

In addition to this, it is possible to insert or remove rules in the existing ruleset, but figuring out the right way to do this is hard.

There is also the 'owner' module that lets you set rules by a number of criteria.

From man iptables:

owner
This module attempts to match various characteristics of the packet
creator, for locally generated packets. This match is only valid in the
OUTPUT and POSTROUTING chains. Forwarded packets do not have any socket
associated with them. Packets from kernel threads do have a socket, but
usually no owner.

[!] --uid-owner username

[!] --uid-owner userid[-userid]
Matches if the packet socket's file structure (if it has one) is
owned by the given user. You may also specify a numerical UID,
or an UID range.

[!] --gid-owner groupname

[!] --gid-owner groupid[-groupid]
Matches if the packet socket's file structure is owned by the
given group. You may also specify a numerical GID, or a GID
range.

[!] --socket-exists
Matches if the packet is associated with a socket.

In addition to this I see references to --cmd-owner that lets you set rules based on the name of the program running it.


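The reload order dlang describes, written out as a POSIX shell script that drives iptables, with an owner-match rule pair from the quoted man page section in the new ruleset. This is an added example, not code from the thread or from dlang; the sample rules, the "backup" user name and the DRY_RUN default (print instead of execute) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the LWN thread: reload an iptables ruleset in
# the order dlang describes, so that no packet is accepted by a half-loaded
# table.  1) policy DROP on every built-in chain, 2) flush, 3) load the new
# rules, 4) relax the policies that should end up open.
# The sample rules, the "backup" user and the DRY_RUN default are assumptions
# made for illustration; with DRY_RUN=0 the script really calls iptables.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Step 1: close the filter table before touching it.  DROP rather than
# REJECT: a client just sees a delayed packet and retransmits, instead of
# getting an immediate connection error while the rules are being replaced.
close_table() {
    for chain in INPUT FORWARD OUTPUT; do
        ipt -P "$chain" DROP
    done
}

# Step 2: flush every rule and delete user-defined chains.  From here on the
# DROP policies are the only thing deciding a packet's fate.
flush_table() {
    ipt -F
    ipt -X
}

# Step 3: install the new ruleset.  The OUTPUT rules use the owner match from
# the man page excerpt above: the constructed "backup" user may only open SSH
# connections, everything else it originates is rejected.
load_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner backup -p tcp --dport 22 -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner backup -j REJECT
    ipt -A OUTPUT -j ACCEPT
}

# Step 4: only now open the policies that should end up open.  INPUT and
# FORWARD stay at DROP, which is the usual final state anyway.
open_policies() {
    ipt -P OUTPUT ACCEPT
}

reload_firewall() {
    close_table
    flush_table
    load_rules
    open_policies
}

# The full command sequence as text, for review before applying it.
reload_plan() {
    ( DRY_RUN=1; reload_firewall )
}

reload_firewall
```

Run it once with the default DRY_RUN=1 and read the printed sequence: the three DROP policies must come before the flush, and the only policy relaxed afterwards is OUTPUT. The owner rules sit in OUTPUT because, as the man page says, the match is only valid in OUTPUT and POSTROUTING.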

LCE: Challenges for Linux networking

Posted Nov 8, 2012 9:47 UTC (Thu) by smurf (subscriber, #17840)

It's even easier than that.

You simply create real-input-company and real-input-internetcafe and ... rules, then redirect everything from INPUT to real-input-whatever.

Switching between rulesets is an atomic "delete old redirect, insert new; do this for all built-in rules; commit". Not exactly rocket science.

The interesting bit is, of course, per-application routing ("no, online games may not use the company WLAN") or even per-connection routing (i.e. "keep the existing connections on the old default route, but run everything else on the new route"). We can't do that. Yet. (Owner rules might work on Android, but not on a desktop where everything runs as the same user.)
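The indirection layout smurf describes, as a generator for iptables-restore input: INPUT carries one jump to a profile chain, and switching profiles regenerates the table with a different jump. This is an added example, not smurf's code or anything from the page; the chain names real-input-company and real-input-internetcafe come from the comment, while the rules inside them, the 10.0.0.0/8 network and the DRY_RUN default (print instead of apply) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not smurf's code: profile switching via indirection chains.
# INPUT holds shared rules and a single jump to real-input-<profile>; the
# whole filter table is handed to iptables-restore, which commits it in one
# replacement, so there is never a moment with an empty INPUT chain.
# Profile rules, the 10.0.0.0/8 network and DRY_RUN=1 are assumptions.

PROFILES="company internetcafe"

# The profile chains and their rules (constructed sample policy).
emit_profile_chains() {
    cat <<'EOF'
-A real-input-company -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
-A real-input-company -s 10.0.0.0/8 -p tcp --dport 445 -j ACCEPT
-A real-input-company -j DROP
-A real-input-internetcafe -p tcp --dport 22 -j DROP
-A real-input-internetcafe -j DROP
EOF
}

# Build a complete iptables-restore input for the filter table with INPUT
# routed to the chosen profile.  An unknown profile name is rejected before a
# single line is produced, so a typo can never reach iptables-restore.
build_ruleset() {
    profile=$1
    case " $PROFILES " in
        *" $profile "*) ;;
        *) echo "unknown profile: $profile" >&2; return 1 ;;
    esac
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for p in $PROFILES; do
        echo ":real-input-$p - [0:0]"
    done
    # Shared rules first, then the one jump that selects the profile.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -j real-input-$profile"
    emit_profile_chains
    echo 'COMMIT'
}

# Apply a profile.  DRY_RUN=1 (the default here) prints the table instead.
switch_profile() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        build_ruleset "$1"
    else
        build_ruleset "$1" | iptables-restore
    fi
}

# Which profile a generated table jumps to, for inspection.
active_profile() {
    build_ruleset "$1" | sed -n 's/^-A INPUT -j real-input-//p'
}

switch_profile "${1:-company}"
```

iptables-restore reads the whole table and installs it in a single replacement when it reaches COMMIT, which is the "commit" in the comment. If only the jump should change, iptables -R INPUT <n> -j real-input-<profile> replaces that one rule instead, and a single iptables invocation also swaps the table in one step, so neither variant leaves INPUT empty in between.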

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds