mir/criu
2
0
Fork 0
mirror of https://github.com/checkpoint-restore/criu synced 2025-08-30 05:48:05 +00:00
Code Issues Releases Wiki Activity

iptables: use OUTPUT table to block locally-generated packet

Browse Source 
We was going to block a connections in both directions (v0.6-97-g0a1b70b),
but both iptable rules are added in the INPUT table. It's wrong, because
the rule must be added to the OUTPUT table to block locally-generated packets

Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
This commit is contained in:
Andrey Vagin 2013-09-17 23:55:08 +04:00 committed by Pavel Emelyanov
parent 1fd180ca6c
commit 522fa17071
1 changed files with 12 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
netfilter.c
View File

@ -20,13 +20,15 @@ static char buf[512];
* ANy brave soul to write it using xtables-devel?
*/
static const char *nf_conn_cmd = "%s -t filter %s INPUT --protocol tcp "
static const char *nf_conn_cmd = "%s -t filter %s %s --protocol tcp "
"--source %s --sport %d --destination %s --dport %d -j DROP";
static char iptable_cmd_ipv4[] = "iptables";
static char iptable_cmd_ipv6[] = "ip6tables";
static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32 *dst_addr, u16 dst_port, int lock)
static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
u32 *dst_addr, u16 dst_port,
bool input, bool lock)
{
char sip[INET_ADDR_LEN], dip[INET_ADDR_LEN];
char *cmd;
@ -50,7 +52,9 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
return -1;
}
snprintf(buf, sizeof(buf), nf_conn_cmd, cmd, lock ? "-A" : "-D",
snprintf(buf, sizeof(buf), nf_conn_cmd, cmd,
lock ? "-A" : "-D",
input ? "INPUT" : "OUTPUT",
dip, (int)dst_port, sip, (int)src_port);
pr_debug("\tRunning iptables [%s]\n", buf);
@ -71,17 +75,17 @@ static int nf_connection_switch(struct inet_sk_desc *sk, int lock)
ret = nf_connection_switch_raw(sk->sd.family,
sk->src_addr, sk->src_port,
sk->dst_addr, sk->dst_port, lock);
sk->dst_addr, sk->dst_port, true, lock);
if (ret)
return -1;
ret = nf_connection_switch_raw(sk->sd.family,
sk->dst_addr, sk->dst_port,
sk->src_addr, sk->src_port, lock);
sk->src_addr, sk->src_port, false, lock);
if (ret) /* rollback */
nf_connection_switch_raw(sk->sd.family,
sk->src_addr, sk->src_port,
sk->dst_addr, sk->dst_port, !lock);
sk->dst_addr, sk->dst_port, true, !lock);
return ret;
}
@ -101,10 +105,10 @@ int nf_unlock_connection_info(struct inet_sk_info *si)
ret |= nf_connection_switch_raw(si->ie->family,
si->ie->src_addr, si->ie->src_port,
si->ie->dst_addr, si->ie->dst_port, 0);
si->ie->dst_addr, si->ie->dst_port, true, 0);
ret |= nf_connection_switch_raw(si->ie->family,
si->ie->dst_addr, si->ie->dst_port,
si->ie->src_addr, si->ie->src_port, 0);
si->ie->src_addr, si->ie->src_port, false, 0);
/*
* rollback nothing in case of any error,
* because nobody checks errors of this function