Bug 1269914 - can't firewall packets coming through raw sockets
Summary: can't firewall packets coming through raw sockets
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Neil Horman
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: dualstack
TreeView+ depends on / blocked
 
Reported: 2015-10-08 13:31 UTC by Pavel Šimerda (pavlix)
Modified: 2016-10-19 10:55 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-17 19:06:46 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Pavel Šimerda (pavlix) 2015-10-08 13:31:42 UTC 
When testing IPv4 and IPv6 networking I'm using iptables to block or redirect certain services. I recently realized I can't do that with dhclient and I learned from jpopelka and online sources that packets coming through raw sockets aren't affected by iptables rules.

I also sense a potential security problem here as administrators tend to rely on firewall features and may not be aware that some common software packages bypass it entirely. But my primary motivation is still the networking testing and I am interested in any workarounds to get DHCP and similar services rejected, dropped and redirected.
Comment 1 Pavel Šimerda (pavlix) 2015-10-08 13:36:29 UTC 
Some resources...

 * http://lists.netfilter.org/pipermail/netfilter-devel/2003-March/010826.html
 * http://louwrentius.com/why-filtering-dhcp-traffic-is-not-always-possible-with-iptables.html
 * https://kb.isc.org/article/AA-00379/0/How-DHCP-uses-raw-sockets.html
Comment 2 Laura Abbott 2016-09-23 19:33:14 UTC 
*********** MASS BUG UPDATE **************
 
We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 23 kernel bugs.
 
Fedora 23 has now been rebased to 4.7.4-100.fc23.  Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel.
 
If you have moved on to Fedora 24 or 25, and are still experiencing this issue, please change the version to Fedora 24 or 25.
 
If you experience different issues, please open a new bug report for those.
Comment 3 Neil Horman 2016-10-17 19:06:46 UTC 
Raw sockets hook in at the OUTPUT chain, so you can use iptables at that point in the control flow of an ip packet, but not the pre or post routing chains.  You can also use ebtables to control some traffic if your output device is a bridge.

Of course, this precludes using AF_PACKET sockets as well, which bypass the entire stack and are unaffected by iptables, as well as user space controlled devices (via libraries like DPDK).

The short version of the story is that iptables is really only meant to operate fully on AF_INET SOCK_STREAM or SOCK_DGRAM sockets.  Any other sockets, even those that partially represent ipv4 traffic, have only limited visibility into the ip stack.
Comment 4 Neil Horman 2016-10-17 19:07:58 UTC 
Raw sockets hook in at the OUTPUT chain, so you can use iptables at that point in the control flow of an ip packet, but not the pre or post routing chains.  You can also use ebtables to control some traffic if your output device is a bridge.

Of course, this precludes using AF_PACKET sockets as well, which bypass the entire stack and are unaffected by iptables, as well as user space controlled devices (via libraries like DPDK).

The short version of the story is that iptables is really only meant to operate fully on AF_INET SOCK_STREAM or SOCK_DGRAM sockets.  Any other sockets, even those that partially represent ipv4 traffic, have only limited visibility into the ip stack.
Note You need to log in before you can comment on or make changes to this bug.