Bug 1269914 - can't firewall packets coming through raw sockets
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: kernel
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Neil Horman
QA Contact: Fedora Extras Quality Assurance
Blocks: dualstack
Reported: 2015-10-08 09:31 EDT by Pavel Šimerda (pavlix)
Modified: 2016-10-19 06:55 EDT
Doc Type: Bug Fix
Last Closed: 2016-10-17 15:06:46 EDT
Type: Bug
Attachments: None
Description Pavel Šimerda (pavlix) 2015-10-08 09:31:42 EDT
When testing IPv4 and IPv6 networking I'm using iptables to block or redirect certain services. I recently realized I can't do that with dhclient and I learned from jpopelka and online sources that packets coming through raw sockets aren't affected by iptables rules.

I also sense a potential security problem here as administrators tend to rely on firewall features and may not be aware that some common software packages bypass it entirely. But my primary motivation is still the networking testing and I am interested in any workarounds to get DHCP and similar services rejected, dropped and redirected.
Comment 2 Laura Abbott 2016-09-23 15:33:14 EDT
*********** MASS BUG UPDATE **************
 
We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 23 kernel bugs.
 
Fedora 23 has now been rebased to 4.7.4-100.fc23.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.
 
If you have moved on to Fedora 24 or 25, and are still experiencing this issue, please change the version to Fedora 24 or 25.
 
If you experience different issues, please open a new bug report for those.
Comment 3 Neil Horman 2016-10-17 15:06:46 EDT
Raw sockets hook in at the OUTPUT chain, so you can use iptables at that point in the control flow of an ip packet, but not the pre or post routing chains.  You can also use ebtables to control some traffic if your output device is a bridge.

Of course, this precludes using AF_PACKET sockets as well, which bypass the entire stack and are unaffected by iptables, as well as user space controlled devices (via libraries like DPDK).

The short version of the story is that iptables is really only meant to operate fully on AF_INET SOCK_STREAM or SOCK_DGRAM sockets.  Any other sockets, even those that partially represent ipv4 traffic, have only limited visibility into the ip stack.
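The description above worries that administrators rely on iptables without knowing which installed packages open sockets it cannot filter, and comment 3 explains why: AF_PACKET sockets bypass the IP stack entirely and AF_INET raw sockets are visible only at OUTPUT. The following script is an added example, not code from this bug report, from Fedora or from the kernel project. It inventories both socket kinds from /proc and names the owning processes, so an administrator can see which programs (dhclient among them) their firewall rules will not govern. It assumes the column layouts of /proc/net/packet and /proc/net/raw from 4.x kernels and /proc/<pid>/fd symlinks of the form socket:[inode]; the sample /proc text embedded below is constructed for illustration.

```python
#!/usr/bin/env python3
"""Inventory AF_PACKET and AF_INET/AF_INET6 raw sockets and the processes holding them.

Added example (not the bug report's or the kernel project's code). Assumes the
4.x-era /proc/net/packet and /proc/net/raw layouts and socket:[inode] fd links.
"""
import os
import re
from typing import Dict, List

SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}  # <bits/socket_type.h>

# Constructed sample input (not captured from a real host), in the /proc formats parsed below.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1234567800 3      3    0800   2     1 0      0      31337
ffff9c1234567801 3      2    0003   0     0 0      1000   31338
"""
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 24680 2 ffff9c1200000000 0
"""


def parse_proc_net_packet(text: str) -> List[dict]:
    """Parse /proc/net/packet (columns: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    rows = []
    for line in text.splitlines()[1:]:            # first line is the column header
        f = line.split()
        if len(f) < 9:
            continue
        rows.append({
            "family": "AF_PACKET",
            "type": SOCK_TYPES.get(int(f[2]), f[2]),
            "proto": int(f[3], 16),                # ethertype; 0x0003 = ETH_P_ALL, 0x0800 = IPv4
            "ifindex": int(f[4]),                  # 0 = not bound to a single interface
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return rows


def parse_proc_net_raw(text: str, family: str = "AF_INET") -> List[dict]:
    """Parse /proc/net/raw or raw6: first column is the IP protocol number, inode is the 10th."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "family": family,
            "type": "SOCK_RAW",
            "proto": int(f[0].rstrip(":")),        # 1 = ICMP, 17 = UDP, ...
            "ifindex": None,
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def socket_owners(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inode -> PIDs holding it, by following /proc/<pid>/fd/* symlinks."""
    owners: Dict[int, List[int]] = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                            # no permission, or the process already exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def attach_owners(rows: List[dict], owners: Dict[int, List[int]]) -> List[dict]:
    """Annotate each socket row with the PIDs that hold it ([] when the owner is not visible)."""
    return [dict(r, pids=owners.get(r["inode"], [])) for r in rows]


def comm(pid: int, proc_root: str = "/proc") -> str:
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


def main() -> None:
    rows: List[dict] = []
    for path, parser in (("/proc/net/packet", parse_proc_net_packet),
                         ("/proc/net/raw", parse_proc_net_raw),
                         ("/proc/net/raw6", lambda t: parse_proc_net_raw(t, "AF_INET6"))):
        try:
            with open(path) as fh:
                rows += parser(fh.read())
        except OSError:
            pass
    for r in attach_owners(rows, socket_owners()):  # run as root to see other users' fds
        who = ", ".join(f"{p}/{comm(p)}" for p in r["pids"]) or "(owner not visible)"
        print(f'{r["family"]:9} {r["type"]:11} proto={r["proto"]:<5} uid={r["uid"]:<5} {who}')


if __name__ == "__main__":
    main()
```

Run it as root on the host under test; every AF_PACKET row is traffic iptables never sees at all, and every AF_INET/AF_INET6 SOCK_RAW row is traffic it sees only at OUTPUT, which is the scope comment 3 describes. The parsers take text rather than paths so they can be exercised on the embedded constructed samples.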