Debian Bug report logs - #492284
[kernel] iptables: Error cmd-owner


Package: iptables; Maintainer for iptables is Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>; Source for iptables is src:iptables (PTS, buildd, popcon).

Reported by: ivan <ivan1986@list.ru>

Date: Thu, 24 Jul 2008 21:47:04 UTC

Severity: normal

Tags: patch, upstream, wontfix

Found in version iptables/1.4.1.1-1

Fixed in version iptables/1.4.2-6

Done: ivan <ivan1986@list.ru>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#492284; Package iptables.


Acknowledgement sent to ivan <ivan1986@list.ru>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #5 received at submit@bugs.debian.org:

From: ivan <ivan1986@list.ru>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iptables: Error cmd-owner
Date: Fri, 25 Jul 2008 01:37:47 +0400
Package: iptables
Version: 1.4.1.1-1
Severity: normal
Tags: patch

%sudo iptables -A OUTPUT -o ppp1 -m owner --cmd-owner uTorrent.exe -j DROP
iptables v1.4.1.1: Unknown arg `--cmd-owner'
Try `iptables -h' or 'iptables --help' for more information.

Patch:

diff -urN iptables-1.4.1.1.orig/extensions/libxt_owner.c iptables-1.4.1.1/extensions/libxt_owner.c
--- iptables-1.4.1.1.orig/extensions/libxt_owner.c	2008-06-16 17:12:40.000000000 +0400
+++ iptables-1.4.1.1/extensions/libxt_owner.c	2008-07-25 00:43:20.000000000 +0400
@@ -591,6 +591,6 @@
 {
 	xtables_register_match(&owner_mt_reg_v0);
 	xtables_register_match(&owner_mt6_reg_v0);
-	xtables_register_match(&owner_mt_reg);
-	xtables_register_match(&owner_mt6_reg);
+	//xtables_register_match(&owner_mt_reg);
+	//xtables_register_match(&owner_mt6_reg);
 }
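Review bot: Commenting out the two `xtables_register_match(&owner_mt_reg)` / `(&owner_mt6_reg)` calls removes the current-revision owner match for every user of `-m owner`, not only for rules that want `--cmd-owner`, and it only changes which options the userspace parser accepts. The kernel still has to accept revision-0 PID/SID/COMM matching, and the kernel-side patch later in this thread shows that it refuses it (`printk(KERN_WARNING KBUILD_MODNAME ": PID, SID and command matching is not supported anymore\n")` followed by `return false;`), so the rule would fail at insertion instead of at parse time. If the registrations are meant to be dropped, delete the lines or guard them with `#if 0` rather than leaving `//`-commented dead code.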


-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26 (PREEMPT)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iptables depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries

iptables recommends no packages.

-- no debconf information




Message sent on to ivan <ivan1986@list.ru>:
Bug#492284.


Message #8 received at 492284-submitter@bugs.debian.org:

From: Jan Engelhardt <jengelh@medozas.de>
To: 492284-submitter@bugs.debian.org
Subject: --cmd-owner
Date: Sun, 27 Jul 2008 06:22:34 +0200 (CEST)
--cmd-owner has been removed in Linux 2.6.14 already.
-> WONTFIX

In fact, sockets may not even be attached to a particular program 
(example: kernel-level nfs server), and searching the process list is 
anything but efficient.

I can suggest you use an LSM-based interceptor such as TuxGuardian for 
matching on process names, but since that has not been updated for a 
while, I do not know how well it works with current kernels.


This is the linux kernel commit in case you want to know:
commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
Author: Christoph Hellwig <hch@lst.de>
Date:   Sun Aug 14 17:33:59 2005 -0700

    [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner





Information stored:
Bug#492284; Package iptables.


Acknowledgement sent to ivan <ivan1986@list.ru>:
Extra info received and filed, but not forwarded.


Message #13 received at 492284-quiet@bugs.debian.org:

From: ivan <ivan1986@list.ru>
To: Jan Engelhardt <jengelh@medozas.de>, 492284-quiet@bugs.debian.org
Subject: Re: Bug#492284: --cmd-owner
Date: Sun, 27 Jul 2008 14:53:24 +0400
> --cmd-owner has been removed in Linux 2.6.14 already.
> -> WONTFIX
>
> I can suggest you use an LSM-based interceptor such as TuxGuardian for
> matching on process names, but since that has not been updated for a
> while, I do not know how well it works with current kernels.
>
>

I did not find TuxGuardian in the packages, and 
did not find any firewalls when searching for LSM, and
did not find any firewalls that do not use iptables, and
TuxGuardian does not build from source: error: linux/config.h - no such file.

Maybe not delete this function when it works on a single processor?

--- xt_owner.c.orig	2008-07-14 23:04:01.000000000 +0400
+++ xt_owner.c	2008-07-15 01:55:43.000000000 +0400
@@ -14,12 +14,115 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/file.h>
+#include <linux/fdtable.h>
 #include <net/sock.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_owner.h>
 #include <linux/netfilter_ipv4/ipt_owner.h>
 #include <linux/netfilter_ipv6/ip6t_owner.h>
 
+
+static int
+match_comm(const struct sk_buff *skb, const char *comm)
+{
+	struct task_struct *g, *p;
+	struct files_struct *files;
+	int i;
+
+	read_lock(&tasklist_lock);
+	do_each_thread(g, p) {
+		if(strncmp(p->comm, comm, sizeof(p->comm)))
+			continue;
+
+		task_lock(p);
+		files = p->files;
+		if(files) {
+			spin_lock(&files->file_lock);
+			for (i=0; i < files->fdt->max_fds; i++) {
+				if (fcheck_files(files, i) ==
+				    skb->sk->sk_socket->file) {
+					spin_unlock(&files->file_lock);
+					task_unlock(p);
+					read_unlock(&tasklist_lock);
+					return 1;
+				}
+			}
+			spin_unlock(&files->file_lock);
+		}
+		task_unlock(p);
+	} while_each_thread(g, p);
+	read_unlock(&tasklist_lock);
+	return 0;
+}
+
+static int
+match_pid(const struct sk_buff *skb, pid_t pid)
+{
+	struct task_struct *p;
+	struct files_struct *files;
+	int i;
+
+	read_lock(&tasklist_lock);
+	p = find_task_by_pid(pid);
+	if (!p)
+		goto out;
+	task_lock(p);
+	files = p->files;
+	if(files) {
+		spin_lock(&files->file_lock);
+		for (i=0; i < files->fdt->max_fds; i++) {
+			if (fcheck_files(files, i) ==
+			    skb->sk->sk_socket->file) {
+				spin_unlock(&files->file_lock);
+				task_unlock(p);
+				read_unlock(&tasklist_lock);
+				return 1;
+			}
+		}
+		spin_unlock(&files->file_lock);
+	}
+	task_unlock(p);
+out:
+	read_unlock(&tasklist_lock);
+	return 0;
+}
+
+static int
+match_sid(const struct sk_buff *skb, pid_t sid)
+{
+	struct task_struct *g, *p;
+	struct file *file = skb->sk->sk_socket->file;
+	int i, found=0;
+
+	read_lock(&tasklist_lock);
+	do_each_thread(g, p) {
+		struct files_struct *files;
+		if (p->signal->session != sid)
+			continue;
+
+		task_lock(p);
+		files = p->files;
+		if (files) {
+			spin_lock(&files->file_lock);
+			for (i=0; i < files->fdt->max_fds; i++) {
+				if (fcheck_files(files, i) == file) {
+					found = 1;
+					break;
+				}
+			}
+			spin_unlock(&files->file_lock);
+		}
+		task_unlock(p);
+		if (found)
+			goto out;
+	} while_each_thread(g, p);
+out:
+	read_unlock(&tasklist_lock);
+
+	return found;
+}
+
+
 static bool
 owner_mt_v0(const struct sk_buff *skb, const struct net_device *in,
             const struct net_device *out, const struct xt_match *match,
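Review bot: `match_comm`, `match_pid` and `match_sid` walk the task list under `tasklist_lock` and take `task_lock(p)` and `files->file_lock` from inside the netfilter match, which is precisely the locking that the kernel commit cited earlier in this thread (34b4a4a624bafe089107966a6c56d2a1aca026d4, "Remove tasklist_lock abuse in ipt{,6}owner") took out; the third hunk of this same patch admits the problem in its own comment (`files->file_lock can not be used in a BH`). Independently of that, all three helpers dereference `skb->sk->sk_socket->file` with no NULL check; unless the caller guarantees `skb->sk` and `sk_socket` are non-NULL (not visible in this hunk), a packet without a socket, or a kernel socket with no file (the nfs-server case from message #8), will oops. The three fd-table loops are near-identical; a single helper taking `(struct files_struct *, struct file *)` with the NULL guard hoisted in front of it would remove the duplication and the repeated unlock sequences.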
@@ -46,6 +149,24 @@
 		    !!(info->invert & IPT_OWNER_GID))
 			return false;
 
+	if(info->match & IPT_OWNER_PID) {
+		if (!match_pid(skb, info->pid) ^
+		    !!(info->invert & IPT_OWNER_PID))
+			return false;
+	}
+
+	if(info->match & IPT_OWNER_SID) {
+		if (!match_sid(skb, info->sid) ^
+		    !!(info->invert & IPT_OWNER_SID))
+			return false;
+	}
+
+	if(info->match & IPT_OWNER_COMM) {
+		if (!match_comm(skb, info->comm) ^
+		    !!(info->invert & IPT_OWNER_COMM))
+			return false;
+	}
+
 	return true;
 }
 
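Review bot: These checks are only reachable for revision-0 rules (`ipt_owner_info` with `pid`, `sid` and `comm` fields), so they depend on the userspace change from message #5 that disables the revision-1 registration; a stock iptables keeps sending revision 1 and never executes this code, which should be stated in the patch description. The `!match_x() ^ !!(info->invert & FLAG)` form matches the existing UID/GID checks above, but the hunk mixes `if(info->match & ...)` with `if (!match_pid(...)`; use `if (` throughout as the kernel style does.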
@@ -123,12 +244,20 @@
 {
 	const struct ipt_owner_info *info = matchinfo;
 
-	if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
-		printk(KERN_WARNING KBUILD_MODNAME
-		       ": PID, SID and command matching is not "
-		       "supported anymore\n");
+	if (hook_mask
+	    & ~((1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING))) {
+		printk("ipt_owner: only valid for LOCAL_OUT or POST_ROUTING.\n");
+		return false;
+	}
+
+#ifdef CONFIG_SMP
+	/* files->file_lock can not be used in a BH */
+	if (info->match & (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
+		printk("ipt_owner: pid, sid and command matching is broken "
+		       "on SMP.\n");
 		return false;
 	}
+#endif
 
 	return true;
 }
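Review bot: The removed code rejected PID/SID/COMM matching unconditionally; the replacement rejects it only under `CONFIG_SMP`, but the comment it adds (`files->file_lock can not be used in a BH`) describes a problem with the calling context, not with the CPU count. On a UP kernel `spin_lock()` reduces to `preempt_disable()`, which does not stop softirqs from running on interrupt return, so the fd table can be walked from BH context while process context is in the middle of modifying it; the failure is silent rather than a deadlock, not absent. The `hook_mask` restriction to `NF_INET_LOCAL_OUT` and `NF_INET_POST_ROUTING` is reasonable, but both new `printk` calls drop the `KERN_WARNING` level and `KBUILD_MODNAME` prefix that the replaced message used; keep `printk(KERN_WARNING KBUILD_MODNAME ": ...")` for consistency with the surrounding module.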




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#492284; Package iptables.


Acknowledgement sent to Jan Engelhardt <jengelh@medozas.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).


Message #18 received at 492284@bugs.debian.org:

From: Jan Engelhardt <jengelh@medozas.de>
To: 492284@bugs.debian.org
Subject: Re: Bug#492284: --cmd-owner
Date: Tue, 29 Jul 2008 11:36:07 -0400 (EDT)
This is at best a Linux bug, not an iptables bug.




Tags added: upstream. Request was from "Laurence J. Lane" <ljlane@debian.org> to control@bugs.debian.org. (Mon, 04 Aug 2008 16:48:08 GMT)


Changed Bug title to `[kernel] iptables: Error cmd-owner' from `iptables: Error cmd-owner'. Request was from "Laurence J. Lane" <ljlane@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2009 14:18:03 GMT)


Tags added: wontfix. Request was from "Laurence J. Lane" <ljlane@debian.org> to control@bugs.debian.org. (Sat, 14 Feb 2009 14:18:04 GMT)


Reply sent to ivan <ivan1986@list.ru>:
You have taken responsibility. (Mon, 16 Feb 2009 20:21:08 GMT)


Notification sent to ivan <ivan1986@list.ru>:
Bug acknowledged by developer. (Mon, 16 Feb 2009 20:21:08 GMT)


Message #29 received at 492284-done@bugs.debian.org:

From: ivan <ivan1986@list.ru>
To: 492284-done@bugs.debian.org
Subject: Done: [kernel] iptables: Error cmd-owner
Date: Mon, 16 Feb 2009 02:45:50 +0300
Package: iptables
Version: 1.4.2-6

Forget it :(


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Mar 2009 07:29:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jan 7 22:22:58 2018; Machine Name: buxtehude
