linux/Documentation
Daniel Borkmann 82a37132f3 netfilter: x_tables: lightweight process control group matching
It would be useful e.g. in a server or desktop environment to have
a facility in the notion of fine-grained "per application" or "per
application group" firewall policies. Probably, users in the mobile,
embedded area (e.g. Android based) with different security policy
requirements for application groups could have great benefit from
that as well. For example, with a little bit of configuration effort,
an admin could whitelist well-known applications, and thus block
otherwise unwanted "hard-to-track" applications like [1] from a
user's machine. Blocking is just one example, but it is not limited
to that, meaning we can have much different scenarios/policies that
netfilter allows us than just blocking, e.g. fine grained settings
where applications are allowed to connect/send traffic to, application
traffic marking/conntracking, application-specific packet mangling,
and so on.

Implementation of PID-based matching would not be appropriate
as they frequently change, and child tracking would make that
even more complex and ugly. Cgroups would be a perfect candidate
for accomplishing that as they associate a set of tasks with a
set of parameters for one or more subsystems, in our case the
netfilter subsystem, which, of course, can be combined with other
cgroup subsystems into something more complex if needed.

As mentioned, to overcome this constraint, such processes could
be placed into one or multiple cgroups where different fine-grained
rules can be defined depending on the application scenario, while
e.g. everything else that is not part of that could be dropped (or
vice versa), thus making life harder for unwanted processes to
communicate to the outside world. So, we make use of cgroups here
to track jobs and limit their resources in terms of iptables
policies; in other words, limiting, tracking, etc what they are
allowed to communicate.

In our case we're working on outgoing traffic based on which local
socket that originated from. Also, one doesn't even need to have
an a-prio knowledge of the application internals regarding their
particular use of ports or protocols. Matching is *extremly*
lightweight as we just test for the sk_classid marker of sockets,
originating from net_cls. net_cls and netfilter do not contradict
each other; in fact, each construct can live as standalone or they
can be used in combination with each other, which is perfectly fine,
plus it serves Tejun's requirement to not introduce a new cgroups
subsystem. Through this, we result in a very minimal and efficient
module, and don't add anything except netfilter code.

One possible, minimal usage example (many other iptables options
can be applied obviously):

 1) Configuring cgroups if not already done, e.g.:

  mkdir /sys/fs/cgroup/net_cls
  mount -t cgroup -o net_cls net_cls /sys/fs/cgroup/net_cls
  mkdir /sys/fs/cgroup/net_cls/0
  echo 1 > /sys/fs/cgroup/net_cls/0/net_cls.classid
  (resp. a real flow handle id for tc)

 2) Configuring netfilter (iptables-nftables), e.g.:

  iptables -A OUTPUT -m cgroup ! --cgroup 1 -j DROP

 3) Running applications, e.g.:

  ping 208.67.222.222  <pid:1799>
  echo 1799 > /sys/fs/cgroup/net_cls/0/tasks
  64 bytes from 208.67.222.222: icmp_seq=44 ttl=49 time=11.9 ms
  [...]
  ping 208.67.220.220  <pid:1804>
  ping: sendmsg: Operation not permitted
  [...]
  echo 1804 > /sys/fs/cgroup/net_cls/0/tasks
  64 bytes from 208.67.220.220: icmp_seq=89 ttl=56 time=19.0 ms
  [...]

Of course, real-world deployments would make use of cgroups user
space toolsuite, or own custom policy daemons dynamically moving
applications from/to various cgroups.

  [1] http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: cgroups@vger.kernel.org
Acked-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2014-01-03 23:41:44 +01:00
..
ABI Main batch of InfiniBand/RDMA changes for 3.13: 2013-11-18 15:36:04 -08:00
accounting Documentation/accounting/getdelays.c: avoid strncpy in accounting tool 2013-07-03 16:08:06 -07:00
acpi gpiolib / ACPI: document the GPIO descriptor based interface 2013-10-19 23:32:50 +02:00
aoe aoe: remove do-nothing NAME="%k" term from example udev rules 2013-09-11 15:59:28 -07:00
arm Allwinner sunXi SoCs machine additions for 3.13 2013-10-28 10:19:38 -07:00
arm64 arm64: Use 42-bit address space with 64K pages 2013-11-05 17:23:52 +00:00
auxdisplay
backlight backlight: lp855x_bl: support new LP8555 device 2013-11-13 12:09:14 +09:00
blackfin
block block: change config option name for cmdline partition parsing 2013-09-30 14:31:02 -07:00
blockdev floppy: Correct documentation of driver options when used as a module. 2013-11-08 09:10:31 -07:00
bus-devices
cdrom
cgroups netfilter: x_tables: lightweight process control group matching 2014-01-03 23:41:44 +01:00
connector connector - documentation: simplify netlink message length assignment 2013-10-02 16:03:51 -04:00
console TTY:console: update document console.txt 2013-05-21 10:21:57 -07:00
cpu-freq cpufreq: Implement light weight ->target_index() routine 2013-10-25 22:42:24 +02:00
cpuidle cpuidle: remove cpuidle_unregister_governor() 2013-10-30 01:21:24 +01:00
cris
crypto drivers/dma: remove unused support for MEMSET operations 2013-07-03 16:07:42 -07:00
development-process Documentation: development-process: Update -mm and -next URLs 2013-07-25 12:37:24 +02:00
device-mapper dm cache: resolve small nits and improve Documentation 2013-11-12 13:11:09 -05:00
devicetree Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-12-09 20:20:14 -05:00
DocBook doc: fix generation of device-drivers 2013-11-27 20:40:04 -08:00
driver-model spi: Updates for v3.13 2013-11-12 15:01:39 +09:00
dvb
early-userspace Documentation: remove reference to 2.7 kernel in early-userspace 2013-08-20 12:47:28 +02:00
EDID drm: Add 1600x1200 (UXGA) screen resolution to the built-in EDIDs 2013-04-12 14:06:16 +10:00
extcon extcon: Simplify extcon_dev_register() prototype by removing unnecessary parameter 2013-09-27 09:37:01 +09:00
fault-injection
fb Documentation/fb/viafb.modes fix a typo 2013-08-20 12:41:11 +02:00
filesystems Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2013-11-22 08:38:55 -08:00
firmware_class
fmc doc: Fix typo "is is" in Documentations 2013-08-27 10:50:52 +02:00
frv
gpio Documentation: gpiolib: document new interface 2013-11-25 09:02:30 +01:00
hid HID: uhid: use generic hidinput_input_event() 2013-07-31 10:33:05 +02:00
hwmon Merge branch 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging 2013-11-15 16:35:10 -08:00
i2c i2c: i801: Add Device IDs for Intel Wildcat Point-LP PCH 2013-11-14 18:38:04 +01:00
i2o
ia64 Fix example error_injection_tool 2013-04-02 09:39:55 -07:00
ide
infiniband
input Input: clarify gamepad API ABS values 2013-10-15 23:42:07 -07:00
ioctl ALSA: add DICE driver 2013-10-17 21:18:32 +02:00
isdn
ja_JP HOWTO ja_JP sync 2013-07-24 22:06:34 -07:00
kbuild Documentation/kbuild/kconfig.txt: 'make listnewconfig' replaces: yes "" | make oldconfig 2013-10-08 23:51:50 +02:00
kdump Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-07-04 11:40:58 -07:00
ko_KR Correct unfaithful translation on HOWTO in ko_KR 2013-08-12 17:43:13 -07:00
laptops thinkpad-acpi: Add mute and mic-mute LED functionality 2013-10-17 14:38:44 +02:00
leds Documentation: leds-lp5521,lp5523: update device attribute information 2013-08-26 17:22:13 -07:00
m68k block: remove refs to XD disks from documentation 2013-05-17 15:17:12 +02:00
make
memory-devices
metag doc: fix misspellings with 'codespell' tool 2013-05-28 12:02:12 +02:00
mic misc: mic: Enable OSPM suspend and resume support. 2013-10-05 18:01:42 -07:00
mips
misc-devices doc: fix misspellings with 'codespell' tool 2013-05-28 12:02:12 +02:00
mmc mmc: core: Add in support to expose PRV for v4 MMCs 2013-03-22 12:10:42 -04:00
mn10300
mtd doc: Fix typo "is is" in Documentations 2013-08-27 10:50:52 +02:00
namespaces userns: Recommend use of memory control groups. 2013-01-26 22:20:06 -08:00
netlabel
networking filter: doc: improve BPF documentation 2013-12-11 20:28:35 -05:00
nfc
parisc parisc: document the shadow registers 2013-07-09 22:09:19 +02:00
PCI PCI: Update pci_find_slot() description in pci.txt 2013-09-25 15:43:33 -06:00
pcmcia
power More ACPI and power management updates for 3.13-rc1 2013-11-20 13:25:04 -08:00
powerpc powerpc: Update the 00-Index in Documentation/powerpc 2013-08-27 14:44:27 +10:00
pps USB: serial: invoke dcd_change ldisc's handler. 2013-09-26 09:45:40 -07:00
prctl
pti
ptp ptp: add the PTP_SYS_OFFSET ioctl to the testptp program 2013-09-23 16:46:17 -04:00
rapidio doc: Fix typo in doucmentations 2013-07-25 12:34:15 +02:00
RCU rcu: Fix occurrence of "the the" in checklist.txt 2013-09-25 10:07:02 -07:00
s390 s390/s390dbf: add debug_level_enabled() function 2013-10-24 17:16:53 +02:00
scheduler H8/300 has been dead for several years, the kernel for it has 2013-11-12 14:13:14 +09:00
scsi SCSI misc on 20130915 2013-09-15 17:41:30 -04:00
security ima: new templates management mechanism 2013-10-25 17:17:04 -04:00
serial serial: core: delete .set_wake() callback 2013-10-16 13:16:19 -07:00
sh
sound ALSA: Fix typo in documentation/alsa 2013-10-29 11:38:04 +01:00
spi spi/documentation: Fix usage of __initdata 2013-08-20 12:52:28 +02:00
sysctl vsprintf: check real user/group id for %pK 2013-11-13 12:09:14 +09:00
target target: Remove TF_CIT_TMPL macro 2013-10-16 13:35:02 -07:00
thermal thermal: thermal_core: allow binding with limits on bind_params 2013-09-03 09:10:24 -04:00
timers doc: add missing files to timers/00-INDEX 2013-10-27 21:55:50 +00:00
tpm drivers/tpm: add xen tpmfront interface 2013-08-09 10:57:06 -04:00
trace Documentation/trace/tracepoints.txt: add links to TRACE_EVENT documentation 2013-11-13 12:09:32 +09:00
usb doc: usb: Fix typo in Documentation/usb/gadget_configs.txt 2013-10-31 13:31:39 +01:00
vDSO
video4linux [media] V4L: Add support for integer menu controls with standard menu items 2013-08-18 07:12:59 -03:00
virtual Merge branch 'kvm-ppc-queue' of git://github.com/agraf/linux-2.6 into queue 2013-11-04 10:20:57 +02:00
vm x86, mm: do not leak page->ptl for pmd page tables 2013-11-21 16:42:28 -08:00
w1 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-07-04 11:40:58 -07:00
watchdog watchdog: delete mpcore_wdt driver 2013-07-11 21:47:58 +02:00
wimax
x86 Merge branch 'x86-efi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-11-12 10:48:30 +09:00
xtensa xtensa: document MMUv3 setup sequence 2013-05-09 01:07:09 -07:00
zh_CN Documentation/zh_CN/SubmittingPatches fix a typo 2013-08-20 12:41:25 +02:00
.gitignore
00-INDEX doc: fix a typo in Documentation/00-INDEX 2013-08-27 10:53:07 +02:00
applying-patches.txt
assoc_array.txt Add a generic associative array implementation. 2013-09-24 10:35:17 +01:00
atomic_ops.txt
bad_memory.txt
basic_profiling.txt
bcache.txt Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-07-04 11:40:58 -07:00
binfmt_misc.txt
braille-console.txt
bt8xxgpio.txt
btmrvl.txt
BUG-HUNTING
bus-virt-phys-mapping.txt
cachetlb.txt Documentation: fix typo and update version in cachetlb.txt 2013-08-20 12:46:52 +02:00
Changes remove obsolete references to powertweak 2013-11-27 20:34:32 -08:00
circular-buffers.txt
clk.txt clk: add support for clock reparent on set_rate 2013-08-19 12:27:17 -07:00
coccinelle.txt Coccinelle: Update information about the minimal version required 2013-07-03 22:58:20 +02:00
CodingStyle Documentation/CodingStyle: allow multiple return statements per function 2013-07-03 16:08:01 -07:00
cpu-hotplug.txt MAINTAINERS: update Zwane Mwaikambo's e-mail address 2013-11-13 12:09:14 +09:00
cpu-load.txt
cputopology.txt doc: Documentation/cputopology.txt fix typo 2013-09-04 12:59:47 +02:00
crc32.txt
dcdbas.txt
debugging-modules.txt
debugging-via-ohci1394.txt
dell_rbu.txt
devices.txt cuse: add fix minor number to /dev/cuse 2013-10-01 16:44:54 +02:00
digsig.txt
DMA-API-HOWTO.txt DMA-API: provide a helper to set both DMA and coherent DMA masks 2013-09-17 15:32:37 +01:00
DMA-API.txt DMA-API: provide a helper to set both DMA and coherent DMA masks 2013-09-17 15:32:37 +01:00
DMA-attributes.txt doc: Documentation/DMA-attributes.txt fix typo 2013-10-14 15:50:53 +02:00
dma-buf-sharing.txt dma-buf: Expose buffer size to userspace (v2) 2013-09-10 11:36:45 +05:30
DMA-ISA-LPC.txt
dmaengine.txt
dmatest.txt dmatest: add a 'wait' parameter 2013-11-14 11:04:40 -08:00
dontdiff
dynamic-debug-howto.txt doc: fix misspellings with 'codespell' tool 2013-05-28 12:02:12 +02:00
edac.txt
efi-stub.txt EFI stub documentation updates 2013-09-25 12:34:32 +01:00
eisa.txt
email-clients.txt
flexible-arrays.txt
futex-requeue-pi.txt
gcov.txt gcov: compile specific gcov implementation based on gcc version 2013-11-13 12:09:34 +09:00
highuid.txt
HOWTO Documentation: Updated broken link in HOWTO 2013-06-03 14:22:57 -07:00
hw_random.txt hwrng: Fix a wrong comment in Documentation/hw_random.txt 2013-03-10 18:16:36 +08:00
hwspinlock.txt doc: documentation/hwspinlock.txt fix typo 2013-08-27 10:46:02 +02:00
init.txt
initrd.txt
intel_txt.txt
Intel-IOMMU.txt
io_ordering.txt
io-mapping.txt
iostats.txt iostats.txt: add easy-to-find description for field 6 2013-04-29 15:18:50 +02:00
IPMI.txt ipmi: add options to disable openfirmware and PCI scanning 2013-02-27 19:10:21 -08:00
IRQ-affinity.txt doc: fix a typo about irq affinity 2013-08-20 12:59:18 +02:00
IRQ-domain.txt
IRQ.txt
irqflags-tracing.txt
isapnp.txt
java.txt
kernel-doc-nano-HOWTO.txt kernel-doc: Update references to SGML to refs to XML instead. 2013-05-28 12:02:11 +02:00
kernel-docs.txt
kernel-parameters.txt Merge branch 'for-linus2' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2013-11-21 19:46:00 -08:00
kernel-per-CPU-kthreads.txt kthread: Add pointer to vmstat-avoidance patch 2013-09-25 06:49:46 -07:00
kmemcheck.txt Documentation/kmemcheck: update kmemcheck documentation 2013-08-27 10:47:05 +02:00
kmemleak.txt
kobject.txt
kprobes.txt
kref.txt
ldm.txt
local_ops.txt
lockdep-design.txt
lockstat.txt lockstat: Report avg wait and hold times 2013-10-09 08:19:08 +02:00
lockup-watchdogs.txt
logo.gif
logo.txt
magic-number.txt wanrouter: completely decouple obsolete code from kernel. 2013-01-31 19:20:33 -05:00
Makefile
ManagementStyle
md.txt md: remove doubled description for sync_max, merging it within sync_min/sync_max 2013-07-03 09:43:28 +10:00
media-framework.txt Merge branch 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media 2013-07-13 12:09:57 -07:00
memory-barriers.txt doc: Fix memory-barrier control-dependency example 2013-08-19 21:39:42 -07:00
memory-hotplug.txt Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-09-06 09:36:28 -07:00
mono.txt
mutex-design.txt locking/doc: Update references to kernel/mutex.c 2013-11-11 12:41:33 +01:00
nommu-mmap.txt
numastat.txt
oops-tracing.txt
padata.txt
parport-lowlevel.txt
parport.txt
percpu-rw-semaphore.txt
phy.txt drivers: phy: add generic PHY framework 2013-09-27 17:35:41 -07:00
pi-futex.txt
pinctrl.txt pinctrl: add documentation for pinctrl_get_group_pins() 2013-10-16 15:35:21 +02:00
pnp.txt
preempt-locking.txt
printk-formats.txt Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2013-09-06 09:36:28 -07:00
pwm.txt Documentation/pwm: Fix trivial typos 2013-10-24 10:51:33 +02:00
ramoops.txt
rbtree.txt
remoteproc.txt
rfkill.txt
robust-futex-ABI.txt
robust-futexes.txt
rpmsg.txt
rt-mutex-design.txt sched: Rename sched.c as sched/core.c in comments and Documentation 2013-06-19 12:58:42 +02:00
rt-mutex.txt
rtc.txt rtc: add ability to push out an existing wakealarm using sysfs 2013-07-03 16:07:54 -07:00
SAK.txt
SecurityBugs
serial-console.txt
sgi-ioc4.txt
sgi-visws.txt
SM501.txt
smsc_ece1099.txt
sparse.txt
spinlocks.txt sched: Rename sched.c as sched/core.c in comments and Documentation 2013-06-19 12:58:42 +02:00
stable_api_nonsense.txt
stable_kernel_rules.txt
static-keys.txt
SubmitChecklist Finally eradicate CONFIG_HOTPLUG 2013-06-03 14:20:18 -07:00
SubmittingDrivers
SubmittingPatches Documentation/SubmittingPatches: Request summaries for commit references 2013-08-20 12:58:15 +02:00
svga.txt
sysfs-rules.txt doc: Fix typo in doucmentations 2013-07-25 12:34:15 +02:00
sysrq.txt sysrq: Allow magic SysRq key functions to be disabled through Kconfig 2013-10-16 13:01:44 -07:00
this_cpu_ops.txt percpu: add documentation on this_cpu operations 2013-04-04 10:24:53 -07:00
unaligned-memory-access.txt ether_addr_equal: Optimize implementation, remove unused compare_ether_addr 2013-12-06 16:37:43 -05:00
unicode.txt
unshare.txt
vfio.txt vfio: fix documentation 2013-09-05 16:36:21 -06:00
VGA-softcursor.txt
vgaarbiter.txt
video-output.txt
vme_api.txt
volatile-considered-harmful.txt
workqueue.txt workqueue: Correct/Drop references to gcwq in Documentation 2013-08-21 10:32:09 -04:00
ww-mutex-design.txt mutex: Add support for wound/wait style locks 2013-06-26 12:10:56 +02:00
xz.txt
zorro.txt