netfilter - brad's life — LiveJournal
Brad Fitzpatrick

netfilter [Jun. 9th, 2003|11:57 pm]
I want to run a memcached process on a shared server (goathack), listening on 127.0.0.1:11211, but memcached doesn't have any sort of authentication (maybe later), so I have to restrict its access to just connections from the "ljtest" user.

I thought this would be easy with netfilter:

# iptables -A OUTPUT -p tcp -d 127.0.0.1 --dport 11211 -m owner \! --uid-owner 1033 -j DROP

But....

iptables: Invalid argument

So, I find Debian stable's is old (1.2.6a). I build the latest version and get:

iptables v1.2.8: Unknown arg `--dport'

(but --dport should be loaded implicitly by -p tcp)

So I look at the relevant code and find:
/* If you listen carefully, you can
   actually hear this code suck. */

/* some explanations (after four different bugs
 * in 3 different releases): If we encounter a
 * parameter, that has not been parsed yet,
 ... [snipped] ....

Great. *yawn*

Update: This order works with 1.2.8:
# iptables -A OUTPUT -m owner \! --uid-owner ljtest -p tcp --dport 11211 -d 127.0.0.1 -j DROP

Update #2: But it can't reload this config later. Filed a bug.
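An added check, not part of the original post: because the rule is appended with -A, an earlier loopback ACCEPT in the OUTPUT chain would match first and the owner-match DROP would never be evaluated. The sketch below audits an iptables-save style dump for that case; the function name and the sample dumps are constructed for illustration, the dump is assumed to show the uid numerically, and the shadowing test is a heuristic rather than a full rule evaluator.

```shell
#!/bin/sh
# Added example, not from the original post. audit_owner_rule (hypothetical name)
# reads iptables-save style rules on stdin and prints, for TCP port $1 and the
# one permitted numeric uid $2: guarded, shadowed, or missing.
audit_owner_rule() {
    awk -v port="$1" -v uid="$2" '
    $1 != "-A" || $2 != "OUTPUT" { next }   # only rules in the OUTPUT chain
    {
        proto = dport = target = owner = ""; neg = lo = has_owner = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
            if ($i == "-j") target = $(i + 1)
            if ($i == "-o" && $(i + 1) == "lo") lo = 1
            if ($i == "-d" && $(i + 1) ~ /^127\./) lo = 1
            if ($i == "--uid-owner") {
                has_owner = 1; owner = $(i + 1)
                if ($(i - 1) == "!") neg = 1   # "! --uid-owner N", as in the post
            }
        }
        # Heuristic: an earlier loopback ACCEPT with no owner test matches first,
        # so a DROP appended after it with -A is never evaluated.
        if (target == "ACCEPT" && lo && !has_owner && (dport == "" || dport == port)) {
            shadow = 1
        }
        if (target == "DROP" && proto == "tcp" && dport == port && neg && owner == uid) {
            print (shadow ? "shadowed" : "guarded"); found = 1; exit
        }
    }
    END { if (!found) print "missing" }'
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_GUARDED='-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 11211 -m owner ! --uid-owner 1033 -j DROP'
SAMPLE_SHADOWED='-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 11211 -m owner ! --uid-owner 1033 -j DROP'

printf '%s\n' "$SAMPLE_GUARDED"  | audit_owner_rule 11211 1033
printf '%s\n' "$SAMPLE_SHADOWED" | audit_owner_rule 11211 1033
```

On a live host, pipe the output of `iptables-save` (run as root) into the function instead of the sample strings.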

Comments:
From: kw34hd1
2003-06-10 12:33 am (UTC)
I've spent entire -days- wrangling netfilter before.

I'd like an hour alone with Rusty Russell and a staplegun.

-j

From: brad
2003-06-10 12:42 am (UTC)
Well, if there were something better we'd be using it, right?

**waits for ipfw people to tell us how much Linux sucks**
From: kw34hd1
2003-06-10 12:47 am (UTC)
well, yeah. i just wish that when they did the entire filtering rewrite for 2.4 that resulted in netfilter (kernelside) and iptables (userspace), they had taken a hint from someone who had managed to get it right.

maybe one day i'll get around to writing that script i've been meaning to make that will convert cisco acls to iptables lines so i'll never have to think about it again.

-j

From: greck
2003-06-19 11:30 pm (UTC)
well, when I started looking for a fix for this problem, this was not where I expected to find it.

next time, I'll just assume you know everything, and send you an email first. =)

From: brad
2003-06-19 11:38 pm (UTC)
... it's ... a small Net ... affff-ter all.....