iptables: use OUTPUT table to block locally-generated packet

We was going to block a connections in both directions (v0.6-97-g0a1b70bb), but both iptable rules are added in the INPUT table. It's wrong, because the rule must be added to the OUTPUT table to block locally-generated packets Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>

iptables: use OUTPUT table to block locally-generated packet
We was going to block a connections in both directions (v0.6-97-g0a1b70bb), but both iptable rules are added in the INPUT table. It's wrong, because the rule must be added to the OUTPUT table to block locally-generated packets Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
522fa170 · Andrey Vagin · Pavel Emelyanov · 1fd180ca · 522fa170
Commit 522fa170 authored Sep 17, 2013 by Andrey Vagin Committed by Pavel Emelyanov Sep 17, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 8 deletions

netfilter.c netfilter.c +12 -8

No files found.
--- a/netfilter.c
+++ b/netfilter.c
@@ -20,13 +20,15 @@ static char buf[512];
 * ANy brave soul to write it using xtables-devel?
 */

-static const char *nf_conn_cmd = "%s -t filter %s INPUT --protocol tcp "
+static const char *nf_conn_cmd = "%s -t filter %s %s --protocol tcp "
 	"--source %s --sport %d --destination %s --dport %d -j DROP";

 static char iptable_cmd_ipv4[] = "iptables";
 static char iptable_cmd_ipv6[] = "ip6tables";

-static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32 *dst_addr, u16 dst_port, int lock)
+static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port,
+						u32 *dst_addr, u16 dst_port,
+						bool input, bool lock)
 {
 	char sip[INET_ADDR_LEN], dip[INET_ADDR_LEN];
 	char *cmd;
@@ -50,7 +52,9 @@ static int nf_connection_switch_raw(int family, u32 *src_addr, u16 src_port, u32
 		return -1;
 	}

-	snprintf(buf, sizeof(buf), nf_conn_cmd, cmd, lock ? "-A" : "-D",
+	snprintf(buf, sizeof(buf), nf_conn_cmd, cmd,
+			lock ? "-A" : "-D",
+			input ? "INPUT" : "OUTPUT",
 			dip, (int)dst_port, sip, (int)src_port);

 	pr_debug("\tRunning iptables [%s]\n", buf);
@@ -71,17 +75,17 @@ static int nf_connection_switch(struct inet_sk_desc *sk, int lock)

 	ret = nf_connection_switch_raw(sk->sd.family,
 			sk->src_addr, sk->src_port,
-			sk->dst_addr, sk->dst_port, lock);
+			sk->dst_addr, sk->dst_port, true, lock);
 	if (ret)
 		return -1;

 	ret = nf_connection_switch_raw(sk->sd.family,
 			sk->dst_addr, sk->dst_port,
-			sk->src_addr, sk->src_port, lock);
+			sk->src_addr, sk->src_port, false, lock);
 	if (ret) /* rollback */
 		nf_connection_switch_raw(sk->sd.family,
 			sk->src_addr, sk->src_port,
-			sk->dst_addr, sk->dst_port, !lock);
+			sk->dst_addr, sk->dst_port, true, !lock);
 	return ret;
 }

@@ -101,10 +105,10 @@ int nf_unlock_connection_info(struct inet_sk_info *si)

 	ret |= nf_connection_switch_raw(si->ie->family,
 			si->ie->src_addr, si->ie->src_port,
-			si->ie->dst_addr, si->ie->dst_port, 0);
+			si->ie->dst_addr, si->ie->dst_port, true, 0);
 	ret |= nf_connection_switch_raw(si->ie->family,
 			si->ie->dst_addr, si->ie->dst_port,
-			si->ie->src_addr, si->ie->src_port, 0);
+			si->ie->src_addr, si->ie->src_port, false, 0);
 	/*
 	 * rollback nothing in case of any error,
 	 * because nobody checks errors of this function