* Linux kernel 5 different behavior
@ 2019-08-25 16:59 Vasili Pupkin
2019-08-25 18:52 ` Jason A. Donenfeld
0 siblings, 1 reply; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-25 16:59 UTC (permalink / raw)
To: wireguard
In the newest kernel version, Wireguard encrypted packets are sent
from the same user credentials as the user that created original
packets. I have a firewall setup that limits programs run from a
particular user to wireguard tun interface, it worked in kernel 4.18
and is broken in kernel 5.0. In the new kernel encrypted packets are
also marked as owned by this user and routed to the tun interface
generating a recursion.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Linux kernel 5 different behavior
2019-08-25 16:59 Linux kernel 5 different behavior Vasili Pupkin
@ 2019-08-25 18:52 ` Jason A. Donenfeld
2019-08-25 19:03 ` Vasili Pupkin
0 siblings, 1 reply; 7+ messages in thread
From: Jason A. Donenfeld @ 2019-08-25 18:52 UTC (permalink / raw)
To: Vasili Pupkin; +Cc: WireGuard mailing list
Could you clarify? Do you mean that inner and outer packets were
marked differently in Linux < 5 but are now marked as belonging to the
same UID in Linux==5?
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Linux kernel 5 different behavior
2019-08-25 18:52 ` Jason A. Donenfeld
@ 2019-08-25 19:03 ` Vasili Pupkin
2019-08-25 19:07 ` Jason A. Donenfeld
0 siblings, 1 reply; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-25 19:03 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
Yes. On kernel version 4, outer packets (i.e. encrypted packets) are
sent from privileged user
account credentials so they pass the iptables sandbox. On kernel 5
they inherit owner id of the user who sent unencrypted packets.
.
On Sun, Aug 25, 2019 at 9:52 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Could you clarify? Do you mean that inner and outer packets were
> marked differently in Linux < 5 but are now marked as belonging to the
> same UID in Linux==5?
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Linux kernel 5 different behavior
2019-08-25 19:03 ` Vasili Pupkin
@ 2019-08-25 19:07 ` Jason A. Donenfeld
2019-08-25 20:04 ` Vasili Pupkin
0 siblings, 1 reply; 7+ messages in thread
From: Jason A. Donenfeld @ 2019-08-25 19:07 UTC (permalink / raw)
To: Vasili Pupkin; +Cc: WireGuard mailing list
On Sun, Aug 25, 2019 at 1:03 PM Vasili Pupkin <diggest@gmail.com> wrote:
> Yes. On kernel version 4, outer packets (i.e. encrypted packets) are
> sent from privileged user
> account credentials so they pass the iptables sandbox. On kernel 5
> they inherit owner id of the user who sent unencrypted packets.
Can you use the `fwmark` option and adjust your rules to match on
!1234 or the like?
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Linux kernel 5 different behavior
2019-08-25 19:07 ` Jason A. Donenfeld
@ 2019-08-25 20:04 ` Vasili Pupkin
2019-08-26 2:08 ` Jason A. Donenfeld
0 siblings, 1 reply; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-25 20:04 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
Usage of fwmark is my current workaround. If the same user id of an
outer packets is not a bug then ignore it.
On Sun, Aug 25, 2019 at 10:07 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Sun, Aug 25, 2019 at 1:03 PM Vasili Pupkin <diggest@gmail.com> wrote:
> > Yes. On kernel version 4, outer packets (i.e. encrypted packets) are
> > sent from privileged user
> > account credentials so they pass the iptables sandbox. On kernel 5
> > they inherit owner id of the user who sent unencrypted packets.
>
> Can you use the `fwmark` option and adjust your rules to match on
> !1234 or the like?
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Linux kernel 5 different behavior
2019-08-25 20:04 ` Vasili Pupkin
@ 2019-08-26 2:08 ` Jason A. Donenfeld
2019-08-26 9:29 ` Vasili Pupkin
0 siblings, 1 reply; 7+ messages in thread
From: Jason A. Donenfeld @ 2019-08-26 2:08 UTC (permalink / raw)
To: Vasili Pupkin; +Cc: WireGuard mailing list
On Sun, Aug 25, 2019 at 2:04 PM Vasili Pupkin <diggest@gmail.com> wrote:
>
> Usage of fwmark is my current workaround. If the same user id of an
> outer packets is not a bug then ignore it.
I can see arguments both ways. Do you recall off hand the last kernel
version that had the prior behavior? I'd like to try to find the
commit and read the rationale upstream.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Linux kernel 5 different behavior
2019-08-26 2:08 ` Jason A. Donenfeld
@ 2019-08-26 9:29 ` Vasili Pupkin
0 siblings, 0 replies; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-26 9:29 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list
On Mon, Aug 26, 2019 at 5:09 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > Usage of fwmark is my current workaround. If the same user id of an
> > outer packets is not a bug then ignore it.
>
> I can see arguments both ways. Do you recall off hand the last kernel
> version that had the prior behavior? I'd like to try to find the
> commit and read the rationale upstream.
I see the difference now between 4.18.0 and 5.0.0 kernels, the closest
I can get with readily compiled kernels on my distro. According to
`iptables -t mangle -A OUTPUT -j LOG --log-uid` on kernel 4.18 outer
packets have UID=0 if original packets were sent from system processes
and do not have associated UID at all if original packets were sent by
the user. On kernel 5.0 they always inherit UID.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-08-26 12:28 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-25 16:59 Linux kernel 5 different behavior Vasili Pupkin
2019-08-25 18:52 ` Jason A. Donenfeld
2019-08-25 19:03 ` Vasili Pupkin
2019-08-25 19:07 ` Jason A. Donenfeld
2019-08-25 20:04 ` Vasili Pupkin
2019-08-26 2:08 ` Jason A. Donenfeld
2019-08-26 9:29 ` Vasili Pupkin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).