WireGuard Archive on lore.kernel.org
* Linux kernel 5 different behavior
@ 2019-08-25 16:59 Vasili Pupkin
  2019-08-25 18:52 ` Jason A. Donenfeld
  0 siblings, 1 reply; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-25 16:59 UTC (permalink / raw)
  To: wireguard

In the newest kernel version, WireGuard encrypted packets are sent
with the same user credentials as the user that created the original
packets. I have a firewall setup that limits programs run from a
particular user to the WireGuard tun interface; it worked in kernel
4.18 and is broken in kernel 5.0. In the new kernel, encrypted packets
are also marked as owned by this user and routed to the tun interface,
generating a recursion.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


* Re: Linux kernel 5 different behavior
  2019-08-25 16:59 Linux kernel 5 different behavior Vasili Pupkin
@ 2019-08-25 18:52 ` Jason A. Donenfeld
  2019-08-25 19:03   ` Vasili Pupkin
  0 siblings, 1 reply; 7+ messages in thread
From: Jason A. Donenfeld @ 2019-08-25 18:52 UTC (permalink / raw)
  To: Vasili Pupkin; +Cc: WireGuard mailing list

Could you clarify? Do you mean that inner and outer packets were
marked differently in Linux < 5 but are now marked as belonging to the
same UID in Linux==5?

* Re: Linux kernel 5 different behavior
  2019-08-25 18:52 ` Jason A. Donenfeld
@ 2019-08-25 19:03   ` Vasili Pupkin
  2019-08-25 19:07     ` Jason A. Donenfeld
  0 siblings, 1 reply; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-25 19:03 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Yes. On kernel version 4, outer packets (i.e. encrypted packets) are
sent with privileged user account credentials, so they pass the
iptables sandbox. On kernel 5 they inherit the owner id of the user
who sent the unencrypted packets.

On Sun, Aug 25, 2019 at 9:52 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Could you clarify? Do you mean that inner and outer packets were
> marked differently in Linux < 5 but are now marked as belonging to the
> same UID in Linux==5?

* Re: Linux kernel 5 different behavior
  2019-08-25 19:03   ` Vasili Pupkin
@ 2019-08-25 19:07     ` Jason A. Donenfeld
  2019-08-25 20:04       ` Vasili Pupkin
  0 siblings, 1 reply; 7+ messages in thread
From: Jason A. Donenfeld @ 2019-08-25 19:07 UTC (permalink / raw)
  To: Vasili Pupkin; +Cc: WireGuard mailing list

On Sun, Aug 25, 2019 at 1:03 PM Vasili Pupkin <diggest@gmail.com> wrote:
> Yes. On kernel version 4, outer packets (i.e. encrypted packets) are
> sent from privileged user
> account credentials so they pass the iptables sandbox. On kernel 5
> they inherit owner id of the user who sent unencrypted packets.

Can you use the `fwmark` option and adjust your rules to match on
!1234 or the like?

* Re: Linux kernel 5 different behavior
  2019-08-25 19:07     ` Jason A. Donenfeld
@ 2019-08-25 20:04       ` Vasili Pupkin
  2019-08-26  2:08         ` Jason A. Donenfeld
  0 siblings, 1 reply; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-25 20:04 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

Usage of fwmark is my current workaround. If the same user id on
outer packets is not a bug, then ignore it.

On Sun, Aug 25, 2019 at 10:07 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Sun, Aug 25, 2019 at 1:03 PM Vasili Pupkin <diggest@gmail.com> wrote:
> > Yes. On kernel version 4, outer packets (i.e. encrypted packets) are
> > sent from privileged user
> > account credentials so they pass the iptables sandbox. On kernel 5
> > they inherit owner id of the user who sent unencrypted packets.
>
> Can you use the `fwmark` option and adjust your rules to match on
> !1234 or the like?

* Re: Linux kernel 5 different behavior
  2019-08-25 20:04       ` Vasili Pupkin
@ 2019-08-26  2:08         ` Jason A. Donenfeld
  2019-08-26  9:29           ` Vasili Pupkin
  0 siblings, 1 reply; 7+ messages in thread
From: Jason A. Donenfeld @ 2019-08-26  2:08 UTC (permalink / raw)
  To: Vasili Pupkin; +Cc: WireGuard mailing list

On Sun, Aug 25, 2019 at 2:04 PM Vasili Pupkin <diggest@gmail.com> wrote:
>
> Usage of fwmark is my current workaround. If the same user id of an
> outer packets is not a bug then ignore it.

I can see arguments both ways. Do you recall off hand the last kernel
version that had the prior behavior? I'd like to try to find the
commit and read the rationale upstream.

* Re: Linux kernel 5 different behavior
  2019-08-26  2:08         ` Jason A. Donenfeld
@ 2019-08-26  9:29           ` Vasili Pupkin
  0 siblings, 0 replies; 7+ messages in thread
From: Vasili Pupkin @ 2019-08-26  9:29 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list

On Mon, Aug 26, 2019 at 5:09 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> > Usage of fwmark is my current workaround. If the same user id of an
> > outer packets is not a bug then ignore it.
>
> I can see arguments both ways. Do you recall off hand the last kernel
> version that had the prior behavior? I'd like to try to find the
> commit and read the rationale upstream.

I see the difference now between the 4.18.0 and 5.0.0 kernels, the
closest I can get with readily compiled kernels on my distro. According
to `iptables -t mangle -A OUTPUT -j LOG --log-uid`, on kernel 4.18 outer
packets have UID=0 if the original packets were sent from system
processes and have no associated UID at all if the original packets
were sent by the user. On kernel 5.0 they always inherit the UID.
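An added example, not code from the thread, showing the UID sandbox in the form that breaks on a 5.x kernel (where, as the last message observes, outer packets inherit the sender's UID) beside the fwmark-aware form that Jason suggests. The sandboxed UID 1000, interface wg0 and fwmark 1234 are constructed values; the verdict functions model first-match-wins rule evaluation so the effect can be checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed values: sandboxed UID 1000,
# WireGuard interface wg0, fwmark 1234 (set with `wg set wg0 fwmark 1234`,
# or `FwMark = 1234` under [Interface] in a wg-quick config).
SANDBOX_UID=1000
WG_IF=wg0
WG_FWMARK=1234

# Weak sandbox: confine the UID to wg0. On Linux 5.x the encrypted outer
# UDP packets carry the same UID, so the second rule rejects them (or, with
# a policy-routing setup like the reporter's, steers them back into wg0 in
# a loop) and the tunnel carries nothing.
weak_rules() {
    printf '%s\n' \
      "iptables -A OUTPUT -m owner --uid-owner $SANDBOX_UID -o $WG_IF -j ACCEPT" \
      "iptables -A OUTPUT -m owner --uid-owner $SANDBOX_UID -j REJECT"
}

# Hardened sandbox: exempt packets carrying WireGuard's fwmark before the
# UID rules. Only WireGuard's own output carries that mark, because setting
# SO_MARK from user space needs CAP_NET_ADMIN (or CAP_NET_RAW on recent
# kernels), so unmarked traffic from the sandboxed user is still confined.
fixed_rules() {
    printf '%s\n' \
      "iptables -A OUTPUT -m mark --mark $WG_FWMARK -j ACCEPT" \
      "iptables -A OUTPUT -m owner --uid-owner $SANDBOX_UID -o $WG_IF -j ACCEPT" \
      "iptables -A OUTPUT -m owner --uid-owner $SANDBOX_UID -j REJECT"
}

# Model of the two rule sets (first match wins, as in iptables). A packet is
# described as: UID OUT_IF MARK; the verdict is echoed.
verdict_weak() {
    if [ "$1" = "$SANDBOX_UID" ] && [ "$2" = "$WG_IF" ]; then echo ACCEPT
    elif [ "$1" = "$SANDBOX_UID" ]; then echo REJECT
    else echo ACCEPT; fi
}
verdict_fixed() {
    if [ "$3" = "$WG_FWMARK" ]; then echo ACCEPT
    else verdict_weak "$1" "$2" "$3"; fi
}

# Print both rule sets and the verdict for the outer (encrypted) packet as
# seen on a 5.x kernel: UID 1000, leaving via eth0, marked 1234.
echo "# weak:";  weak_rules
echo "# fixed:"; fixed_rules
echo "outer packet, weak rules:  $(verdict_weak  1000 eth0 1234)"
echo "outer packet, fixed rules: $(verdict_fixed 1000 eth0 1234)"
```

To apply the hardened set on a host, run `fixed_rules | sh` as root after the interface's fwmark is configured; the `LOG --log-uid` rule quoted in the last message is a handy way to confirm which UID the outer packets actually carry on your kernel.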