NPF : User/group id filtering #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Closed

Emmankoko wants to merge 7 commits into NetBSD:trunk from Emmankoko:rid

Emmankoko commented Mar 29, 2025

No description provided.

Emmankoko added 2 commits

March 29, 2025 18:13


          Userland: npf rule parser for user and group id

5a9cecb


          Kernel: extract rule, lookup sockets ids, and process filtering

5e2d10d

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npfctl/npf_data.c Outdated

+               * both uid and gid are both uint32_t
+               */
+              struct r_id
+              npfctl_init_rid(uint32_t id1, uint32_t id2, uint8_t op)

Contributor

zoulasc Mar 29, 2025

pass the rid pointer to be initialized to avoid extra copies.

Emmankoko added 2 commits

March 30, 2025 18:10


          pass rid_t by ref and copy the values directly to rid

c9c4b5c


          npf_socket API

c7247a5

Emmankoko force-pushed the rid branch from ed55615 to c7247a5 Compare

April 1, 2025 11:45

Emmankoko force-pushed the rid branch 3 times, most recently from 20e7cfb to e402ccb Compare

May 23, 2025 22:40

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npfctl/npf_show.c Outdated

               		ctx->fpos += fprintf(ctx->fp, "all ");
               	}
+              	if (!npf_rule_getrid(&rid, rl, "r_user")) {
+              		ctx->fpos += fprintf(ctx->fp, "user \"%s\" ", print_guid(rid));

Contributor

zoulasc May 24, 2025

memory leaks

Emmankoko force-pushed the rid branch from 03e4957 to 2707f15 Compare

May 24, 2025 23:18


          npfctl show

308d994

Emmankoko force-pushed the rid branch 6 times, most recently from 024cdd6 to 7ae56f4 Compare

May 31, 2025 12:47

zoulasc reviewed

View reviewed changes

sys/net/npf/npf_handler.c Outdated

               		error = npf_rule_reverse(&npc, &mi, error);
               	}
-              	if (error) {
+              	/* sidewaysh handling of rejecting packets whose addr-port pair matches no sockets  */

Contributor

zoulasc May 31, 2025

I think this should be done in a separate commit and "sideways"?

zoulasc reviewed

View reviewed changes

sys/net/npf/npf_ruleset.c Outdated

               	}
-              	return matched;
+              	/* make sure if both uid and gid is set on rule, both must be mtching to agree */

Contributor

zoulasc May 31, 2025

"matching"

zoulasc reviewed

View reviewed changes

sys/net/npf/npf_ruleset.c Outdated

@@ @@ -1013,7 +1013,7 @@ int @@
               npf_rule_match_rid(npf_rule_t *rl, npf_cache_t *npc, int dir)
               {
               	uint32_t sock_gid, sock_uid;
-              	int matched = 0;
+              	int uid_matched = 0, gid_matched = 0;

Contributor

zoulasc May 31, 2025

perhaps bool and false?

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c

		@@ -0,0 +1,270 @@
		/*

Contributor

zoulasc May 31, 2025

Copyright, rcsid.

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c

+              		int id_match;
+              		id_match = npf_rule_match_rid(rl, npc, t->di);
+              		error = npf_rule_conclude(rl, &mi);

Contributor

zoulasc May 31, 2025

error gets overwritten below and not tested here.

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c Outdated

+              static struct socket *
+              test_socket(int dir, uid_t uid, gid_t gid)
+              {
+              	struct sockaddr_in Server;

Contributor

zoulasc May 31, 2025

Why caps?

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c Outdated

+              test_socket(int dir, uid_t uid, gid_t gid)
+              {
+              	struct sockaddr_in Server;
+              	struct lwp *cur =  curlwp;

Contributor

zoulasc May 31, 2025

single space.

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c Outdated

+              	struct socket *so;
+              	int error = socreate(AF_INET, &so, SOCK_DGRAM, 0, cur, NULL);
+              	if(error) {

Contributor

zoulasc May 31, 2025

Space after keyword (everywhere)

Contributor

zoulasc May 31, 2025

why printf instead of warn(3)?

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c

+              	sounlock(so);
+              	if((error = sobind(so, (struct sockaddr *)&Server, cur)) != 0) {
+              		printf("bind failed %d\n", error);

Contributor

zoulasc May 31, 2025

Again warn is better (everywhere)?

zoulasc reviewed

View reviewed changes

usr.sbin/npf/npftest/libnpftest/npf_rid_test.c Outdated

+              static bool
+              test_static(bool verbose)
+              {
+              	for (unsigned i = 0; i < __arraycount(test_cases); i++) {

Contributor

zoulasc May 31, 2025

size_t is prolly better.

zoulasc requested changes

View reviewed changes

Contributor

zoulasc left a comment

see inline comments.

Emmankoko force-pushed the rid branch from d00e495 to 89c60ce Compare

May 31, 2025 17:57


          testing

c2a18cd

in this testing, a socket is crafted in kernel to listen on any address( all interfaces) and port 65000 which is ideal for testing

to test,
run : npfctl debug -c $dir_to_npftest.conf -o ./npf.plist
npftest -c ./npf.plist -T guid -v

Emmankoko force-pushed the rid branch 5 times, most recently from 2d134c0 to 10b8936 Compare

June 1, 2025 17:15


          docs

36cc50b

Emmankoko force-pushed the rid branch from 8027a57 to 36cc50b Compare

June 1, 2025 17:33

Emmankoko closed this

Emmankoko deleted the rid branch

June 1, 2025 17:39

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet