Any way to echo into /proc/net/xt_recent/XXX?

Is there any way to be able to:

echo +192.98.11.112 > /proc/net/xt_recent/content

in an unprivileged container, to utilise the xt_recent kernel module?

I did a quick test outside of LXD to see if it’s a kernel restriction:

stgraber@dakara:~$ unshare -U -r -m -n -p -f
root@dakara:~# mount -t sysfs sysfs /sys
root@dakara:~# mount -t proc proc /proc
root@dakara:~# ip link add dev blah type dummy
root@dakara:~# ls -lh /sys/class/net/
total 0
lrwxrwxrwx 1 root   root    0 Aug 24 10:38 blah -> ../../devices/virtual/net/blah
lrwxrwxrwx 1 nobody nogroup 0 Aug 24 10:38 lo -> ../../devices/virtual/net/lo
root@dakara:~# ls -lh /proc/net/xt_recent/
total 0
root@dakara:~# mount -t tmpfs tmpfs /run
root@dakara:~# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
root@dakara:~# ls -lh /proc/net/xt_recent/
total 0
-rw-r--r-- 1 nobody nogroup 0 Aug 24 10:40 badguy
root@dakara:~# echo +192.98.11.112 > /proc/net/xt_recent/badguy 
-bash: /proc/net/xt_recent/badguy: Permission denied
root@dakara:~# 

So the conclusion here is that this iptables module seems to be only partly namespaced.
The actual lists are properly namespaced and iptables can be used to set one up in the current network namespace.

But their kernel API to update the list is not namespace aware and so prevents writing to the list.

This is effectively a kernel bug. It shouldn’t be a difficult one to fix for someone familiar with iptables modules though.


Thank you for the extensive analysis; I’ll try to log a kernel bug then.

As a workaround, you can do this from the host:

nsenter -n -t $(lxc info $CONTAINER | awk '/^PID:/ {print $2}') -- sh -c 'echo +192.98.11.112 > /proc/net/xt_recent/content'

Please report back on the Launchpad URL when you have it, thanks!

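The host-side workaround above, generalised into a small script. This is an added example, not code from the thread or from LXD: it validates the addresses on the host, builds the commands the xt_recent proc file accepts (+addr to add, -addr to remove, / to flush), and writes them one per write(2) inside the container's network namespace via nsenter. It assumes LXD's lxc client, util-linux nsenter, and root on the host (nsenter -n needs it); the function names are hypothetical, and the PID is obtained the same way as in the one-liner above.

```shell
#!/bin/sh
# Added example (not from the thread or LXD): apply xt_recent updates to an
# LXD container's list from the host, where the proc write is permitted.
# Assumes: `lxc` (LXD client), `nsenter` (util-linux), root on the host.
# Function names are hypothetical; the +addr / -addr / "/" format is the
# kernel's xt_recent proc interface.

# Validate a dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# One command per write, as /proc/net/xt_recent/<list> parses it:
#   +addr  add (or refresh) an entry
#   -addr  remove an entry
#   /      flush the whole list
format_entry() {
    case "$1" in
        add)   is_ipv4 "$2" && printf '%s%s\n' + "$2" ;;
        del)   is_ipv4 "$2" && printf '%s%s\n' - "$2" ;;
        flush) printf '/\n' ;;
        *)     return 1 ;;
    esac
}

# Init PID of a running container, obtained as in the workaround above.
container_pid() {
    lxc info "$1" | awk '/^PID:/ {print $2; exit}'
}

# xt_recent_ctl CONTAINER LIST add|del IP...   or   xt_recent_ctl CONTAINER LIST flush
xt_recent_ctl() {
    container=$1; list=$2; action=$3; shift 3
    [ "$action" = flush ] || [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    pid=$(container_pid "$container")
    [ -n "$pid" ] || { echo "$container: no PID (not running?)" >&2; return 1; }
    path=/proc/net/xt_recent/$list

    # Validate everything on the host before touching the namespace.
    entries=$(
        if [ "$action" = flush ]; then
            format_entry flush
        else
            for ip in "$@"; do
                format_entry "$action" "$ip" || { echo "bad address: $ip" >&2; exit 1; }
            done
        fi
    ) || return 1

    # Enter only the network namespace (-n): /proc/net is /proc/self/net, so
    # the path then refers to the container's list. Deliberately stay in the
    # host's user namespace, since the container's mapped root gets the
    # Permission denied shown earlier in the thread. One line per write(2).
    printf '%s\n' "$entries" | nsenter -n -t "$pid" -- sh -c '
        path=$1
        [ -w "$path" ] || { echo "$path is not writable from here" >&2; exit 1; }
        while IFS= read -r line; do
            printf "%s\n" "$line" > "$path" || exit 1
        done' sh "$path"
}

# Run as a script: ./xt_recent_ctl.sh CONTAINER LIST add|del|flush [IP...]
if [ "$#" -ge 3 ]; then
    xt_recent_ctl "$@"
fi
```

The list name must already exist in the container's namespace (a rule with `-m recent --name LIST` creates it, as the test above shows); the `-w` check inside the namespace fails fast instead of producing a wall of Permission denied errors if the script is ever run from the wrong side.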

https://bugzilla.netfilter.org/show_bug.cgi?id=1629
