Nftables and kernel-level IDs issue


I would like to open a discussion about an issue I found. It is not a problem if you would like to talk generally about configuring firewalls on LXC if you don’t like this idea. But in my opinion a firewall on LXC follows the isolation rule. It is much easier to handle many containers with isolated rules.

But let me get back to the issue. It is easy to explain the problem with a simple nftables output rule ‘skuid root drop’. This rule is equal to ‘skuid 0 drop’. The problem is that we have an isolation leak, because the kernel uses host-based IDs. So the correct rule is something like ‘skuid 100000 drop’, depending on the configured ID map.

There is more. As you know, it is possible to run multiple containers with the same ID maps. So how do you think the second container would be affected if we configure the first container to block traffic for ID=100000?
The answer is that nothing will happen, because somehow there is still an isolation of host-based IDs.

So, magically, host-based ID=100000 of container A is different from the same host-based ID for container B, but exactly the same if we set this rule on the host, so as a result we block traffic from all root users from all containers with matching ID maps.

My question: do you know about this issue yet? Where should I write about it, or maybe it is correct?

Thanks :slight_smile:
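The mismatch the post describes, between the uid a rule author writes inside the container and the kernel uid that `meta skuid` compares against, is easy to get wrong by hand once an ID map has more than one range. The following is an added example, not code from the original post or from the LXC project: it parses the three-column `inside-start outside-start count` format that the kernel exposes in `/proc/<pid>/uid_map`, translates a container uid into the host uid the kernel actually stamps on the container's sockets, and emits the `nft` rule with that translated uid. The sample map is constructed (a 0..65535 range shifted by 100000 with a single uid 1000 mapped straight through, as a user might configure for a shared home directory); the table and chain names `inet filter` / `output` are assumptions and must already exist on the system where the emitted command is run.

```python
"""Translate container uids into the kernel (host) uids that nftables'
`meta skuid` matches on, and emit the corresponding rule.

Added example; the uid_map format is the one the kernel exposes in
/proc/<pid>/uid_map: three columns, "inside-start outside-start count".
"""

from dataclasses import dataclass
from typing import List, Optional

# Constructed sample map: container uids 0..999 -> host 100000..100999,
# container uid 1000 -> host 1000 (passed straight through), and
# container uids 1001..65535 -> host 101001..165535.
SAMPLE_UID_MAP = """\
         0     100000       1000
      1000       1000          1
      1001     101001      64535
"""


@dataclass(frozen=True)
class IdMapEntry:
    inside_start: int   # first uid as seen inside the container
    outside_start: int  # first uid as seen by the kernel / host
    count: int          # length of the contiguous range


def parse_uid_map(text: str) -> List[IdMapEntry]:
    """Parse /proc/<pid>/uid_map-style text into a list of ranges."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range in uid_map line: {line!r}")
        entries.append(IdMapEntry(inside, outside, count))
    return entries


def container_to_host_uid(uid_map: List[IdMapEntry], container_uid: int) -> Optional[int]:
    """Return the kernel uid for a container uid, or None if it is unmapped."""
    for e in uid_map:
        if e.inside_start <= container_uid < e.inside_start + e.count:
            return e.outside_start + (container_uid - e.inside_start)
    return None


def host_to_container_uid(uid_map: List[IdMapEntry], host_uid: int) -> Optional[int]:
    """Inverse lookup: which container uid (if any) owns this kernel uid."""
    for e in uid_map:
        if e.outside_start <= host_uid < e.outside_start + e.count:
            return e.inside_start + (host_uid - e.outside_start)
    return None


def nft_skuid_rule(uid_map: List[IdMapEntry], container_uid: int,
                   table: str = "inet filter", chain: str = "output",
                   verdict: str = "drop") -> str:
    """Build an nft command whose skuid is the kernel uid for container_uid.

    Writing `meta skuid 0` inside a container with a shifted map would
    match kernel uid 0, not the container's root; this resolves the map
    first so the emitted rule matches the container's actual sockets.
    The table and chain are assumed to exist already.
    """
    host_uid = container_to_host_uid(uid_map, container_uid)
    if host_uid is None:
        raise ValueError(f"container uid {container_uid} is not in the id map")
    return f"nft add rule {table} {chain} meta skuid {host_uid} {verdict}"


if __name__ == "__main__":
    idmap = parse_uid_map(SAMPLE_UID_MAP)
    for cuid in (0, 999, 1000, 1001, 65535):
        print(f"container uid {cuid:5d} -> kernel uid {container_to_host_uid(idmap, cuid)}")
    # Block egress from the container's root user, as the kernel sees it.
    print(nft_skuid_rule(idmap, 0))
```

On a live system the map text would come from `/proc/<container-init-pid>/uid_map` rather than the constructed sample; the translation logic is the same. Note that the emitted rule is only meaningful in the network namespace where the target sockets live: loaded on the host it matches every socket owned by kernel uid 100000 in that namespace, whichever container created it.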