iptables and queue


Postby shaman » Wed Jun 16, 2004 3:26 pm

Hi.
Problem with iptables and queue. My rules:
$IPTABLES -t mangle -A POSTROUTING -p all -j QUEUE
$IPTABLES -t mangle -A PREROUTING -p all -j QUEUE

After activating grsec I can't connect anywhere. In kern.log:

Jun 17 11:28:58 mail kernel: NET: 10 messages suppressed.
Jun 17 11:28:58 mail kernel: ip_queue: full at 1024 entries, dropping packet(s).
Jun 17 11:28:58 mail last message repeated 9 times
Jun 17 11:29:03 mail kernel: NET: 60 messages suppressed.
Jun 17 11:29:03 mail kernel: ip_queue: full at 1024 entries, dropping packet(s).

If I disable these rules I can connect.
Can anyone help me?
shaman
 
Posts: 7
Joined: Wed Jun 02, 2004 7:27 am

Postby torne » Wed Jun 16, 2004 9:08 pm

I'd be surprised if you could connect to anywhere *before* activating grsecurity.. you are queueing all packets on your system to userspace both before and after routing, and I can't think of any daemon that needs packets from both sides of routing. Are you running a userspace networking daemon for some weird routing config/unsupported protocol/etc?

The log message 'ip_queue: full at 1024 entries, dropping packet(s)' means that 1024 packets have been put into the queue to go to userspace but no daemon has picked them up, so there is no room to add any more. If you have a daemon expecting them, then it's misconfigured and is not reading them.

What are you expecting those rules to do?
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm
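The log lines shaman posted are a useful detection signal in their own right: a kernel that keeps reporting "ip_queue: full" is telling you that packets are being queued to userspace and nothing is reading them, which in this thread means the firewall is silently dropping traffic. The script below is an added example (not code from any poster, NeTAMS or grsecurity) that reads a kern.log excerpt, folds in syslog's "last message repeated N times" lines and the kernel's "NET: N messages suppressed" rate-limiter counters, and returns a summary you can alert on. The sample input is the excerpt from the first post; the threshold in `queue_is_starved` is an assumed default.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# Sample input: the kern.log excerpt from the first post in this thread.
SAMPLE_KERN_LOG = """\
Jun 17 11:28:58 mail kernel: NET: 10 messages suppressed.
Jun 17 11:28:58 mail kernel: ip_queue: full at 1024 entries, dropping packet(s).
Jun 17 11:28:58 mail last message repeated 9 times
Jun 17 11:29:03 mail kernel: NET: 60 messages suppressed.
Jun 17 11:29:03 mail kernel: ip_queue: full at 1024 entries, dropping packet(s).
"""

QUEUE_FULL_RE = re.compile(r"ip_queue: full at (\d+) entries, dropping packet\(s\)")
REPEATED_RE = re.compile(r"last message repeated (\d+) times")
SUPPRESSED_RE = re.compile(r"NET: (\d+) messages suppressed")
# Classic syslog prefix: "Mon DD HH:MM:SS host ..."
TIMESTAMP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ")


@dataclass
class QueueDropSummary:
    logged_events: int = 0        # "ip_queue: full" lines, including syslog repeats
    suppressed_messages: int = 0  # messages the kernel rate limiter did not print
    queue_lengths: Set[int] = field(default_factory=set)  # the "full at N entries" values
    hosts: Set[str] = field(default_factory=set)
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None

    @property
    def estimated_drop_messages(self) -> int:
        # Lower bound on drop reports: what was printed plus what was rate-limited away.
        # (Suppressed counters cover all NET messages, so this is a heuristic.)
        return self.logged_events + self.suppressed_messages


def summarize_ip_queue_drops(log_text: str) -> QueueDropSummary:
    """Fold a kern.log excerpt into one QueueDropSummary."""
    summary = QueueDropSummary()
    last_was_queue_full = False  # needed to attribute "last message repeated" lines
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        ts = ts_match.group(1) if ts_match else None
        host = ts_match.group(2) if ts_match else None

        if m := QUEUE_FULL_RE.search(line):
            summary.logged_events += 1
            summary.queue_lengths.add(int(m.group(1)))
            summary.first_seen = summary.first_seen or ts
            summary.last_seen = ts
            if host:
                summary.hosts.add(host)
            last_was_queue_full = True
            continue

        if (m := REPEATED_RE.search(line)) and last_was_queue_full:
            # syslog collapsed N further copies of the previous ip_queue line
            summary.logged_events += int(m.group(1))
            summary.last_seen = ts
            continue  # a repeat still refers to the ip_queue message

        if m := SUPPRESSED_RE.search(line):
            summary.suppressed_messages += int(m.group(1))
        last_was_queue_full = False
    return summary


def queue_is_starved(summary: QueueDropSummary, threshold: int = 1) -> bool:
    """True when the queue reported drops at least `threshold` times (assumed default 1)."""
    return summary.estimated_drop_messages >= threshold


if __name__ == "__main__":
    s = summarize_ip_queue_drops(SAMPLE_KERN_LOG)
    print(f"hosts={sorted(s.hosts)} queue_len={sorted(s.queue_lengths)} "
          f"logged={s.logged_events} suppressed={s.suppressed_messages} "
          f"estimated>={s.estimated_drop_messages} "
          f"window={s.first_seen} .. {s.last_seen} starved={queue_is_starved(s)}")
```

On the excerpt from the first post this reports 11 logged "ip_queue: full" events (1 + 9 repeats + 1) and 70 suppressed messages, i.e. at least 81 drop reports in five seconds: exactly the "no daemon is picking packets up" condition torne describes, and a reasonable thing to page on for any host that runs a userspace queue consumer.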

Postby shaman » Wed Jun 16, 2004 9:45 pm

OK. I use NeTAMS (http://www.netams.com) and these rules are for NeTAMS.
Packets from the interface come to the queue, then NeTAMS analyzes them.

Before activating grsec it worked.

My ACL for netams (after learning):

/usr/bin/netams o {
/var/www/localhost/netams rw
/var/www/localhost
/var/www
/var/run/mysqld/mysqld.sock rw
/var
/usr/bin/netams x
/
-CAP_ALL
}
shaman
 
Posts: 7
Joined: Wed Jun 02, 2004 7:27 am

Postby torne » Thu Jun 17, 2004 10:04 am

The first thing that comes to mind is whether a capability is needed to use netlink sockets..
torne
 
Posts: 54
Joined: Mon Aug 12, 2002 12:52 pm

Postby spender » Thu Jun 17, 2004 10:21 am

CAP_NET_ADMIN is needed.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby shaman » Thu Jun 17, 2004 2:00 pm

spender wrote: CAP_NET_ADMIN is needed.

-Brad

You're right! It works. Thank you!
shaman
 
Posts: 7
Joined: Wed Jun 02, 2004 7:27 am
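For reference, here is the shape the fix takes in the policy. This is an added example assembled from shaman's learned subject and spender's answer, not a policy any of the posters published: the learned subject drops every capability with `-CAP_ALL`, and a later `+CAP_...` line in grsecurity's RBAC syntax re-grants just the one named, so the daemon ends up with CAP_NET_ADMIN (which the ip_queue netlink interface checks) and nothing else. Paths and modes are copied from the post above; verify against your own learned output before loading it with gradm.

```text
/usr/bin/netams o {
	/var/www/localhost/netams rw
	/var/www/localhost
	/var/www
	/var/run/mysqld/mysqld.sock rw
	/var
	/usr/bin/netams x
	/

	-CAP_ALL
	+CAP_NET_ADMIN
}
```

If the subject later needs to do more than talk to ip_queue, add capabilities one at a time rather than relaxing back to the default set; the "ip_queue: full" messages disappearing from kern.log is the confirmation that the daemon is reading the queue again.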
