From patchwork Sun Aug 13 23:21:33 2023
X-Patchwork-Submitter: Tomas Volf
X-Patchwork-Id: 52802
Subject: [bug#65275] [PATCH] services: %default-nftables-ruleset: Tighten the rules.
From: Tomas Volf
Date: Mon, 14 Aug 2023 01:21:33 +0200
X-Mailer: git-send-email 2.41.0

Packets for local host IP ranges should be coming only over lo. If that is not the case, we should drop them.

Use iif for the check instead of iifname; lo is guaranteed to exist, and iif is faster.

* gnu/services/networking.scm: Tighten the rules.
---
 gnu/services/networking.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

base-commit: be6f5edd445850720dfcec2642db643b84fc0645

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 5657b141d9..e24d2a876a 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -1804,7 +1804,10 @@ (define %default-nftables-ruleset ct state { established, related } accept # allow from loopback - iifname lo accept + iif lo accept + # drop connections to lo not coming from lo + iif != lo ip daddr 127.0.0.1/8 drop + iif != lo ip6 daddr ::1/128 drop # allow icmp ip protocol icmp accept
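Review bot: the two new `drop` rules sit below the unchanged `ct state { established, related } accept` line, so a packet addressed to 127.0.0.1/8 or ::1 that arrives on a non-lo interface and matches an existing conntrack entry is accepted before the new rules are evaluated; if the intent is to refuse all such packets, move the two `iif != lo ... drop` lines above the `ct state` rule, and reword the comment `# drop connections to lo not coming from lo`, since the rules match packets by destination address rather than connections. As a style point, prefer the canonical prefix forms `127.0.0.0/8` and `::1` over `127.0.0.1/8` and `::1/128`. The commit message could also state that, with the kernel default of `route_localnet=0`, packets for 127.0.0.0/8 arriving on other interfaces are already discarded as martians before the input hook, so these rules mainly add defense in depth for setups that enable it or that DNAT to loopback.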