
Another pointless example of NFT, Secmark and DSSP2-Standard

I was just playing with things to get a little more used to the nft syntax. In the example below, the browser instances of users in the wheel group (the commented CIL policy in the listing names them `seamonkey.wheel.subj`; substitute the firefox equivalent if that is the browser you mean) are only allowed to reach the local DNS server and the rt.com website. Everything else is still allowed.

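#!/usr/sbin/nft -f

# Secmark labelling for DSSP2: the first packet of every locally initiated flow
# is tagged with an SELinux packet label looked up by destination address and
# port, the label is stored in the conntrack entry, and it is copied back onto
# every later packet of the flow. The SELinux packet_send/packet_recv checks
# therefore see one stable label per connection.
#
# Load with:        nft -f <file>
# Syntax check:     nft -c -f <file>
# nft -f applies the whole file as one transaction, so a reload never leaves
# the table half-populated.

# Matching DSSP2 CIL policy (kept here for reference; not read by nft):
#(in dns (block client (blockinherit net.packet.obj_template)))
#(block rt (block client (blockinherit net.packet.obj_template)))
#(typeattribute dns_clients_minus_wheel_seamonkey)
#(typeattributeset dns_clients_minus_wheel_seamonkey (and dns.client_subj_type_attribute (not seamonkey.wheel.subj)))
#(call sys.invalid.packet_send (dns_clients_minus_wheel_seamonkey))
#(call sys.invalid.packet_recv (dns_clients_minus_wheel_seamonkey))
#(call dns.client.packet_recv (dns.client_subj_type_attribute))
#(call dns.client.packet_send (dns.client_subj_type_attribute))
#(call rt.client.packet_recv (dns.client_subj_type_attribute))
#(call rt.client.packet_send (dns.client_subj_type_attribute))

# The policy above hands out access to unlabelled ("invalid") packets per
# attribute, so the global boolean that allows them for everyone is switched off:
# setsebool sys.recv_and_send_invalid_packets off

# Make reloads idempotent. Without this, re-running `nft -f` on a host that
# already has the table appends every chain rule a second time (the secmark
# objects, maps and elements are merged, the rules are not). Declaring the
# table first lets the delete succeed on a fresh host as well; the delete and
# the redefinition below land in the same transaction. Newer nft releases also
# offer `destroy table`, which does not fail when the table is absent.
add table inet mysecmark
delete table inet mysecmark

table inet mysecmark {

    # SELinux security contexts assigned to packets. The type component has to
    # exist in the loaded policy (see the CIL snippet above) or the load fails.
    secmark dns_client {
        "sys.id:sys.role:dns.client.packet:s0"
    }
    secmark rt_client {
        "sys.id:sys.role:rt.client.packet:s0"
    }

    # Destination address . port -> label, for locally initiated flows.
    # NOTE(review): the rt.com addresses are literal snapshots of what the name
    # resolved to when this was written; when the site moves (CDN, DNS change)
    # the flow silently falls into the unlabelled case and the restricted
    # browser domain presumably loses access. Refresh these, or feed them from
    # a set you keep in sync with DNS.
    map secmapping_4_out {
        type ipv4_addr . inet_service : secmark
        elements = { 192.168.1.1 . 53 : "dns_client",
                     207.244.80.166 . 80 : "rt_client",
                     207.244.80.166 . 443 : "rt_client",
                     92.223.126.251 . 80 : "rt_client",
                     92.223.126.251 . 443 : "rt_client" }
    }

    map secmapping_6_out {
        type ipv6_addr . inet_service : secmark
        elements = { fd18:5480:168d::1 . 53 : "dns_client",
                     2001:1af8:4700:b220::112 . 80 : "rt_client",
                     2001:1af8:4700:b220::112 . 443 : "rt_client",
                     2a03:90c0:9997::9997 . 80 : "rt_client",
                     2a03:90c0:9997::9997 . 443 : "rt_client" }
    }

    # Priorities -225 / 225 mirror the SELinux netfilter hook priorities
    # (NF_IP_PRI_SELINUX_FIRST / NF_IP_PRI_SELINUX_LAST).
    # NOTE(review): confirm against your kernel that the label is set before
    # the LSM performs its packet checks; the ordering is not verified here.
    chain input {
        type filter hook input priority -225;

        # There is no inbound map, so a flow that is initiated from the
        # network keeps whatever secmark the packet already carries (the
        # default, i.e. unlabelled) and that is what gets stored in conntrack.
        ct state new ct secmark set meta secmark

        # Replies to flows labelled in the output chain get the stored label.
        ct state established,related meta secmark set ct secmark
    }

    chain output {
        type filter hook output priority 225;

        # Label the first packet of a new flow from the destination maps. Each
        # rule only matches its own L3/L4 protocol; a new flow that hits none
        # of them keeps its existing (unlabelled) secmark. These four rules
        # must stay ahead of the `ct secmark set` rule below.
        ct state new meta secmark set ip daddr . tcp dport map @secmapping_4_out
        ct state new meta secmark set ip daddr . udp dport map @secmapping_4_out
        ct state new meta secmark set ip6 daddr . tcp dport map @secmapping_6_out
        ct state new meta secmark set ip6 daddr . udp dport map @secmapping_6_out

        # Persist the label for the lifetime of the connection.
        ct state new ct secmark set meta secmark

        # Later packets of an established flow inherit the stored label.
        ct state established,related meta secmark set ct secmark
    }
}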

This is more powerful than systemd's IPAddressAllow= and IPAddressDeny= (which rely on cgroup BPF programs and so are unavailable when kernel lockdown disables BPF in the first place), as you can also match on other attributes such as the protocol and the source and destination port and address.

Demo time:
