Summary: | net-firewall/nftables-0.9.0-r5 reads from stdin on system boot | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | thomasb <gentoo-bugzilla> |
Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
Status: | UNCONFIRMED --- | ||
Severity: | normal | CC: | base-system, kfm, klondike, prometheanfire |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | | Runtime testing required: | ---
Description
thomasb
2019-12-29 16:09:17 UTC
Hi Thomas! The change isn't as easy from the nftables side as you think. The script makes use of pipes (and stdin reading) to load the ruleset because it needs to ensure the prior ruleset is flushed, and it needs to do so atomically (on modern kernels). There is no guarantee that the ruleset starts with a "flush ruleset" statement, so we ensure that is the case by using that and an include statement. Any other approach would either be too complicated (requiring a temporary file, which will fail as per https://bugs.gentoo.org/704184) or use a static file that will not permit changing the configuration variables to specify which file to load.

Similarly, the panic actions behave in a similar way by injecting a set of rules that prevent new connections (and/or established ones) as the only ruleset, and those would also require their own files. We decided to skip that to avoid increasing the complexity for the users (with more files, and therefore more points of failure and more to debug when things misbehave). So it would instead be preferable to allow initrc_t fifo access as you did.

Hi Thomas, based on the feedback on #789306 I will make stdin use (during loads only) optional. I have posted a new script, init.d and conf.d files which I'd appreciate if you could test and give me some feedback on. This does not solve the problem with panics, which still need stdin to work.
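The load and panic mechanics described in the comment above, as an added illustration that is not Gentoo's own /etc/init.d/nftables script: the init script cannot rely on the user's ruleset file beginning with `flush ruleset`, so it prepends one and an `include` of the configured file, then feeds the whole thing to `nft -f -` over stdin so that flush and load commit as one transaction (no window with an empty or half-applied ruleset, and no temporary file for a confined domain to be denied access to). The panic variant replaces the ruleset with a minimal drop-everything table. The path `/etc/nftables/rules.nft`, the `nft_*` function names and the contents of the panic table are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the Gentoo init script. Builds the text that is piped to
# `nft -f -` so the previous ruleset is flushed and the new one loaded in a
# single transaction. Paths and function names here are assumptions.

# Emit the stdin script for a normal load: an unconditional flush followed by
# an include of the configured ruleset, so that file need not contain its own
# "flush ruleset" line and the file to load stays a conf.d variable.
nft_load_script() {
    ruleset_file=$1
    printf 'flush ruleset\ninclude "%s"\n' "$ruleset_file"
}

# Emit a panic ruleset that drops new connections; with keep_established=yes
# traffic belonging to already established flows (and loopback) still passes,
# with keep_established=no everything except loopback is dropped.
nft_panic_script() {
    keep_established=${1:-yes}
    printf 'flush ruleset\n'
    printf 'table inet panic {\n'
    printf '  chain input { type filter hook input priority 0; policy drop;\n'
    printf '    iif "lo" accept\n'
    if [ "$keep_established" = yes ]; then
        printf '    ct state established,related accept\n'
    fi
    printf '  }\n'
    printf '  chain forward { type filter hook forward priority 0; policy drop; }\n'
    printf '  chain output { type filter hook output priority 0; policy drop;\n'
    printf '    oif "lo" accept\n'
    if [ "$keep_established" = yes ]; then
        printf '    ct state established,related accept\n'
    fi
    printf '  }\n'
    printf '}\n'
}

# Apply a generated script. `nft -c -f -` parses and validates the whole text
# (including the included file) without committing anything; only if that
# passes is it loaded for real, again from stdin and as one transaction.
# Both calls need CAP_NET_ADMIN, so this is the part that runs as root at boot.
nft_apply() {
    script=$1
    printf '%s\n' "$script" | nft -c -f - || return 1
    printf '%s\n' "$script" | nft -f -
}

# Usage (as root):
#   nft_apply "$(nft_load_script /etc/nftables/rules.nft)"
#   nft_apply "$(nft_panic_script yes)"
```

Under SELinux the only object the script touches here is the pipe between the shell and `nft`, which is why the policy side of this bug is about `initrc_t` fifo access rather than file contexts; writing the same text to a temporary file under /tmp or /run would instead require the confined domain to create and read that file, which is the failure mode referenced above.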