||3 yıl önce|
|profiles||5 yıl önce|
|src||3 yıl önce|
|Cargo.lock||3 yıl önce|
|Cargo.toml||3 yıl önce|
|README.md||3 yıl önce|
qsni (quite simple network isolation) allows for simple assignment of per cgroup iptables rules to programs.
While you can also achieve this (and more) using network namespaces, the setup is not as simple/easy.
You need an iptables version that supports cgroup matching (e. g. version >= 1.6) and rust/cargo to build the binary
The following kernel config parameters must be set:
$ qsni blocked ping google.com ping: unknown host google.com
$ qsni lan bash $ ping 188.8.131.52 PING 184.108.40.206 (220.127.116.11) 56(84) bytes of data. ping: sendmsg: Operation not permitted $ ping 192.168.1.1 PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.127 ms $ qsni someprofile bash already assigned to a net class, thus you can't use this binary to change that $
If cgroup_root isn't mounted to /sys/fs/cgroup, do it or change the constant in the source to the correct path.
cargo build --release cp target/release/qsni /usr/bin/ chmod o=rx /usr/bin/qsni chown root:root /usr/bin/qsni setcap 'cap_setuid=ep cap_setgid=ep' /usr/bin/qsni mkdir /etc/qsni.d chmod o=rx /etc/qsni.d cp profiles/blocked /etc/qsni.d/blocked chmod o=r /etc/qsni.d/blocked
Every profile must have its own unique CGROUP_ID value in the profile file.
This alone is not a satisfactory way to prevent misbehaving programs to contact destinations you don't want them to. While the restrictions also apply to the children of the launched programs, at a minimum, file system isolation is also necessary and perhaps IPC etc.
qsni however does not aim to be a complete "jailing/isolation" solution. Nevertheless, I have use cases for it, hence its existence.
¹ name is preliminary