launches and assigns programs to cgroup-specific iptables-rules
Dosyaya git
Albert S. 7cd1fcfb76 update README 2019-08-11 12:08:54 +02:00
profiles first commit 2018-01-02 16:38:14 +01:00
src remove warnings about unused imports/variables 2019-08-11 12:02:42 +02:00
Cargo.lock retire C version 2019-08-11 11:59:47 +02:00
Cargo.toml retire C version 2019-08-11 11:59:47 +02:00 update README 2019-08-11 12:08:54 +02:00


qsni (quite simple network isolation) allows for simple assignment of per cgroup iptables rules to programs.

While you can also achieve this (and more) using network namespaces, the setup is not as simple/easy.


You need an iptables version that supports cgroup matching (e. g. version >= 1.6) and rust/cargo to build the binary

The following kernel config parameters must be set:



$ qsni blocked ping
ping: unknown host
$ qsni lan bash
$ ping
PING ( 56(84) bytes of data.
ping: sendmsg: Operation not permitted
$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.127 ms
$ qsni someprofile bash
already assigned to a net class, thus you can't use this binary to change that


If cgroup_root isn't mounted to /sys/fs/cgroup, do it or change the constant in the source to the correct path.

cargo build --release 
cp target/release/qsni /usr/bin/
chmod o=rx /usr/bin/qsni
chown root:root /usr/bin/qsni
setcap 'cap_setuid=ep cap_setgid=ep' /usr/bin/qsni

mkdir /etc/qsni.d
chmod o=rx /etc/qsni.d
cp profiles/blocked /etc/qsni.d/blocked
chmod o=r /etc/qsni.d/blocked

Every profile must have its own unique CGROUP_ID value in the profile file.

Security discussion

This alone is not a satisfactory way to prevent misbehaving programs to contact destinations you don't want them to. While the restrictions also apply to the children of the launched programs, at a minimum, file system isolation is also necessary and perhaps IPC etc.

qsni however does not aim to be a complete "jailing/isolation" solution. Nevertheless, I have use cases for it, hence its existence.

¹ name is preliminary