Reputation: 13330
I have a process that fork-execlp "iptables-restore file.rules". It looks like it doesn't have the permission, since I don't see some of the rules listed (like INPUT DROP) after the process executes. When I run this process as root, it seems to be fine, but not when I run it as a user with the following capabilities:
parent process - cap_kill,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw+ei
child ( iptables-restore ) - cap_net_admin,cap_net_raw+ei
What is the capability that I am missing?
Upvotes: 2
Views: 1520
Reputation: 1
I just got the same issue. My suspicion is that the issue is not about capabilities, but about simple filesystem permissions. The error I see is:
Fatal: can't open lock file /run/xtables.lock: Permission denied
The file is owned by root:root, and is RW only by the owner. So either change the file ownership to a group and chmod g+rw, or use an alternative lock location via the XTABLES_LOCKFILE environment variable (based on the iptables manual).
If anyone has a different solution I would love to hear about it.
Upvotes: 0
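As an added illustration of the answer above (not code from either poster), the following POSIX shell wrapper checks whether /run/xtables.lock is usable by the current user before invoking iptables-restore, and only then falls back to XTABLES_LOCKFILE. This separates the lock-file permission failure described in the answer from a genuine missing capability. The fallback path under XDG_RUNTIME_DIR (or /tmp) is an assumption of this example, not something from the page.

```shell
#!/bin/sh
# Added example (not from the original post): choose a usable xtables lock
# file before running iptables-restore, so a "can't open lock file" error is
# not mistaken for a missing capability.
#
# Assumption (not from the page): the unprivileged user may create files under
# $XDG_RUNTIME_DIR or /tmp; the fallback file name below is made up.

DEFAULT_LOCK=/run/xtables.lock

# pick_xtables_lock DEFAULT FALLBACK
# Prints the lock path to use and returns 0 if DEFAULT is usable:
#  - DEFAULT exists as a regular file and is writable, or
#  - DEFAULT is absent but its directory is writable (iptables creates the
#    lock file on first use).
# Otherwise prints FALLBACK and returns 1, meaning XTABLES_LOCKFILE is needed.
pick_xtables_lock() {
    lock=$1
    fallback=$2
    if [ -e "$lock" ]; then
        if [ -f "$lock" ] && [ -w "$lock" ]; then
            printf '%s\n' "$lock"
            return 0
        fi
    else
        dir=$(dirname "$lock")
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$lock"
            return 0
        fi
    fi
    printf '%s\n' "$fallback"
    return 1
}

# restore_rules RULES_FILE
# Runs iptables-restore with the system lock when possible; otherwise exports
# XTABLES_LOCKFILE pointing at a per-user lock and says so on stderr.
restore_rules() {
    rules=$1
    fallback="${XDG_RUNTIME_DIR:-/tmp}/xtables-$(id -u).lock"
    if lock=$(pick_xtables_lock "$DEFAULT_LOCK" "$fallback"); then
        iptables-restore "$rules"
    else
        echo "note: $DEFAULT_LOCK not writable by uid $(id -u); using XTABLES_LOCKFILE=$lock" >&2
        XTABLES_LOCKFILE="$lock" iptables-restore "$rules"
    fi
}
```

Usage: `restore_rules file.rules`. Note that a private lock file only serializes callers that share that same path, so concurrent iptables invocations using the system lock are no longer excluded; granting group write on /run/xtables.lock, as the answer's first option suggests, keeps a single lock for everyone.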