Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-85373

RestrictNetworkInterfaces from systemd.resource-control is not working

Linking RHIVOS CVEs to...Migration: Automation ...Sync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Won't Do
    • Icon: Normal Normal
    • None
    • rhel-9.5.z
    • systemd
    • No
    • Moderate
    • rhel-systemd
    • ssg_core_services
    • 5
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      What were you trying to do that didn't work?

      I would like to use the option `RestrictNetworkInterfaces=` from `systemd.resource-control(5)` to limit services to interfaces specified in the allow-list. How ever this option does not work, as I'm still able to use interfaces that are not in the allow-list.

      What is the impact of this issue to you?

      I'm reproducing this issue for one of my customers. They user servers mit multiple network interfaces, e.g. production-interface and backup-interface. They would like to restrict their backup.service to only use the backup interface. As the option is ignored the backup.service is using the production-interface and impacting other user traffic on this host.

      Please provide the package NVR for which the bug is seen:

      • systemd-252-46.el9_5.3.x86_64

      How reproducible is this bug?: Every time trying to apply that option. I created a simple reproducer to show the issue.

      Steps to reproduce

      1.  $ sudo systemd-run -p RestrictNetworkInterfaces=lo ping -c 4 8.8.8.8

      Expected results

      • The `ping` command should fail as it's only allowed to use the interface 'lo'

      Actual results

      The command completes successfully:

      $ sudo journalctl -u run-re4845a779ec7442b81a750021be958fe.service
Mar 28 11:44:38 rhel9-1 systemd[1]: Started /sbin/ping -c 4 8.8.8.8.
Mar 28 11:44:39 rhel9-1 ping[1889]: PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
Mar 28 11:44:39 rhel9-1 ping[1889]: 64 bytes from 8.8.8.8: icmp_seq=1 ttl=53 time=243 ms
Mar 28 11:44:39 rhel9-1 ping[1889]: 64 bytes from 8.8.8.8: icmp_seq=2 ttl=53 time=40.3 ms
Mar 28 11:44:40 rhel9-1 ping[1889]: 64 bytes from 8.8.8.8: icmp_seq=3 ttl=53 time=37.8 ms
Mar 28 11:44:41 rhel9-1 ping[1889]: 64 bytes from 8.8.8.8: icmp_seq=4 ttl=53 time=40.5 ms
Mar 28 11:44:41 rhel9-1 ping[1889]: --- 8.8.8.8 ping statistics ---
Mar 28 11:44:41 rhel9-1 ping[1889]: 4 packets transmitted, 4 received, 0% packet loss, time 3005ms
Mar 28 11:44:41 rhel9-1 ping[1889]: rtt min/avg/max/mdev = 37.803/90.372/242.858/88.044 ms
Mar 28 11:44:41 rhel9-1 systemd[1]: run-re4845a779ec7442b81a750021be958fe.service: Deactivated successfully.

      Please see the following codeblock as confirmation that the `ping` command fails as expected when specifying the interface 'lo' on the command line.

      $ ping -c 2 -I lo 8.8.8.8
ping: Warning: source address might be selected on device other than: lo
PING 8.8.8.8 (8.8.8.8) from 192.168.122.125 lo: 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1058ms

      Additional information

      • Fedora Bug: https://bugzilla.redhat.com/show_bug.cgi?id=2035608
      • So far I can confirm that the bug is fixed in systemd-256.12-1.fc41.x86_64
      • I did not check and verify the versions between  systemd-252-46.el9_5.3.x86_64 and systemd-256.12-1.fc41.x86_64
      • RHEL 10-beta with systemd-256-14.el10.x86_64 is not affected

              msekleta@redhat.com Michal Sekletar
              rhn-support-jkastnin Joerg Kastning
              systemd maint mailing list systemd maint mailing list
              Frantisek Sumsal Frantisek Sumsal
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: