* Owner on Input table
@ 2005-02-13 0:26 Egon Phillips
2005-02-14 7:29 ` Patrick Schaaf
2005-02-14 7:41 ` Jonas Berlin
0 siblings, 2 replies; 3+ messages in thread
From: Egon Phillips @ 2005-02-13 0:26 UTC (permalink / raw)
To: netfilter-devel
I read in the docs that the owner match as described below is not
available on the input chain.
This module attempts to match various
characteristics of the packet creator,
for locally-generated packets. It is
only valid in the OUTPUT chain, and even
this some packets (such as ICMP ping responses)
may have no owner, and hence never match.
Are there any plans to change this policy? If not, is this a limitation
of the software or of the OS? Is it not possible to use the destination
ports process id to determine the owner?
____________________________________________________
The Brockton Initiative (http://brockton.dyndns.org)
Egon Phillips, Chair
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Owner on Input table
2005-02-13 0:26 Owner on Input table Egon Phillips
@ 2005-02-14 7:29 ` Patrick Schaaf
2005-02-14 7:41 ` Jonas Berlin
1 sibling, 0 replies; 3+ messages in thread
From: Patrick Schaaf @ 2005-02-14 7:29 UTC (permalink / raw)
To: Egon Phillips; +Cc: netfilter-devel
> This module attempts to match various
> characteristics of the packet creator,
> for locally-generated packets. It is
> only valid in the OUTPUT chain, and even
> this some packets (such as ICMP ping responses)
> may have no owner, and hence never match.
>
> Are there any plans to change this policy? If not, is this a limitation
> of the software or of the OS? Is it not possible to use the destination
> ports process id to determine the owner?
It may be possible - after all, the kernel will do it some milliseconds
later - but would you really want your packet processing halted until
it is decided WHICH userlevel apache process will finally accept()
this incoming SYN packet?
In other words: it is neither easy, nor the right place, nor a unique
decision. Thus the policy of "better don't even try".
best regards
Patrick
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Owner on Input table
2005-02-13 0:26 Owner on Input table Egon Phillips
2005-02-14 7:29 ` Patrick Schaaf
@ 2005-02-14 7:41 ` Jonas Berlin
1 sibling, 0 replies; 3+ messages in thread
From: Jonas Berlin @ 2005-02-14 7:41 UTC (permalink / raw)
To: Egon Phillips, netfilter-devel
Egon Phillips wrote:
>I read in the docs that the owner match as described below is not
>available on the input chain.
>
> This module attempts to match various
> characteristics of the packet creator,
> for locally-generated packets. It is
> only valid in the OUTPUT chain, and even
> this some packets (such as ICMP ping responses)
> may have no owner, and hence never match.
>
>Are there any plans to change this policy? If not, is this a limitation
>of the software or of the OS? Is it not possible to use the destination
>ports process id to determine the owner?
>____________________________________________________
>The Brockton Initiative (http://brockton.dyndns.org)
>Egon Phillips, Chair
>
>
Afaik the owner-socketlookup patch in patch-o-matic-ng does what you are
asking for. It has been around for over a year now.
<snip>
The patch allows you to use the owner match in the INPUT chain to match
properties of the receiving socket. It is mainly intended to help filter
weird
protocols like H.323 or IIOB without conntrack helpers, but could also come
handy for local user traffic accounting and similar stuff.
</snip>
--
- xkr47
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-02-14 7:41 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-02-13 0:26 Owner on Input table Egon Phillips
2005-02-14 7:29 ` Patrick Schaaf
2005-02-14 7:41 ` Jonas Berlin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.