From: Patrick Schaaf <bof@bof.de>
To: Ignatich <ignatich@gmail.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: owner based routing
Date: Mon, 10 Oct 2005 07:05:05 +0200
Message-ID: <20051010050505.GD9644@oknodo.bof.de>
In-Reply-To: <226310304.20051010005011@gmail.com>
> Is it possible to configure owner-based routing via some other way?
It is possible to solve what you described without any reference
to who owns which processes on the router...
You want to learn about policy routing. Read all of www.lartc.org.
When you still have problems, ask a _users_ mailing list or newsgroup.
Roughly, you want to formulate a solution to your task which is based on
looking at IP addresses, and network interface names, only.
The best you can do with owner, and the overall concept of a
process-identity-based firewall functionality, is to forget about it.
> If not then how much work required to make ipt_owner work in PREROUTING
> table?
Very much work. At PREROUTING, we don't even know whether the packet
will be for the local machine or another one behind the router...
> Does netfilter team plan to add such functionality?
As far as I know, no. To the contrary: functionality is removed.
> I'm no
> linux kernel programmer but experienced with C so I might be able to
> help if that's not very complicated.
It is very complicated.
When processing packets in the kernel, especially for receive, the concept
of a user level process does not make much sense, if you look at it in
detail. At the moment the packet is received (and netfiltered), there
isn't even a guarantee that the process that will ultimately handle it,
already exists!
best regards
Patrick
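To make the policy-routing approach from this reply concrete, here is an added example script (not part of the original thread or of any netfilter project code). It does what the reply recommends for forwarded traffic: pick the uplink by source network and interface only, with no reference to process ownership. A second function covers the one place where the owner match is usable, the OUTPUT chain for locally generated packets, by marking there and letting an ip rule act on the mark. All values are constructed assumptions: LAN network 192.0.2.0/24, second uplink eth1 via gateway 198.51.100.1, free routing table 100, unused fwmark 1, uid 1000.

```shell
#!/bin/sh
# Added example, not from the original thread. All addresses, interface
# names, table and mark numbers below are constructed assumptions.
# DRY_RUN=1 (the default) prints the commands; run as root with DRY_RUN=0
# to apply them to a live router.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Forwarded traffic: choose the uplink purely from the source network.
# Arguments: source network, uplink interface, gateway, routing table id.
policy_route_by_source() {
    src_net=$1; dev=$2; gw=$3; table=$4
    run ip route add default via "$gw" dev "$dev" table "$table"
    run ip rule add from "$src_net" lookup "$table" priority 1000
}

# Locally generated traffic: the owner match is only meaningful in the
# OUTPUT chain (the packet already has a sending process there), so set
# a fwmark in mangle/OUTPUT and route on that mark.
# Arguments: uid, fwmark, routing table id.
policy_route_by_local_uid() {
    uid=$1; mark=$2; table=$3
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" \
        -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" lookup "$table" priority 1001
}

# Sample invocation with the constructed values above.
policy_route_by_source 192.0.2.0/24 eth1 198.51.100.1 100
policy_route_by_local_uid 1000 1 100
```

Run as-is to see the commands that would be issued; the forwarded-traffic rule needs nothing from the owner match at all, which is the point of the reply. Note that table 100 only has a default route here, so traffic for directly connected networks still needs either a copy of those routes in table 100 or a higher-priority `ip rule` sending it to the main table.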