From: Patrick McHardy <kaber@trash.net>
To: James Morris <jmorris@namei.org>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Stephen Smalley <sds@tycho.nsa.gov>,
Chris Wright <chrisw@sous-sol.org>
Subject: Re: [PATCH][RFC] Security marking
Date: Mon, 17 Apr 2006 19:51:54 +0200 [thread overview]
Message-ID: <4443D5BA.6060605@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.64.0604160012500.16600@d.namei>
James Morris wrote:
> Last year, I posted a set of patches to allow iptables matching against
> associated processes for incoming packets. With this patch, I'm proposing
> a much simpler alternative and solictiting feedback on the idea from other
> networking developers.
>
> For the original patches and discussion, see:
> http://marc.theaimsgroup.com/?l=linux-netdev&m=113027175208707&w=2
> and
> http://people.redhat.com/jmorris/selinux/skfilter/
>
> The purpose of the patches was to allow incoming owner matching to work
> cleanly, as well as allow integration of SELinux and Netfilter apps
> (iptables, conntrack etc). This would also allow the existing SELinux
> networking hooks to be replaced in a more powerful and expressive way.
>
> The skfilter patches posted are quite invasive, and probably require
> moving all Netfilter 'input' processing to the socket layer, with several
> unresolved issues.
Moving the netfilter input processing to the socket layer would actually
be a nice solution in my opinion, but its unfortunately not possible
without changing user-visible behaviour. SNAT is performed in LOCAL_IN
before filtering, but we need the already SNATed packet for the
socket lookup. So I concluded that the only possibility is to keep the
existing hooks and have a seperate skfilter INPUT chain. The conntrack
confirmation problem can be solved by registering the ip_confirm hook
with the socket hooks when they are compiled in.
>From a pure netfilter POV it would still be nice to have the socket
hooks for userspace queueing in socket context and filtering hard
to track protocols. My only question is: if I would port the skfilter
patches to the current kernel today and fix the unresolved issues,
would you still prefer this approach?
next prev parent reply other threads:[~2006-04-17 17:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-16 5:10 [PATCH][RFC] Security marking James Morris
2006-04-16 5:28 ` James Morris
2006-04-17 17:51 ` Patrick McHardy [this message]
2006-04-17 18:43 ` James Morris
2006-04-17 18:55 ` Patrick McHardy
2006-04-19 22:49 ` David S. Miller
-- strict thread matches above, loose matches on Subject: below --
2006-04-17 18:40 edwin
2006-04-18 1:01 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4443D5BA.6060605@trash.net \
--to=kaber@trash.net \
--cc=chrisw@sous-sol.org \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.