From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH 3/3] xt_owner match
Date: Mon, 19 Nov 2007 18:18:49 +0100
Message-ID: <4741C579.2000503@trash.net>
In-Reply-To: <Pine.LNX.4.64.0711191810380.32378@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Nov 19 2007 18:08, Jan Engelhardt wrote:
>> On Nov 19 2007 17:56, Jan Engelhardt wrote:
>>>>> +	if (skb->sk == NULL || skb->sk->sk_socket == NULL)
>>>>> +		return false;
>>>>> +
>>>>> +	filp = skb->sk->sk_socket->file;
>>>>> +	if (filp == NULL)
>>>>> +		return false;
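Review bot: The two unconditional `return false` results in this hunk mean a packet with no socket, or a socket with no file, can never match no matter how the rule is written, so the "match whether a socket exists, without UID/GID" behaviour discussed in this thread cannot be expressed with this version of the match; consider returning a result derived from a socket-presence flag and its invert bit at `if (skb->sk == NULL || skb->sk->sk_socket == NULL)` (and likewise at `if (filp == NULL)`) instead of a hard `false`. The NULL checks themselves are needed at the LOCAL_OUT and POST_ROUTING hooks, since locally encapsulated forwarded packets carry no socket, as noted later in the thread.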
>>>> What would be nice is to allow matching whether a socket exists,
>>>> without UID/GID. I had a patch for this for a long time, but
>>>> lost it somewhere.
>>> Do you mean xt_socket from TPROXY?
>> Ah, xt_socket is different. But yeah, what you suggest is already implemented.
>> It is a matter of adjusting the iptables part now to actually make use
>> of the feature (to match whether a socket exists, w/o owner/group).
> 
> Speaking... xt_owner currently has
> 
> 	.hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING),
> 
> All outgoing packets do have a socket, don't they?


Not necessarily, for example forwarded packets that are encapsulated
locally by ipip/ip_gre or IPsec don't have one.

> So the quest for
> "whether a socket exists" implies you want me to add (1 <<
> NF_INET_LOCAL_IN), (1 << NF_INET_PRE_ROUTING) and (1 <<
> NF_INET_FORWARD) too?


No, that would imply a lookup. See my previous mail.
