* problem getting uid in nfqueue
From: beluc.mailing @ 2010-06-17 13:37 UTC (permalink / raw)
To: netfilter
Hi all,
I finally managed to get packets from NFQUEUE to a userspace program using
Perl IPTables::IPv4::IPQueue.
My problem is that the uid/gid is not present in what I receive in Perl.
Is it normal, or did I do something wrong?
(What I want to do is some advanced firewalling based on user ID.)
* Re: problem getting uid in nfqueue
From: Beluc @ 2010-06-21 20:51 UTC (permalink / raw)
To: netfilter
No idea? Maybe I didn't explain very well :/
I saw that when using the LOG target in the OUTPUT policy, the uid of the user
who sent the packet is there.
What I want to do is get that uid when using the QUEUE/NFQUEUE target ...
On 17/06/2010 15:37, beluc.mailing@free.fr wrote:
> Hi all,
> I finally managed to get packets from NFQUEUE to a userspace program using
> Perl IPTables::IPv4::IPQueue.
> My problem is that the uid/gid is not present in what I receive in Perl.
> Is it normal, or did I do something wrong?
>
> (What I want to do is some advanced firewalling based on user ID.)
* Re: problem getting uid in nfqueue
From: Jan Engelhardt @ 2010-06-22 8:03 UTC (permalink / raw)
To: Beluc; +Cc: netfilter
On Monday 2010-06-21 22:51, Beluc wrote:
> no idea ? maybe i didn't explain very well :/
>
> i saw that when using LOG target in OUTPUT policy, there is the user's uid who
> send packet.
That is not the user's uid, but the uid of the socket's creator.
* Re: problem getting uid in nfqueue
From: Patrick McHardy @ 2010-06-22 8:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Beluc, netfilter
Jan Engelhardt wrote:
> On Monday 2010-06-21 22:51, Beluc wrote:
>
>> no idea ? maybe i didn't explain very well :/
>>
>> i saw that when using LOG target in OUTPUT policy, there is the user's uid who
>> send packet.
>
> That is not the user's uid, but the uid of the socket's creator.
Filtering based on UID is best done using the owner match. nfnetlink_queue
currently doesn't supply the UID/GID, but it could be added easily.
* Re: problem getting uid in nfqueue
From: Jan Engelhardt @ 2010-06-22 8:45 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Beluc, netfilter
On Tuesday 2010-06-22 10:18, Patrick McHardy wrote:
>>> no idea ? maybe i didn't explain very well :/
>>>
>>> i saw that when using LOG target in OUTPUT policy, there is the user's uid
>>> who send packet.
>>
>> That is not the user's uid, but the uid of the socket's creator.
>
> Filtering based on UID is best done using the owner match.
The owner match, too, uses the socket's creator ;-)
In most cases that is sufficient, but _real_ filtering by UID needs to
be done by things like snet LSM.
> nfnetlink_queue currently doesn't supply the UID/GID, but it could be added easily.
http://bugzilla.netfilter.org/show_bug.cgi?id=600
patch has been lingering there for long.
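An added example, not part of the thread and not code from any of its participants: because nfnetlink_queue does not pass the UID, one workaround built on the owner match discussed above is to give each UID its own queue number, so the userspace listener infers the UID (the socket creator's, as noted above) from the queue it reads. The UIDs, base queue number and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: one NFQUEUE per UID, selected with the owner match.
# Nothing is applied here; the script only prints the iptables commands.

QUEUE_BASE=100        # constructed sample value: first queue number
UIDS="1000 1001 33"   # constructed sample UIDs to filter

# Print the queue number assigned to a UID, or fail if it is not in UIDS.
# The userspace listener uses the same mapping in reverse.
queue_for_uid() {
    n=$QUEUE_BASE
    for u in $UIDS; do
        [ "$u" = "$1" ] && { echo "$n"; return 0; }
        n=$((n + 1))
    done
    return 1
}

# Print the iptables commands (review them, then run as root).
# The owner match only works for locally generated traffic (OUTPUT/POSTROUTING).
emit_rules() {
    for u in $UIDS; do
        case "$u" in
            ''|*[!0-9]*) echo "bad uid: $u" >&2; return 1 ;;
        esac
        echo "iptables -A OUTPUT -m owner --uid-owner $u -j NFQUEUE --queue-num $(queue_for_uid "$u")"
    done
    # Catch-all queue: other UIDs and packets that have no owning socket,
    # which the owner match never matches.
    echo "iptables -A OUTPUT -j NFQUEUE --queue-num $((QUEUE_BASE + $(echo $UIDS | wc -w)))"
}

emit_rules
```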
* Re: problem getting uid in nfqueue
From: Patrick McHardy @ 2010-06-22 8:49 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Beluc, netfilter
Jan Engelhardt wrote:
> On Tuesday 2010-06-22 10:18, Patrick McHardy wrote:
>
>> nfnetlink_queue currently doesn't supply the UID/GID, but it could be added easily.
>
> http://bugzilla.netfilter.org/show_bug.cgi?id=600
> patch has been lingering there for long.
Feel free to make an official submission :)