From: Patrick McHardy <kaber@trash.net>
To: James Morris <jmorris@namei.org>
Cc: "Török Edwin" <edwin.torok@level7.ro>,
netfilter-devel@lists.netfilter.org,
fireflier-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, martinmaurer@gmx.at
Subject: Re: [PATCH 2.6.15.4 1/1][RFC] ipt_owner: inode match supporting both incoming and outgoing packets
Date: Mon, 20 Feb 2006 17:42:21 +0100
Message-ID: <43F9F16D.4060802@trash.net>
In-Reply-To: <Pine.LNX.4.64.0602201122330.21034@excalibur.intercode>
James Morris wrote:
> Have a look at my skfilter patches:
> http://people.redhat.com/jmorris/selinux/skfilter/kernel/
>
> These implement a scheme for matching incoming packets against sockets by
> adding a new hook in the socket layer.
>
> For upstream merge, the issues are:
> - should the new socket hook be used for all incoming packets?
> - ensure IP queuing still works
>
> Patrick: any other issues?
Confirmation of conntrack entries. They shouldn't be confirmed before
packets have passed the socket hooks. This is the tricky part because
we don't know if packets will be delivered to a raw socket or not
when calling the regular LOCAL_IN hook. The only way to solve this
seems to be to use the socket hooks for all incoming packets, that
way we can defer confirmation unconditionally. The nicest way would
be to just move the regular LOCAL_IN hook to the socket hooks, but
this doesn't work with SNAT in LOCAL_IN because the socket lookup
needs the already NATed address.
I'll probably continue to work on this soon unless someone beats
me to the punch.
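To make the ordering argument above concrete, here is a small C model of the input path, written for this page and not taken from the kernel or from the skfilter patches: a conntrack entry starts unconfirmed, SNAT in LOCAL_IN rewrites the source, the socket lookup must then run on the rewritten address, and the entry is confirmed either at the end of LOCAL_IN (before the socket hook) or only after the socket hook has accepted the packet. The addresses, the one-socket table and the per-socket allow/deny flag are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the ordering problem discussed in the mail; not kernel code. */
#define PRE_NAT_SRC  0x0A000001u  /* 10.0.0.1: source address as seen on the wire */
#define POST_NAT_SRC 0xC0A80001u  /* 192.168.0.1: source after SNAT in LOCAL_IN */

struct pkt  { unsigned int saddr; };
struct ct   { bool confirmed; };                    /* conntrack entry for this flow */
struct sock { unsigned int peer; bool filter_allows; }; /* connected socket + its filter */

/* Socket lookup: a connected socket matches only the address it is connected to,
 * which is why the lookup has to see the already-NATed address. */
struct sock *lookup_sock(struct sock *tbl, int n, unsigned int saddr)
{
    for (int i = 0; i < n; i++)
        if (tbl[i].peer == saddr)
            return &tbl[i];
    return NULL;
}

/* LOCAL_IN hook: SNAT rewrites the source address. */
void local_in_snat(struct pkt *p)
{
    if (p->saddr == PRE_NAT_SRC)
        p->saddr = POST_NAT_SRC;
}

/* Socket-layer hook: the per-socket filter decides whether the packet is delivered. */
bool socket_hook(struct sock *sk)
{
    return sk != NULL && sk->filter_allows;
}

/* Whole input path. Returns true when the packet reaches the socket; ct->confirmed
 * shows whether connection-tracking state was left behind for this packet. */
bool local_input(struct pkt *p, struct ct *ct, struct sock *tbl, int n,
                 bool confirm_before_socket_hook)
{
    ct->confirmed = false;              /* fresh entry: unconfirmed */
    local_in_snat(p);
    if (confirm_before_socket_hook)
        ct->confirmed = true;           /* confirm at the end of LOCAL_IN */
    bool delivered = socket_hook(lookup_sock(tbl, n, p->saddr));
    if (delivered && !confirm_before_socket_hook)
        ct->confirmed = true;           /* deferred: only packets that survive create state */
    return delivered;
}
```

A packet the socket filter rejects leaves a confirmed conntrack entry under the early-confirmation ordering and none under the deferred one, which is the behaviour the mail argues for.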