* Complaint - pid-owner Support Removed (CONFIG_NETFILTER_XT_MATCH_OWNER)
@ 2012-07-30 19:22 C. Schmid
2012-07-31 2:41 ` NeilBrown
0 siblings, 1 reply; 3+ messages in thread
From: C. Schmid @ 2012-07-30 19:22 UTC (permalink / raw)
To: linux-kernel
Hello,
I want to complain about the removal of the --pid-owner support for
iptables.
As far as I understand it, this support was just removed without replacement.
I would have expected that, if anything, you would have improved the
support for PIDs, and especially for desktop firewalls.
But it seems that some rumors, like you only care for 'big iron' are not
that easily dismissed.
I would encourage you to at least try to keep up with essential feature
support, especially when it comes to desktop firewalls (for example
zonealarm).
I believe focusing on server infrastructure while abandoning desktop
infrastructure will not do much good in mid and long term.
Sincerely
Christian Schmid
* Re: Complaint - pid-owner Support Removed (CONFIG_NETFILTER_XT_MATCH_OWNER)
2012-07-30 19:22 Complaint - pid-owner Support Removed (CONFIG_NETFILTER_XT_MATCH_OWNER) C. Schmid
@ 2012-07-31 2:41 ` NeilBrown
2012-08-01 1:20 ` valdis.kletnieks
0 siblings, 1 reply; 3+ messages in thread
From: NeilBrown @ 2012-07-31 2:41 UTC (permalink / raw)
To: C. Schmid; +Cc: linux-kernel
On Mon, 30 Jul 2012 21:22:10 +0200 "C. Schmid" <christian.schmid81@gmx.de>
wrote:
> Hello,
>
> I want to complain about the removal of the --pid-owner support for
> iptables.
>
> As far as I understand it, this support was just removed without replacement.
Yes, 7 years ago.
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=34b4a4a624bafe089107966a6c56d2a1aca026d4
"Unfixably broken"
What problem are you trying to solve? I suspect you would be able to solve
it by dedicating a group-id to the program that you want to allow through the
firewall, and making sure it runs with that group-id.
(ignoring remainder of email as it seems to be more emotional than factual).
NeilBrown
>
> I would have expected that, if anything, you would have improved the
> support for PIDs, and especially for desktop firewalls.
>
> But it seems that some rumors, like you only care for 'big iron' are not
> that easily dismissed.
>
> I would encourage you to at least try to keep up with essential feature
> support, especially when it comes to desktop firewalls (for example
> zonealarm).
>
> I believe focusing on server infrastructure while abandoning desktop
> infrastructure will not do much good in mid and long term.
>
>
>
> Sincerely
>
>
> Christian Schmid
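NeilBrown's suggestion above, a dedicated group-id matched by the firewall, sketched as an added example that is not part of any message in this thread. It assumes iptables with the owner and conntrack matches available; the group name `netallow` and the chain name `EGRESS_GID` are hypothetical, and it covers IPv4 only.

```shell
#!/bin/sh
# Added example, not from the thread. "netallow" and the chain name
# EGRESS_GID are hypothetical. IPv4 only; IPv6 needs its own ip6tables rules.

# egress_by_group GROUP
#   Reject new outbound connections unless the socket is owned by GROUP.
#   RUN=echo (the default) prints the commands as a dry run;
#   RUN= (set but empty) executes them and needs root.
egress_by_group() {
    group=$1
    run=${RUN-echo}
    # Accept only plain group names or numeric gids as the rule argument.
    case $group in
        ''|-*|*[!A-Za-z0-9_-]*)
            echo "egress_by_group: invalid group name" >&2
            return 2 ;;
    esac
    # Build the chain first and hook it into OUTPUT last, so a failure
    # part-way through never leaves a half-built filter active.
    # RETURN hands the packet back to the existing OUTPUT rules.
    $run iptables -N EGRESS_GID &&
    # Loopback traffic is left alone.
    $run iptables -A EGRESS_GID -o lo -j RETURN &&
    # Packets on connections that are already tracked (e.g. replies).
    $run iptables -A EGRESS_GID -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN &&
    # Sockets created by a process running with the dedicated group.
    $run iptables -A EGRESS_GID -m owner --gid-owner "$group" -j RETURN &&
    # Everything else is refused with an ICMP error, so clients fail fast.
    $run iptables -A EGRESS_GID -j REJECT &&
    $run iptables -I OUTPUT 1 -j EGRESS_GID
}
```

Run the permitted program under the group with, for example, `sg netallow -c 'some-program'`; name lookups made through a local resolver daemon leave under that daemon's group, so the daemon needs the group or a rule of its own.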
* Re: Complaint - pid-owner Support Removed (CONFIG_NETFILTER_XT_MATCH_OWNER)
2012-07-31 2:41 ` NeilBrown
@ 2012-08-01 1:20 ` valdis.kletnieks
0 siblings, 0 replies; 3+ messages in thread
From: valdis.kletnieks @ 2012-08-01 1:20 UTC (permalink / raw)
To: NeilBrown; +Cc: C. Schmid, linux-kernel
On Tue, 31 Jul 2012 12:41:21 +1000, NeilBrown said:
> On Mon, 30 Jul 2012 21:22:10 +0200 "C. Schmid" <christian.schmid81@gmx.de> wrote:
> > I want to complain about the removal of the --pid-owner support for iptables.
> > As far as I understand it, this support was just removed without replacement.
>
> Yes, 7 years ago.
> "Unfixably broken"
Even *before* it was removed, it declared itself "broken on SMP" (which is a
good hint on exactly *why* it was unfixable), and why it's not applicable to
most modern desktop systems anyhow - even an iPad is a dual-core.
And to be honest, the "Linux only cares about big iron not the desktop" is a
total red herring - if anything, many laptops *are* essentially a single-user
environment, while big iron boxes are even *more* concerned about per-user
issues. I just checked one of the compute clusters across the hall, 1100+
actual users defined. How often do desktops/laptops have that many real live
users?