* How to find origin PID of a sk_buff in iptables match?
@ 2008-09-04 8:32 Markku Savela
0 siblings, 0 replies; 3+ messages in thread
From: Markku Savela @ 2008-09-04 8:32 UTC (permalink / raw)
To: linux-kernel
Again playing with ubuntu kernel 2.6.24.
I'm trying to write a match rule for iptables, in this case for OUTPUT
direction, and need to know the PID of the process that originates the
packet (or something).
It seems that "skb->sk->sk_peercred.pid" is always zero.
Also, I noticed that in my match code in OUTPUT chain, the current
task seemed to the originator I want (ping test). However, I'm not
quite sure whether this is always true?
If I truly wanted to associate each packet with some specific process,
what are my options?
- I expect the solution is easier for outbound packets originating
from this host (e.g. possibly the OUTPUT chain is always executed in
the context of the sending process?)
- for INPUT the problem is probably pretty hard to solve. I would need
some IPTABLES rule to be run after the packet has been assinged to a
receiving user socket and get the PID of the receiving process,
which may be fuzzy as socket can have multiple reading processes?
ps. I did notice the iptables xt_owner match, and the comment there
saying that support for PID and SID match is not there.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: How to find origin PID of a sk_buff in iptables match?
[not found] <b8ixO-2NS-5@gated-at.bofh.it>
@ 2008-09-05 11:21 ` Markku Savela
2008-09-05 11:49 ` Markku Savela
1 sibling, 0 replies; 3+ messages in thread
From: Markku Savela @ 2008-09-05 11:21 UTC (permalink / raw)
To: linux-kernel
> Also, I noticed that in my match code in OUTPUT chain, the current
> task seemed to the originator I want (ping test). However, I'm not
> quite sure whether this is always true?
Well, nobody answered.
Anyway, as suspected with TCP connections it seems that current->pid
produces 0 very often after the first initial packet (SYN). I take
this to mean, that the TCP engine is being executed on some interrupt
context?
Now I'm wondering how SELINUX manages to get the secmark right, as the
code in iptables seems to eventually need the current task context?
Something tricky being made using the SECMARK and CONNSECMARK? It
seems to trust, that at least the first packet has the current task
context properly set and the remaining packets of the connection don't
need current task?
I guess I have to dug deeper in this (emulate what SELINUX does). Or
can someone point to a tutorial description on how to reliably
associate each outgoing packet with some originating task context?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: How to find origin PID of a sk_buff in iptables match?
[not found] <b8ixO-2NS-5@gated-at.bofh.it>
2008-09-05 11:21 ` How to find origin PID of a sk_buff in iptables match? Markku Savela
@ 2008-09-05 11:49 ` Markku Savela
1 sibling, 0 replies; 3+ messages in thread
From: Markku Savela @ 2008-09-05 11:49 UTC (permalink / raw)
To: linux-kernel
Actually, my problem can be reduced to a question:
Can someone explain why core/sock.c in function sock_init_data sets
sk->sk_peercred.pid = 0;
sk->sk_peercred.uid = -1;
sk->sk_peercred.pid = -1;
instead of assigning default values from the current task context?
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2008-09-05 11:50 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <b8ixO-2NS-5@gated-at.bofh.it>
2008-09-05 11:21 ` How to find origin PID of a sk_buff in iptables match? Markku Savela
2008-09-05 11:49 ` Markku Savela
2008-09-04 8:32 Markku Savela
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox