From mboxrd@z Thu Jan 1 00:00:00 1970
From: Maciej Żenczykowski
Subject: Re: Add a SOCK_DESTROY operation to close sockets from userspace
Date: Thu, 19 Nov 2015 17:00:39 -0800
Message-ID:
References: <20151119.005318.838757439536205791.davem@davemloft.net> <20151119.195504.2050784646947745419.davem@davemloft.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Cc: Lorenzo Colitti, Hannes Frederic Sowa, Eric Dumazet, Stephen Hemminger, Linux NetDev, Eric Dumazet, Erik Kline, Dmitry Torokhov
To: David Miller
In-Reply-To: <20151119.195504.2050784646947745419.davem@davemloft.net>
Sender: netdev-owner@vger.kernel.org
List-ID:

>> In this case, userspace knows that that app's connections are now
>> unusable because it configured an iptables rule to block them. The
>> kernel doesn't really know until the time comes to send a packet,
>> and maybe not even then.
>
> Netfilter could perform signalling on skb->sk when it drops packets.
>
> Your example is actually an argument _for_ doing this in the kernel.

That only (currently) works if a socket actually tries to send something.

Idle sockets (for example a socket used for push notification from the remote server) still end up blocking forever.

If you were to, whenever the firewall configuration is changed, iterate through all sockets in the system and generate a pair of fake 0-data packets (for both directions) for every socket to see if it would get blocked by the firewall... but that seems quite insane.