* -m owner for incoming packets
@ 2007-03-05 23:09 octane indice
2007-03-06 12:48 ` Amin Azez
0 siblings, 1 reply; 2+ messages in thread
From: octane indice @ 2007-03-05 23:09 UTC (permalink / raw)
To: netfilter-devel
Hello
The man page says that -m owner is for locally generated packets.
Is it possible to use it for incoming packets?
As of:
iptables -A INPUT -p tcp -m owner --cmd-owner /usr/local/sbin/myprog -j ACCEPT
Thanks
* Re: -m owner for incoming packets
2007-03-05 23:09 -m owner for incoming packets octane indice
@ 2007-03-06 12:48 ` Amin Azez
0 siblings, 0 replies; 2+ messages in thread
From: Amin Azez @ 2007-03-06 12:48 UTC (permalink / raw)
To: octane indice; +Cc: netfilter-devel
* octane indice wrote, On 05/03/07 23:09:
> Hello
>
> The man page says that -m owner is for locally generated packets.
> Is it possible to use it for incoming packets?
>
> As of:
> iptables -A INPUT -p tcp -m owner --cmd-owner /usr/local/sbin/myprog -j ACCEPT
>
No. Until a packet has actually been received by a process it is
impossible to tell which process may receive it. The process that
finally receives it might not even be running (or have an open socket)
at the point at which iptables handles the packet. There may be more
than one running process, all of which appear to be candidates to
receive the packet, but only one will.
Consider the case of the apache webserver where many processes are
ACCEPT'ing on the same socket, but only one of them will receive the
packet. It so happens that with apache all the processes have the same
owner but it need not be the case.
The final reason (apart from it not being meaningful) is that it can't
actually be done; the task table may not be safe to examine during
iptables interrupt time even if we were able to work out which process
would receive the packet.
The only answer that fits your model is to invent a new chain that was
fakingly called from the kernel as an application's system call to read
the packet was being processed. Probably the only available targets
would be drop or accept or return.
Sam
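The point above, that the owner match only makes sense where the kernel already knows the sending process, can be turned into a small rule lint. This is an added example, not code from the thread or from the netfilter project; it assumes POSIX sh and constructs its own sample rules (the INPUT rule is the one from the original question, the OUTPUT rule uses --uid-owner, one of the owner options that later kernels kept).

```shell
# Added example: reject "-m owner" in chains that carry packets whose
# receiving process is unknown (INPUT, FORWARD, PREROUTING). The match is
# only meaningful for locally generated traffic: OUTPUT, and POSTROUTING.

# rule_chain RULE -> prints the chain named after -A/-I, fails if none
rule_chain() {
    set -- $1
    while [ $# -gt 1 ]; do
        case "$1" in
            -A|-I|--append|--insert) printf '%s\n' "$2"; return 0 ;;
        esac
        shift
    done
    return 1
}

# uses_owner_match RULE -> 0 if the rule loads the owner match module
uses_owner_match() {
    set -- $1
    while [ $# -gt 1 ]; do
        case "$1" in
            -m|--match) [ "$2" = owner ] && return 0 ;;
        esac
        shift
    done
    return 1
}

# owner_rule_ok RULE -> 0 if the rule is acceptable, 1 if it puts the owner
# match in a chain where no process can be attributed to the packet
owner_rule_ok() {
    uses_owner_match "$1" || return 0          # no owner match: nothing to check
    chain=$(rule_chain "$1") || return 1       # owner match but no chain: reject
    case "$chain" in
        OUTPUT|POSTROUTING) return 0 ;;
        *)
            echo "owner match in chain $chain is meaningless:" \
                 "the kernel does not know which process will receive the packet" >&2
            return 1 ;;
    esac
}

# Constructed sample rules (the first is the rule from the question).
BAD_RULE='iptables -A INPUT -p tcp -m owner --cmd-owner /usr/local/sbin/myprog -j ACCEPT'
GOOD_RULE='iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner myprog -j ACCEPT'
```

Running `owner_rule_ok "$BAD_RULE"` fails with a message on stderr, while the OUTPUT rule passes; a configuration script can call it before each iptables invocation.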