netfilter-devel.vger.kernel.org archive mirror
From: Patrick McHardy <kaber@trash.net>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: Netfilter Developer Mailing List <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH 4/4] iptables: libxt_owner
Date: Sun, 25 Nov 2007 17:02:47 +0100
Message-ID: <47499CA7.4070000@trash.net>
In-Reply-To: <Pine.LNX.4.64.0711251623160.9477@fbirervta.pbzchgretzou.qr>

Jan Engelhardt wrote:
> On Nov 25 2007 16:22, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> +static void owner_mt_help(void)
>>> +{
>>> +	printf(
>>> +"owner match v%s options:\n"
>>> +"[!] --uid-owner userid     Match local UID\n"
>>> +"[!] --gid-owner groupid    Match local GID\n"
>>> +"[!] --socket-exists        Match if socket exists\n"
>>> +"[!] --filp-exists          Match if filp exists\n"
>>> +"\n",
>>> +IPTABLES_VERSION);
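Review bot: the help lines for --socket-exists and --filp-exists describe kernel internals (whether a socket or a file pointer is attached to the packet) rather than what a rule author can do with them; the table later in this thread shows the distinction that matters is locally generated versus forwarded packets, so either phrase the help text in those terms (e.g. "Match packets originating from a local socket") or drop the option, as the reply below proposes. The "[!]" prefix on every line also advertises negation for the two flag-style options; that should only be printed if the parser really accepts "! --socket-exists".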
>> The filp-exists option strikes me as useless, what would the
>> use case be? For the socket-exists option, I'd prefer for the
>> owner match to simply accept no further option, i.e. "-m owner".
>>
> 
> 
> hasSocket hasFilp whatCouldItBe
> ===============================
>        0       0  forwarded packet
>        1       0  ping, nfs client, nfsd
>        1       1  real connection
> 
> However, you mentioned that encapsulated (socket=1,filp=1) traffic
> will show up without a "socket", but did you actually mean socket
> or filp?

No, I was talking about forwarded encapsulated traffic showing
up in the output chain (we were talking about locally outgoing
packets). These packets have neither.

> I just checked, and xfrm'ed traffic has the same properties as before 
> the transformation.
> 
> So actually socket-exists is the useless one, as there is always a 
> socket in any normal case.
> 
> What do you think?

I think both (together) expose too much of the internals and are
not very useful. There is no guarantee that nfsd will behave the
same way tomorrow. The "socket exists" option is IMO useful for
one single purpose: to distinguish packets that originate from
local sockets from packets that are forwarded in the OUTPUT
and POSTROUTING chains in cases where the source address can't
be used, like tunneling. But before it gets too ugly I'd
rather not support it.
