Linux Netfilter discussions
* Pid owner module
       [not found] <9772C290CD0BDF4B91356C9102BA886A033DB22B@ftrdmel1.rd.francetelecom.fr>
@ 2007-01-24  9:37 ` zze-FREDI POIROT N ext RD-MAPS-LAN
  2007-01-24 10:15   ` Pascal Hambourg
  0 siblings, 1 reply; 5+ messages in thread
From: zze-FREDI POIROT N ext RD-MAPS-LAN @ 2007-01-24  9:37 UTC (permalink / raw)
  To: netfilter

Hello !
I'm trying to filter packets sent from my PC according to PID
(IPT_OWNER_PID), in order to log and exclude packets from a given app.

So I had a look at the iptables man page and tried to use the
--pid-owner feature with a rule like:
iptables -A OUTPUT -m owner --pid-owner $PID -j LOG --log-level 5
--log-prefix "[MyProcess]"


Unfortunately, on my kernel (see version below), this command doesn't
work:
iptables: Unknown error 4294967295
And the trace in /var/log/messages :
Jan 24 10:25:47 localhost kernel: ipt_owner: pid, sid and command
matching not supported anymore

This functionality seems to be no longer supported, whereas on an
older kernel (2.6.12) it works perfectly...
Here is the kernel version: Linux l-dhcp-10337-2 2.6.17-5mdv #1 SMP Wed
Sep 13 14:32:31 EDT 2006 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz GNU/Linux

A quick look at the source shows me that it is not implemented anymore...

So, finally, here are my questions:
1. Is there still a functionality like this (PID filter) in iptables? Is
there a replacement (another tool...)?
2. How to activate (if possible) the pid owner module?
3. Since which kernel version has this module been disabled?


Thanks for your help !
Nicolas



* Re: Pid owner module
  2007-01-24  9:37 ` Pid owner module zze-FREDI POIROT N ext RD-MAPS-LAN
@ 2007-01-24 10:15   ` Pascal Hambourg
  2007-01-24 10:27     ` zze-FREDI POIROT N ext RD-MAPS-LAN
  0 siblings, 1 reply; 5+ messages in thread
From: Pascal Hambourg @ 2007-01-24 10:15 UTC (permalink / raw)
  To: netfilter

Hello,

zze-FREDI POIROT N ext RD-MAPS-LAN wrote:
> Jan 24 10:25:47 localhost kernel: ipt_owner: pid, sid and command
> matching not supported anymore
[...]
> 3. Since which kernel version has this module been disabled ?

Found in Changelog-2.6.14 :
   [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

   Rip out cmd/sid/pid matching since its unfixable broken and stands in
   the way of locking changes to tasklist_lock.


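The original post asks two things that the thread answers only in words: since which kernel the pid match is gone (2.6.14, per the Changelog entry Pascal quotes), and what to use instead. The following shell script is an added example, not code from the thread or from the netfilter project. It checks a `uname -r` string against the 2.6.14 cutoff, and it shows the substitute that still works on every kernel since: run the application under a dedicated uid and match that uid with `-m owner --uid-owner`, which was kept when the pid/sid/cmd matches were ripped out. The user name `appuser` and the prefix `[MyProcess]` are placeholders; `IPT` defaults to a dry run (`echo iptables`) so the script can be read and run without root.

```shell
#!/bin/sh
# Added example (not from the thread). Two pieces:
#  1. pid_owner_available: does this kernel release still have the
#     --pid-owner/--sid-owner/--cmd-owner matches? They were removed in
#     2.6.14 ("Remove tasklist_lock abuse in ipt{,6}owner").
#  2. owner_rules: the supported replacement, matching on the socket owner's
#     uid. Start the application as its own user ("sudo -u appuser ./myapp")
#     and these rules see exactly that application's traffic.
# IPT is a dry run by default; set IPT=iptables (as root) to apply for real.

IPT=${IPT:-"echo iptables"}

# pid_owner_available RELEASE
# Returns 0 if RELEASE (an `uname -r` string such as "2.6.17-5mdv") is older
# than 2.6.14 and so still carries the pid owner match, 1 if it is 2.6.14 or
# newer, 2 if the string does not start with a numeric version.
pid_owner_available() {
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')   # "2.6.17-5mdv" -> "2.6.17"
    maj=${ver%%.*}                                     # "2"
    rest=${ver#"$maj"}; rest=${rest#.}                 # "6.17"
    min=${rest%%.*}                                    # "6"
    rest=${rest#"$min"}; rest=${rest#.}                # "17"
    pat=${rest%%.*}                                    # "17"
    min=${min:-0}; pat=${pat:-0}                       # "2.6" -> patch level 0
    for n in "$maj" "$min" "$pat"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac      # not a version string
    done
    [ "$maj" -lt 2 ] && return 0
    [ "$maj" -gt 2 ] && return 1
    [ "$min" -lt 6 ] && return 0
    [ "$min" -gt 6 ] && return 1
    [ "$pat" -lt 14 ]
}

# owner_rules USER PREFIX
# Log, then reject, every locally generated packet whose socket is owned by
# USER (a name or numeric uid). The owner match only exists in OUTPUT and
# POSTROUTING because it needs the local socket, and it matches the uid that
# owns the socket: a daemon that drops privileges is matched by the uid it
# drops to, not by the uid that started it.
owner_rules() {
    user=$1
    prefix=$2
    $IPT -A OUTPUT -m owner --uid-owner "$user" \
        -j LOG --log-level 5 --log-prefix "$prefix "
    $IPT -A OUTPUT -m owner --uid-owner "$user" -j REJECT
}

# run_demo: report what the running kernel supports, then emit the rules.
run_demo() {
    rel=$(uname -r 2>/dev/null || echo unknown)
    if pid_owner_available "$rel"; then
        echo "# $rel is older than 2.6.14: --pid-owner still exists"
    else
        echo "# $rel: no --pid-owner match; matching on uid instead"
    fi
    owner_rules appuser "[MyProcess]"
}

run_demo
```

Apply the rules with `IPT=iptables sh owner_rules.sh` as root after creating the user, and start the application with `sudo -u appuser`; packets from any other process of the same human user are untouched because they carry a different socket uid. On kernels from 3.14 onwards the cgroup match (`-m cgroup`) offers a second process-group handle, but that is beyond what this thread covers.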

* RE: Pid owner module
  2007-01-24 10:15   ` Pascal Hambourg
@ 2007-01-24 10:27     ` zze-FREDI POIROT N ext RD-MAPS-LAN
  2007-01-24 12:50       ` Jan Engelhardt
  2007-01-24 22:19       ` Jorge Davila
  0 siblings, 2 replies; 5+ messages in thread
From: zze-FREDI POIROT N ext RD-MAPS-LAN @ 2007-01-24 10:27 UTC (permalink / raw)
  To: netfilter

Thanks for the answer !

Do you have any idea or suggestion of how I could achieve such a filter (application-based filtering)?


 

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On behalf of Pascal Hambourg
Sent: Wednesday, 24 January 2007 11:16
To: netfilter@lists.netfilter.org
Subject: Re: Pid owner module

Hello,

zze-FREDI POIROT N ext RD-MAPS-LAN wrote:
> Jan 24 10:25:47 localhost kernel: ipt_owner: pid, sid and command 
> matching not supported anymore
[...]
> 3. Since which kernel version has this module been disabled ?

Found in Changelog-2.6.14 :
   [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

   Rip out cmd/sid/pid matching since its unfixable broken and stands in
   the way of locking changes to tasklist_lock.




* RE: Pid owner module
  2007-01-24 10:27     ` zze-FREDI POIROT N ext RD-MAPS-LAN
@ 2007-01-24 12:50       ` Jan Engelhardt
  2007-01-24 22:19       ` Jorge Davila
  1 sibling, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2007-01-24 12:50 UTC (permalink / raw)
  To: zze-FREDI POIROT N ext RD-MAPS-LAN; +Cc: netfilter


>Do you have any idea or suggestion of how I could achieve such a filter (application-based filtering)?

tuxguardian.sf.net



>
>
> 
>
>-----Original Message-----
>From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-bounces@lists.netfilter.org] On behalf of Pascal Hambourg
>Sent: Wednesday, 24 January 2007 11:16
>To: netfilter@lists.netfilter.org
>Subject: Re: Pid owner module
>
>Hello,
>
>zze-FREDI POIROT N ext RD-MAPS-LAN wrote:
>> Jan 24 10:25:47 localhost kernel: ipt_owner: pid, sid and command 
>> matching not supported anymore
>[...]
>> 3. Since which kernel version has this module been disabled ?
>
>Found in Changelog-2.6.14 :
>   [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
>
>   Rip out cmd/sid/pid matching since its unfixable broken and stands in
>   the way of locking changes to tasklist_lock.
>
>
>

	-`J'
-- 



* Re: Pid owner module
  2007-01-24 10:27     ` zze-FREDI POIROT N ext RD-MAPS-LAN
  2007-01-24 12:50       ` Jan Engelhardt
@ 2007-01-24 22:19       ` Jorge Davila
  1 sibling, 0 replies; 5+ messages in thread
From: Jorge Davila @ 2007-01-24 22:19 UTC (permalink / raw)
  To: zze-FREDI POIROT N ext RD-MAPS-LAN, netfilter

You may want to try a combination of DansGuardian and Squid.

Jorge.

On Wed, 24 Jan 2007 11:27:33 +0100
  "zze-FREDI POIROT N ext RD-MAPS-LAN" <npoirot.ext@orange-ftgroup.com> 
wrote:
> Thanks for the answer !
> 
> Do you have any idea or suggestion of how I could achieve such a filter
>(application-based filtering)?
> 
> 
> 
> 
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
>[mailto:netfilter-bounces@lists.netfilter.org] On behalf of Pascal
>Hambourg
> Sent: Wednesday, 24 January 2007 11:16
> To: netfilter@lists.netfilter.org
> Subject: Re: Pid owner module
> 
> Hello,
> 
> zze-FREDI POIROT N ext RD-MAPS-LAN wrote:
>> Jan 24 10:25:47 localhost kernel: ipt_owner: pid, sid and command 
>> matching not supported anymore
> [...]
>> 3. Since which kernel version has this module been disabled ?
> 
>Found in Changelog-2.6.14 :
>   [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
> 
>   Rip out cmd/sid/pid matching since its unfixable broken and stands in
>   the way of locking changes to tasklist_lock.
> 
> 

Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com


