* Pid owner module
From: zze-FREDI POIROT N ext RD-MAPS-LAN @ 2007-01-24 9:37 UTC (permalink / raw)
To: netfilter

Hello!

I'm trying to filter packets sent from my PC according to PID (IPT_OWNER_PID), in order to log and exclude packets from a given app. So I had a look at the iptables man page and tried to use the --pid-owner feature with a rule like:

    iptables -A OUTPUT -m owner --uid-owner $PID -j LOG --log-level 5 --log-prefix "[MyProcess]"

Unfortunately, on my kernel (see version below), this command doesn't work:

    iptables: Unknown error 4294967295

And the trace in /var/log/messages:

    Jan 24 10:25:47 localhost kernel: ipt_owner: pid, sid and command matching not supported anymore

This functionality seems not to be supported anymore, whereas on an older kernel (2.6.12) it works perfectly...

Here is the kernel version:

    Linux l-dhcp-10337-2 2.6.17-5mdv #1 SMP Wed Sep 13 14:32:31 EDT 2006 i686 Genuine Intel(R) CPU T2300 @ 1.66GHz GNU/Linux

A quick look at the source shows me that it is not implemented anymore...

So, finally, here are my questions:

1. Is there still a functionality like this (PID filter) in iptables? Is there a replacement (another tool...)?
2. How to activate (if possible) the pid owner module?
3. Since which kernel version has this module been disabled?

Thanks for your help!

Nicolas
* Re: Pid owner module
From: Pascal Hambourg @ 2007-01-24 10:15 UTC (permalink / raw)
To: netfilter

Hello,

zze-FREDI POIROT N ext RD-MAPS-LAN wrote:
> Jan 24 10:25:47 localhost kernel: ipt_owner: pid, sid and command
> matching not supported anymore
[...]
> 3. Since which kernel version has this module been disabled?

Found in Changelog-2.6.14:

    [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner

    Rip out cmd/sid/pid matching since its unfixable broken and stands in
    the way of locking changes to tasklist_lock.
* RE: Pid owner module
From: zze-FREDI POIROT N ext RD-MAPS-LAN @ 2007-01-24 10:27 UTC (permalink / raw)
To: netfilter

Thanks for the answer!

Do you have any idea/suggestion of how I could achieve such a filter? (application-based filtering)
* RE: Pid owner module
From: Jan Engelhardt @ 2007-01-24 12:50 UTC (permalink / raw)
To: zze-FREDI POIROT N ext RD-MAPS-LAN; +Cc: netfilter

> Do you have any idea/suggestion of how I could achieve such a filter? (application-based filtering)

tuxguardian.sf.net

-`J'
--
* Re: Pid owner module
From: Jorge Davila @ 2007-01-24 22:19 UTC (permalink / raw)
To: zze-FREDI POIROT N ext RD-MAPS-LAN, netfilter

You may want to try a combination of DansGuardian and Squid.

Jorge.

On Wed, 24 Jan 2007 11:27:33 +0100 "zze-FREDI POIROT N ext RD-MAPS-LAN" <npoirot.ext@orange-ftgroup.com> wrote:
> Thanks for the answer!
>
> Do you have any idea/suggestion of how I could achieve such a filter?
> (application-based filtering)

Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@nicaraguaopensource.com
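As an added example (not code from any poster in this thread): the Changelog entry quoted above removed only the pid/sid/cmd matches, while --uid-owner and --gid-owner survived, so the usual replacement for per-application filtering is to run the application under a dedicated account and log or drop on that UID in the OUTPUT chain. The account name "appuser", the log prefix and the kernel version format "2.6.17-5mdv" are assumptions of this example; DRY_RUN=1 (the default) only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes version strings of the
# form "2.6.17-5mdv" and uses "appuser" / "MyProcess" as placeholders.

# Return 0 (true) when the given kernel version still has --pid-owner,
# i.e. is older than 2.6.14, where Changelog-2.6.14 says it was removed.
pid_owner_supported() {
    v=${1%%-*}                 # drop a distro suffix such as "-5mdv"
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}
    case $rest in
        *.*) pat=${rest#*.}; pat=${pat%%.*} ;;
        *)   pat=0 ;;
    esac
    [ $((maj * 1000000 + min * 1000 + pat)) -lt 2006014 ]
}

# Print the iptables command instead of running it unless DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s ' iptables "$@"; echo
    else
        iptables "$@"
    fi
}

# Log, then drop, every locally generated packet owned by one user.
# The owner match is only valid in OUTPUT and POSTROUTING because it
# needs the sending socket, which forwarded packets do not have.
owner_rules() {
    user=$1; prefix=$2
    ipt -A OUTPUT -m owner --uid-owner "$user" -j LOG \
        --log-level 5 --log-prefix "[$prefix] "
    ipt -A OUTPUT -m owner --uid-owner "$user" -j DROP
}

# Bridge from the PID the poster has to the UID the match understands.
# This is only stable across restarts if the app has its own account.
uid_of_pid() { awk '/^Uid:/ { print $2 }' "/proc/$1/status"; }

if pid_owner_supported "$(uname -r)"; then
    echo "kernel $(uname -r): --pid-owner still available"
else
    echo "kernel $(uname -r): --pid-owner gone, using --uid-owner instead"
fi
owner_rules appuser MyProcess
```

Run with DRY_RUN=0 as root to apply the rules; the dropped packets then show up in the kernel log with the "[MyProcess]" prefix instead of the "not supported anymore" error.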