On Nov 19 2007 16:43, Patrick McHardy wrote:
>
> Please keep both.
>
Right.
>> +config NETFILTER_XT_MATCH_OWNER
>> + tristate '"owner" match support'
>> + depends on NETFILTER_XTABLES
>> + ---help---
>> + Socket owner matching allows you to match locally-generated packets
>> + based on who created the socket: the user, group, process or session.
>
> Only user and group are supported.
>
>> + if (skb->sk == NULL || skb->sk->sk_socket == NULL)
>> + return false;
>> +
>> + filp = skb->sk->sk_socket->file;
>> + if (filp == NULL)
>> + return false;
>
> What would be nice is to allow matching whether a socket exists,
> without UID/GID. I had a patch for this for a long time, but
> lost it somewhere.
Do you mean xt_socket from TPROXY?
>> +static struct xt_match owner_mt_reg[] __read_mostly = {
>> + {
>> + .name = "owner",
>> + .revision = 0,
>> + .family = AF_INET,
>> + .match = owner_mt_v0,
>> + .matchsize = sizeof(struct ipt_owner_info),
>> + .checkentry = owner_mt_check_v0,
>> + .hooks = (1 << NF_IP_LOCAL_OUT) |
>> + (1 << NF_IP_POST_ROUTING),
>
> This needs to use NF_INET_...
>
> Please resend all your patches when you want me to apply them.
> Thanks.
>
Will do.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
