On Nov 19 2007 16:43, Patrick McHardy wrote:
>
> Please keep both.
>

Right.

>> +config NETFILTER_XT_MATCH_OWNER
>> + tristate '"owner" match support'
>> + depends on NETFILTER_XTABLES
>> + ---help---
>> + Socket owner matching allows you to match locally-generated packets
>> + based on who created the socket: the user, group, process or session.
>
> Only user and group are supported.
>

>> + if (skb->sk == NULL || skb->sk->sk_socket == NULL)
>> + return false;
>> +
>> + filp = skb->sk->sk_socket->file;
>> + if (filp == NULL)
>> + return false;
>
> What would be nice is to allow matching whether a socket exists,
> without UID/GID. I had a patch for this for a long time, but
> lost it somewhere.

Do you mean xt_socket from TPROXY?

>> +static struct xt_match owner_mt_reg[] __read_mostly = {
>> + {
>> + .name = "owner",
>> + .revision = 0,
>> + .family = AF_INET,
>> + .match = owner_mt_v0,
>> + .matchsize = sizeof(struct ipt_owner_info),
>> + .checkentry = owner_mt_check_v0,
>> + .hooks = (1 << NF_IP_LOCAL_OUT) |
>> + (1 << NF_IP_POST_ROUTING),
>
> This needs to use NF_INET_...
>
> Please resend all your patches when you want me to apply them.
> Thanks.
>

Will do.

-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
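Review bot: the help text in the NETFILTER_XT_MATCH_OWNER Kconfig hunk ("the user, group, process or session") advertises criteria the match does not implement; Patrick's reply states that only user and group are supported, so the sentence should be cut down to something like "based on the user or group that created the socket". It would also help to say there that the match only applies in the OUTPUT and POSTROUTING chains, which is what the `.hooks` mask in the registration hunk restricts it to.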
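Review bot: in the `owner_mt_v0` hunk, the three early `return false` paths (`skb->sk == NULL`, `sk_socket == NULL`, `filp == NULL`) make "packet has no socket" indistinguishable from "socket is owned by some other uid/gid", and nothing in the hunk or the help text says so. A rule that negates the match will therefore also fire for socket-less traffic that passes these hooks, such as kernel-generated ICMP errors or, in POSTROUTING, packets that were merely forwarded. Either document that behaviour or, as Patrick suggests, add an explicit socket-exists criterion so a ruleset can express the distinction.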
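Review bot: the `.hooks` initialiser in the `owner_mt_reg[]` hunk still uses the legacy `NF_IP_LOCAL_OUT` / `NF_IP_POST_ROUTING` names; as Patrick notes, it should read `.hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING),`. Since this hook mask is the only thing that confines the match to locally generated traffic, it is worth a one-line comment above the entry so that anyone widening the mask later understands why the `skb->sk` checks in `owner_mt_v0` would never succeed in the other hooks.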