On Nov 19 2007 18:08, Jan Engelhardt wrote:

>On Nov 19 2007 17:56, Jan Engelhardt wrote:
>>>
>>>> + if (skb->sk == NULL || skb->sk->sk_socket == NULL)
>>>> + return false;
>>>> +
>>>> + filp = skb->sk->sk_socket->file;
>>>> + if (filp == NULL)
>>>> + return false;
>>>
>>> What would be nice is to allow matching whether a socket exists,
>>> without UID/GID. I had a patch for this for a long time, but
>>> lost it somewhere.
>>
>>Do you mean xt_socket from TPROXY?
>
>Ah, xt_socket is different. But yeah, what you suggest is already implemented.
>It is a matter of adjusting the iptables part now to actually make use
>of the feature (to match whether a socket exists, w/o owner/group).

Speaking... xt_owner currently has

	.hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING),

All outgoing packets do have a socket, don't they? So the quest for
"whether a socket exists" implies you want me to add
(1 << NF_INET_LOCAL_IN), (1 << NF_INET_PRE_ROUTING) and
(1 << NF_INET_FORWARD) too?

thanks,
	Jan
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
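Review bot: both `return false` paths in the quoted hunk (no `skb->sk`, no `sk_socket`, or a `NULL` `filp`) make a socketless packet fail the match unconditionally, before the rule's own criteria are consulted, so a negated rule such as `! --uid-owner 0` can never select those packets and the "whether a socket exists, without UID/GID" match the thread is after cannot be expressed on this path. Suggest deriving the early return from the rule instead, for example matching when every requested criterion is negated, so that `! --uid-owner` and a future `! --socket-exists` are true for socketless packets while the non-negated forms stay false; a comment above the first check stating what a `NULL` `skb->sk` means in each hook the match registers for would also help reviewers of the hook-mask change discussed below.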
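To make the semantics under discussion concrete, here is an added userspace model of an owner-style match, written for this page and not code from xt_owner or from anyone in the thread. It shows how a "socket exists" criterion can coexist with UID/GID criteria, how negation ("!") should behave for packets that carry no socket at all, and which NF_INET_* hook bits the mask would need to cover received packets. The `OWNER_*` bit values, the `struct owner_info` layout, the cut-down `struct file`/`socket`/`sock`/`skb` stand-ins and the helpers `rule_matches` and `owner_hook_mask` are all assumptions for the example; only the hook numbers are the kernel's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hook numbers as in linux/netfilter.h. */
enum {
	NF_INET_PRE_ROUTING  = 0,
	NF_INET_LOCAL_IN     = 1,
	NF_INET_FORWARD      = 2,
	NF_INET_LOCAL_OUT    = 3,
	NF_INET_POST_ROUTING = 4,
};

/* Criteria a rule may request (assumed bit values for this example). */
#define OWNER_UID    0x01   /* --uid-owner */
#define OWNER_GID    0x02   /* --gid-owner */
#define OWNER_SOCKET 0x04   /* --socket-exists, no uid/gid needed */

struct owner_info {
	uint32_t uid_min, uid_max, gid_min, gid_max;
	uint8_t  match;   /* OWNER_* bits the rule asks for */
	uint8_t  invert;  /* subset of match that is negated with "!" */
};

/* Minimal stand-ins for skb->sk->sk_socket->file; any pointer may be NULL. */
struct file   { uint32_t f_uid, f_gid; };
struct socket { struct file *file; };
struct sock   { struct socket *sk_socket; };
struct skb    { struct sock *sk; };

/* If the packet has no socket (or the socket has no file), it matches only
 * when every requested criterion is negated: "! --uid-owner 0" and
 * "! --socket-exists" select such packets, the positive forms do not. */
bool owner_match(const struct skb *skb, const struct owner_info *info)
{
	const struct file *filp;

	if (skb->sk == NULL || skb->sk->sk_socket == NULL)
		return (info->match ^ info->invert) == 0;
	if (info->match & info->invert & OWNER_SOCKET)
		return false;          /* socket exists, rule said "! --socket-exists" */

	filp = skb->sk->sk_socket->file;
	if (filp == NULL)
		return (info->match ^ info->invert) == 0;

	if (info->match & OWNER_UID) {
		bool in = filp->f_uid >= info->uid_min && filp->f_uid <= info->uid_max;
		if (in == !!(info->invert & OWNER_UID))
			return false;
	}
	if (info->match & OWNER_GID) {
		bool in = filp->f_gid >= info->gid_min && filp->f_gid <= info->gid_max;
		if (in == !!(info->invert & OWNER_GID))
			return false;
	}
	return true;
}

/* Hook mask: LOCAL_OUT|POST_ROUTING as today; matching "socket exists" on
 * received packets would need the remaining three hooks as well. */
unsigned int owner_hook_mask(bool incoming_too)
{
	unsigned int mask = (1u << NF_INET_LOCAL_OUT) | (1u << NF_INET_POST_ROUTING);
	if (incoming_too)
		mask |= (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_PRE_ROUTING) |
		        (1u << NF_INET_FORWARD);
	return mask;
}

/* Evaluate one rule against one constructed packet; has_socket=false models
 * skb->sk == NULL. uid/gid give a single-value range for the rule. */
bool rule_matches(bool has_socket, uint32_t pkt_uid, uint32_t pkt_gid,
                  uint8_t match, uint8_t invert, uint32_t uid, uint32_t gid)
{
	struct file   f   = { .f_uid = pkt_uid, .f_gid = pkt_gid };
	struct socket so  = { .file = &f };
	struct sock   sk  = { .sk_socket = &so };
	struct skb    skb = { .sk = has_socket ? &sk : NULL };
	struct owner_info info = { .uid_min = uid, .uid_max = uid,
	                           .gid_min = gid, .gid_max = gid,
	                           .match = match, .invert = invert };
	return owner_match(&skb, &info);
}

int main(void)
{
	printf("--uid-owner 0, socketless packet:   %d\n",
	       rule_matches(false, 0, 0, OWNER_UID, 0, 0, 0));
	printf("! --uid-owner 0, socketless packet: %d\n",
	       rule_matches(false, 0, 0, OWNER_UID, OWNER_UID, 0, 0));
	printf("--socket-exists, packet with socket: %d\n",
	       rule_matches(true, 1000, 1000, OWNER_SOCKET, 0, 0, 0));
	printf("hook mask outgoing only / all: 0x%x / 0x%x\n",
	       owner_hook_mask(false), owner_hook_mask(true));
	return 0;
}
```

The design point is the two `(info->match ^ info->invert) == 0` returns: a socketless packet is neither "owned by uid 0" nor "not owned by uid 0" in any meaningful sense, so the only consistent answer is to match exactly the rules whose every criterion is negated. Whether such packets ever reach LOCAL_OUT is the question the message above leaves open; the model does not assume an answer, it just makes the rule outcome well defined in every hook.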