Jan Engelhardt wrote:
On Nov 19 2007 18:08, Jan Engelhardt wrote:
On Nov 19 2007 17:56, Jan Engelhardt wrote:
+ if (skb->sk == NULL || skb->sk->sk_socket == NULL)
+ return false;
+
+ filp = skb->sk->sk_socket->file;
+ if (filp == NULL)
+ return false;
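Review bot: both early exits in this fragment (the `return false` when `skb->sk` or `sk_socket` is NULL, and again when `filp == NULL`) report a mismatch before any owner comparison can be considered, so "no local socket attached" is indistinguishable from "socket present but owner differs". That makes a presence-only test impossible to express and, as written, a negated owner rule can never match a socketless packet. Consider computing a "socket attached" result here and letting the requested tests and their inversion decide what it means, or at least document that the match never succeeds for packets without a socket.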
What would be nice is to allow matching whether a socket exists,
without UID/GID. I had a patch for this for a long time, but
lost it somewhere.
Do you mean xt_socket from TPROXY?
Ah, xt_socket is different. But yeah, what you suggest is already implemented.
It is a matter of adjusting the iptables part now to actually make use
of the feature (to match whether a socket exists, w/o owner/group).
Speaking... xt_owner currently has
.hooks = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING),
All outgoing packets do have a socket, don't they?
Not necessarily, for example forwarded packets that are encapsulated
locally by ipip/ip_gre or IPsec don't have one.
So the quest for "whether a socket exists" implies you want me to add (1 << NF_INET_LOCAL_IN), (1 << NF_INET_PRE_ROUTING) and (1 << NF_INET_FORWARD) too?
No, that would imply a lookup. See my previous mail.
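As an added example (not code from this thread, and not the kernel's xt_owner), the following user-space C models the two points discussed above: an owner match that tests "a local socket is attached" as its own test, separate from the UID/GID comparison and respecting inversion, and a hook-mask check mirroring the quoted `.hooks` line. The `struct sk_buff`/`sock`/`socket`/`file` definitions are minimal stand-ins with only the fields the match follows, the `OWNER_*` flag names and the `owner_info` layout are assumptions made for the example, and the sample packets are constructed inline.

```c
/* Added example (not code from this thread or from the kernel's xt_owner):
 * a user-space model of an owner match that tests "a local socket is
 * attached" separately from the UID/GID comparison, plus a hook-mask check
 * mirroring the .hooks line quoted in the thread.  The structs are minimal
 * stand-ins for the kernel's sk_buff/sock/socket/file (assumption: only the
 * fields used here). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hook numbers in the order netfilter uses them (same values as NF_INET_*). */
enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING };

/* Simplified stand-ins (assumption): only the pointers the match follows. */
struct file    { unsigned int f_uid, f_gid; };   /* credentials of the opener */
struct socket  { struct file *file; };
struct sock    { struct socket *sk_socket; };
struct sk_buff { struct sock *sk; };

/* Which tests a rule enables / inverts (hypothetical flag names). */
enum { OWNER_UID = 1, OWNER_GID = 2, OWNER_SOCKET = 4 };

struct owner_info {
    unsigned int match;   /* enabled tests */
    unsigned int invert;  /* tests whose result is negated */
    unsigned int uid, gid;
};

/* The match only registers on the two output hooks: there skb->sk is the
 * sending socket, whereas on input/forward hooks it would need a lookup. */
static const unsigned int owner_hooks =
    (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING);

bool owner_hook_allowed(unsigned int hook)
{
    return (owner_hooks & (1u << hook)) != 0;
}

/* The file backing the packet's socket, or NULL when none is attached
 * (e.g. forwarded traffic that is only encapsulated locally). */
static const struct file *skb_owner_file(const struct sk_buff *skb)
{
    if (skb->sk == NULL || skb->sk->sk_socket == NULL)
        return NULL;
    return skb->sk->sk_socket->file;
}

/* One test: passes if not requested, otherwise its predicate XOR inversion. */
static bool test_ok(const struct owner_info *info, unsigned int flag, bool pred)
{
    if (!(info->match & flag))
        return true;
    return pred != !!(info->invert & flag);
}

bool owner_match(const struct sk_buff *skb, const struct owner_info *info)
{
    const struct file *filp = skb_owner_file(skb);
    bool has_socket = filp != NULL;

    /* Presence is its own test, so "no socket" is a result rather than an
     * early "return false": a negated rule can still match such a packet. */
    return test_ok(info, OWNER_SOCKET, has_socket) &&
           test_ok(info, OWNER_UID, has_socket && filp->f_uid == info->uid) &&
           test_ok(info, OWNER_GID, has_socket && filp->f_gid == info->gid);
}

/* Constructed sample packets. */
static struct file    local_file   = { 1000, 100 };
static struct socket  local_socket = { &local_file };
static struct sock    local_sock   = { &local_socket };
struct sk_buff local_pkt     = { &local_sock };   /* locally generated */
struct sk_buff forwarded_pkt = { NULL };          /* no socket at all */
static struct sock    orphan_sock  = { NULL };
struct sk_buff orphan_pkt    = { &orphan_sock };  /* sk without sk_socket */

int main(void)
{
    struct owner_info socket_only  = { OWNER_SOCKET, 0, 0, 0 };
    struct owner_info no_socket    = { OWNER_SOCKET, OWNER_SOCKET, 0, 0 };
    struct owner_info uid_1000     = { OWNER_UID, 0, 1000, 0 };
    struct owner_info not_uid_1000 = { OWNER_UID, OWNER_UID, 1000, 0 };

    printf("socket-only:   local=%d forwarded=%d orphan=%d\n",
           owner_match(&local_pkt, &socket_only),
           owner_match(&forwarded_pkt, &socket_only),
           owner_match(&orphan_pkt, &socket_only));
    printf("! socket:      local=%d forwarded=%d orphan=%d\n",
           owner_match(&local_pkt, &no_socket),
           owner_match(&forwarded_pkt, &no_socket),
           owner_match(&orphan_pkt, &no_socket));
    printf("uid 1000:      local=%d forwarded=%d\n",
           owner_match(&local_pkt, &uid_1000),
           owner_match(&forwarded_pkt, &uid_1000));
    printf("! uid 1000:    local=%d forwarded=%d\n",
           owner_match(&local_pkt, &not_uid_1000),
           owner_match(&forwarded_pkt, &not_uid_1000));
    printf("FORWARD hook allowed: %d, LOCAL_OUT allowed: %d\n",
           owner_hook_allowed(NF_INET_FORWARD),
           owner_hook_allowed(NF_INET_LOCAL_OUT));
    return 0;
}
```

The orphaned-socket packet (an `sk` whose `sk_socket` is already NULL) is treated the same as a forwarded packet, which is the case the quoted fragment handles with its second NULL check; the difference is only that the result of that check now feeds a test that can be inverted instead of ending the match.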
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html