----- Original Message ----
> From: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
>
> > I'd like to use libnetfilter_conntrack to track connections per UID
> > and/or by PID, ...
>
> You are facing the same issues as xt_socket (currently, and
> unfortunately, still named xt_owner) - in that sockets do not
> necessarily have an owner, much less exactly one associated PID.

That doesn't surprise me too much, given how e.g. sshd handles
connections (sockets are uid 0). Is this mainly a setuid issue, or is
there something else interesting going on behind the scenes?

I'm attempting to make an auto-updating tcpdump filter, so unprivileged
users could tcpdump their own connections without compromising privacy.
For those purposes having the largest possible subset of connections
'owned/initiated' by a given user will do -- better something than
nothing. In the cases where there isn't a known PID/UID, 0 would suffice
(maybe -1 for PID since it appears to be a signed int).

There are probably other applications this wouldn't work too well for,
e.g. using the firewall to prevent any new connections by a user. But
there are probably better ways to do that.

It doesn't look like nfnetlink_log does any special handling in case the
real uid isn't known. Is distinguishing between 'unknown/not set' and 0
important enough to handle specially (e.g. with a separate flag)?

BTW, I see that in 2.6.23, net/netfilter/nfnetlink_log.c:505 just grabs
the uid directly out of the skb->.... Should that use sock_i_uid(skb)
instead? That chain of macros/functions uses vfs_inode instead of
sk_socket->file->f_uid, FWIW.

Justin
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
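The "auto-updating tcpdump filter" idea from the message above, as an added example that is not part of the thread and not code from the netfilter project: instead of libnetfilter_conntrack it takes the per-socket uid from the /proc/net/tcp table (a substitution chosen here because it runs without kernel privileges), keeps only sockets that actually have an owner, and builds a pcap filter limited to those endpoints. The sample table is constructed, the parser assumes a little-endian host (the kernel prints the address as a native-order integer), and function names are this example's own. It also shows the two points Jan and Justin raise: orphaned TIME_WAIT sockets carry uid 0 with no inode, so "uid 0" there means "no owner", and an sshd session socket stays uid 0 even after the session belongs to an unprivileged user.

```python
import os
import socket
import struct

TCP_ESTABLISHED = 0x01
TCP_TIME_WAIT = 0x06
TCP_LISTEN = 0x0A

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Row 1 is an sshd session for an unprivileged user: the socket is still uid 0.
# Row 3 is a TIME_WAIT socket: uid 0 and inode 0 because nobody owns it anymore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0501A8C0:CB84 01 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C3A8 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:C3A9 22D8B85D:0050 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0000000000000000 20 4 30 10 -1
"""


def _endpoint(hexaddr):
    """Decode 'AABBCCDD:PPPP' into (dotted IPv4, port). Little-endian host assumed."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the /proc/net/tcp table into dicts; the header line is skipped."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": _endpoint(fields[1]),
            "remote": _endpoint(fields[2]),
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def owned_by(entries, uid):
    """Sockets attributable to uid. inode 0 means no owner (e.g. TIME_WAIT),
    so its uid column is not evidence of ownership and the entry is dropped."""
    return [e for e in entries if e["inode"] != 0 and e["uid"] == uid]


def pcap_filter(entries):
    """Build a tcpdump filter covering only the given sockets.
    Returns None for an empty set: an empty filter string would capture
    everything, which is the opposite of the privacy goal, so fail closed."""
    terms = []
    for e in entries:
        lip, lport = e["local"]
        rip, rport = e["remote"]
        if e["state"] == TCP_LISTEN:
            # Listener: only traffic addressed to the bound port (and address, if bound).
            host = "" if lip == "0.0.0.0" else f"dst host {lip} and "
            terms.append(f"(tcp and {host}dst port {lport})")
        else:
            # Connected socket: both directions of exactly this 4-tuple.
            terms.append(
                f"(tcp and ((src host {lip} and src port {lport} and "
                f"dst host {rip} and dst port {rport}) or "
                f"(src host {rip} and src port {rport} and "
                f"dst host {lip} and dst port {lport})))"
            )
    return " or ".join(terms) if terms else None


if __name__ == "__main__":
    # Live use on Linux: regenerate the filter for the calling user.
    try:
        with open("/proc/net/tcp") as fh:
            live = parse_proc_net_tcp(fh.read())
    except OSError:
        live = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print(pcap_filter(owned_by(live, os.getuid())))
```

Re-running the script on a timer and handing the result to tcpdump gives the "largest possible subset" the message asks for: connections the kernel has already dropped its owner reference for (TIME_WAIT, orphans) and sockets inherited from a uid 0 daemon are left out rather than guessed at, which is the safe direction for a privacy filter.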