Re: [PATCH] xt_owner: enable xt_owner on INPUT chain


 



On Fri, Aug 30, 2013 at 02:43:43PM +0200, valentina.giusti@xxxxxxxxxxxx wrote:
> From: Valentina Giusti <valentina.giusti@xxxxxxxxxxxx>
> 
> Since (41063e9 ipv4: Early TCP socket demux), we can apply the owner
> extension on the INPUT chain and match established TCP sockets.
> However, because of the same commit, we can have skb->sk pointing to a
> timewait socket, in which case accessing skb->sk->sk_socket is invalid.

This only works for established TCP sockets. Thus, these rules:

-A INPUT -m owner --socket-exists -j ACCEPT
-A OUTPUT -m owner --socket-exists -j ACCEPT

are semantically different depending on the path.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
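The path dependence described in the reply, as an added example that is not part of the thread and not kernel code: a small user-space model of the "-m owner --socket-exists" decision. It assumes the behaviour the thread states (early demux attaches skb->sk on INPUT only for an established TCP socket or its timewait remnant, while every locally generated packet on OUTPUT carries the sending socket) and uses its own simplified names (enum sk_kind, attach_socket, owner_socket_exists, socket_exists_on); none of these are the kernel's identifiers.

```c
/* Added example: user-space model of xt_owner "--socket-exists" on the
 * INPUT and OUTPUT paths. Not kernel code; all names are simplified
 * stand-ins chosen for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum hook { HOOK_INPUT, HOOK_OUTPUT };

/* Simplified socket states (assumed names). */
enum sk_kind {
    SK_NONE,          /* no local socket involved */
    SK_ESTABLISHED,   /* full socket, connection established */
    SK_LISTEN,        /* full socket, listening: not found by early demux */
    SK_TIMEWAIT       /* timewait minisock: has no sk_socket behind it */
};

struct sock {
    enum sk_kind kind;
    void *sk_socket;  /* valid only for a full socket; NULL otherwise */
};

struct sk_buff {
    enum hook hook;
    struct sock *sk;  /* NULL unless some path attached a socket */
};

/* Which socket the packet carries when the filter hook runs.
 * INPUT: early demux sets skb->sk only for an established TCP flow or
 *        its timewait remnant; a listener is looked up later, after the
 *        filter hook, so a SYN to it arrives with skb->sk == NULL.
 * OUTPUT: locally generated packets always carry the sending socket. */
static void attach_socket(struct sk_buff *skb, struct sock *sk)
{
    if (skb->hook == HOOK_OUTPUT) {
        skb->sk = sk;
        return;
    }
    if (sk && (sk->kind == SK_ESTABLISHED || sk->kind == SK_TIMEWAIT))
        skb->sk = sk;
    else
        skb->sk = NULL;
}

/* Model of "--socket-exists": true only for a full socket that has a
 * struct socket attached. A timewait sk is rejected before sk_socket is
 * touched; dereferencing sk_socket on it is the invalid access the
 * commit message warns about. */
static bool owner_socket_exists(const struct sk_buff *skb)
{
    const struct sock *sk = skb->sk;

    if (sk == NULL)
        return false;
    if (sk->kind == SK_TIMEWAIT)
        return false;
    return sk->sk_socket != NULL;
}

/* Build a packet seen on `hook` with the given local socket state,
 * attach per the model above, and evaluate the match. */
bool socket_exists_on(enum hook hook, enum sk_kind kind)
{
    static int placeholder;  /* stands in for the struct socket */
    struct sock sk = { .kind = kind, .sk_socket = NULL };
    struct sk_buff skb = { .hook = hook, .sk = NULL };

    if (kind == SK_ESTABLISHED || kind == SK_LISTEN)
        sk.sk_socket = &placeholder;

    attach_socket(&skb, kind == SK_NONE ? NULL : &sk);
    return owner_socket_exists(&skb);
}

int main(void)
{
    printf("INPUT  established TCP segment : %d\n",
           socket_exists_on(HOOK_INPUT, SK_ESTABLISHED));
    printf("INPUT  SYN to listening socket : %d\n",
           socket_exists_on(HOOK_INPUT, SK_LISTEN));
    printf("INPUT  segment for timewait sk : %d\n",
           socket_exists_on(HOOK_INPUT, SK_TIMEWAIT));
    printf("OUTPUT established TCP segment : %d\n",
           socket_exists_on(HOOK_OUTPUT, SK_ESTABLISHED));
    return 0;
}
```

The same rule therefore accepts an established flow's segments on INPUT but not the SYN that opens a connection to a listener, whereas on OUTPUT every locally generated packet from a full socket matches; the timewait case is the one the check must refuse without touching sk_socket.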