On Fri, Aug 30, 2013 at 02:43:43PM +0200, valentina.giusti@xxxxxxxxxxxx wrote:
> From: Valentina Giusti <valentina.giusti@xxxxxxxxxxxx>
>
> Since (41063e9 ipv4: Early TCP socket demux), we can apply the owner
> extension on the INPUT chain and match established TCP sockets.
> However, because of the same commit, we can have skb->sk pointing to a
> timewait socket, in which case accessing skb->sk->sk_socket is invalid.

This only works for established TCP sockets. Thus, these rules:

-A INPUT -m owner --socket-exists -j ACCEPT
-A OUTPUT -m owner --socket-exists -j ACCEPT

are semantically different depending on the path.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html