Re: [PATCH] xt_owner: enable xt_owner on INPUT chain

Hi Pablo,

thanks for having a look at this patch.

On 09/04/2013 02:34 PM, Pablo Neira Ayuso wrote:
> On Fri, Aug 30, 2013 at 02:43:43PM +0200, valentina.giusti@xxxxxxxxxxxx wrote:
>> From: Valentina Giusti <valentina.giusti@xxxxxxxxxxxx>
>>
>> Since (41063e9 ipv4: Early TCP socket demux), we can apply the owner
>> extension on the INPUT chain and match established TCP sockets.
>> However, because of the same commit, we can have skb->sk pointing to a
>> timewait socket, in which case accessing skb->sk->sk_socket is invalid.
>
> This only works for established TCP sockets. Thus, these rules:
>
> -A INPUT -m owner --socket-exists -j ACCEPT
> -A OUTPUT -m owner --socket-exists -j ACCEPT
>
> are semantically different depending on the path.

True, in fact my idea is to enable early demultiplexing for other kinds of sockets as well, as mentioned in the cover letter to this patch: http://marc.info/?l=netfilter-devel&m=137786715327396&w=2.

Sorry, I should probably have made it clear that this patch was also part of the [RFC], since of course I didn't mean to have it applied now.
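The hazard the quoted commit message describes, skb->sk on INPUT pointing at a timewait socket that has no sk_socket field, can be shown in user space. The following is an added example and is not kernel code or code from this patch: the model_* structs, the SK_* sample kinds, owner_uid_of() and model_fullsock() are invented for the model. It assumes, as in the kernel, that a timewait socket is a smaller object sharing only the common header with a full socket, so that the sk_socket field of a full socket lies beyond the end of a timewait object; only the state values 1 and 6 mirror TCP_ESTABLISHED and TCP_TIME_WAIT.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of why an owner match
 * on INPUT must check that skb->sk is a full socket before touching
 * skb->sk->sk_socket. Names are invented; state values mirror the kernel's. */
enum { MODEL_ESTABLISHED = 1, MODEL_TIME_WAIT = 6 };

struct model_socket {
    unsigned int owner_uid;         /* uid of the process owning the socket */
};

/* Header shared by every socket object (stands in for struct sock_common). */
struct model_sock_common {
    unsigned char state;
};

/* A full socket: the common header plus fields only full sockets carry. */
struct model_sock {
    struct model_sock_common common;
    struct model_socket *sk_socket; /* NULL once the socket is orphaned */
};

/* A timewait socket is a much smaller object: header plus timewait state,
 * and no sk_socket field at all. */
struct model_tw_sock {
    struct model_sock_common common;
    unsigned char tw_substate;
};

/* Model of sk_fullsock(): only full sockets have the fields past the header. */
static bool model_fullsock(const struct model_sock_common *sk)
{
    return sk->state != MODEL_TIME_WAIT;
}

/* True when reading sk_socket through a timewait object would run past its end. */
static bool sk_socket_past_timewait_end(void)
{
    return offsetof(struct model_sock, sk_socket) + sizeof(struct model_socket *)
           > sizeof(struct model_tw_sock);
}

/* Hardened lookup: the owning uid, or -1 when there is nothing safe to consult
 * (no sk, a timewait sk, or a full sk whose sk_socket has already gone). */
static int owner_uid_of(const struct model_sock_common *sk)
{
    const struct model_sock *full;

    if (sk == NULL || !model_fullsock(sk))
        return -1;
    full = (const struct model_sock *)sk;   /* safe: it really is a full socket */
    if (full->sk_socket == NULL)
        return -1;
    return (int)full->sk_socket->owner_uid;
}

/* Model of `-m owner --socket-exists` (optionally negated) applied to skb->sk. */
static bool socket_exists_match(const struct model_sock_common *sk, bool invert)
{
    bool has_socket = owner_uid_of(sk) >= 0;
    return has_socket != invert;
}

/* Constructed sample objects standing in for what skb->sk may point at. */
static struct model_socket sample_file = { .owner_uid = 1000 };
static struct model_sock sample_established = {
    .common = { .state = MODEL_ESTABLISHED }, .sk_socket = &sample_file };
static struct model_sock sample_orphaned = {
    .common = { .state = MODEL_ESTABLISHED }, .sk_socket = NULL };
static struct model_tw_sock sample_timewait = {
    .common = { .state = MODEL_TIME_WAIT }, .tw_substate = 0 };

enum { SK_NONE, SK_ESTABLISHED, SK_ORPHANED, SK_TIMEWAIT };

/* Picks one of the samples by kind; SK_NONE models skb->sk == NULL. */
static const struct model_sock_common *sample_sk(int kind)
{
    switch (kind) {
    case SK_ESTABLISHED: return &sample_established.common;
    case SK_ORPHANED:    return &sample_orphaned.common;
    case SK_TIMEWAIT:    return &sample_timewait.common;
    default:             return NULL;
    }
}

int main(void)
{
    static const char *names[] = { "no sk", "established", "orphaned", "timewait" };
    int kind;

    printf("sk_socket lies past the end of a timewait object: %s\n",
           sk_socket_past_timewait_end() ? "yes" : "no");
    for (kind = SK_NONE; kind <= SK_TIMEWAIT; kind++)
        printf("%-12s uid=%d  --socket-exists: %s\n", names[kind],
               owner_uid_of(sample_sk(kind)),
               socket_exists_match(sample_sk(kind), false) ? "match" : "no match");
    return 0;
}
```

The point of the model is the order of the checks: the state test comes before the cast, so a timewait object is never reinterpreted as a full socket, and the orphaned case shows that even a full socket needs the sk_socket NULL test. In the model a timewait socket simply fails `--socket-exists`, which is the conservative reading when the match cannot tell who owns the connection.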

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
