Hi Pablo,
thanks for having a look at this patch.
On 09/04/2013 02:34 PM, Pablo Neira Ayuso wrote:
> On Fri, Aug 30, 2013 at 02:43:43PM +0200, valentina.giusti@xxxxxxxxxxxx wrote:
> > From: Valentina Giusti <valentina.giusti@xxxxxxxxxxxx>
> >
> > Since (41063e9 ipv4: Early TCP socket demux), we can apply the owner
> > extension on the INPUT chain and match established TCP sockets.
> > However, because of the same commit, we can have skb->sk pointing to a
> > timewait socket, in which case accessing skb->sk->sk_socket is invalid.
>
> This only works for established TCP sockets. Thus, these rules:
>
> -A INPUT -m owner --socket-exists -j ACCEPT
> -A OUTPUT -m owner --socket-exists -j ACCEPT
>
> are semantically different depending on the path.
True; in fact, my idea is to enable early demultiplexing also for other
kinds of sockets, as mentioned in the cover letter to this patch:
http://marc.info/?l=netfilter-devel&m=137786715327396&w=2.
Sorry, I should probably have made it clear that this patch, too, was
part of the [RFC], since of course I didn't mean to have it applied now.
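The hazard described in the patch description (skb->sk may point at a timewait socket, which is a smaller structure sharing only the leading sock_common with a full struct sock, so dereferencing sk->sk_socket through it reads past the object) can be modelled outside the kernel. The following user-space C program is an added example, not code from this thread or from xt_owner.c; the struct layouts, the `model_sk_fullsock()` helper and the `socket_exists_*` functions are simplified stand-ins for the kernel's definitions, and the two socket instances are constructed inputs. It contrasts the unguarded check with one that refuses to look past sock_common until the socket kind is known.

```c
/* Added example: user-space model of the timewait-socket hazard.
 * Struct definitions are simplified stand-ins, not the kernel's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { TCP_ESTABLISHED = 1, TCP_TIME_WAIT = 6 };

/* Fields shared by full sockets and timewait sockets (kernel: sock_common). */
struct sock_common {
    unsigned char skc_state;
};

/* Stand-in for struct socket; only its presence matters here. */
struct socket {
    int file_present;
};

/* A full socket: sock_common followed by the owner-relevant pointer. */
struct sock {
    struct sock_common sk_common;
    struct socket *sk_socket;
};

/* A timewait socket carries only the common part; there is no sk_socket
 * field behind it, so a struct sock view of it must not read past
 * sk_common. */
struct inet_timewait_sock {
    struct sock_common tw_common;
};

/* Model of the kernel's sk_fullsock(): false for the minimal timewait
 * object, which only the state field can distinguish. */
static bool model_sk_fullsock(const struct sock *sk)
{
    return sk->sk_common.skc_state != TCP_TIME_WAIT;
}

/* Unguarded shape of the check: correct for a full socket, but reads
 * beyond the object when sk actually points at a timewait socket.
 * Never call this on a timewait pointer; it exists only for contrast. */
static bool socket_exists_unsafe(const struct sock *sk)
{
    return sk != NULL && sk->sk_socket != NULL;
}

/* Hardened shape: confirm the socket kind before touching sk_socket. */
static bool socket_exists_safe(const struct sock *sk)
{
    if (sk == NULL || !model_sk_fullsock(sk))
        return false;            /* no owner information for timewait */
    return sk->sk_socket != NULL;
}

/* Constructed scenario: an established socket backed by a file. */
static bool demo_established_socket(void)
{
    struct socket file_backed = { .file_present = 1 };
    struct sock full = {
        .sk_common = { .skc_state = TCP_ESTABLISHED },
        .sk_socket = &file_backed,
    };
    return socket_exists_safe(&full) && socket_exists_unsafe(&full);
}

/* Constructed scenario: skb->sk carries a timewait socket typed as
 * struct sock *, as early demux can produce on the INPUT path. */
static bool demo_timewait_socket(void)
{
    struct inet_timewait_sock tw = {
        .tw_common = { .skc_state = TCP_TIME_WAIT },
    };
    return socket_exists_safe((const struct sock *)&tw);
}

int main(void)
{
    printf("established socket: --socket-exists matches = %s\n",
           demo_established_socket() ? "yes" : "no");
    printf("timewait socket:    --socket-exists matches = %s\n",
           demo_timewait_socket() ? "yes" : "no");
    return 0;
}
```

The guarded version returns false for the timewait case rather than dereferencing it, which mirrors why a `--socket-exists` rule on INPUT can only ever match full (established) TCP sockets after early demux.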
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html