On Wed, Dec 18, 2013 at 10:04 AM, <valentina.giusti@xxxxxxxxxxxx> wrote:
> At the Linux Plumbers Conference 2013, there have been quite interesting
> discussions on the topic of network statistics, and it was proposed that it
> would make more sense to use NFQUEUE for this purpose, letting therefore
> userspace use the UID/GID information for application-based statistics purposes.
> This way the UID and GID information of the incoming TCP and UDP traffic is not
> "wasted" and can be used for more refined statistics.

Some things to keep in mind when doing these changes...

For mobile devices, having the UID/GID is not sufficient when services are
involved (download manager, http service, ...).
Currently, Android's xt_qtaguid netfilter module supports the notion of
"delegation" which is achieved by having the service "tag" a socket (tracked
internally based on the struct sock address), via the file descriptor, with a
UID of who should be blamed for the statistics.
It would be nice if NFQUEUE presented/tracked some data related to the socket
that could be used to that effect.

This tagging of the socket needs to have the following properties:
- a socket can stay open and be re-tagged (happens when pools are used or when
  a stream can be used for multiple reasons).
- a socket can be tagged with a different UID only if the current UID/GID/pcap
  allows for it.
- an app can have multiple sockets, each one belonging to different UIDs (so no
  UID to UID mapping).
There are a few more, but those can be managed outside of the NFQUEUE changes.

Concerning the comment about TCP_TIMEWAIT in some other thread: the sk is not a
"struct sock" but "struct inet_timewait_sock" which is missing fields.
So beware when manipulating it. xt_qtaguid had to ignore those struct sock.
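The TCP_TIMEWAIT caveat in the message above, shown as an added userspace model (this is not kernel code and not part of the thread or of xt_qtaguid). In the kernel, a full `struct sock` and a `struct inet_timewait_sock` share only the leading `struct sock_common`, so a netfilter hook that reads owner credentials out of `skb->sk` must first establish that it is looking at a full socket. The struct names, field names and state constants below (`model_sock`, `model_timewait_sock`, `owner_uid_for`, `MODEL_TCP_*`) are simplified assumptions that mirror that layout; the check itself is the point.

```c
/* Added example: userspace model of the "sk may be a time-wait socket"
 * hazard from the message above.  Layout and names are a simplified
 * assumption, not the kernel's definitions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed state values (assumption, stand-ins for TCP_* states). */
enum { MODEL_TCP_ESTABLISHED = 1, MODEL_TCP_TIME_WAIT = 6 };

/* Prefix shared by both socket kinds (models struct sock_common). */
struct model_sock_common {
    uint8_t  skc_state;
    uint16_t skc_num;          /* local port */
};

/* Full socket (models struct sock): carries the owner credentials. */
struct model_sock {
    struct model_sock_common sk_common;
    uint32_t sk_uid;
    uint32_t sk_gid;
};

/* Time-wait socket (models struct inet_timewait_sock): only the common
 * prefix plus timer state; there is NO uid/gid here.  Reading one through
 * a struct model_sock pointer would read past the object. */
struct model_timewait_sock {
    struct model_sock_common tw_common;
    uint32_t tw_timeout;
};

/* A hook only gets the common prefix, the way skb->sk is handed around.
 * Only a socket that is not in TIME_WAIT may be treated as a full socket. */
static bool model_sk_fullsock(const struct model_sock_common *sk)
{
    return sk->skc_state != MODEL_TCP_TIME_WAIT;
}

/* Return the UID a statistics module should charge the packet to,
 * or -1 when the socket cannot be attributed (missing or time-wait). */
long long owner_uid_for(const struct model_sock_common *sk)
{
    if (sk == NULL || !model_sk_fullsock(sk))
        return -1;                       /* skip, as xt_qtaguid does */
    const struct model_sock *full = (const struct model_sock *)sk;
    return full->sk_uid;
}

int main(void)
{
    /* Constructed sample sockets. */
    struct model_sock full = { { MODEL_TCP_ESTABLISHED, 443 }, 10042, 10042 };
    struct model_timewait_sock tw = { { MODEL_TCP_TIME_WAIT, 443 }, 60 };

    printf("established socket -> uid %lld\n", owner_uid_for(&full.sk_common));
    printf("time-wait socket   -> uid %lld\n", owner_uid_for(&tw.tw_common));
    return 0;
}
```

The defensive pattern is the same one the message describes for xt_qtaguid: discriminate on the common state field before casting, and treat time-wait sockets as unattributable rather than reading credential fields that do not exist on them.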