Daniel Mack <daniel@xxxxxxxxxx> wrote:
> Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the
> input demux is complete and the final destination socket (if any)
> has been determined.
>
> This helps filtering packets based on information stored in the
> destination socket, such as cgroup controller supplied net class IDs.
This still seems like the 'x y' problem ("want to do X, think Y is
correct solution; ask about Y, but thats a strange thing to do").
There is nothing that this offers over INPUT *except* that sk is
available. But there is zero benefit as far as I am concerned --
why would you want to do any meaningful filtering based on the sk at
that point...?
Drop? Makes no sense, else application would not be running in the first
place.
Allowing response packets? Can already do that with conntrack.
So the only 'benefit' is that netcls id is available; but
a) why is that even needed and
b) is such a huge sledgehammer just for net cgroup accounting
worth it?
Another question is what other strange things come up once we would
open this door.
> listening on a specific task, the resulting error code that is sent
> back to the remote peer can't be controlled with rules in
> NF_INET_LOCAL_SOCKET_IN chains.
Right, and that makes this even weirder.
For deterministic ingress filtering you can only rely on what
is contained in the packet.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
