Henrik Nordstrom wrote:
> On Fri, 7 Oct 2005, Benjamin Schieder wrote:
>> I'm currently writing an application that makes heavy use of the
>> ipt_owner module and the owner-socketlookup patch from patch-o-matic.
>> Now I'm at a point where using --pid-owner becomes necessary.
>> My machine is a dual P3 800 SMP machine, which results in:
>>
>> ipt_owner: pid, sid and command matching is broken on SMP.
>
> Yes. The owner match needs to violate too many layers of the Linux
> networking, making assumptions which are not true in an SMP system.
>
>> Is there any way to fix this so I can use this feature or do I have
>> to work around this brokenness somehow with ipt_comment?
>
> No good approach on how to even attempt to fix the owner match for SMP
> is known at this date. The networking stack is simply not designed with
> this in mind.

I see. Well, I've found another way to achieve the desired effect; maybe
someone else can also make good use of it:

I use -m comment --comment 'inode:$inode' to add easily parseable
information to the rule. $inode is the inode part read from /proc/net/tcp,
tcp6, udp or udp6. This is also available in /proc/<pid>/fd/<one of these>
in the form socket:[inode]. This information is checked against each
other, and so I get the PID of the process.

Greetings,
Benjamin

- --
play online: telnet://slashem.crash-override.net
view scores: http://slashem.crash-override.net
watch deaths: irc://irc.freenode.net#slashem
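The inode join Benjamin describes, written out as an added example (this is my code, not Benjamin's and not part of netfilter or patch-o-matic). It parses the inode column of a /proc/net/tcp-style file, parses the 'inode:N' rule comment, and matches the inode against the socket:[N] symlink targets under /proc/<pid>/fd. The sample /proc/net/tcp and tcp6 rows and the fd link targets are constructed, not captured from a real host, and the address decoding assumes a little-endian machine (x86), like the dual P3 in the thread.

```python
"""Resolve an iptables rule tagged '-m comment --comment inode:N' back to the
owning PID by joining /proc/net/{tcp,tcp6,udp,udp6} with /proc/<pid>/fd/* links.
Added example for the technique in the thread; not the poster's code."""
import os
import re
import socket
import struct

COMMENT_RE = re.compile(r"^inode:(\d+)$")          # tag format used in the rule comment
SOCKET_LINK_RE = re.compile(r"^socket:\[(\d+)\]$")  # readlink() of /proc/<pid>/fd/<n>


def inode_from_rule_comment(comment):
    """Return the inode carried by an 'inode:N' comment, or None for any other comment."""
    m = COMMENT_RE.match(comment.strip())
    return int(m.group(1)) if m else None


def _decode_addr(hex_addr):
    """Decode a /proc/net address field. The kernel prints each 32-bit word with %08X
    in host byte order; assumption: little-endian host, so '0100007F' is 127.0.0.1."""
    raw = b"".join(struct.pack("<I", int(hex_addr[i:i + 8], 16))
                   for i in range(0, len(hex_addr), 8))
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, raw)


def parse_proc_net(text):
    """Map inode -> (local_ip, local_port, state_hex) for one /proc/net/{tcp,tcp6,udp,udp6}
    file. Rows with inode 0 (e.g. TIME_WAIT, owned by no process) are skipped."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        local, state, inode = f[1], f[3], int(f[9])
        if inode == 0:
            continue
        ip_hex, port_hex = local.split(":")
        table[inode] = (_decode_addr(ip_hex), int(port_hex, 16), state)
    return table


def pids_for_inode(inode, fd_links):
    """fd_links: {pid: [readlink targets of /proc/<pid>/fd/*]}. Returns sorted PIDs that
    hold the socket; several are possible after fork() or SCM_RIGHTS fd passing."""
    owners = []
    for pid, targets in fd_links.items():
        for t in targets:
            m = SOCKET_LINK_RE.match(t)
            if m and int(m.group(1)) == inode:
                owners.append(pid)
                break
    return sorted(owners)


def read_proc_fd_links(proc="/proc"):
    """Collect fd link targets for every PID (other users' fds need root to readlink)."""
    links = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:      # process exited, or fd dir not readable
            continue
        targets = []
        for fd in fds:
            try:
                targets.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:  # fd closed between listdir() and readlink()
                pass
        links[int(name)] = targets
    return links


def resolve_rule(comment, proc_net_text, fd_links):
    """comment -> inode -> socket row -> PIDs. None if the comment is not an inode tag."""
    inode = inode_from_rule_comment(comment)
    if inode is None:
        return None
    sock = parse_proc_net(proc_net_text).get(inode)
    return {"inode": inode, "socket": sock, "pids": pids_for_inode(inode, fd_links)}


# Constructed sample data (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6789 1 0000000000000000 100 0 0 10 0
   2: 0100007F:D4C8 0100007F:1F90 06 00000000:00000000 03:00000A2B 00000000     0        0 0 3 0000000000000000
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6790 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_FD_LINKS = {
    4242: ["/dev/null", "/dev/pts/0", "socket:[12345]", "anon_inode:[eventpoll]"],
    1: ["socket:[6789]", "socket:[6790]"],
    999: ["pipe:[555]"],
}

if __name__ == "__main__":
    print(resolve_rule("inode:12345", SAMPLE_TCP, SAMPLE_FD_LINKS))
    # On a live host: resolve_rule(comment, open("/proc/net/tcp").read(), read_proc_fd_links())
```

Two caveats a user of this trick should keep in mind. Socket inodes are recycled once the socket closes, so a rule tagged with an inode must be deleted or regenerated when the owning socket goes away, or it will eventually describe an unrelated process. And the join only identifies the process that currently holds the socket; it does not make the kernel match on PID at packet time, so it is a userspace bookkeeping aid, not a replacement for --pid-owner.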