On Thursday, 25.01.2007, 10:23 +0100, Sebastian Claßen wrote:
> Hi...
>
> Kernel: 2.6.20-rc5
> Iptables: v1.3.7-20070118
>
> The owner match seems not to match TCP packets any more. Can be tested
> by inserting the rule:
> iptables -I OUTPUT -m owner --uid-owner test-user -j LOG
>
> Simply su to the specified user and using netcat (nc) to send UDP and
> TCP packets shows only log entries with PROTO=UDP but none with TCP.
>
> Can anyone reproduce this and perhaps has a solution?
>
> Greets
> Sebastian.
>

Hi again...

I've just found out where the problem is. In the 2.6.20-rc1 changelog the following thing was modified:

[TCP]: Don't set SKB owner in tcp_transmit_skb().

That seems to break the owner match for TCP packets. I was able to undo the change with the attached one-line patch, which fixed the problem for me.

Greets
Sebastian.
--- linux-2.6.20-rc5.orig/net/ipv4/tcp_output.c 2007-01-25 20:10:04.000000000 +0100 +++ linux-2.6.20-rc5/net/ipv4/tcp_output.c 2007-01-25 14:43:48.000000000 +0100 @@ -467,6 +467,7 @@ static int tcp_transmit_skb(struct sock th = (struct tcphdr *) skb_push(skb, tcp_header_size); skb->h.th = th; + skb_set_owner_w(skb, sk); /* Build TCP header and checksum it. */ th->source = inet->sport;
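Review bot: the added `+ skb_set_owner_w(skb, sk);` line reverts a change that 2.6.20-rc1 made deliberately ("[TCP]: Don't set SKB owner in tcp_transmit_skb()", quoted in the mail above), so the patch description should explain why restoring the owner at this point is correct rather than only that it makes the owner match fire again. skb_set_owner_w() does more than record skb->sk for netfilter: it also installs sock_wfree as the destructor and charges the buffer's truesize to the socket's sk_wmem_alloc, so a reviewer needs to know that the skb reaching this point in tcp_transmit_skb() is not already accounted to the socket, otherwise the call double-charges it. Two smaller points: the patch carries no Signed-off-by line, and the `---`/`+++` headers show the .orig file with a later timestamp (20:10:04) than the modified file (14:43:48), which suggests the diff was taken between the trees in an unexpected order; please confirm the direction is intended and resubmit with a proper description.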