On Tuesday 2010-06-22 10:18, Patrick McHardy wrote:

>>> no idea ? maybe i didn't explain very well :/
>>>
>>> i saw that when using LOG target in OUTPUT policy, there is the user's uid who
>>> send packet.
>>
>> That is not the user's uid, but the uid of the socket's creator.
>
> Filtering based on UID is best done using the owner match.

The owner match, too, uses the socket's creator ;-)

In most cases that is sufficient, but _real_ filtering by UID needs to be done by things like snet LSM.

> nfnetlink_queue currently doesn't supply the UID/GID, but it could be added easily.

http://bugzilla.netfilter.org/show_bug.cgi?id=600

patch has been lingering there for long.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
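The point made in the thread above, that both the owner match and the LOG target key on the uid of the socket's creator rather than on whoever "sends" a packet, is illustrated here with an added shell example; it is not part of the original messages or of the netfilter project. It prints OUTPUT-chain rules for one uid (applying them requires root, so the function only prints by default) and extracts the UID= field from a kernel LOG line. The log line is a constructed sample, and the `uid<N>-out:` prefix and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): owner-match and LOG rules keyed on the
# uid of the socket's creator. A daemon that creates its socket as root and
# then drops privileges still matches the root uid here, which is the caveat
# the reply above raises against treating this as "real" per-user filtering.

# Print the iptables commands for one uid. Pipe the output to a root shell
# to apply them; nothing is executed by this function itself.
owner_rules() {
    uid="$1"
    # LOG every outgoing packet whose socket was created by $uid
    # ("uid<N>-out:" is an assumed prefix for this example).
    printf '%s\n' "iptables -A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix \"uid$uid-out: \""
    # Then refuse outgoing SMTP from that uid (policy chosen for the example).
    printf '%s\n' "iptables -A OUTPUT -m owner --uid-owner $uid -p tcp --dport 25 -j REJECT"
}

# Extract the UID= value that the LOG target prints for locally generated
# packets. Returns 1 when the line carries no UID= field (e.g. forwarded or
# kernel-originated traffic, which has no creating socket).
log_uid() {
    case "$1" in
        *UID=*) rest=${1##*UID=}; printf '%s\n' "${rest%% *}" ;;
        *) return 1 ;;
    esac
}

# Constructed sample LOG line in the kernel's format; not captured from a real host.
SAMPLE_LOG='uid1000-out: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=44210 DPT=25 UID=1000 GID=1000'
# Constructed line without a UID= field, as seen for traffic with no local socket.
SAMPLE_NOUID='fwd: IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=51000 DPT=80'

# Stand-alone run: show the rules and the extracted uid.
owner_rules 1000
log_uid "$SAMPLE_LOG"
log_uid "$SAMPLE_NOUID" || echo "no UID= field (no creating socket)"
```

Note that the uid reported, 1000 in the constructed line, is the uid that owned the process when the socket was created; a later setuid() by that process does not change it, so the match and the log agree with each other but neither reflects the current effective uid.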