Why does the cgroup iptables extension not work generally with the INPUT chain?
- Subject: Why does the cgroup iptables extension not work generally with the INPUT chain?
- From: Anselm Schüler <mail@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 20 Aug 2023 23:44:37 +0200
- User-agent: Mozilla Thunderbird
Note: This question concerns the kernel component part of the iptables
system. I am not sure if this is the appropriate place for discussion on
this or if it's only for the userland utilities. If this message is not
in the right place, please inform me.
I recently wanted to use the cgroup iptables extension to allow incoming
traffic for ports with a certain cgroup listening on them. Unfortunately
I discovered the disclaimer in iptables-extensions(8), which states that
the extension "will only match on packets that are processed for local
sockets through early socket demuxing" on the INPUT chain. I must
confess I do not know precisely what early socket demuxing is, but brief
testing seemed to reveal that my packets weren't doing it. This leads me
to ask: Why is this the case? Is there a workaround? Could this be fixed?
A cursory glance through the kernel git tree revealed to the novice's
eye no obvious hacky logic or similar that might lead to this. Is there
some general iptables-extensions-specific configuration logic that
requires some conditions, not in the logic, but in the infrastructure
code (extension registration or what have you) for this to work?
I considered attempting to fix the problem myself but I realized I can't
without even knowing what the issue is.
Preempting X/Y problem accusations, here is the motivation: I use
iptables to operate a generic home user firewall for my system but I
want to allow GNOME file sharing (which doesn't use a designated port,
but is assigned to a cgroup by systemd) through the firewall.
I am currently not subscribed to the netfilter mailing list. If
subscribing is necessary to participate please let me know.
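Added example, not from the original post or from the netfilter project: a small POSIX shell helper that checks the early-demux sysctls the iptables-extensions(8) caveat depends on, and prints the cgroup-match rule in the chain where the manpage documents it as reliable (OUTPUT) beside the INPUT form. It assumes cgroup v2 (`--path`) and uses `/user.slice/example.service` as a constructed placeholder, not a unit name from the post. Note that TCP early demux only resolves packets of already established connections, so a fresh SYN to a listening socket is never matched by the INPUT rule regardless of the sysctl values.

```shell
#!/bin/sh
# Added example, not part of the original post. Reports whether the kernel's
# early socket demux (the mechanism iptables-extensions(8) refers to for the
# cgroup match on INPUT) is switched on, and prints the rule forms.

# Return 0 if every early-demux sysctl under $1 (default /proc/sys/net/ipv4)
# reads 1, 1 if any reads 0, 2 if none are present (kernel without the knobs).
early_demux_enabled() {
    dir="${1:-/proc/sys/net/ipv4}"
    found=0
    for knob in ip_early_demux tcp_early_demux udp_early_demux; do
        [ -r "$dir/$knob" ] || continue
        found=1
        [ "$(cat "$dir/$knob")" = "1" ] || return 1
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Print the rule the manpage documents as reliable (OUTPUT, where the owning
# socket of a locally generated packet is always known) and the INPUT form,
# which only matches packets early demux has already tied to an established
# local socket; a new inbound SYN to a listening socket is not among them.
cgroup_rules() {
    path="$1"   # cgroup v2 path below the cgroup root (constructed placeholder in the usage below)
    printf 'iptables -A OUTPUT -m cgroup --path %s -j ACCEPT\n' "$path"
    printf 'iptables -A INPUT  -m cgroup --path %s -j ACCEPT   # early-demuxed packets only\n' "$path"
}

# Usage: report the live sysctl state, then show both rule forms.
if early_demux_enabled; then
    echo "early demux: enabled"
else
    echo "early demux: disabled or not available (rc=$?)"
fi
cgroup_rules /user.slice/example.service
```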