Re: Which PID is a packet going to/coming from?

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Mon, 03 May 1999 15:54:30 +0930

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Rogier Wolff: "DVD-ram patch."
Previous message: Davide Libenzi: "Re: [OT] Comments to WinNT Mag !!"
Maybe in reply to: Alistair Cunningham: "Which PID is a packet going to/coming from?"

In message <19990502121056.A255@ursa.sel.cam.ac.uk> you write:
>
> I'm working on an addition to ipchains to allow filtering on local UIDs -
> allowing rules like 'Only EUIDs less than 1000 may make outgoing
> connections to an SMTP server'. One thing has me beat:

Hi Alistair,

Early in the netfilter development, I implemented incoming and
outgoing UID checking. It gets difficult, and it turns out that to be
at all useful, it needs to have a userspace component. In practice,
people want to enable and disable certain ids at certain times, etc.

It's also a bitch to implement the lookup (eg. multiple
receivers are possible).

The answer, I concluded, was to filter SYN packets through
userspace, and do the lookup there (look up what process has that
source/dest socket, figure out whether it's OK or not), and then set
up an in-kernel rule to handle the rest of the packets and replies.
Of course, there's no nice way of reinjecting the packet if you decide
it's OK in linux 2.2 (hence netfilter for 2.3); if you can handle a
one second delay, then you can simply drop the packet.

Rusty.

-- Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999? http://www.linux.org.au/projects/calu

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/

Next message: Rogier Wolff: "DVD-ram patch."
Previous message: Davide Libenzi: "Re: [OT] Comments to WinNT Mag !!"
Maybe in reply to: Alistair Cunningham: "Which PID is a packet going to/coming from?"