Hi Alistair,
Early in the netfilter development, I implemented incoming and
outgoing UID checking. It gets difficult, and it turns out that to be
at all useful, it needs to have a userspace component. In practice,
people want to enable and disable certain ids at certain times, etc.
It's also a bitch to implement the lookup (e.g. multiple
receivers are possible).
The answer, I concluded, was to filter SYN packets through
userspace, and do the lookup there (look up what process has that
source/dest socket, figure out whether it's OK or not), and then set
up an in-kernel rule to handle the rest of the packets and replies.
Of course, there's no nice way of reinjecting the packet if you decide
it's OK in Linux 2.2 (hence netfilter for 2.3); if you can handle a
one second delay, then you can simply drop the packet.
Rusty.
--
Tridge, Raster, DaveM, Cort, maddog... Where will you be 9-11 July 1999?
http://www.linux.org.au/projects/calu-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
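The scheme in the mail, as an added example (not Rusty's code and not part of the original thread): only SYN packets take the userspace slow path, the owning socket is found by parsing `/proc/net/tcp`-style lines (a constructed excerpt is embedded below), a hypothetical per-UID time-window policy decides, and the verdict is cached per 4-tuple so the rest of the flow is handled from the table, standing in for the in-kernel rule. The `Sock`, `Packet`, `SynFilter` and `POLICY` names are assumptions made for the example; the lookup also returns every listener that could receive the SYN (exact bind plus wildcard bind), since the mail notes that multiple receivers are possible.

```python
"""Added example, not from the original mail: a userspace model of the scheme
Rusty describes. Only SYN packets take the slow path: the owning socket is
found by parsing /proc/net/tcp-style lines (constructed sample below), a
per-UID time-window policy decides, and the verdict is cached per connection
so the remaining packets of that flow are handled from the table."""
import socket
import struct
from dataclasses import dataclass

# Constructed /proc/net/tcp excerpt. Whitespace columns: sl local rem st
# txq:rxq tr:when retrnsmt uid timeout inode ... (hex addresses, IPv4 in
# host byte order, port in network order)
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0500000A:0050 02 00000000:00000000 00:00000000 00000000  1001        0 9999 1 0000000000000000 20 4 30 10 -1
"""
LISTEN, SYN_SENT = 0x0A, 0x02


@dataclass(frozen=True)
class Sock:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: int
    uid: int


def _parse_addr(field):
    ip_hex, port_hex = field.split(":")
    # /proc/net/tcp prints the IPv4 address as a host-order 32-bit word;
    # this assumes a little-endian host (x86)
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    socks = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _parse_addr(f[1])
        rip, rport = _parse_addr(f[2])
        socks.append(Sock(lip, lport, rip, rport, int(f[3], 16), int(f[7])))
    return socks


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool
    outgoing: bool  # True when the local host is the sender


def owners_of(pkt, socks):
    """UIDs of every local socket that could own this SYN. An incoming SYN
    may have several receivers (exact bind plus wildcard bind), hence a list."""
    if pkt.outgoing:
        return [s.uid for s in socks if s.state == SYN_SENT
                and (s.local_ip, s.local_port) == (pkt.src_ip, pkt.src_port)
                and (s.remote_ip, s.remote_port) == (pkt.dst_ip, pkt.dst_port)]
    return [s.uid for s in socks if s.state == LISTEN
            and s.local_port == pkt.dst_port
            and s.local_ip in (pkt.dst_ip, "0.0.0.0")]


# Hypothetical policy: uid -> [start_hour, end_hour) windows when it is allowed
POLICY = {0: [(0, 24)], 1000: [(9, 17)]}


def uid_allowed(uid, hour, policy=POLICY):
    return any(start <= hour < end for start, end in policy.get(uid, []))


class SynFilter:
    def __init__(self, socks, policy=POLICY):
        self.socks = socks
        self.policy = policy
        self.flows = {}  # 4-tuple -> verdict; stands in for the in-kernel rule

    def handle(self, pkt, hour):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.flows:  # fast path: flow already has a rule
            return self.flows[key]
        if not pkt.syn:  # mid-stream packet with no rule: drop it
            return "DROP"
        uids = owners_of(pkt, self.socks)
        # every possible receiver must be permitted now; unknown owner -> drop
        verdict = ("ACCEPT" if uids and all(uid_allowed(u, hour, self.policy)
                                             for u in uids) else "DROP")
        self.flows[key] = verdict
        return verdict
```

The cached verdict is deliberately not re-evaluated when the policy window closes mid-connection; that matches the mail's model, where only the SYN is judged and the kernel rule carries the rest of the flow. Re-checking long-lived flows would need a sweep of the table on every policy change.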