bugzilla-daemon@bugzilla.netfilter.org
2006-Feb-14 19:18 UTC
[Bug 449] New: [patch] mount-point+inode ipt_owner patch (created 18 months ago)
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=449

Summary: [patch] mount-point+inode ipt_owner patch (created 18 months ago)
Product: netfilter/iptables
Version: linux-2.6.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ip_tables (kernel)
AssignedTo: laforge@netfilter.org
ReportedBy: lkcl@lkcl.net

hi,

somehow this patch has been lost and/or never picked up. it's a patch that adds a means by which ipt_owner can filter on additional information, namely the mount point, an inode, or both.

the mount-point match on its own is particularly useful: it allows you to e.g. add in packet filtering rules based on whether you are running programs from an nfs mount-point or from /bin; or giving specific firewall rules to /usr/bin/mozilla and different ones to /usr/bin/kmail. in combination with ipt_owner by uid or gid you could even give different permissions to users of specific programs.

this is _not_ the same as that (rather daft) netfilter module - the one, oh what does it do... it checks the name of the program but only the "filename" bit, which is more than useless, it's a dangerous sense of security. this patch goes by inode+mountpoint name: martin maurer's "fireflier" can therefore utilise this code (or it _could_ have, back in version 1.5, if this patch had damn well been noticed) to allow per-program on-demand packet filtering.

_yes_ martin maurer's fireflier does inode-walking that then uses that information in a really horrible way that misses _all_ sorts of TCP state-dependent packets, because he has to do the same thing as this simple patch as a _userspace_ filter, where he is unable to receive TCP reset packets, so his program is REALLY annoying because every time you get a TCP reset you get a damn popup notification.
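To make the reporter's point concrete, here is an added example (not the patch, not netfilter code, and not from the bug report) showing why identifying a program by mount point plus inode is sturdier than matching its filename: a hard link gives the same file a new name, so a name-only check stops recognising it while the (mount point, inode) identity is unchanged, and a copy is a genuinely different file. The `mount_point` helper is an assumption of this example, approximating the mount point by walking up until the device number changes.

```python
import os
import shutil
import tempfile

def mount_point(path):
    """Walk up from path until the device number changes; the last
    directory still on the same device is the mount point (assumed
    approximation for this example)."""
    path = os.path.realpath(path)
    dev = os.stat(path).st_dev
    while path != os.path.dirname(path):
        parent = os.path.dirname(path)
        if os.stat(parent).st_dev != dev:
            break
        path = parent
    return path

def program_identity(path):
    """Identity in the spirit of the patch: (mount point, inode), not the name."""
    return (mount_point(path), os.stat(path).st_ino)

def name_identity(path):
    """What a filename-only match sees: just the last path component."""
    return os.path.basename(path)

def demo():
    """Constructed scenario: one executable reached under a second name via a
    hard link, plus a byte-for-byte copy of it."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "mozilla")
        with open(original, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        linked = os.path.join(d, "kmail")
        os.link(original, linked)          # same inode, different name
        copied = os.path.join(d, "mozilla-copy")
        shutil.copy(original, copied)      # same bytes, fresh inode
        return {
            # the linked name still resolves to the very same file
            "link_same_identity": program_identity(original) == program_identity(linked),
            # but a name-only match no longer recognises it
            "link_name_differs": name_identity(original) != name_identity(linked),
            # a copy is a different file, so an inode rule does not carry over to it
            "copy_different_identity": program_identity(original) != program_identity(copied),
        }

if __name__ == "__main__":
    print(demo())
```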