[Bug 449] New: [patch] mount-point+inode ipt_owner patch (created 18 months ago)

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Tue Feb 14 19:18:32 CET 2006


https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=449

           Summary: [patch] mount-point+inode ipt_owner patch (created 18
                    months ago)
           Product: netfilter/iptables
           Version: linux-2.6.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ip_tables (kernel)
        AssignedTo: laforge at netfilter.org
        ReportedBy: lkcl at lkcl.net


hi,

somehow this patch has been lost and/or never picked up.

it's a patch that adds a means by which ipt_owner can filter
on additional information, namely the mount point, an inode,
or both.

the mount-point match on its own is particularly useful: it
allows you to e.g. add in packet filtering rules based on whether
you are running programs from an nfs mount-point or from /bin;
or giving specific firewall rules to /usr/bin/mozilla and different
ones to /usr/bin/kmail.

in combination with ipt_owner by uid or gid you could even give different
permissions to users of specific programs.

this is _not_ the same as that (rather daft) netfilter module - the
one, oh what does it do... it checks the name of the program but only
the "filename" bit, which is more than useless it's a dangerous sense
of security.

this patch goes by inode+mountpoint name: martin maurer's "fireflier"
can therefore utilise this code (or it _could_ have, back in version
1.5, if this patch had damn well been noticed) to allow per-program
on-demand packet filtering.

_yes_ martin maurer's fireflier does inode-walking that then uses
that information in a really horrible way that misses _all_ sorts of
TCP state-dependent packets, because he has to do the same thing as
this simple patch as a _userspace_ filter, where he is unable to
receive TCP reset packets so his program is REALLY annoying because
every time you get a TCP reset you get a damn popup notification.

-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.



More information about the netfilter-buglog mailing list