Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On 10/02/2015 01:07 PM, Pablo Neira Ayuso wrote: > On Thu, Oct 01, 2015 at 11:07:30PM +0200, Daniel Mack wrote: > [...] >> That, however, got rejected because it doesn't work for multicast. This >> patch set implements one of the things Pablo suggested in his reply. > > People are rising valid

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On Thu, Oct 01, 2015 at 11:07:30PM +0200, Daniel Mack wrote: [...] > That, however, got rejected because it doesn't work for multicast. This > patch set implements one of the things Pablo suggested in his reply. People are rising valid concerns here, so far we got a RFC where you say that you

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On Wed, Sep 30, 2015 at 09:24:21AM +0200, Daniel Mack wrote: > On 09/29/2015 11:19 PM, Florian Westphal wrote: > > Daniel Mack wrote: > >> Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the > >> input demux is complete and the final destination socket (if any)

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On 10/01/2015 07:13 PM, Marcelo Ricardo Leitner wrote: > On Wed, Sep 30, 2015 at 09:24:21AM +0200, Daniel Mack wrote: >> On 09/29/2015 11:19 PM, Florian Westphal wrote: >>> Daniel Mack wrote: Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the input

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On Thu, Oct 01, 2015 at 11:07:30PM +0200, Daniel Mack wrote: > On 10/01/2015 07:13 PM, Marcelo Ricardo Leitner wrote: > > On Wed, Sep 30, 2015 at 09:24:21AM +0200, Daniel Mack wrote: > >> On 09/29/2015 11:19 PM, Florian Westphal wrote: > >>> Daniel Mack wrote: > Add a new

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

Hi Florian, On 09/30/2015 11:48 PM, Florian Westphal wrote: > Daniel Mack wrote: >> Of course you can drop certain packets at this point, depending on other >> details. Say, for instance, you want to match all packets that are >> received by a certain task and that are

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On 09/30/2015 09:40 AM, Jan Engelhardt wrote: > > On Wednesday 2015-09-30 09:24, Daniel Mack wrote: >> >>> Drop? Makes no sense, else application would not be running in the first >>> place. >> >> Of course you can drop certain packets at this point, depending on other >> details. Say, for

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On 09/29/2015 11:19 PM, Florian Westphal wrote: > Daniel Mack wrote: >> Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the >> input demux is complete and the final destination socket (if any) >> has been determined. >> >> This helps filtering packets based on

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

On Wednesday 2015-09-30 09:24, Daniel Mack wrote: > >> Drop? Makes no sense, else application would not be running in the first >> place. > >Of course you can drop certain packets at this point, depending on other >details. Say, for instance, you want to match all packets that are >received by a

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

Daniel Mack wrote: > Of course you can drop certain packets at this point, depending on other > details. Say, for instance, you want to match all packets that are > received by a certain task and that are originated from IP addresses of > a specific subnet, and drop the rest.

[PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the input demux is complete and the final destination socket (if any) has been determined. This helps filtering packets based on information stored in the destination socket, such as cgroup controller supplied net class IDs. Note

Re: [PATCH RFC 3/7] netfilter: add NF_INET_LOCAL_SOCKET_IN chain type

Daniel Mack wrote: > Add a new chain type NF_INET_LOCAL_SOCKET_IN which is ran after the > input demux is complete and the final destination socket (if any) > has been determined. > > This helps filtering packets based on information stored in the > destination socket, such as