Date: Fri, 6 Jun 2025 07:33:37 +0000 From: Emmanuel Nyarko <emmankoko...@gmail.com> Message-ID: <b1af582e-be81-48ba-8ec7-120b764b3...@gmail.com>
| But the reason is I want to add this support is for NPF to be able to | give a user based security to Unix servers in network layer. Personally, I think your design is flawed from the outset, and looks to be more a way to justify the addition you made to npf rather than anything that can realistically work (for any practical benefit). If you want to control user's network access, the time to control it would be when the local user is connecting a socket, or binding to one for receiving (or in sendto()/recvfrom() for UDP packets) - rather than packet by packet as they're being sent/received over the network. Just possibly rate limiting might be possible using the local user ID, and packet streams, but that wouldn't be easy either. For remote users, the time to say yes/no would be when they're authenticating themselves to your local system - when using some protocol which doesn't do that, then you simply cannot do per user control, as there is no way to know who is out there. All the discussion about user domain sockets, is, perhaps, because readers of this thread simply assumed that's what you were talking about, as that is a place where uids and ownership of the sockets makes some sense. But as you say, that's not what you mean. I just don't believe that the way you're trying to do things can possibly work. kre