Date: Fri, 6 Jun 2025 07:33:37 +0000
From: Emmanuel Nyarko <emmankoko...@gmail.com>
Message-ID: <b1af582e-be81-48ba-8ec7-120b764b3...@gmail.com>
| But the reason is I want to add this support is for NPF to be able to
| give a user based security to Unix servers in network layer.
Personally, I think your design is flawed from the outset, and looks to
be more a way to justify the addition you made to npf rather than anything
that can realistically work (for any practical benefit).
If you want to control user's network access, the time to control it
would be when the local user is connecting a socket, or binding to one
for receiving (or in sendto()/recvfrom() for UDP packets) - rather than
packet by packet as they're being sent/received over the network.
Just possibly rate limiting might be possible using the local user ID,
and packet streams, but that wouldn't be easy either.
For remote users, the time to say yes/no would be when they're authenticating
themselves to your local system - when using some protocol which doesn't
do that, then you simply cannot do per user control, as there is no way
to know who is out there.
All the discussion about user domain sockets, is, perhaps, because readers
of this thread simply assumed that's what you were talking about, as that
is a place where uids and ownership of the sockets makes some sense.
But as you say, that's not what you mean. I just don't believe that the
way you're trying to do things can possibly work.
kre
