On Friday 21 April 2006 18:26, Mikado wrote:
> Does your module get into below problem?
>
> http://lkml.org/lkml/2006/4/20/132
Nope.
A short test:
On host:
sudo iptables -A INPUT -p tcp --dport 81 -j DROP
In qemu:
#iptables -t skfilter -A OUTPUT -m fireflier_match --inode-owner
24392 --dev-owner /dev/root -j LOG --log-prefix test_out2
#netcat 172.20.0.1 81
[4295327.547000] test_out2:IN= OUT=eth0 SRC=172.20.0.10 DST=172.20.0.1 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=11865 DF PROTO=TCP SPT=34945 DPT=81 WINDOW=5840
RES=0x00 SYN URGP=0
[4295327.549000] test_out2:IN= OUT=eth0 SRC=172.20.0.10 DST=172.20.0.1 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=11865 DF PROTO=TCP SPT=34945 DPT=81 WINDOW=5840
RES=0x00 SYN URGP=0
[4295330.550000] test_out2:IN= OUT=eth0 SRC=172.20.0.10 DST=172.20.0.1 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=11866 DF PROTO=TCP SPT=34945 DPT=81 WINDOW=5840
RES=0x00 SYN URGP=0
As you can see several packets are sent out, and each one is matched (24392 is
the inode of netcat here).
Please note that using fireflier LSM is not recomended, as I am working on
writing SELinux policies that do the same (fireflier LSM is itself using code
from hooks.c from selinux).
See: http://lkml.org/lkml/2006/4/17/81
Also take a look at James Morris's skfilter patches (which are used in
fireflier too), they allow you to match at socket level, and also allow to
match based on selinux context.
Cheers,
Edwin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]