lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Oct 2013 16:09:22 +0100 From: Daniel Wagner <wagi@...om.org> To: Daniel Borkmann <dborkman@...hat.com>, "Eric W. Biederman" <ebiederm@...ssion.com> CC: pablo@...filter.org, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, Tejun Heo <tj@...nel.org>, cgroups@...r.kernel.org Subject: Re: [PATCH nf-next] netfilter: xtables: lightweight process control group matching Hi Daniel On 10/19/2013 08:16 AM, Daniel Borkmann wrote: > On 10/19/2013 01:21 AM, Eric W. Biederman wrote: > >> I am coming to this late. But two concrete suggestions. >> >> 1) process groups and sessions don't change as frequently as pids. >> >> 2) It is possible to put a set of processes in their own network >> namespace and pipe just the packets you want those processes to >> use into that network namespace. Using an ingress queueing filter >> makes that process very efficient even if you have to filter by port. > > Actually in our case we're filtering outgoing traffic, based on which > local socket that originated from; so you wouldn't need all of that > construct. Also, you wouldn't even need to have an a-prio knowledge of > the application internals regarding their use of particular use of ports > or protocols. I don't think that such a setup will have the same > efficiency, ease of use, and power to distinguish the application the > traffic came from in such a lightweight, protocol independent and easy way. Sorry for beeing late as well (and also stupid question) Couldn't you use something from the LSM? I mean you allow the application to create the socket etc and then block later the traffic originated from that socket. Wouldn't it make more sense to block early? cheers, daniel -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists