lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1387389844-5263-1-git-send-email-valentina.giusti@bmw-carit.de>
Date:	Wed, 18 Dec 2013 19:04:02 +0100
From:	valentina.giusti@...-carit.de
To:	netfilter-devel@...r.kernel.org
Cc:	netdev@...r.kernel.org, eric.dumazet@...il.com, tgraf@...hat.com,
	jpa@...gle.com, pablo@...filter.org, davem@...emloft.net,
	daniel.wagner@...-carit.de,
	Valentina Giusti <valentina.giusti@...-carit.de>
Subject: [PATCH 0/2] Add UID/GID info to NFQUEUE

From: Valentina Giusti <valentina.giusti@...-carit.de>

Hi,

this patchset adds the possibility to get the UID/GID of the socket they belong
with the NFQUEUE target.

The feature is meant to be a helper for network statistics made on a per
application basis.
In fact, letting userspace being able to associate a packet to a UID and GID
couple helps narrowing down the traffic to the application it belongs to.

One could argue that we already have this feature by means of the owner match,
but this is not true for incoming traffic. It could actually be partially true
thanks to commits 41063e9 (ipv4: Early TCP socket demux) and 421b388 (udp: 
ipv4: Add udp early demux), which allow to obtain socket information also for 
incoming TCP and UDP connections. However, as Pablo Neira Ayuso already pointed
out (http://www.spinics.net/lists/netfilter-devel/msg27952.html), enabling the
owner match on INPUT wouldn't be semantically equivalent to when it is used on
OUTPUT, even with the aforementioned early demux commits.

At the Linux Plumbers Conference 2013, there have been quite interesting 
discussions on the topic of network statistics, and it was proposed that it 
would make more sense to use NFQUEUE for this purpose, letting therefore 
userspace use the UID/GID information for application-based statistics purposes.
This way the UID and GID information of the incoming TCP and UDP traffic is not
"wasted" and can be used for more refined statistics.

For more information on what has been said at LPC2013, have a look at:

https://www.youtube.com/watch?v=ulIqVzsC03g
(Updates on 'New Challenges for Linux Network Support',
 Daniel Wagner, BMW Car IT GmbH)
https://www.youtube.com/watch?v=Fi_iyaF7Gw0
(Android netfilter changes,
 John Stultz, Linaro.org)

And also at this article:

https://lwn.net/Articles/517358/

With this patchset I am proposing an implementation that follows up the
discussions that have been made.
Please have a look at it, any comments are welcome.

-- 
Best Regards,
Val


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ