| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKP4w2SuiJej0pWF_=V0XoMuTxxPN5Do--1=wVTDxp4koNLt5w@mail.gmail.com> Date: Mon, 30 Dec 2013 14:39:30 -0800 From: JP Abgrall <jpa@...gle.com> To: valentina.giusti@...-carit.de Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, eric.dumazet@...il.com, tgraf@...hat.com, Pablo Neira Ayuso <pablo@...filter.org>, davem@...emloft.net, daniel.wagner@...-carit.de Subject: Re: [PATCH 0/2] Add UID/GID info to NFQUEUE On Wed, Dec 18, 2013 at 10:04 AM, <valentina.giusti@...-carit.de> wrote: > At the Linux Plumbers Conference 2013, there have been quite interesting > discussions on the topic of network statistics, and it was proposed that it > would make more sense to use NFQUEUE for this purpose, letting therefore > userspace use the UID/GID information for application-based statistics purposes. > This way the UID and GID information of the incoming TCP and UDP traffic is not > "wasted" and can be used for more refined statistics. Some things to keep in mind when doing these changes... For mobile devices, having the UID/GID is not sufficient when services are involved (download manager, http service, ...). Currently, Android's xt_qtaguid netfilter module supports the notion of "delegation" which is achieved by having the service "tag" a socket (tracked internally based on the struct sock address), via the file descriptor, with a UID of who should be blamed for the statistics. It would be nice if NFQUEUE presented/tracked some data related to the socket that could be used to that effect. This tagging of the socket needs to have the following properties: - a socket can stay open and be re-tagged (happens when pools are used or when a stream can be used for multiple reasons). - a socket can be tagged with a different UID only if the current UID/GID/pcap allows for it. - an app can have multiple sockets, each one belonging to different UIDs (so no UID to UID mapping). There are a few more, but those can be managed outside of the NFQUEUE changes. Concerning the comment about TCP_TIMEWAIT in some other thread: the sk is not a "struct sock" but "struct inet_timewait_sock" which is missing fields. So beware when manipulating it. xt_qtaguid had to ignore those struct sock. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists