On 10.09.2013 01:54, Pascal Hambourg wrote:
> Lars Noodén wrote:
>>
>> Vincent's link suggests that --cmd-owner was removed from iptables
>> entirely.
>
> Actually it was removed from the kernel part of iptables, not from the
> iptables userland.
>
>> It would be important to find a more authoritative source on
>> that like the netfilter list or the kernel list.
>
> Is the Linux 2.6.14 changelog authoritative enough?
That would do it. :)

> commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
> Author: Christoph Hellwig <h...@lst.de>
> Date:   Sun Aug 14 17:33:59 2005 -0700
>
>     [NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
>
>     Rip out cmd/sid/pid matching since it's unfixably broken and stands
>     in the way of locking changes to tasklist_lock.

2.6.14 was a while ago, so I guess it's not coming back. Is it the concept
itself that is broken or the implementation? FWIW BSD's PF doesn't have
that option either, so I'm guessing the former.

One work-around would be to make a unique user or group for the process
which shall be filtered and then use that with the owner match options
--uid-owner or --gid-owner.

Regards,
/Lars

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/522ee763.1090...@gmail.com
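The work-around Lars describes (a dedicated group per program, then `-m owner --gid-owner`) as a worked example. This script is an added illustration, not code from the thread or from the netfilter project; the group name "filtered", the port list and the `sg` invocation are assumptions, and `apply_rules` only does anything when run as root with iptables installed. The rule generator is kept separate from the part that applies it so the rules can be reviewed first.

```shell
#!/bin/sh
# Added example: filter one program's outbound traffic with the iptables
# owner match instead of the removed --cmd-owner. Assumes Linux, iptables
# and the shadow-utils 'sg' command. Names below are illustrative.

# owner_rules GROUP PROTO/PORT...
# Print (do not run) the OUTPUT-chain rules for sockets owned by GROUP:
# accept the listed destinations, log and reject everything else.
# The owner match only applies to locally generated packets, so it is
# only valid in OUTPUT (and POSTROUTING on newer kernels), never INPUT.
owner_rules() {
    grp=$1; shift
    for spec in "$@"; do
        proto=${spec%/*}
        port=${spec#*/}
        printf 'iptables -A OUTPUT -m owner --gid-owner %s -p %s --dport %s -j ACCEPT\n' \
            "$grp" "$proto" "$port"
    done
    # Log before rejecting so a blocked connection is visible in the kernel log.
    printf 'iptables -A OUTPUT -m owner --gid-owner %s -j LOG --log-prefix "%s: "\n' \
        "$grp" "$grp"
    printf 'iptables -A OUTPUT -m owner --gid-owner %s -j REJECT\n' "$grp"
}

# apply_rules GROUP PROTO/PORT...
# Create the system group if missing and load the rules. Needs root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    getent group "$1" >/dev/null 2>&1 || groupadd --system "$1"
    owner_rules "$@" | sh -e
}

# run_filtered GROUP COMMAND...
# Start the program with GROUP as its effective (fs) gid; the sockets it
# opens then carry that gid and hit the rules above. The invoking user
# must be a member of GROUP. Note: --gid-owner checks the socket's fsgid,
# not supplementary groups, which is why the group is made primary here.
run_filtered() {
    grp=$1; shift
    sg "$grp" -c "$*"
}

# Usage (assumed names):
#   sh owner-filter.sh print filtered tcp/22 udp/53   # review the rules
#   sudo sh owner-filter.sh apply filtered tcp/22 udp/53
#   sh owner-filter.sh run filtered ssh example.org
case "${1:-}" in
    print) shift; owner_rules "$@" ;;
    apply) shift; apply_rules "$@" ;;
    run)   shift; run_filtered "$@" ;;
esac
```

Two caveats a practitioner should keep in mind. First, if the program needs name resolution, udp/53 (and tcp/53) to the resolver has to be on the allow list or it will appear to hang before the reject shows up in the log. Second, this is not a sandbox: a process that can change its gid (setgid binaries, anything running as root) can simply step out of the group, so the owner match is a policy aid for cooperating, unprivileged programs rather than a containment boundary.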