Hi,

On Tue, 2013-11-05 at 14:27 -0500, Glenn Schmottlach wrote:
> It seems that when a Session is created new
> rules are added to the iptable to "mark" these packets from a
> particular application based on the UID, GID, or SELinux context.

Yes.

> I want to set up additional filters on these same marked packets
> except I also want to add a field to mark a GID association in the
> same U32 netfilter value.

Why do you want to reuse the marker value?

What is your intention: do you need per UID stats, per GID stats (or per
SELinux context stats) or all of them at the same time? If you need
combined stats for some set of applications and another combined set of
stats for a different (but possibly overlapping?) set of applications, is
it just easier to calculate that value based on the per UID stats (or
GID/SELinux) set up by ConnMan? With that any sets of group stats can be
created with any sets of overlaps.

> I need to know the netfilter mask I can use
> to mask off the fields Connman uses for each packet.

This starts to get awfully complicated...

> I expected that iptable rules for
> Session policies for the same UID/GID/SELinux context would "share"
> the same session (and thus statistics). So if two applications running
> as the same UID/GID/SELinux context requested a Connman Session, the
> first requestor would create it while the second application would get
> a "reference" to that session.

Only one session needs to and can be created. This is done by the "main"
process, with the rest of the forked-off children being automatically
accounted for as long as they keep the same UID/GID/SELinux context used
for identification purposes. Only if they change the identification do they
need to open a new Session in order to get routing, notifications and
accounting set up properly.

Cheers,

        Patrik
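As an added example (not code from the ConnMan project or from either poster) of the approach suggested above, this parses the per-UID/GID byte and packet counters of the owner-matching MARK rules from `iptables -t mangle -nvx -L` output and sums them into arbitrary, possibly overlapping groups. The chain name, mark values and counter lines are constructed; ConnMan's real chain names and mark layout are not given in the thread.

```python
import re

# Constructed sample of `iptables -t mangle -nvx -L <chain>` output.
# The chain name and the MARK values are hypothetical; -x is used so the
# byte counters are printed exactly rather than abbreviated (e.g. "14K").
SAMPLE = """\
Chain session-OUTPUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    14400 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000 MARK set 0x1
      40     5200 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001 MARK set 0x2
      10      800 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1002 MARK set 0x3
"""

# pkts, bytes, then an owner match on UID or GID somewhere in the rule text.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+MARK\b.*?owner (UID|GID) match (\d+)")


def parse_counters(text):
    """Return {(kind, id): (pkts, bytes)} for every owner-matching MARK rule.

    kind is "UID" or "GID"; header and non-owner rules are skipped.
    """
    stats = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, nbytes, kind, ident = m.groups()
            stats[(kind, int(ident))] = (int(pkts), int(nbytes))
    return stats


def group_totals(stats, groups):
    """Sum per-owner counters into named groups.

    groups maps a name to a set of (kind, id) members; the sets may overlap
    freely, since each group is computed independently from the per-owner
    counters rather than from a shared mark field.
    """
    totals = {}
    for name, members in groups.items():
        pkts = sum(stats.get(mbr, (0, 0))[0] for mbr in members)
        nbytes = sum(stats.get(mbr, (0, 0))[1] for mbr in members)
        totals[name] = (pkts, nbytes)
    return totals
```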

_______________________________________________
connman mailing list
https://lists.connman.net/mailman/listinfo/connman