Hi,

For example:
iptables -t mangle -A OUTPUT -m owner 1.1 \
       -j MARK --set-mark 258

An APP creates a session, and uses the above rule to route the network.

In this APP, if I create a socket to access the internet, I don't
understand how the kernel knows this socket was created by user 1.1,
and can access the internet.

Looks like you need to take a look at linux kernel internals, your question is far too broad. Basically: in the kernel your process runs under a uid/gid, when it opens a socket it owns it (as any kind of stuff it can manipulate, it's part of its resources). The relationship is direct. On network traffic itself it's more complicated than that: it depends on network configuration, iptables and routing rules. There is no such information telling directly "this process can access this network".

About the Session API, the idea here is to ensure the output traffic of the application gets routed to the proper network. To quickly summarize, iptables cannot touch the packet at the routing step: it can do things before or after (which is too late then). Thus session uses iptables to mark the application's packets before routing (see init_firewall_session()) so that in routing, such a mark will be used to route the packet to the proper gateway (see add_default_route()).

Tomasz
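To make the two steps above concrete, here is an added example that is not connman's code (init_firewall_session() and add_default_route() belong to the project; this is a stand-alone sketch of the same mark-then-route idea). The uid 1000, mark 258, interface eth1, gateway 192.0.2.1 and routing table 258 are constructed sample values.

```shell
#!/bin/sh
# Added illustration, not connman's code. Two halves of the session routing
# trick: packets from sockets owned by one uid are marked in mangle/OUTPUT,
# which is traversed before the routing decision, and a policy routing rule
# then sends packets carrying that mark to a private table whose only
# default route points at the session's gateway.

# Print the commands for one session. Arguments: uid mark ifname gateway table
# Returns 1 (and prints nothing) if mark or table is not a non-negative integer,
# since --set-mark and "lookup" need numeric values (uid may be a name or number).
session_route_cmds() {
    uid=$1; mark=$2; ifname=$3; gateway=$4; table=$5
    for n in "$mark" "$table"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ -n "$uid" ] && [ -n "$ifname" ] && [ -n "$gateway" ] || return 1
    # 1) Mark before routing: mangle/OUTPUT is the hook that runs ahead of the
    #    routing decision; marking in POSTROUTING would be too late.
    printf 'iptables -t mangle -A OUTPUT -m owner --uid-owner %s -j MARK --set-mark %s\n' \
        "$uid" "$mark"
    # 2) Policy rule: packets with this fwmark consult a dedicated table ...
    printf 'ip rule add fwmark %s lookup %s\n' "$mark" "$table"
    # 3) ... whose default route is the session's gateway on its interface.
    printf 'ip route add default via %s dev %s table %s\n' "$gateway" "$ifname" "$table"
}

# Execute the commands (needs root / CAP_NET_ADMIN). With DRY_RUN=1 (the
# default) the commands are only echoed, so the script is safe to try.
session_route_apply() {
    session_route_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd" || exit 1
        fi
    done
}

# Sample invocation with constructed values: uid 1000, mark 258, eth1,
# gateway 192.0.2.1, table 258.
session_route_apply 1000 258 eth1 192.0.2.1 258
```

After applying for real, the mark counters in `iptables -t mangle -L OUTPUT -v -n` and the entry in `ip rule show` confirm that traffic from that uid is actually being diverted.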

_______________________________________________
connman mailing list
https://lists.connman.net/mailman/listinfo/connman