On 09/19/2016 10:35 PM, Pablo Neira Ayuso wrote: > On Mon, Sep 19, 2016 at 09:30:02PM +0200, Daniel Mack wrote: >> On 09/19/2016 09:19 PM, Pablo Neira Ayuso wrote:
>>> Actually, did you look at Google's approach to this problem? They >>> want to control this at socket level, so you restrict what the process >>> can actually bind. That is enforcing the policy way before you even >>> send packets. On top of that, what they submitted is infrastructured >>> so any process with CAP_NET_ADMIN can access that policy that is being >>> applied and fetch a readable policy through kernel interface. >> >> Yes, I've seen what they propose, but I want this approach to support >> accounting, and so the code has to look at each and every packet in >> order to count bytes and packets. Do you know of any better place to put >> the hook then? > > Accounting is part of the usecase that fits into the "network > introspection" idea that has been mentioned here, so you can achieve > this by adding a hook that returns no verdict, so this becomes similar > to the tracing infrastructure. Why would we artificially limit the use-cases of this implementation if the way it stands, both filtering and introspection are possible? > Filtering packets with cgroups is braindead. Filtering is done via eBPF, and cgroups are just the containers. I don't see what's brain-dead in that approach. After all, accessing the cgroup once we have a local socket is really fast, so the idea is kinda obvious. > You have the means to ensure that processes send no packets via > restricting port binding, there is no reason to do this any later for > locally generated traffic. Yes, restricting port binding can be done on top, if people are worried about the performance overhead of a per-packet program. Thanks, Daniel
