Hi list, I need your advice on this:

Imagine there would be a new iptables table, independent of filter/mangle/nat. Let's call it the 'ctx' table. This new table has one chain, OUTPUT, and a subset of the current matches and targets is available in rules defined for that table. The ctx OUTPUT chain would work like the filter table OUTPUT chain, and probably come just before that.

Next, imagine that we had a mechanism to group processes into so-called contexts [1]. The new 'ctx' table would be per-context, with copy-on-write sharing when new process contexts are created.

Now, imagine that suser() non-CAP_NET_ADMIN processes, while disallowed to muddle with the filter, nat, and mangle tables, would be permitted to modify the new 'ctx' table. If it is shared with a parent context at the first modification, a copy is made private to the context of the calling process. Oh, and add a nonreversible mechanism to "lock" the context private table against further modifications.

The questions to people who know the implementation innards are:

- can the incoming table validator in the kernel be trusted far enough?
- same question for each match and target made available to iptable_ctx?
- what are the matches/targets keeping global state? Those would probably better not be available.

Thanks in advance for all your thoughts,

Patrick

[1] ftp://ftp.solucorp.qc.ca/pub/vserver/
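As an added illustration (not from the post, the vserver project or any kernel code), a small C model of the sharing semantics described above: a child context shares its parent's 'ctx' table until it first modifies it, at which point it gets a private copy, and a lock, once set, cannot be cleared. It assumes that the lock travels with the table, so a context forked from a locked context inherits the lock and cannot fork its way around it; rule contents are reduced to integer ids.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_RULES 8

/* A 'ctx' table shared by every context that points at it. Rules are reduced
 * to integer ids; this is a model of the semantics, not a kernel structure. */
struct ctx_table {
    int refcnt;          /* contexts currently sharing this table */
    int locked;          /* set once by ctx_lock(), never cleared */
    int nrules;
    int rules[MAX_RULES];
};
struct context { struct ctx_table *tbl; };

/* Root context: its own empty, unlocked table. */
struct context ctx_root(void) {
    struct context c = { calloc(1, sizeof(struct ctx_table)) };
    if (!c.tbl) abort();
    c.tbl->refcnt = 1;
    return c;
}
/* A new context shares the parent's table (copy-on-write). */
struct context ctx_fork(struct context *parent) {
    struct context c = { parent->tbl };
    parent->tbl->refcnt++;
    return c;
}
/* First modification: detach a private copy if the table is shared. The copy
 * keeps the locked flag (assumption), so fork-then-modify cannot escape it. */
static void ctx_make_private(struct context *c) {
    struct ctx_table *t = c->tbl, *copy;
    if (t->refcnt == 1) return;
    copy = malloc(sizeof *copy);
    if (!copy) abort();
    memcpy(copy, t, sizeof *copy);
    copy->refcnt = 1;
    t->refcnt--;
    c->tbl = copy;
}
/* Append a rule to the calling context's table; -1 if locked or full. */
int ctx_add_rule(struct context *c, int rule) {
    if (c->tbl->locked || c->tbl->nrules >= MAX_RULES) return -1;
    ctx_make_private(c);
    c->tbl->rules[c->tbl->nrules++] = rule;
    return 0;
}
/* Lock the context's private table against further changes; no unlock exists. */
void ctx_lock(struct context *c) {
    ctx_make_private(c);
    c->tbl->locked = 1;
}
```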
Imagine there would be a new iptables table, independant of filter/mangle/nat. Let's call it the 'ctx' table. This new table has one chain, OUTPUT, and a subset of the current matches and targets is available in rules defined for that table. The ctx OUTPUT chain would work like the filter table OUTPUT chain, and probably come just before that. Next, imagine that we had a mechanism to group processes into so-called contexts [1]. The new 'ctx' table would be per-context, with copy-on-write sharing when new process contexts are created. Now, imagine that suser() non-CAP_NET_ADMIN processes, while disallowed to muddle with the filter, nat, and mangle tables, would be permitted to modify the new 'ctx' table. If it is shared with a parent context at the first modification, a copy is made private to the context of the calling process. Oh, and add a nonreversible mechanism to "lock" the context private table against further modifications. The questions to people who know the implementation innards, are: - can the incoming table validator in the kernel be trusted far enough? - same question for each match and target made available to iptable_ctx? - what are the matches/targets keeping global state? those would probably better not be available. thanks in advance for all your thoughts Patrick [1] ftp://ftp.solucorp.qc.ca/pub/vserver/