by vbernat
3441 days ago
Netfilter can delegate the fate of a packet to userland. It can be done for all packets or only the first packet of each connection (thanks to conntrack). Userland can then easily match the packet with a local connection or a local application listening socket. There is nothing bundled inside Netfilter for this anymore because this is racy: several unrelated processes can use the same socket. The processes may come and go whenever they want. There is also some prior art (but it's a dead project): NuFirewall.
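The "match the packet with a local connection or a listening socket" step described in the comment above, as an added example that is not vbernat's code and not part of NuFirewall: a parser for the `/proc/net/tcp` table, a lookup that maps an incoming packet's 4-tuple to the established socket or, failing that, the listening socket that would accept it, and a helper that returns every PID holding that socket's inode. The sample table is constructed inline and assumes a little-endian host (the `<I` unpack), which is how `/proc/net/tcp` renders IPv4 addresses on x86; `scan_proc_fds` reads the real `/proc` and is only there for use on a live system.

```python
import os
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the TCP state codes used by /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


@dataclass(frozen=True)
class SockEntry:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int
    inode: int


def _parse_addr(field: str):
    """Decode 'HEXIP:HEXPORT'. The IPv4 word is native-endian in /proc,
    so on little-endian hosts the bytes appear reversed (assumed here)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[SockEntry]:
    """Parse the text of /proc/net/tcp (header line included)."""
    entries = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _parse_addr(f[1])
        rip, rport = _parse_addr(f[2])
        entries.append(SockEntry(lip, lport, rip, rport,
                                 TCP_STATES.get(f[3], f[3]),
                                 int(f[7]), int(f[9])))
    return entries


def match_packet(entries: List[SockEntry], src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[SockEntry]:
    """Socket that would receive an incoming packet: the established
    4-tuple match first, else a listener on the destination port bound
    to the destination address or to the wildcard address."""
    for e in entries:
        if (e.state == "ESTABLISHED" and e.local_ip == dst_ip
                and e.local_port == dst_port and e.remote_ip == src_ip
                and e.remote_port == src_port):
            return e
    for e in entries:
        if (e.state == "LISTEN" and e.local_port == dst_port
                and e.local_ip in (dst_ip, "0.0.0.0")):
            return e
    return None


def scan_proc_fds(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Live system only: map each PID to the socket inodes it holds open."""
    table: Dict[int, List[int]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    table.setdefault(int(pid), []).append(int(target[8:-1]))
        except OSError:  # process exited or not ours to inspect
            continue
    return table


def pids_sharing_socket(inode: int, fd_table: Dict[int, List[int]]) -> List[int]:
    """All PIDs holding the socket. The answer is a list, not one PID:
    this is the race the comment points at (fork, SCM_RIGHTS, exits)."""
    return sorted(pid for pid, inodes in fd_table.items() if inode in inodes)


# Constructed sample: sshd listening on *:22 with one session from
# 10.0.0.11:50000, and a service bound to 127.0.0.1:8080 as uid 1000.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18730 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 19001 1 0000000000000000 20 4 30 10 -1
"""
# Constructed fd table: a pre-forked server (PIDs 300 and 301) shares listener 18730.
SAMPLE_FDS = {300: [18730], 301: [18730, 19001], 42: [23456]}

if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_TCP)
    hit = match_packet(socks, "10.0.0.99", 40000, "10.0.0.10", 22)
    print(hit, pids_sharing_socket(hit.inode, SAMPLE_FDS))
```

With the established entry the 4-tuple wins; a fresh SYN to port 22 falls through to the wildcard listener, and the inode then resolves to two PIDs, which is exactly why a userland verdict cannot assume one process per socket.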