by riobard 458 days ago
Is it just me or does Linux seem to have too many non-orthogonal ways to restrict processes? Like, why does Landlock do TCP filtering based on port only? What about non-TCP traffic, and maybe IP-based restrictions are more useful? How does it interact with Netfilter? Puzzling.
3 comments

It takes time to develop these features, but Landlock is gaining new network filtering features. We are working on a way to control socket creation according to their protocols, and also a way to filter UDP (which makes sense to developers and users).

From the point of view of an app developer, it might not make sense to filter peers but services (ports) instead, and filtering peers without their names would not be ideal (the kernel doesn't know about DNS, only IPs). Anyway, this feature might come one day if someone wants to work on it, but we follow well-tested incremental development.

Netfilter is a privileged network feature that allows doing almost anything with the network, which makes it unsuitable for (app/unprivileged) sandboxing.
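The port-based TCP filtering discussed in this reply, as an added example that is neither the thread's nor the Landlock project's code: the process handles (denies by default) TCP bind and connect, then allows connect to a single port. It assumes Landlock ABI 4 or later (Linux 6.7+); the struct layouts, constants and syscall numbers are copied from the kernel UAPI and declared locally so the file builds against older headers, and kernel support is checked at run time.

```c
/* Added example: confine this process to outbound TCP on one port via Landlock.
 * Declarations mirror linux/landlock.h (ABI 4, Linux 6.7+) so older headers suffice. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_landlock_create_ruleset  /* same numbers on every architecture */
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_NET_PORT          2
#define LL_ACCESS_NET_BIND_TCP    (1ULL << 0)
#define LL_ACCESS_NET_CONNECT_TCP (1ULL << 1)

struct ll_ruleset_attr  { uint64_t handled_access_fs; uint64_t handled_access_net; };
struct ll_net_port_attr { uint64_t allowed_access; uint64_t port; };

/* Highest Landlock ABI the running kernel supports, or -1 if unavailable. */
long landlock_abi_version(void) {
    return syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
}

/* TCP port rules (LANDLOCK_RULE_NET_PORT) only exist from ABI 4 onwards. */
int net_rules_supported(long abi) { return abi >= 4; }

/* Handle TCP bind and connect (deny by default), then allow connect to `port`.
 * Returns 0 on success or -errno; -ENOTSUP when the kernel's ABI is too old. */
int restrict_to_tcp_connect_port(uint16_t port) {
    if (!net_rules_supported(landlock_abi_version())) return -ENOTSUP;
    struct ll_ruleset_attr rs = { .handled_access_fs = 0,
        .handled_access_net = LL_ACCESS_NET_BIND_TCP | LL_ACCESS_NET_CONNECT_TCP };
    int fd = syscall(__NR_landlock_create_ruleset, &rs, sizeof rs, 0);
    if (fd < 0) return -errno;
    struct ll_net_port_attr rule = { .allowed_access = LL_ACCESS_NET_CONNECT_TCP, .port = port };
    if (syscall(__NR_landlock_add_rule, fd, LL_RULE_NET_PORT, &rule, 0) != 0 ||
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||  /* mandatory before restrict_self */
        syscall(__NR_landlock_restrict_self, fd, 0) != 0) { int e = errno; close(fd); return -e; }
    close(fd);
    return 0;
}

int main(void) {
    int r = restrict_to_tcp_connect_port(443);  /* afterwards only TCP connect to :443 passes */
    printf("Landlock ABI %ld, restrict: %s\n", landlock_abi_version(), r ? strerror(-r) : "ok");
    return r ? 1 : 0;
}
```

Rules only name ports, not peers, which is exactly the design choice the reply explains; an IP-based rule has no Landlock rule type to express it.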

+1

A rough description of upcoming network restriction features in Landlock and how they map to the BSD socket API is in the talk at https://youtu.be/K2onopkMhuM?start=2025 starting around 33:45

I really hope we can get back to these features soon :) I think these would be very useful.

What about restricting UDP, or only allowing connections to some IPs?
Technically, IP doesn't have ports. TCP and UDP (and others) individually have the concept of a port. So it makes sense that if you want a port filter, it is a TCP-specific rule.

...of course it is common enough that it would make sense to abstract over the different protocols that have more or less the same concept of ports.