> It makes sense to me to be able to use uid/gid as a selector in
> firewall rules.
It superficially seems to make sense. But it gets messy when you consider that multiple processes with potentially different IDs may have descriptors on a socket - and that linking network packets to sockets is at least something of a layering violation to begin with.

If you want what most of this thread seems to think this is for (let only user U handle traffic on port P), I think the time to do it is connect()/accept(), possibly (depending on exactly what you want) with related code in fork, set*id, and/or SCM_RIGHTS. Maybe sosend() and sorecv(). But not, I would say, per-packet filtering.

And, of course, I'm armchair quarterbacking here. Whatever is implemented here, it won't be by me.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mo...@rodents-montreal.org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
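The "multiple processes may have descriptors on a socket" situation the post describes, as an added example that is not part of the thread: one TCP connection is inherited across fork() and also handed over with SCM_RIGHTS, and the packets that leave it are written through the child's descriptor while the parent still owns the connection, so there is no single process ID a per-packet rule could attach to. It assumes Linux and Python 3.7+ on the loopback interface; the set*id step that would give the two holders different IDs is omitted because it needs privilege, and all names here are the example's own.

```python
import array
import os
import socket

def send_fd(chan, fd):
    """Hand a descriptor to another process over a UNIX socket (SCM_RIGHTS)."""
    chan.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])

def recv_fd(chan):
    """Receive one descriptor sent with send_fd(); returns the new local fd number."""
    _, ancdata, _, _ = chan.recvmsg(1, socket.CMSG_LEN(array.array("i").itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds = array.array("i")
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
            return fds[0]
    raise RuntimeError("no descriptor received")

def demo():
    """Write through one TCP connection from a second process and prove it is the same socket."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # constructed loopback connection, ephemeral port
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    listener.close()
    parent_chan, child_chan = socket.socketpair()
    pid = os.fork()
    if pid == 0:                               # child: a second holder of the same socket
        parent_chan.close()
        conn.close()                           # drop the copy inherited across fork() ...
        fd = recv_fd(child_chan)               # ... and get one back via SCM_RIGHTS instead
        peer = socket.socket(fileno=fd)
        peer.sendall(b"hello from child")      # these packets leave via the child's descriptor
        child_chan.sendall(str(os.fstat(fd).st_ino).encode())
        os._exit(0)
    child_chan.close()
    send_fd(parent_chan, conn.fileno())
    child_inode = int(parent_chan.recv(32))
    payload = client.recv(1024)                # parent reads what the child wrote
    os.waitpid(pid, 0)
    same_socket = child_inode == os.fstat(conn.fileno()).st_ino  # one kernel socket, two holders
    for s in (conn, client, parent_chan):
        s.close()
    return {"same_kernel_socket": same_socket, "payload": payload}

if __name__ == "__main__":
    print(demo())
```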