[lug] iptables redirection
George Sexton
gsexton at mhsoftware.com
Tue Jan 9 08:44:36 MST 2007
Sean Reifschneider wrote:
> On Sun, Jan 07, 2007 at 11:05:37AM -0700, George Sexton wrote:
>
>> just be pure overhead. It would be simpler and more efficient to just
>> remove the requirement from the kernel, and run a custom kernel.
>>
>
> More efficient, probably, but simpler? As someone who has tracked custom
> kernels with my patches in them, I'm a skeptic. This always seems to be a
> big can of worms, particularly when the code you are patching changes.
>
>
Sometimes you get lucky. From net/ipv4/af_inet.c inet_bind()
    err = -EACCES;
    if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
        goto out;
In general though, I agree. I have a patch for Samba that I use. If you
specify a force create mode, samba won't let you later change the file
to read-only. I've got a patch that fixes this. It's a pain to add the
patch and re-compile it.
If, on the other hand, the choices were this or introducing Apache
HTTPD/mod_jk, or some similarly bad thing, then it would look pretty good.
> You can probably do it with SELinux. However, on one box I have running
> it, I'm not getting SELinux alerts about it if I try to bind to <1024 as a
> user.
>
The jsvc approach seems to be working.
> Sean
>
--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
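The inet_bind() check quoted above is easy to observe from user space. The following program is an added example, not code from this message or from the kernel: it tries to bind 127.0.0.1 on a port you name, and next to that computes what the kernel rule should say by reading the effective capability mask from /proc/self/status (bit 10 is CAP_NET_BIND_SERVICE, so no libcap needed) and the threshold from /proc/sys/net/ipv4/ip_unprivileged_port_start. That sysctl, which lowers the fixed PROT_SOCK of 1024, and per-file capabilities via setcap both postdate this 2007 thread (Linux 4.11 and 2.6.24 respectively) and are the usual answer today instead of a kernel patch or an iptables REDIRECT. The helper names try_bind, have_net_bind_service, unprivileged_port_start and expected_bind_result are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* value of CAP_NET_BIND_SERVICE in linux/capability.h */

/* Returns 1 if the process's effective capability set (CapEff in
 * /proc/self/status) contains CAP_NET_BIND_SERVICE, 0 if not, -1 if
 * /proc is unreadable. Avoids a libcap dependency. */
int have_net_bind_service(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long caps = strtoull(line + 7, NULL, 16);
            result = (int)((caps >> CAP_NET_BIND_SERVICE_BIT) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Lowest port an unprivileged process may bind. This is the kernel's
 * PROT_SOCK (1024) unless net.ipv4.ip_unprivileged_port_start has been
 * lowered; on kernels without that sysctl the file is absent and 1024 is used. */
int unprivileged_port_start(void) {
    int start = 1024;
    FILE *f = fopen("/proc/sys/net/ipv4/ip_unprivileged_port_start", "r");
    if (f) {
        if (fscanf(f, "%d", &start) != 1) start = 1024;
        fclose(f);
    }
    return start;
}

/* Try to bind a TCP socket to 127.0.0.1:port. Returns 0 on success,
 * otherwise the errno from socket() or bind() (EACCES is the one inet_bind
 * produces for a privileged port without the capability). */
int try_bind(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int err = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return err;
}

/* The inet_bind() rule restated: port 0 or a port at or above the
 * threshold is always allowed; below it you need CAP_NET_BIND_SERVICE,
 * otherwise the kernel answers EACCES. */
int expected_bind_result(int port) {
    if (port == 0 || port >= unprivileged_port_start()) return 0;
    return have_net_bind_service() == 1 ? 0 : EACCES;
}

int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 80; /* default: the classic privileged port */
    int err = try_bind(port);
    printf("bind(127.0.0.1:%d) -> %s (CAP_NET_BIND_SERVICE %s, threshold %d)\n",
           port, err ? strerror(err) : "ok",
           have_net_bind_service() == 1 ? "held" : "not held",
           unprivileged_port_start());
    return err ? 1 : 0;
}
```

Run it as an ordinary user and it reports EACCES for port 80; run the same binary after `setcap cap_net_bind_service=+ep ./a.out`, or after `sysctl net.ipv4.ip_unprivileged_port_start=80`, and the bind succeeds without root and without any kernel patch. EADDRINUSE means something else already owns the port, which is a different failure from the capability check.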