<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 21 December 2014 at 09:28, Björn Persson <span dir="ltr"><<a href="mailto:Bjorn@rombobjörn.se" target="_blank">Bjorn@rombobjörn.se</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Mattia Verga wrote:<br>
>The alternative could be a "open approach" from Firewalld, where an<br>
>application, when it's executed, can inform firewalld that needs to<br>
>open a port, firewalld asks the user if it should grant access to the<br>
>application and then opens the port... but this needs to be<br>
>implemented in the source of every application, it can eventually be<br>
>sponsored to become a standard in the linux world.<br>
<br>
There is already a way for an application to inform the operating system<br>
that it needs to open a port. It's called the Berkeley socket API, and<br>
every program that communicates across a network already uses it. Why<br>
don't you guys patch GlibC's implementations of bind and connect to<br>
notify FirewallD and get it automatically enabled in every program,<br>
instead of requiring every communicating program to call a second API in<br>
addition to the Berkeley socket API?<br>
<br></blockquote><div><br></div><div>I am expecting because the patch would break other things and would be something that upstream would not want accept to glibc. With Fedora not wanting to put in patches not accepted by upstream it would be less accepted that firewalld is.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Alternatively, cut out the packet filter and have GlibC ask the user<br>
whether the call to bind or connect shall be allowed to succeed (or<br>
automatically allow or deny the call if so configured). This has the<br>
advantage that the program is informed that it's not allowed to<br>
communicate.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Björn Persson<br>
</font></span><br>--<br>
devel mailing list<br>
<a href="mailto:devel@lists.fedoraproject.org">devel@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/devel" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/devel</a><br>
Fedora Code of Conduct: <a href="http://fedoraproject.org/code-of-conduct" target="_blank">http://fedoraproject.org/code-of-conduct</a><br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">Stephen J Smoogen.<br><br></div></div>
</div></div>