Re: Ideas for v2.1

Marc Unangst (mju@cs.cmu.edu)
Mon, 24 Jun 1996 13:51:09 -0400


Alan Cox writes:
> But rsh, rcp, rlogin are setuid, who owns an NFS request, and how do you
> decide who to charge for an ack frame? A separate list might cope
> with this, but then how do you maintain it?

Setuid doesn't matter, since that just affects EUID. The real UID is
still the same. And group membership is unaffected, if you're
checking that way. NFS: it's owned by the person who made the
filesystem request, obviously. Or you just ignore it and permit it to
everyone. (We don't use NFS, so it's not an issue for us.) ACKs are
handled in a different place in the TCP stack (or at least, they are
in the BSD stack).

Remember, you are not looking at this from the standpoint of a router,
you're looking at it from the standpoint of the system calls. You
have a lot more information at that layer than you do if you're just
looking at random IP datagrams.

> We don't have time to scan a list for each packet easily. Not unless you
> say "ok low speed only"

If you have profiling numbers to show that CPU time processing the
packet at this level is in the critical path for performance, okay.
But I doubt it is, and this sort of filtering is pretty inexpensive,
too. ACL enforcement only happens when a TCP socket is connected, or
a UDP datagram is sent; not on every IP datagram. You might as well
say "we don't have time to scan a list for each file open" and get rid
of file ACLs.

-Marc
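
The check described in the message above, sketched as an added example that is not part of the original post or of any kernel: a user-space model of an ACL consulted once per connect()/sendto() and keyed on the real UID and group membership. The rule layout, the sample policy and the names `net_acl`, `cred` and `acl_check` are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Hypothetical rule layout, invented for this sketch. */
struct net_acl { int by_gid; uint32_t id, net, mask; uint16_t lo, hi; int allow; };
struct cred    { uid_t ruid, euid; const gid_t *groups; size_t ngroups; };

/* Constructed sample policy; first match wins, no match means deny. */
static const struct net_acl SAMPLE_ACL[] = {
    { 0, 0,    0,            0,             0,   65535, 1 }, /* real root: anything   */
    { 0, 1000, IP(10,0,0,0), IP(255,0,0,0), 513, 514,   1 }, /* uid 1000: r* to 10/8  */
    { 1, 50,   0,            0,             25,  25,    1 }, /* gid 50: SMTP anywhere */
};
#define SAMPLE_ACL_LEN (sizeof SAMPLE_ACL / sizeof SAMPLE_ACL[0])

static int in_group(const struct cred *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

/* Run once per connect()/sendto(), never per IP datagram. Matches on the
 * REAL uid, so a setuid-root rsh (euid 0) is still judged as its caller. */
int acl_check(const struct net_acl *acl, size_t n, const struct cred *c,
              uint32_t dst, uint16_t port)
{
    for (size_t i = 0; i < n; i++) {
        const struct net_acl *e = &acl[i];
        int subject = e->by_gid ? in_group(c, (gid_t)e->id) : c->ruid == (uid_t)e->id;
        if (subject && (dst & e->mask) == e->net && port >= e->lo && port <= e->hi)
            return e->allow;
    }
    return 0; /* default deny */
}

int main(void)
{
    struct cred rsh = { 1000, 0, NULL, 0 }; /* uid 1000 running setuid-root rsh */
    printf("10.0.0.5:514  -> %d\n", acl_check(SAMPLE_ACL, SAMPLE_ACL_LEN, &rsh, IP(10,0,0,5), 514));
    printf("192.0.2.1:514 -> %d\n", acl_check(SAMPLE_ACL, SAMPLE_ACL_LEN, &rsh, IP(192,0,2,1), 514));
    return 0;
}
```

Because the subject test ignores `euid`, the catch-all rule for real root is not reachable through a setuid binary.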