On Mon, 17 Apr 2006, Patrick McHardy wrote:

> From a pure netfilter POV it would still be nice to have the socket
> hooks for userspace queueing in socket context and filtering hard
> to track protocols. My only question is: if I would port the skfilter
> patches to the current kernel today and fix the unresolved issues,
> would you still prefer this approach?

I think the newer model of marking the packets first via Netfilter then 
interpreting them at the socket layer is superior.  i.e. skfilter is 
probably not preferred for SELinux now.

However, it's still useful for incoming user matching for things like 
user-level firewalling.


- James
-- 
James Morris
<[EMAIL PROTECTED]>