From: James Morris <[EMAIL PROTECTED]>
Date: Thu, 27 Apr 2006 00:58:41 -0400 (EDT)

> On Thu, 27 Apr 2006, Rusty Russell wrote:
> 
> > netfilter (similarly raw sockets, bonding, divert).  Or, we could delay
> > LOCAL_IN hook processing until we get to socket receive.
> 
> This is an idea proposed for skfilter [1], too, allowing packets to be 
> filtered by local endpoint.
> 
> [1] http://people.redhat.com/jmorris/selinux/skfilter/

Moving forward this really is an important problem that we'll need to
solve, and we'll need to solve it such that netfilter can be fully
enabled in tandem with net channels doing their thing.

It's simple: if we don't make them work together, then as a
consequence the real life sites that would benefit the most from net
channels will not see the benefit from them, because they will use
netfilter and they will have firewall rules enabled.  Our work is
largely wasteful if that's what happens.

But let's move forward on the bits we can implement now, believing
optimistically that we will find a way to deal with this issue
properly. :-)

