Stephen Hemminger wrote:
> On Thu, 25 May 2006 16:06:01 -0400
> Paul Moore <[EMAIL PROTECTED]> wrote:
>
>> This patch introduces a new kernel feature designed to support labeled
>> networking protocols such as RIPSO and CIPSO. These protocols are required to
>> interoperate with existing "trusted" operating systems such as Trusted Solaris.
>> I am posting the patch now not because I feel it is ready for inclusion into
>> any of the main kernel trees but because it is usable and I would like to
>> solicit comments from the community sooner rather than later.
>
> Maybe this would be easier and better done via existing netfilter
> infrastructure?

I think this would be rather difficult on the outbound side as protocols like
CIPSO and RIPSO add IP options to the packet. I may be wrong but I thought
that adding to the size of the packet was a no-no in netfilter? Also, doesn't
netfilter get the packet after the checksum has been calculated and the packet
has gone through the xfrm infrastructure?
--
paul moore
linux security @ hp