On Fri, 29 Sep 2006, Paul Moore wrote:

> > Say that the SA is labeled "secret" and you have two FTP clients
> > connecting to a server via xinetd on this SA. Each client additionally
> > labels their packets via CIPSO as secret:c1 and secret:c2 respectively.
> > xinetd launches an FTP server for each at the correct level.
>
> I believe Venkat can address this.
Ok, I'd still really like to see a worked example of just Netlabel + secmark/connsecmark, to see what happens to the connection marks. It seems that the connection mark should always be correct, and restored to the packet. In which case, what happens when a CIPSO label on an established or related packet doesn't match, or you get no CIPSO label (e.g. ICMP from an intermediate router)? Or, would you always be overwriting secmark/connsecmark labeling, and if so, how/why are you using them?

Venkat,

With xfrm labeling, the external packets are always going to be protocol ESP or AH, and we can't connection track the inner protocols. So, external labeling when using xfrm labeling seems somewhat superfluous, except for the case of setting a label based on the interface the packets arrived on. Correct?

If so, all you can realistically do with the flow permissions is bind the ESP/AH packets to types of interfaces (which does seem useful for some folk).

--
James Morris <[EMAIL PROTECTED]>