Currently LSMs need to use a netfilter post routing hook to catch outbound packets and subject them to access control. This works reasonably well but has always been a bit awkward when IPsec or similar mechanisms were used because the same packet would end up going through the same LSM hook multiple times. For obvious reasons this often resulted in unnecessary overhead and additional headaches when trying to determine the correct LSM security policy.
This patch attempts to fix this problem by adding a new hook into both the IPv4 and IPv6 output path. The motivation behind this new hook is a request from users to provide packet level ingress/egress access control for all packets on the system, not just packets that are locally consumed or generated. I know new networking LSM hooks are frowned upon but there has been a lot of thought and discussion put into this and we haven't been able to find a better solution.

I've trimmed the rest of the patchset from this posting as it isn't really relevant for this discussion (the full patchset has been under discussion on the SELinux and LSM lists), but those who are curious can find the patches online here (this will see another update later today):

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

Thanks.

-- 
paul moore
linux security @ hp