Re: [Fireflier-devel] Re: [PATCH][RFC] Security marking

2006-04-28 Thread Patrick McHardy
Török Edwin wrote: Patrick what is the status of solving the skfilter issues? Can I help with testing patches, etc.? Not yet. If nothing gets in between I plan to get the patches ready next week. On Monday 20 February 2006 18:42, Patrick McHardy wrote: Confirmation of conntrack entries.

Re: [Fireflier-devel] Re: [PATCH][RFC] Security marking

2006-04-24 Thread James Morris
On Sun, 23 Apr 2006, Török Edwin wrote: This could be done with nfqueue, modular policy and a pretty simple tool. How do I determine if the policy needs to be changed? I.e. how do I determine if the packet would be dropped? You say packets are silently dropped, won't they generate an avc

Re: [Fireflier-devel] Re: [PATCH][RFC] Security marking

2006-04-23 Thread Török Edwin
On Tuesday 18 April 2006 04:01, James Morris wrote: On Mon, 17 Apr 2006, [EMAIL PROTECTED] wrote: Secmark, or skfilter is exactly what fireflier needs to solve the shared socket issue. Thanks for working on this. If this gets integrated in mainline, fireflier LSM will be dropped. I think

Re: [PATCH][RFC] Security marking

2006-04-19 Thread David S. Miller
From: James Morris [EMAIL PROTECTED] Date: Sun, 16 Apr 2006 01:10:50 -0400 (EDT) So, I propose to introduce a secmark field (per the patch below), which is only present when enabled as a sub-feature of LSM. That is, it does not have any effect at all for the default kernel. As an integer
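The design quoted above (a per-packet integer label that is compiled out of the default kernel, copied along with the skb, and consulted when the packet reaches a socket) as an added example in plain C. This is not code from the patch; the struct layout, the `CONFIG_NETWORK_SECMARK` toggle, the marking rules, the socket label values and the "unlabelled packet passes" rule are all hypothetical stand-ins so the flow mark -> clone -> socket check can be run in user space.

```c
/* Added example modelling the secmark idea: a u32 label on the packet,
 * compiled out when the option is off, carried across an skb clone and
 * checked when the packet is delivered to a socket. Not the patch's code;
 * struct layout, option name, rules and label values are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define CONFIG_NETWORK_SECMARK 1   /* assumption: stands in for a Kconfig option */

typedef uint32_t u32;

struct sk_buff {
    u32 len;
    uint16_t dport;
#ifdef CONFIG_NETWORK_SECMARK
    u32 secmark;   /* only present when the sub-feature is enabled */
#endif
};

#ifdef CONFIG_NETWORK_SECMARK
static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
{
    to->secmark = from->secmark;   /* const: the source is only read */
}
static inline void skb_init_secmark(struct sk_buff *skb) { skb->secmark = 0; }
#else
/* Disabled build: both helpers collapse to nothing, so callers need no #ifdef. */
static inline void skb_copy_secmark(struct sk_buff *to, const struct sk_buff *from)
{ (void)to; (void)from; }
static inline void skb_init_secmark(struct sk_buff *skb) { (void)skb; }
#endif

/* Hypothetical marking rules: the job a netfilter rule would do on ingress. */
struct mark_rule { uint16_t dport; u32 secmark; };
static const struct mark_rule mark_rules[] = {
    { 22, 1 },   /* ssh traffic  -> label 1 */
    { 80, 2 },   /* http traffic -> label 2 */
};

static void netfilter_mark(struct sk_buff *skb)
{
    skb_init_secmark(skb);
    for (size_t i = 0; i < sizeof mark_rules / sizeof *mark_rules; i++) {
        if (mark_rules[i].dport == skb->dport) {
#ifdef CONFIG_NETWORK_SECMARK
            skb->secmark = mark_rules[i].secmark;
#endif
            return;
        }
    }
}

/* Hypothetical policy: which socket label may receive which packet label.
 * Stands in for an access-vector check on the pair (socket label, secmark). */
struct allow_rule { u32 sock_sid; u32 secmark; };
static const struct allow_rule allow_rules[] = {
    { 100, 1 },   /* "sshd" socket  may receive ssh-labelled packets */
    { 200, 2 },   /* "httpd" socket may receive http-labelled packets */
};

enum { VERDICT_ACCEPT = 0, VERDICT_DROP = -1 };

/* Stand-in for a socket receive hook. Assumption: a packet no rule
 * labelled (secmark 0) is outside the policy and is accepted. */
static int socket_sock_rcv_skb(u32 sock_sid, const struct sk_buff *skb)
{
#ifdef CONFIG_NETWORK_SECMARK
    if (skb->secmark == 0)
        return VERDICT_ACCEPT;
    for (size_t i = 0; i < sizeof allow_rules / sizeof *allow_rules; i++)
        if (allow_rules[i].sock_sid == sock_sid && allow_rules[i].secmark == skb->secmark)
            return VERDICT_ACCEPT;
    return VERDICT_DROP;
#else
    (void)sock_sid; (void)skb;
    return VERDICT_ACCEPT;   /* default kernel: the label has no effect */
#endif
}

/* A packet to dport delivered to a socket labelled sock_sid: mark, clone, check. */
static int deliver(uint16_t dport, u32 sock_sid)
{
    struct sk_buff skb = { .len = 64, .dport = dport };
    netfilter_mark(&skb);
    struct sk_buff clone = { .len = skb.len, .dport = skb.dport };
    skb_copy_secmark(&clone, &skb);   /* the label must survive the clone */
    return socket_sock_rcv_skb(sock_sid, &clone);
}

int main(void)
{
    printf("ssh  -> sshd  : %d\n", deliver(22, 100));
    printf("http -> sshd  : %d\n", deliver(80, 100));
    printf("http -> httpd : %d\n", deliver(80, 200));
    printf("other-> any   : %d\n", deliver(443, 300));
    return 0;
}
```

Flipping `CONFIG_NETWORK_SECMARK` off makes every verdict `VERDICT_ACCEPT` without touching the callers, which is the property the proposal claims for the default kernel; the socket-side check is where the shared-socket problem from the Fireflier discussion is decided, since the label arrives on the packet rather than on the process.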

Re: [PATCH][RFC] Security marking

2006-04-17 Thread Patrick McHardy
James Morris wrote: Last year, I posted a set of patches to allow iptables matching against associated processes for incoming packets. With this patch, I'm proposing a much simpler alternative and soliciting feedback on the idea from other networking developers. For the original

Re: [PATCH][RFC] Security marking

2006-04-17 Thread edwin
Secmark, or skfilter is exactly what fireflier needs to solve the shared socket issue. Thanks for working on this. If this gets integrated in mainline, fireflier LSM will be dropped. Is it possible to have an SELinux policy that reinjects the packets if it didn't match any rules? I.e. if a

Re: [PATCH][RFC] Security marking

2006-04-17 Thread Patrick McHardy
James Morris wrote: On Mon, 17 Apr 2006, Patrick McHardy wrote: From a pure netfilter POV it would still be nice to have the socket hooks for userspace queueing in socket context and filtering hard to track protocols. My only question is: if I would port the skfilter patches to the current

Re: [PATCH][RFC] Security marking

2006-04-17 Thread James Morris
On Mon, 17 Apr 2006, [EMAIL PROTECTED] wrote: Secmark, or skfilter is exactly what fireflier needs to solve the shared socket issue. Thanks for working on this. If this gets integrated in mainline, fireflier LSM will be dropped. I think you probably need skfilter as a standalone option.

[PATCH][RFC] Security marking

2006-04-15 Thread James Morris
Last year, I posted a set of patches to allow iptables matching against associated processes for incoming packets. With this patch, I'm proposing a much simpler alternative and soliciting feedback on the idea from other networking developers. For the original patches and discussion, see:

Re: [PATCH][RFC] Security marking

2006-04-15 Thread James Morris
On Sun, 16 Apr 2006, James Morris wrote: +static inline void skb_copy_secmark(struct sk_buff *to, struct sk_buff *from) (Btw, I know the last param here needs to be const, fixed locally). -- James Morris [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in
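Review bot: in the quoted `+static inline void skb_copy_secmark(struct sk_buff *to, struct sk_buff *from)` the `from` parameter is not const-qualified although the helper only reads from it; declare it `const struct sk_buff *from` so callers holding a const skb can use it, which is the fix the follow-up says was made locally.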