On 9/20/2018 12:18 AM, Christian Göttsche wrote:
>> I've only had a cursory look at your patch, but how is it
>> different from what's in xt_SECMARK.c ?
> xt_SECMARK.c is for xtables, usable in iptables; this is for nftables (nft)
Thank you. I am enlightened.
Casey Schaufler wrote:
> On 9/19/2018 4:14 PM, Christian Göttsche wrote:
> > Add the ability to set the security context of packets within the nf_tables
> > framework.
> > Add a nft_object for holding security contexts in the kernel and
> > manipulating packets on the wire.
> > The contexts are
Christian Göttsche wrote:
> > Fixes should go into nf.git whereas feature goes to nf-next.git.
>
> No, that should not be an unroll fix.
> Currently there are no objects registered by the main nf_tables
> module, so for nft_secmark_obj_type I had to introduce this new logic.
I see, ok.
> > > > +
> > > + for (i = 0; i < ARRAY_SIZE(nft_basic_objects); i++) {
> > > + err = nft_register_obj(nft_basic_objects[i]);
> > > + if (err)
> > > + goto err;
> > > + }
> > >
> > > - for (i = 0; i < ARRAY_SIZE(nft_basic_types); i++) {
> > > - err = nft_
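Review bot: the `goto err` inside the `nft_basic_objects` registration loop needs an error path that unregisters the object types registered by earlier iterations; the `err:` label itself is not visible in this hunk, so it is unclear whether it does, and a failure part-way through the loop would otherwise leave stale object types registered. A descriptive label such as `err_unregister_obj` would also read better than a label named after the `err` variable.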
On Thu, Sep 20, 2018 at 10:50:48AM +0200, Florian Westphal wrote:
> Casey Schaufler wrote:
> > On 9/19/2018 4:14 PM, Christian Göttsche wrote:
> > > Add the ability to set the security context of packets within the
> > > nf_tables framework.
> > > Add a nft_object for holding security contexts in
> I've only had a cursory look at your patch, but how is it
> different from what's in xt_SECMARK.c ?
xt_SECMARK.c is for xtables, usable in iptables; this is for nftables (nft)
On 9/19/2018 4:14 PM, Christian Göttsche wrote:
> Add the ability to set the security context of packets within the nf_tables
> framework.
> Add a nft_object for holding security contexts in the kernel and manipulating
> packets on the wire.
> The contexts are kept as strings and are evaluated to