On Fri, 7 Mar 2008, Konrad wrote:

>>> Nice, you probably want to keep the application/kernel tag name spaces
>>> distinct though. Otherwise it would be easy for any local user/program
>>> to mess with pf.conf generated tags and bypass filtering etc. It could
>>> be as easy as adding a prefix ("APP_" ?) to all application generated
>>> tags.
>
>>actually you have a point here... sockets don't even require root.
>
>That is true, my point is that to change the tags in the kernel is not
>a nice way. A program which sets the tag "VPN1" and will get
>"APP_VPN1" ?? This is not a good behavior, IMHO.

Why not just require that any application-generated tag must start with
some fixed string ("APP_" or "@" or whatever)?

Dave

--
Dave Anderson <[EMAIL PROTECTED]>