* Dave Anderson <[EMAIL PROTECTED]> [2008-03-07 17:34]:
> On Fri, 7 Mar 2008, Konrad wrote:
>
> >>> Nice, you probably want to keep the application/kernel tag name spaces
> >>> distinct though. Otherwise it would be easy for any local user/program
> >>> to mess with pf.conf generated tags and bypass filtering etc. It could
> >>> be as easy as adding a prefix ("APP_" ?) to all application generated
> >>> tags.
> >
> >>actually you have a point here... sockets don't even require root.
> >
> >That is true, my point is that to change the tags in the kernel is not
> >a nice way. A program which set the tag "VPN1" and will get
> >"APP_VPN1" ?? This is not a good behavior, IMHO.
>
> Why not just require that any application-generated tag must start with
> some fixed string ("APP_" or "@" or whatever)?

not enough, you don't want an app started by joe random to assign the same
packet as, say, ftp-proxy...

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam