From: Paul Moore <[EMAIL PROTECTED]>
Date: Thu, 03 Jan 2008 12:25:39 -0500

> Add an inet_sys_snd_skb() LSM hook to allow the LSM to provide packet level
> access control for all outbound packets. Using the existing postroute_last
> netfilter hook turns out to be problematic as it can be invoked multiple
> times for a single packet, e.g. individual IPsec transforms, adding unwanted
> overhead and complicating the security policy.
>
> Signed-off-by: Paul Moore <[EMAIL PROTECTED]>

I disagree with this change.

The packet is different each time you see it in the postrouting hook, and also the new hook is thus redundant.

If it's a performance issue and you can classify the security early, mark the SKB as "seen" and then on subsequent hooks you can just return immediately if that flag is set.