Török Edwin wrote:
> Patrick what is the status of solving the skfilter issues? Can I help with
> testing patches, etc.?
Not yet. If nothing gets in between I plan to get the patches ready
next week.
> On Monday 20 February 2006 18:42, Patrick McHardy wrote:
>
>>Confirmation of conntrack entri
On Sun, 23 Apr 2006, Török Edwin wrote:
> > This could be done with nfqueue, modular policy and a pretty simple tool.
> How do I determine if the policy needs to be changed? I.e. how do I determine
> if the packet would be dropped? You say packets are silently dropped, won't
> they generate an a
On Tuesday 18 April 2006 04:01, James Morris wrote:
> On Mon, 17 Apr 2006, [EMAIL PROTECTED] wrote:
> > Secmark, or skfilter is exactly what fireflier needs to solve the shared
> > socket issue. Thanks for working on this. If this gets integrated in
> > mainline, fireflier LSM will be dropped.
>
>
From: James Morris <[EMAIL PROTECTED]>
Date: Sun, 16 Apr 2006 01:10:50 -0400 (EDT)
> So, I propose to introduce a secmark field (per the patch below), which is
> only present when enabled as a sub-feature of LSM. That is, it does not
> have any effect at all for the default kernel. As an integ
On Mon, 17 Apr 2006, [EMAIL PROTECTED] wrote:
> Secmark, or skfilter is exactly what fireflier needs to solve the shared
> socket issue. Thanks for working on this. If this gets integrated in
> mainline, fireflier LSM will be dropped.
I think you probably need skfilter as a standalone option.
James Morris wrote:
> On Mon, 17 Apr 2006, Patrick McHardy wrote:
>
>
>>From a pure netfilter POV it would still be nice to have the socket
>>hooks for userspace queueing in socket context and filtering hard
>>to track protocols. My only question is: if I would port the skfilter
>>patches to the
On Mon, 17 Apr 2006, Patrick McHardy wrote:
> From a pure netfilter POV it would still be nice to have the socket
> hooks for userspace queueing in socket context and filtering hard
> to track protocols. My only question is: if I would port the skfilter
> patches to the current kernel today and f
Secmark, or skfilter is exactly what fireflier needs to solve the shared socket
issue. Thanks for working on this.
If this gets integrated in mainline, fireflier LSM will be dropped.
Is it possible to have an SELinux policy that reinjects the packets if they didn't
match any rules?
I.e. if a progra
James Morris wrote:
> Last year, I posted a set of patches to allow iptables matching against
> associated processes for incoming packets. With this patch, I'm proposing
> a much simpler alternative and soliciting feedback on the idea from other
> networking developers.
>
> For the original p
On Sun, 16 Apr 2006, James Morris wrote:
> +static inline void skb_copy_secmark(struct sk_buff *to, struct sk_buff *from)
(Btw, I know the last param here needs to be const, fixed locally).
--
James Morris
<[EMAIL PROTECTED]>
Last year, I posted a set of patches to allow iptables matching against
associated processes for incoming packets. With this patch, I'm proposing
a much simpler alternative and soliciting feedback on the idea from other
networking developers.
For the original patches and discussion, see:
http