On Wednesday 2009-01-21 09:15, Peter Dolding wrote:

> I really don't see the need for special here other than improving iptables.
> LSM module is overkill. This leads to double processing of packet requests.
> netfilter already can operate as either MAC or DAC all depending on
> the rules passed into it and the outside LSM applied.

But it cannot be used for personal firewalls at this time. Incoming packets
have no process context because they are processed before that is determined,
and similarly, outgoing packets have already left most of the process context
behind them. Additionally, Netfilter cannot reject bind() calls *at all*.
That is the reason this is done as an LSM in the first place.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
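The distinction the reply draws (a bind() decision needs the calling process, a packet decision only has the packet) can be modelled in userspace. The following is an added example, not code from the thread or from any LSM or Netfilter source: it imitates what an LSM `socket_bind` hook can decide from process identity plus the requested port, using a constructed first-match policy, and shows that a packet-level view carries no such context. The struct names, the policy rules and the executable names are assumptions made for illustration.

```c
/* Added example: userspace model of a per-process bind() policy.
 * Not kernel code; it only mirrors the shape of an LSM socket_bind hook. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slice of process context an LSM hook has at bind() time (assumed shape). */
struct task_ctx {
    const char *comm;   /* executable name, e.g. "nginx" */
    uint32_t uid;
};

#define ANY_UID UINT32_MAX

/* One rule of a constructed bind policy: which executable/uid may bind which ports. */
struct bind_rule {
    const char *comm;          /* "*" matches any executable */
    uint32_t uid;              /* ANY_UID matches any uid */
    uint16_t port_lo, port_hi; /* inclusive port range */
    int allow;                 /* 1 = allow, 0 = deny */
};

/* Constructed policy: first matching rule wins, unmatched requests are denied. */
static const struct bind_rule policy[] = {
    { "nginx", ANY_UID, 80,   80,    1 },
    { "nginx", ANY_UID, 443,  443,   1 },
    { "*",     ANY_UID, 1,    1023,  0 },  /* nothing else on privileged ports */
    { "*",     ANY_UID, 1024, 65535, 1 },  /* any process may use high ports  */
};

/* Model of the bind-time check: 0 allows the bind(), -EACCES rejects it
 * before any socket is ever bound, something a packet filter cannot do. */
int socket_bind_hook(const struct task_ctx *task, uint16_t port)
{
    size_t n = sizeof policy / sizeof policy[0];
    for (size_t i = 0; i < n; i++) {
        const struct bind_rule *r = &policy[i];
        if (strcmp(r->comm, "*") != 0 && strcmp(r->comm, task->comm) != 0)
            continue;
        if (r->uid != ANY_UID && r->uid != task->uid)
            continue;
        if (port < r->port_lo || port > r->port_hi)
            continue;
        return r->allow ? 0 : -EACCES;
    }
    return -EACCES; /* default deny */
}

/* What a Netfilter hook sees for the same traffic: only the 5-tuple.
 * There is no task_ctx field here, so the policy above cannot be expressed
 * at this layer; that is the reply's point about missing process context. */
struct flow {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t proto;
};

int main(void)
{
    struct task_ctx web = { "nginx", 33 };
    struct task_ctx tool = { "python3", 1000 };
    printf("nginx   :80   -> %d\n", socket_bind_hook(&web, 80));    /* 0 */
    printf("python3 :80   -> %d\n", socket_bind_hook(&tool, 80));   /* -EACCES */
    printf("python3 :8080 -> %d\n", socket_bind_hook(&tool, 8080)); /* 0 */
    return 0;
}
```

The model keeps the decision at the point where `comm` and `uid` are known; once the request has turned into a `struct flow`, that information is gone, which is why the reply argues the check belongs in an LSM hook rather than in iptables rules.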