On Tuesday 2010-09-28 00:48, Pablo Neira Ayuso wrote: >On 27/09/10 21:25, Eric Paris wrote: >> I see it as having 3 options. lets assume was have a packet with >> selinux sid=121 and selinux context=packet_t. We can >> >> 1) secmark=121 secctx=packet_t >> This continues to send secmark like we do and people might continue to >> be baffled by the 121. >> >> 2) secmark=1 secctx=packet_t >> This sends a secmark field to userspace so if an application which >> reads this exists (I doubt such an application actually exists in in the >> real world) it will still get all of the information it got before but >> noone will be baffled by what the number means. 1/0 is pretty obvious. > >In netlink, we can obsolete fields without breaking backward >compatibility. Applications parsing the /proc entry may break, but they >should use stable interfaces (like netlink) instead. Which I take as a pro stance on not adding any more procfs fields. >BTW, if we finally stop including CTA_SECMARK in netlink messages, >please add a small comment on the right of the definition in >nfnetlink_conntrack.h (something like /* obsolete */ or /* unused */). >Thanks! Mh, I prefer "obsolete". A lot of times in the kernel there is "unused" and it reads like, "if it's unused, why is is there?" (it /is/ used, though as a filler). -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html