On Wed, 2010-11-17 at 12:43 +0100, Patrick McHardy wrote:
> On 16.11.2010 22:52, Eric Paris wrote:
> > The SELinux netfilter hooks just return NF_DROP if they drop a packet. We
> > want to signal that a drop in this hook is a permanent fatal error and is not
> > transient. If we do this the error will be passed back up the stack in some
> > places and applications will get a faster interaction that something went
> > wrong.
>
> Looks good to me. I'd suggest to have these patches go through Dave's
> tree since I want to make use of the netfilter error propagation
> mechanism to return proper errno codes for netfilter re-routing
> failures.

I'd be happy if Dave pulled patches 1 and 2. I can resend patch #3 once
I can cajole another of the SELinux maintainers to look at it (I believe
the most likely one is on vacation this week)

-Eric