From: Eric Paris <eparis@xxxxxxxxxx>
Date: Wed, 17 Nov 2010 09:38:59 -0500

> On Wed, 2010-11-17 at 12:43 +0100, Patrick McHardy wrote:
>> On 16.11.2010 22:52, Eric Paris wrote:
>> > The SELinux netfilter hooks just return NF_DROP if they drop a packet. We
>> > want to signal that a drop in this hook is a permanent fatal error and is not
>> > transient. If we do this the error will be passed back up the stack in some
>> > places and applications will get a faster interaction that something went
>> > wrong.
>>
>> Looks good to me. I'd suggest to have these patches go through Dave's
>> tree since I want to make use of the netfilter error propagation
>> mechanism to return proper errno codes for netfilter re-routing
>> failures.
>
> I'd be happy if Dave pulled patches 1 and 2. I can resend patch #3 once
> I can cajole another of the SELinux maintainers to look at it (I believe
> the most likely one is on vacation this week)

I think it's best to pull this all into net-next-2.6 now, so that's
what I'm doing right now.

If there are problems we can apply changes on top.

Thanks.