Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> I just think that having some clear use case for this is important.
>
> If your original idea is just to attach labels to help sysadmins to
> understand what's going on through the gateway, then we can leave this
> as is and add some new specific extension for nfgrep once it comes
> into place.

No, I intend for userspace to assign labels to connections, e.g. via NFQUEUE.
Also, labels should also be made available via ctnetlink, e.g. for
logging/accounting.

Example: Conntracks are interface agnostic, so you would be able to provide
"came in via interface X" information via connlabels.

My main problem is currently understanding what nfgrep needs.

Since you suggested to do all labelname<->number mapping in userspace, how would
the nfgrep part assign a label? Is that also done via netfilter rules, or via
some "module magic" feature?

It would be nice to come up with something that fits nfgrep needs, too.

Best regards,
Florian
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html