Re: decipher the secmark number from nf_conntrack/ip_conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




http://www.spinics.net/lists/netfilter/msg49106.html

I don't think that approach is right.  Exporting a number at ALL is
broken.  It should only ever say the name.
I am aware of that and the proposed patch works as I did test it after Tom released it yesterday.

As for your comment above - it is better than NOTHING.

If you think that the current scenario, when I see meaningless number in the secmark field, helps me track the actual security context of the listed connection, then think again, because there is NO way I could know what number maps to which context.

Tom's patch at least gives me that mapping when I list the mangle table, so it is a start and it works. Again, - the patch, if applied, is better than what currently exists in iptables. Also, 'exporting a number at all' is NOT broken - look at Tom's patch again - it does not break anything.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux