Re: decipher the secmark number from nf_conntrack/ip_conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Sep 21, 2010 at 4:13 PM, Mr Dash Four
<mr.dash.four@xxxxxxxxxxxxxx> wrote:
>
>>> http://www.spinics.net/lists/netfilter/msg49106.html
>>>
>>> I don't think that approach is right.  Exporting a number at ALL is
>>> broken.  It should only ever say the name.
>>>
>>
>> I am aware of that and the proposed patch works as I did test it after Tom
>> released it yesterday.
>>
>> As for your comment above - it is better than NOTHING.
>>
>> If you think that the current scenario, when I see meaningless number in
>> the secmark field, helps me track the actual security context of the listed
>> connection, then think again, because there is NO way I could know what
>> number maps to which context.
>>
>> Tom's patch at least gives me that mapping when I list the mangle table,
>> so it is a start and it works. Again, - the patch, if applied, is better
>> than what currently exists in iptables. Also, 'exporting a number at all' is
>> NOT broken - look at Tom's patch again - it does not break anything.

No disagreement that Tom's patch is better than what we have today, I
just claim that what we have today is completely wrong, so this is
only slightly better   :)

sids, secids, secmarks, or whatever you want to call that u32 is just
a dynamically generated number which should only exist inside the
kernel and should never be shown to userspace.  Loading secmark rules
uses a full context string and then uses that string to generate a u32
which the kernel can efficiently use.  When we display things back to
userspace we should always be converting that u32 back to a string.
I'm working on a patch to do this (actually it's compiling while I
type)

-Eric
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux