On Tue, Sep 21, 2010 at 4:13 PM, Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> wrote: > >>> http://www.spinics.net/lists/netfilter/msg49106.html >>> >>> I don't think that approach is right. Exporting a number at ALL is >>> broken. It should only ever say the name. >>> >> >> I am aware of that and the proposed patch works as I did test it after Tom >> released it yesterday. >> >> As for your comment above - it is better than NOTHING. >> >> If you think that the current scenario, when I see meaningless number in >> the secmark field, helps me track the actual security context of the listed >> connection, then think again, because there is NO way I could know what >> number maps to which context. >> >> Tom's patch at least gives me that mapping when I list the mangle table, >> so it is a start and it works. Again, - the patch, if applied, is better >> than what currently exists in iptables. Also, 'exporting a number at all' is >> NOT broken - look at Tom's patch again - it does not break anything. No disagreement that Tom's patch is better than what we have today, I just claim that what we have today is completely wrong, so this is only slightly better :) sids, secids, secmarks, or whatever you want to call that u32 is just a dynamically generated number which should only exist inside the kernel and should never be shown to userspace. Loading secmark rules uses a full context string and then uses that string to generate a u32 which the kernel can efficiently use. When we display things back to userspace we should always be converting that u32 back to a string. I'm working on a patch to do this (actually it's compiling while I type) -Eric -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
