Re: decipher the secmark number from nf_conntrack/ip_conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




No disagreement that Tom's patch is better than what we have today, I
just claim that what we have today is completely wrong, so this is
only slightly better   :)
No argument there!

sids, secids, secmarks, or whatever you want to call that u32 is just
a dynamically generated number which should only exist inside the
kernel and should never be shown to userspace.  Loading secmark rules
uses a full context string and then uses that string to generate a u32
which the kernel can efficiently use.  When we display things back to
userspace we should always be converting that u32 back to a string.
I'm working on a patch to do this (actually it's compiling while I
type)
Again, we are in agreement - 100%

What baffles me really is how has this survived for so long?

The secmark field number has been there, I assume, for ages and yet nobody could make sense of that number let alone, as you rightly pointed out, raise the issue that this number should not be there in the first place!
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux