> My current patch looks like so:
> cat /proc/net/nfs_conntrack
> ipv4 2 udp 17 8 src=10.11.231.82 dst=10.11.255.156 sport=34095 dport=53 src=10.11.255.156 dst=10.11.231.82 sport=53 dport=34095 mark=0 secmark=system_u:object_r:unlabeled_t:s0 use=2
Bravo! It even says 'unlabeled' (wrong spelling you see, though I know
that is not your fault, relax - I won't blame you for that). I assume
that meaningless secmark number was 0, is that correct?
> It appears that we send this information up some netlink socket in
> nf_conntrack_netlink.c. I'm not sure what is consuming this data so
> I'm not sure how to test. Anyone have any pointers? I'm also worried
> what such a change will do to users of this interface....
My guess would be that whoever needed it would have been using the
kernel functions to do anything meaningful with it, unless, of course, a
simple check for does it/does it not have SELinux context defined (i.e.
secmark<>0).
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
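The compatibility worry raised above (a consumer that reads secmark as a number seeing an SELinux context string instead) is easy to check from the /proc side. The parser below is an added example, not code from the thread or the patch: it reads /proc/net/nf_conntrack entries and accepts secmark in both the old numeric form and the patched context-string form, and exposes the "secmark<>0" test the reply mentions. The sample entries are constructed, the first mirroring the quoted patched output.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines: entry 1 mirrors the patched output quoted in the
# thread; entry 2 is the pre-patch form with a numeric secmark.
SAMPLE = """\
ipv4     2 udp      17 8 src=10.11.231.82 dst=10.11.255.156 sport=34095 dport=53 src=10.11.255.156 dst=10.11.231.82 sport=53 dport=34095 mark=0 secmark=system_u:object_r:unlabeled_t:s0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=40000 [ASSURED] mark=0 secmark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")

@dataclass
class Conntrack:
    l3proto: str
    l4proto: str
    timeout: int
    state: Optional[str]   # only TCP entries carry a state token
    orig: dict             # original-direction tuple
    reply: dict            # reply-direction tuple
    flags: list            # e.g. ASSURED, UNREPLIED
    mark: int
    secmark_raw: str       # kept as text: may be "0", "42" or a context
    use: int

    @property
    def secmark_context(self) -> Optional[str]:
        """SELinux context when the kernel exposes one, else None."""
        return None if self.secmark_raw.isdigit() else self.secmark_raw

    @property
    def has_secmark(self) -> bool:
        """The 'secmark<>0' check: works for both numeric and context forms."""
        return self.secmark_raw not in ("", "0")

def parse_line(line: str) -> Conntrack:
    tokens = line.split()
    l3proto, _l3num, l4proto, _l4num, timeout = tokens[:5]
    rest = tokens[5:]
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)                      # ESTABLISHED, TIME_WAIT, ...
    orig, reply, other, flags = {}, {}, {}, []
    for tok in rest:
        if tok.startswith("["):                  # bracketed status flags
            flags.append(tok.strip("[]"))
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:                    # first occurrence = orig, second = reply
            (orig if key not in orig else reply)[key] = value
        else:
            other[key] = value
    return Conntrack(l3proto, l4proto, int(timeout), state, orig, reply, flags,
                     int(other.get("mark", "0")), other.get("secmark", ""),
                     int(other.get("use", "0")))

def parse(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]
```

Feeding it the real file (`parse(open("/proc/net/nf_conntrack").read())`) shows directly whether any tool in the pipeline still assumes `int(secmark)`.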