Re: decipher the secmark number from nf_conntrack/ip_conntrack

My current patch looks like so:

cat /proc/net/nfs_conntrack

ipv4     2 udp      17 8 src=10.11.231.82 dst=10.11.255.156
sport=34095 dport=53 src=10.11.255.156 dst=10.11.231.82 sport=53
dport=34095 mark=0 secmark=system_u:object_r:unlabeled_t:s0 use=2
Bravo! It even says 'unlabeled' (wrong spelling, you see, though I know that is not your fault; relax, I won't blame you for that). I assume that meaningless secmark number was 0, is that correct?

It appears that we send this information up some netlink socket in
nf_conntrack_netlink.c.  I'm not sure what is consuming this data so
I'm not sure how to test.  Anyone have any pointers?  I'm also worried
what such a change will do to users of this interface....
My guess would be that whoever needed it would have been using the kernel functions to do anything meaningful with it, unless, of course, it is a simple check for whether it does or does not have an SELinux context defined (i.e. secmark <> 0).
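As an added illustration of that "secmark set or not" check (example code written for this archive page, not from the thread or the kernel patch): a small parser for /proc/net/nf_conntrack lines whose test works for both the old numeric secmark and the context string the patch prints. The first sample line is the output quoted above; the second and third lines, the example_packet_t type, and the assumption that an unset mark prints as the unlabeled_t type are constructed.

```python
import re

# Constructed sample lines in the /proc/net/nf_conntrack layout quoted in the
# thread (the real file has one entry per line). Line 1 is the labeled form
# from the patch output above; lines 2 and 3 are constructed: the pre-patch
# numeric form (secmark=0) and a labeled entry with an assumed packet type.
SAMPLE_LINES = [
    "ipv4     2 udp      17 8 src=10.11.231.82 dst=10.11.255.156 "
    "sport=34095 dport=53 src=10.11.255.156 dst=10.11.231.82 sport=53 "
    "dport=34095 mark=0 secmark=system_u:object_r:unlabeled_t:s0 use=2",
    "ipv4     2 tcp      6 431999 ESTABLISHED src=10.11.231.82 dst=10.11.255.156 "
    "sport=40000 dport=22 src=10.11.255.156 dst=10.11.231.82 sport=22 "
    "dport=40000 [ASSURED] mark=0 secmark=0 use=1",
    "ipv4     2 tcp      6 300 ESTABLISHED src=10.11.231.82 dst=10.11.255.156 "
    "sport=40001 dport=443 src=10.11.255.156 dst=10.11.231.82 sport=443 "
    "dport=40001 [ASSURED] mark=0 secmark=system_u:object_r:example_packet_t:s0 use=1",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport"}  # listed twice: original, then reply

def parse_entry(line):
    """Parse one nf_conntrack line: fixed columns l3proto, l3num, l4proto,
    l4num, timeout, then key=value pairs. The first src/dst/sport/dport set
    is the original direction, the second the reply; other keys stay flat."""
    fields = line.split()
    entry = {"l3proto": fields[0], "l4proto": fields[2],
             "timeout": int(fields[4]), "orig": {}, "reply": {}}
    for key, value in KV_RE.findall(line):
        if key in TUPLE_KEYS:
            side = "orig" if key not in entry["orig"] else "reply"
            entry[side][key] = value
        else:
            entry[key] = value
    return entry

def has_secmark(entry):
    """True if the entry carries a meaningful security mark, in either the
    numeric pre-patch form (0 means unset) or the context form, where an
    unset mark is assumed to print as the unlabeled_t type (user:role:type:level)."""
    secmark = entry.get("secmark", "0")
    if secmark.isdigit():
        return int(secmark) != 0
    parts = secmark.split(":")
    return len(parts) >= 3 and parts[2] != "unlabeled_t"

def labeled_entries(lines):
    """Return parsed entries whose secmark is set, whichever format is in use."""
    return [e for e in map(parse_entry, lines) if has_secmark(e)]
```

Feeding it the real file (`labeled_entries(open("/proc/net/nf_conntrack"))`) gives the same answer before and after the patch, which is the compatibility point raised above: consumers that only test for a set mark keep working, while anything that did arithmetic on the number would not.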
