Re: decipher the secmark number from nf_conntrack/ip_conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 2010-09-22 01:10, Eric Paris wrote:
>>>My current patch looks like so:
>>>
>>>cat /proc/net/nfs_conntrack
>>>
>>>ipv4   2 udp   Â17 8 src=10.11.231.82 dst=10.11.255.156
>>>sport=34095 dport=53 src=10.11.255.156 dst=10.11.231.82 sport=53
>>>dport=34095 mark=0 secmark=system_u:object_r:unlabeled_t:s0 use=2
>>
>> I think that rather than bloating ancient procfs files with more info,
>> the respective userspace tool should be augmented by secmark name
>> resolution instead. Then we would also not need change anything inside
>> the kernel, or its interfaces to userspace.
>
>It is not possible for userspace to resolve these numbers to something
>useful.  They are dynamically generated numbers which are just kernel
>internal helpers.

Ok so I had a misconception about how `ls -Z` worked. Guess the
UID/GID stuff misled pretty hard.

> This is the only known place that the kernel shows
>its underpants to in public and it should be fixed.  My only question
>is if fixing like this it is likely to break anything.
>
>  Otherwise I'm
>going to hard code those to 0 or 1 and export the label in a new
>field....

The allocated secmark nlattr value should not be reused;
it's easy to use a new nla id for the secname and omit
transmission of secmark in nl chatter.

For ye olde /proc/net/nf_conntrack, we can just remove secmark
altogether because userspace does not depend on it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux