Re: decipher the secmark number from nf_conntrack/ip_conntrack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/21/10 1:26 PM, Eric Paris wrote:
> On Tue, Sep 21, 2010 at 4:13 PM, Mr Dash Four
> <mr.dash.four@xxxxxxxxxxxxxx> wrote:
>>
>>>> http://www.spinics.net/lists/netfilter/msg49106.html
>>>>
>>>> I don't think that approach is right.  Exporting a number at ALL is
>>>> broken.  It should only ever say the name.
>>>>
>>>
>>> I am aware of that and the proposed patch works as I did test it after Tom
>>> released it yesterday.
>>>
>>> As for your comment above - it is better than NOTHING.
>>>
>>> If you think that the current scenario, when I see meaningless number in
>>> the secmark field, helps me track the actual security context of the listed
>>> connection, then think again, because there is NO way I could know what
>>> number maps to which context.
>>>
>>> Tom's patch at least gives me that mapping when I list the mangle table,
>>> so it is a start and it works. Again, - the patch, if applied, is better
>>> than what currently exists in iptables. Also, 'exporting a number at all' is
>>> NOT broken - look at Tom's patch again - it does not break anything.
> 
> No disagreement that Tom's patch is better than what we have today, I
> just claim that what we have today is completely wrong, so this is
> only slightly better   :)

My patch took two minutes to concoct and I make no claim of excellence :)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Attachment: signature.asc
Description: OpenPGP digital signature


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux