On 9/21/10 1:26 PM, Eric Paris wrote:
> On Tue, Sep 21, 2010 at 4:13 PM, Mr Dash Four
> <mr.dash.four@xxxxxxxxxxxxxx> wrote:
>>
>>>> http://www.spinics.net/lists/netfilter/msg49106.html
>>>>
>>>> I don't think that approach is right. Exporting a number at ALL is
>>>> broken. It should only ever say the name.
>>>>
>>>
>>> I am aware of that and the proposed patch works as I did test it after Tom
>>> released it yesterday.
>>>
>>> As for your comment above - it is better than NOTHING.
>>>
>>> If you think that the current scenario, when I see meaningless number in
>>> the secmark field, helps me track the actual security context of the listed
>>> connection, then think again, because there is NO way I could know what
>>> number maps to which context.
>>>
>>> Tom's patch at least gives me that mapping when I list the mangle table,
>>> so it is a start and it works. Again, - the patch, if applied, is better
>>> than what currently exists in iptables. Also, 'exporting a number at all' is
>>> NOT broken - look at Tom's patch again - it does not break anything.
>
> No disagreement that Tom's patch is better than what we have today, I
> just claim that what we have today is completely wrong, so this is
> only slightly better :)

My patch took two minutes to concoct and I make no claim of excellence :)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________