On Thursday 2010-09-23 22:18, Mr Dash Four wrote:

>>> What happens to the new /nf(s)_conntrack
>>
>>If anything, secmark=x should be removed. Abusing procfs is deprecated. No
>>userspace program depends on it.
>
>I've just read the above again. Are you actually suggesting that no
>program in userspace uses /proc/net/nf_conntrack? If so, you are
>mistaken, my friend!

No program hard-depends on "secmark=" (not: no program depends on
procfs/nfct). That field does not show up if you have SECMARK disabled -
it is guarded by #ifdef - so any parsers out there have to cater for its
absence. In other words, it is safe to remove the field from the output.

>I use it a lot via 'cat' and Shorewall (via 'shorewall show connections'). I
>use it for one particular reason - to track SELinux contexts (text, NOT
>numbers!) on active connections.
>
>So, am I going to see the SELinux context for each connection in text without
>the need to use conntrack-utils or not (a simple 'yes' or 'no' answer will do)?

I would prefer for the procfs interface to cease existing. At the very
least, it should not be added to any more, per consensus:
http://markmail.org/message/h7qeomrtjjjtptio

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
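The reply above makes one concrete point for anyone who scripts against /proc/net/nf_conntrack: "secmark=" is printed only when the kernel was built with SECMARK support, so a parser has to treat the field as optional. The following is an added illustration written for this thread, not code from the netfilter project or from either poster. It parses nf_conntrack-style lines into a structure, reads "secmark=" only when present, and reports which entries carry one. The sample lines are constructed for the example (RFC 5737 documentation addresses, made-up timeouts and secmark values), and the helper names are the example's own.

```python
"""Tolerant parser for /proc/net/nf_conntrack lines (added example, not kernel code)."""
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the /proc/net/nf_conntrack layout (not captured from a live host).
# Line 1 and 3 come from a kernel that prints secmark=; line 2 lacks the field entirely,
# which is what a parser sees when SECMARK support is compiled out.
SAMPLE_LINES: List[str] = [
    "ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 "
    "src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 secmark=42 use=2",
    "ipv4     2 udp     17 29 src=192.0.2.10 dst=192.0.2.1 sport=40000 dport=53 "
    "src=192.0.2.1 dst=192.0.2.10 sport=53 dport=40000 mark=0 use=1",
    "ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.10 dst=203.0.113.7 sport=55555 dport=22 "
    "[UNREPLIED] src=203.0.113.7 dst=192.0.2.10 sport=22 dport=55555 mark=0 secmark=7 use=1",
]


def parse_conntrack_line(line: str) -> Dict:
    """Split one nf_conntrack line into its fixed prefix, the two tuples, flags and key=value tail.

    Fields that the kernel only prints under an #ifdef (secmark=, and similarly zone=) are
    returned as None / absent instead of raising, so the parser works on any kernel config.
    """
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"too few fields in conntrack line: {line!r}")

    entry: Dict = {
        "l3proto": tokens[0],          # e.g. ipv4
        "l3num": int(tokens[1]),       # address family number
        "l4proto": tokens[2],          # e.g. tcp
        "l4num": int(tokens[3]),       # IP protocol number
        "timeout": int(tokens[4]),     # seconds until expiry
        "state": None,                 # protocol state, only printed for some protocols
        "orig": {},                    # original-direction tuple
        "reply": {},                   # reply-direction tuple
        "flags": [],                   # bracketed flags such as ASSURED / UNREPLIED
        "mark": None,
        "secmark": None,               # None means the kernel did not emit the field
        "extra": {},                   # anything else (use=, zone=, icmp type=/code=/id=, ...)
    }

    for tok in tokens[5:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key in ("src", "dst", "sport", "dport"):
                # The first occurrence of each tuple key is the original direction,
                # the second is the reply direction.
                side = "orig" if key not in entry["orig"] else "reply"
                entry[side][key] = val
            elif key == "mark":
                entry["mark"] = int(val)
            elif key == "secmark":
                entry["secmark"] = int(val)
            else:
                entry["extra"][key] = val
        else:
            # A bare word after the timeout is the protocol state (tcp only in practice).
            entry["state"] = tok
    return entry


def connections_with_secmark(lines: List[str]) -> List[Tuple[str, Optional[str], int]]:
    """Return (l4proto, orig dport, secmark) for every entry that actually carries a secmark."""
    result = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_conntrack_line(line)
        if entry["secmark"] is not None:
            result.append((entry["l4proto"], entry["orig"].get("dport"), entry["secmark"]))
    return result


if __name__ == "__main__":
    for proto, dport, secmark in connections_with_secmark(SAMPLE_LINES):
        print(f"{proto} dport={dport} secmark={secmark}")
```

Feeding the real file is a matter of replacing SAMPLE_LINES with the lines read from /proc/net/nf_conntrack; because the secmark value stays None when the field is missing, the same script runs unchanged on a kernel without SECMARK, which is the property the reply says every existing parser already has to have.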