Re: decipher the secmark number from nf_conntrack/ip_conntrack

On Thursday 2010-09-23 22:18, Mr Dash Four wrote:
>>> What happens to the new /nf(s)_conntrack
>>
>>If anything, secmark=x be removed. Abusing procfs is deprecated. No
>>userspace program depends on it.
>
>I've just read the above again. Are you actually suggesting that no
>program in userspace uses /proc/net/nf_conntrack? If so, you are
>mistaken, my friend!

No program hard-depends on "secmark=" (not: no program depends on
procfs/nfct). That field does not show up if you have SECMARK
disabled - it is guarded by #ifdef - so any parsers out there
have to cater for its absence. In other words, it is safe to
remove the field from the output.

>I use it a lot via 'cat' and Shorewall (via 'shorewall show connections'). I
>use it for one particular reason - to track SELinux contexts (text, NOT
>numbers!) on active connections.
>
>So, am I going to see the SELinux context for each connection in text without
>the need to use conntrack-utils or not (simple 'yes' or 'no' answer will do)?

I would prefer for the procfs interface to cease existing. At the
very least to be not added to any more, per consensus
http://markmail.org/message/h7qeomrtjjjtptio
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
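The point made in the reply above, that parsers of /proc/net/nf_conntrack already have to treat "secmark=" as optional because it is compiled out when SECMARK is disabled, is illustrated by the following parser. It is an added example, not code from the thread, Shorewall or conntrack-tools; the sample lines are constructed to match the nf_conntrack and older ip_conntrack layouts and are not real captures.

```python
from typing import Dict, List

# Constructed lines in the /proc/net/nf_conntrack layout: l3proto, l3num,
# l4proto, l4num, timeout, optional state, two tuples, bracketed flags,
# mark=, optional secmark=, use=. The UDP line has no state and no secmark=.
SAMPLE_NF_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40001 [ASSURED] mark=0 secmark=3 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=51000 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=51000 mark=0 use=1
"""
# Constructed line in the older ip_conntrack layout, which has no l3proto prefix.
SAMPLE_IP_CONNTRACK = "tcp      6 300 TIME_WAIT src=10.0.0.2 dst=10.0.0.3 sport=1234 dport=80 src=10.0.0.3 dst=10.0.0.2 sport=80 dport=1234 [ASSURED] mark=0 secmark=0 use=1"

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line: str) -> Dict[str, object]:
    """Parse one conntrack line; secmark is None when the field is absent."""
    toks = line.split()
    if len(toks) >= 5 and toks[1].isdigit() and toks[3].isdigit():
        # nf_conntrack: "ipv4 2 tcp 6 <timeout> ..."
        rec: Dict[str, object] = {"l3proto": toks[0], "l4proto": toks[2], "timeout": int(toks[4])}
        rest = toks[5:]
    else:
        # ip_conntrack: "tcp 6 <timeout> ..." (IPv4 only)
        rec = {"l3proto": "ipv4", "l4proto": toks[0], "timeout": int(toks[2])}
        rest = toks[3:]
    rec["state"], rec["flags"] = None, []
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            rec["flags"].append(tok[1:-1])          # e.g. ASSURED, UNREPLIED
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key in TUPLE_KEYS:
                # first src/dst/sport/dport belong to the original direction,
                # the second occurrence to the reply direction
                (orig if key not in orig else reply)[key] = val
            else:
                rec[key] = val                      # mark=, secmark=, use=, zone=
        else:
            rec["state"] = tok                      # bare token is the L4 state
    rec["orig"], rec["reply"] = orig, reply
    # SECMARK compiled out -> no secmark= token; report None rather than fail.
    rec["secmark"] = int(rec["secmark"]) if "secmark" in rec else None
    return rec


def parse_entries(text: str) -> List[Dict[str, object]]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]
```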

