Re: decipher the secmark number from nf_conntrack/ip_conntrack

On Thursday 2010-09-23 22:56, Mr Dash Four wrote:
>
>>>> I use it a lot via 'cat' and Shorewall (via 'shorewall show
>>>> connections'). I use it for one particular reason - to track
>>>> SELinux contexts (text, NOT numbers!) on active connections. So, am
>>>> I going to see the SELinux context for each connection in text
>>>> without the need to use conntrack-utils or not (simple 'yes' or
>>>> 'no' answer will do)?
>>>>
>>
>> That's like saying we need /proc/self/df just so that we can know the
>> fill state of disks without resorting to a userspace tool (oooh~ god forbid!).
> 
> What is that supposed to mean? Are you suggesting that for the dubious privilege
> of seeing secmark=<selctx> - the way it should have been developed in the first
> place - as opposed to secmark=XXX as was the case up until now, I have to
> install your set of tools? I don't think so!

The trend is clear. If we were procfs fanboys, we would not need
sysfs. Or securityfs. Or debugfs. We'd have everything in /proc.

You can think whatever you want. It's just hypocritical wanting to
add a feature to an infrastructure that practically every developer
consented to not abuse further.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
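The disagreement above is about whether an entry in /proc/net/nf_conntrack shows its SECMARK as an opaque number (secmark=3) or as the SELinux context text. Whichever the kernel emits, a script reading the table has to cope with both, and with entries that carry no label at all. The following parser is an added example written for this page; it is not code from the poster, from Shorewall or from the netfilter project. The sample lines are constructed in the /proc/net/nf_conntrack layout, and the field name secctx= used for the textual form is an assumption about the newer output format, not something this thread confirms.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the /proc/net/nf_conntrack layout (not captured from
# any real host). Line 1 carries the numeric secmark the poster complains
# about; line 2 carries a textual context under "secctx=", which is an
# assumed field name; line 3 carries no security label at all.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.1 sport=43210 dport=22 packets=10 bytes=1200 src=10.0.0.1 dst=10.0.0.2 sport=22 dport=43210 packets=8 bytes=900 [ASSURED] mark=0 secmark=3 zone=0 use=2
ipv4     2 udp     17 29 src=10.0.0.2 dst=10.0.0.53 sport=51000 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=10.0.0.2 sport=53 dport=51000 packets=1 bytes=120 mark=0 secctx=system_u:object_r:dns_client_packet_t:s0 zone=0 use=2
ipv4     2 tcp      6 120 TIME_WAIT src=10.0.0.2 dst=10.0.0.9 sport=40000 dport=80 packets=5 bytes=500 src=10.0.0.9 dst=10.0.0.2 sport=80 dport=40000 packets=4 bytes=4000 [ASSURED] mark=0 zone=0 use=2
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


@dataclass
class ConnEntry:
    proto: str                 # l4 protocol name (tcp, udp, ...)
    state: Optional[str]       # protocol state word, if the line has one
    orig: Dict[str, str]       # original-direction tuple and counters
    reply: Dict[str, str]      # reply-direction tuple and counters
    secmark: Optional[int]     # numeric secid, if shown as secmark=N
    secctx: Optional[str]      # textual SELinux context, if shown as secctx=
    flags: List[str]           # bracketed flags such as ASSURED / UNREPLIED


def parse_line(line: str) -> ConnEntry:
    """Parse one /proc/net/nf_conntrack line into a ConnEntry."""
    tokens = line.split()
    l3name, _l3num, l4name, _l4num, _timeout = tokens[:5]
    rest = tokens[5:]
    # Stateful protocols print a bare state word (ESTABLISHED, TIME_WAIT, ...)
    # before the first key=value pair; connectionless ones do not.
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    flags: List[str] = []
    secmark = None
    secctx = None
    current = orig
    for tok in rest:
        if tok.startswith("["):
            flags.append(tok.strip("[]"))
            continue
        key, _, val = tok.partition("=")
        # The second "src=" starts the reply-direction tuple.
        if key == "src" and current is orig and "src" in orig:
            current = reply
        if key in TUPLE_KEYS:
            current[key] = val
        elif key == "secmark":
            secmark = int(val)
        elif key == "secctx":
            secctx = val
    return ConnEntry(l4name, state, orig, reply, secmark, secctx, flags)


def parse_table(text: str) -> List[ConnEntry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def security_label(entry: ConnEntry) -> str:
    """Prefer the textual context; fall back to the opaque numeric secid."""
    if entry.secctx:
        return entry.secctx
    if entry.secmark is not None:
        return "secmark=%d (numeric secid, not resolvable from this file)" % entry.secmark
    return "unlabelled"


def entries_with_context(text: str, ctx_fragment: str) -> List[ConnEntry]:
    """Connections whose textual SELinux context contains ctx_fragment."""
    return [e for e in parse_table(text) if e.secctx and ctx_fragment in e.secctx]


def unlabelled_entries(text: str) -> List[ConnEntry]:
    """Connections that no SECMARK rule has labelled, numeric or textual."""
    return [e for e in parse_table(text)
            if e.secmark is None and e.secctx is None]


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(e.proto, e.state, e.orig.get("src"), "->", e.orig.get("dst"),
              "dport", e.orig.get("dport"), "label:", security_label(e))
```

The unlabelled_entries check is the one worth running on a live box: an entry with neither field means traffic that matched no SECMARK rule, which is usually a gap in the SELinux packet policy rather than a parsing problem. A numeric secmark cannot be turned back into a context from the text of this file alone; that is exactly the lookup the poster wants the kernel to do for him.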

