Re: [Fireflier-devel] Re: [PATCH][RFC] Security marking

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Patrick McHardy <kaber@trash.net>
To: "Török Edwin" <edwin@gurde.com>
Cc: netdev@vger.kernel.org, James Morris <jmorris@namei.org>,
	fireflier-devel@lists.sourceforge.net
Subject: Re: [Fireflier-devel] Re: [PATCH][RFC] Security marking
Date: Fri, 28 Apr 2006 09:19:04 +0200	[thread overview]
Message-ID: <4451C1E8.9040104@trash.net> (raw)
In-Reply-To: <200604232157.59758.edwin@gurde.com>

Török Edwin wrote:
> Patrick what is the status of solving the skfilter issues? Can I help with 
> testing patches,  etc.?

Not yet. If nothing gets in between I plan to get the patches ready
next week.

> On Monday 20 February 2006 18:42, Patrick McHardy wrote:
> 
>>Confirmation of conntrack entries. They shouldn't be confirmed before
>>packets have passed the socket hooks. This is the tricky part because
>>we don't know if packets will be delivered to a raw socket or not
>>when calling the regular LOCAL_IN hook.
>>The only way to solve this 
>>seems to be to use the socket hooks for all incoming packets, that
>>way we can defer confirmation unconditionally.
> 
> Are there any problems with using socket hooks for all packets?

Not really, just that some protocols don't use sockets, so its a bit
pointless for them. OTOH it should make rule management easier if
everything can be done in the same table.

>>The nicest way would 
>>be to just move the regular LOCAL_IN hook to the socket hooks, but
>>this doesn't work with SNAT in LOCAL_IN because the socket lookup
>>needs the already NATed address.
> 
> Move just the non SNAT part of LOCAL_IN to socket hooks?(does this make 
> sense?)

That would be my prefered way, but it changes user-visible behaviour.
Currently filtering is done before SNAT, this change would reverse
that.

     prev parent reply	other threads:[~2006-04-28  7:19 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-04-17 18:40 [PATCH][RFC] Security marking edwin
2006-04-18  1:01 ` James Morris
2006-04-23 18:57   ` [Fireflier-devel] " Török Edwin
2006-04-24 12:56     ` James Morris
2006-04-28  7:19     ` Patrick McHardy [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4451C1E8.9040104@trash.net \
    --to=kaber@trash.net \
    --cc=edwin@gurde.com \
    --cc=fireflier-devel@lists.sourceforge.net \
    --cc=jmorris@namei.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.