From: Patrick McHardy <kaber@trash.net>
To: James Morris <jmorris@namei.org>
Cc: selinux@tycho.nsa.gov, netdev@vger.kernel.org,
netfilter-devel@lists.netfilter.org,
Stephen Smalley <sds@tycho.nsa.gov>,
Daniel J Walsh <dwalsh@redhat.com>,
Karl MacMillan <kmacmillan@tresys.com>,
"David S. Miller" <davem@davemloft.net>,
Thomas Bleher <bleher@informatik.uni-muenchen.de>
Subject: Re: [RFC] SECMARK 1.1
Date: Mon, 15 May 2006 07:29:55 +0200 [thread overview]
Message-ID: <446811D3.5080905@trash.net> (raw)
In-Reply-To: <Pine.LNX.4.64.0605150004590.645@d.namei>
James Morris wrote:
> On Sun, 14 May 2006, Patrick McHardy wrote:
>
>
>>James Morris wrote:
>>
>>>@@ -135,6 +175,9 @@ static int __init xt_secmark_init(void)
>>> {
>>> int err;
>>>
>>>+ if (tracking_enabled())
>>>+ need_conntrack();
>>>+
>>
>>This will load the conntrack modules even if the track flag is not set.
>
>
> I guess need_conntrack() could be moved to checkentry() and only called
> if the track flag is set.
That won't help, the function itself does nothing, its just a symbol
dependency.
>>Wouldn't it be better to put everything related to connection marking
>>in the CONNSECMARK target?
>
>
> It's more efficient this way, and simpler to manage.
>
> Currently, after security marking, the chain should normally terminate
> with a -j ACCEPT. Requiring the use of CONNSECMARK to label connections
> means inserting another rule before terminating the chain.
>
> Also, security marking for connections only occurs in the context of
> copying the security mark from packets, so there's no reason to build a
> general feature to do this into CONNSECMARK.
>
> Another possibility would be to get rid of CONNSECMARK completely and have
> SECMARK copy security marks from connections to packets via the use of a
> different flag (perhaps change --track into --save-state and then have
> --restore-state, or similar).
The reason why I'm asking is because my understanding is that SECMARK
would also be useful without conntrack, but automatically pulling in
the module leaves no option not to use conntrack except not to compile
this part in.
next prev parent reply other threads:[~2006-05-15 5:29 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-07 15:31 [RFC] SECMARK 1.0 James Morris
2006-05-07 15:33 ` [RFC] [SECMARK 01/08] Add secmark support to core networking James Morris
2006-05-07 15:34 ` [RFC][SECMARK 02/08] Export selinux_string_to_sid from SELinux James Morris
2006-05-07 15:35 ` [RFC][SECMARK 03/08] Add xtables SECMARK target James Morris
2006-05-10 6:03 ` Patrick McHardy
2006-05-10 13:30 ` James Morris
2006-05-11 7:06 ` Patrick McHardy
2006-05-07 15:36 ` [RFC][SECMARK 04/08] Add new flask definitions to SELinux James Morris
2006-05-07 15:37 ` [RFC][SECMARK 05/08] Add new packet controls " James Morris
2006-05-07 15:38 ` [RFC][SECMARK 06/08] Define a relabelto permission in the SELinux packet class James Morris
2006-05-07 15:39 ` [RFC][SECMARK 07/08] Add selinux_relabel_packet_permission() to SELinux API James Morris
2006-05-07 15:40 ` [RFC][SECMARK 08/08] Add selinux_relabel_packet_permission() check to xt_SECMARK James Morris
2006-05-08 17:54 ` Karl MacMillan
2006-05-08 21:19 ` James Morris
2006-05-07 15:42 ` [RFC][SECMARK userland 01/03] Add libselinux support James Morris
2006-05-07 15:43 ` [RFC][SECMARK userland 02/03] Add libipt_SECMARK James Morris
2006-05-07 15:44 ` [RFC][SECMARK userland 03/03] Add libip6t_SECMARK James Morris
2006-05-07 17:04 ` [RFC] SECMARK 1.0 Joshua Brindle
2006-05-07 17:43 ` James Morris
2006-05-08 17:41 ` Karl MacMillan
2006-05-08 21:29 ` James Morris
2006-05-09 13:24 ` Karl MacMillan
2006-05-09 16:40 ` James Morris
2006-05-09 17:06 ` Karl MacMillan
2006-05-09 18:56 ` James Morris
2006-05-09 17:11 ` Stephen Smalley
2006-05-07 17:44 ` James Morris
2006-05-14 6:03 ` [RFC] SECMARK 1.1 James Morris
2006-05-14 18:37 ` Patrick McHardy
2006-05-15 4:24 ` James Morris
2006-05-15 5:29 ` Patrick McHardy [this message]
2006-05-15 5:57 ` James Morris
2006-05-15 6:04 ` Patrick McHardy
2006-05-15 6:22 ` James Morris
2006-05-15 6:26 ` Patrick McHardy
2006-05-15 6:37 ` James Morris
2006-05-15 6:42 ` James Morris
2006-05-15 6:43 ` Patrick McHardy
2006-05-15 12:35 ` Karl MacMillan
2006-05-17 13:36 ` Thomas Bleher
2006-05-17 14:56 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=446811D3.5080905@trash.net \
--to=kaber@trash.net \
--cc=bleher@informatik.uni-muenchen.de \
--cc=davem@davemloft.net \
--cc=dwalsh@redhat.com \
--cc=jmorris@namei.org \
--cc=kmacmillan@tresys.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).