[redhat-lspp] Re: [RFC][PATCH 2/2] MLSXFRM: Flow labeling outside of socket context

James Morris jmorris at redhat.com
Sat Jul 8 15:14:29 UTC 2006


On Wed, 5 Jul 2006, Venkat Yekkirala wrote:

> The following aren't addressed in this round. These will however still be able to use
> single-labeled associations like they currently do as defined by policy, and as such
> I currently do not have any plans to add support for them.
> 
> ipmr
> ip_gre
> ipip
> igmp
> sit
> sctp
> ip6_tunnel (IPv6 over IPv6 tunnel device)
> decnet


This seems problematic in that it's not a general solution and depends 
always on hooking in at all of the right places in every protocol.  Adding 
a bunch of hooks to protocol-specific code is what got us in trouble with 
the initial LSM submission.

What about using secmark and connection tracking for this, instead?

I'd also suggest moving this discussion to netdev, so other network
developers & maintainers can participate, or just keep track of the
discussion.



- James
-- 
James Morris
<jmorris at redhat.com>




