| To: | davem@xxxxxxxxxx (David S. Miller) |
|---|---|
| Subject: | Re: nfmark routing in ip_route_output() |
| From: | kuznet@xxxxxxxxxxxxx |
| Date: | Tue, 5 Sep 2000 20:57:16 +0400 (MSK DST) |
| Cc: | rusty@xxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, ges@xxxxxxxxxx, netfilter@xxxxxxxxxxxxx |
| In-reply-to: | <14766.59187.494713.745149@xxxxxxxxxxxxxxx> from "David S. Miller" at Aug 31, 0 04:16:03 pm |
| Sender: | owner-netdev@xxxxxxxxxxx |
Hello!

> Alexey can complain next week when he comes back online. :-)

Nothing to complain. 8)

BTW, Paul, we can make one interesting thing now. Namely, something sort of setsockopt(SO_NFMARK). After this you can override socket(2) (f.e. with LD_PRELOAD or on application level) and select nfmark depending on some environment variable.

The only problem is how to prevent user to override internal nfmarks (nat). Well, and security implications are to be analyzed. Probably, it is enough to add sysctl variable sort of nfmark_user_mask (set to zero by default) and allow to change nfmark via setsockopt() only if (nfmark_user_mask&nfmark) == nfmark.

Alexey
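
A userspace model of the check proposed in the message above, added here as an illustration and not code from the thread or the kernel. Only `nfmark_user_mask` and the subset test come from the mail; the bit layout, `nfmark_user_check()` and `sock_set_nfmark()` are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Models the proposed sysctl: zero by default, so no bit is user-settable. */
static uint32_t nfmark_user_mask = 0;

/* Constructed layout (assumption): high 16 bits carry internal marks such as
 * NAT state, low 8 bits are delegated to unprivileged users. */
#define EXAMPLE_INTERNAL_BITS 0xffff0000u
#define EXAMPLE_USER_BITS     0x000000ffu

/* Subset test from the mail: every bit set in the requested mark must also
 * be set in the mask. An overlap test ((mask & nfmark) != 0) would not be
 * enough, because it accepts marks that also set internal bits. */
static int nfmark_user_check(uint32_t mask, uint32_t nfmark)
{
    return ((mask & nfmark) == nfmark) ? 0 : -EPERM;
}

/* Hypothetical body of a setsockopt(SO_NFMARK) handler: the mark stored on
 * the socket changes only when the check passes. */
static int sock_set_nfmark(uint32_t *sk_nfmark, uint32_t requested)
{
    int err = nfmark_user_check(nfmark_user_mask, requested);
    if (err)
        return err;
    *sk_nfmark = requested;
    return 0;
}

int main(void)
{
    /* Constructed requests: clear, user-only, outside mask, user+internal. */
    const uint32_t tries[] = { 0x0, 0x2a, 0x100, EXAMPLE_INTERNAL_BITS | 0x2a };
    uint32_t sk = 0;

    nfmark_user_mask = EXAMPLE_USER_BITS;   /* administrator opts in */
    for (size_t i = 0; i < sizeof(tries) / sizeof(tries[0]); i++) {
        int err = sock_set_nfmark(&sk, tries[i]);
        printf("request 0x%08x -> %s, socket mark 0x%08x\n",
               (unsigned)tries[i], err ? "EPERM" : "ok", (unsigned)sk);
    }
    return 0;
}
```

With the default mask of zero the only mark that passes is 0, so the option stays inert until an administrator sets the sysctl.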