>>>>> "Manon" == Manon F Goo <manon@xxxxxxxx> writes:
>> Aha, RGB! a customer for the skb->{security,ipcb,fwmark} mechanism.
>> Well maybe.
skb->security (16-bit)
skb->nfmark (much contention for this field)
Manon> is it planned to be able to set nfmark value per connection for later
Manon> processing with iptables?
No. The value that we would need to set is a 16-bit or more value. Setting
a single bit is meaningless since different tunnels may have different
policies. The intention is that you can use "security" (or whatever field is
decided) to do filtering.
(If pushed into a corner, we may resort to stomping on most of nfmark,
which would be unfriendly, but nfmark has to be fixed...)
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [