-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Martin" == Martin Josefsson <gandalf@xxxxxxxxxxxxxx> writes:
Martin> On Fri, 26 Oct 2001, Manon F. Goo wrote:
>>
>> >
>> > Aha, RGB! a customer for the skb->{security,ipcb,fwmark} mechanism.
>> > Well maybe.
>> > skb->security (16-bit)
>> > skb->nfmark (much contention for this field)
>>
>> is it planned to be able to set the nfmark value per connection for later
>> processing with iptables?
Martin> There is an iptables module called CONNMARK for this purpose :)
Martin> you mark the connection with a mark and all packets in that
Martin> connection inherit that mark. But I don't think CONNMARK is part of
Martin> the patch-o-matic :( So you'll have to search the netfilter-devel
Martin> archives I think.
The term "connection" as used by Manon refers to an IPsec SA. The packets
that emerge from the IPsec tunnel have never been seen by the system before
(they were hidden by encryption).
Conntrack will likely prove useful to short-circuit IPsec SPD (inbound)
tunnel processing, particularly for Opportunistic Encryption (/32<->/32)
uses, but we need to convince ourselves that there are no cache
coherency problems with this.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBO9mJTYqHRg3pndX9AQFykwQAvP2OE4UbgPB4cuIWGxGm+a9hLhznmQS9
GL0/FBBGLD+atE9By0x1qj5cd8sazRwMLuVLAY27xsyNL2x2MlGTr2Wkf6PKPmxH
E9mNY3VRYayUn7A+JqVh8ti89Op8ljyzPsiX6D0UybmLhXYTLxq7uH2N6iUGAuRH
9Jv2QHhtxx0=
=FDUE
-----END PGP SIGNATURE-----
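The CONNMARK behaviour Martin describes (mark a connection once, every later packet of that connection, reply direction included, picks the mark up again) is easy to misread from the one-line summary, so here is a small executable model of it. This is an added example and not netfilter code or anything from the FreeS/WAN or netfilter projects: it models a conntrack table keyed by the original-direction 5-tuple and the three-rule mangle/PREROUTING pattern `CONNMARK --restore-mark`, `MARK --set-mark` on still-unmarked connections, `CONNMARK --save-mark`. The `Packet` class, `Conntrack` class, `mangle_prerouting()` and the ssh-port classifier are illustrative names chosen here; the sample packets are constructed inline.

```python
"""Model of conntrack + CONNMARK mark inheritance (added example, not kernel code)."""
from dataclasses import dataclass

# Packet-level fields that matter for this model. `mark` stands in for skb->nfmark.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    mark: int = 0


def flow_key(p: Packet):
    """Original-direction tuple used to index the connection table."""
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(key):
    """Tuple of the reply direction of a connection."""
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class Conntrack:
    """Minimal connection table: original tuple -> connection mark (connmark).

    A packet matching a known tuple in either direction belongs to that
    connection; anything else creates a new entry with connmark 0.
    """

    def __init__(self):
        self.table = {}

    def lookup(self, p: Packet):
        key = flow_key(p)
        if key in self.table:
            return key
        rkey = reverse_key(key)
        if rkey in self.table:
            return rkey  # reply packet of an existing connection
        self.table[key] = 0  # first packet seen: new connection, unmarked
        return key


def ssh_classifier(p: Packet) -> int:
    """Stand-in for a rule that would match only the original-direction SYN:
    iptables -t mangle -A PREROUTING -m mark --mark 0 -p tcp --dport 22 -j MARK --set-mark 1
    (illustrative classifier chosen for this example)."""
    return 1 if p.proto == "tcp" and p.dport == 22 else 0


def mangle_prerouting(ct: Conntrack, p: Packet, classifier) -> int:
    """Model of the usual three-rule CONNMARK pattern:
      -j CONNMARK --restore-mark   copy the connmark onto the packet
      -m mark --mark 0 ... -j MARK --set-mark N   classify only unmarked connections
      -j CONNMARK --save-mark      write the packet mark back to the connection
    Returns the packet's resulting nfmark."""
    conn = ct.lookup(p)
    mark = ct.table[conn]          # --restore-mark
    if mark == 0:                  # only still-unclassified connections are inspected
        mark = classifier(p)       # -j MARK --set-mark
    ct.table[conn] = mark          # --save-mark
    return mark


def run_demo():
    """Four constructed packets; returns the mark each one ends up with.

    The reply from port 22 would never match the classifier on its own
    (its dport is the client's ephemeral port), yet it inherits mark 1
    because conntrack maps it back to the same connection.
    """
    ct = Conntrack()
    packets = [
        Packet("10.0.0.5", 40001, "10.0.0.9", 22),   # client -> ssh server (SYN)
        Packet("10.0.0.9", 22, "10.0.0.5", 40001),   # server -> client (reply)
        Packet("10.0.0.5", 40001, "10.0.0.9", 22),   # client -> server again
        Packet("10.0.0.5", 40002, "10.0.0.9", 80),   # unrelated http flow
    ]
    return [mangle_prerouting(ct, p, ssh_classifier) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

The model also makes Michael's point concrete: a packet decapsulated from an IPsec SA is, to this table, a brand-new original-direction tuple, so nothing about the outer SA carries over to it unless something writes a mark into the inner connection when it first appears.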