Chris Vance wrote:
>To that end, we are going to see what we can do with
>the netfilter code rather than directly modifying the ip input/output
>routines or modifying the sk_buff structure (which apparently would be
>difficult to gain approval for).

Sounds like a great idea, and I'd love to see a way to make it work. As far as I'm aware, though, one difficulty with such an approach would appear to be dealing with incoming packets: I believe netfilter gets invoked before the packet is demultiplexed enough to be aware what process/uid the packet is destined for, and so it's not clear to me how to do per-process or per-uid filtering. I'd love to see a solution...

This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 22:31:23 PDT