On Wed, 10 Jul 2002, Stephen Smalley wrote:

> James pointed out that we can remove the NetFilter IP hooks from LSM and
> simply let the modules register them as necessary. Is anyone already
> working on a patch for this?

No, I was waiting to see if there would be any further feedback.

> Do we also need to make the non-NetFilter IPv4 networking hooks
> configurable? What about the skb hooks? The sock_rcv_skb hook? The
> socket layer hooks? Does this need to be done prior to initial
> submission of the LSM patch?

According to the gigabit Webstone benchmarks, we'd still have a 1-2%
performance hit after removal of the netfilter hooks. However, it's not
clear exactly what is causing this (note that the lmbench tcp bandwidth
figures for the same setup show a hit of only %0.3), and making network
hooks configurable for this reason might be premature at this stage.

I would suggest that we don't make the network hooks configurable unless
specifically asked to by the network maintainers.

- James
--
James Morris <jmorrisat_private>