* Can Erkin Acar <[EMAIL PROTECTED]> [2008-03-06 22:43]:
> > Hey
> >
> > so now I changed the tagging from tcp_output to ip_output.
> > I also put a pf_tag_unref to so_free and sosetopt (in case that there
> > is already a tag set).
> > I couldn't see a reason for a pf_tag_unref in the so_accept because
> > the socket could be reused.
> > Thanks to Henning for the ideas!
> 
> > Any further ideas? I'm in a good run :)
> 
> Nice, you probably want to keep the application/kernel tag name spaces
> distinct though. Otherwise it would be easy for any local user/program
> to mess with pf.conf generated tags and bypass filtering etc. It could
> be as easy as adding a prefix ("APP_" ?) to all application generated
> tags.

Actually you have a point here... sockets don't even require root.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
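
The name-space separation suggested in this thread, shown as an added C example that is not part of the patch or of either message: the kernel, not the application, prepends "APP_" to socket-supplied tags, and the ruleset side refuses that prefix. `app_tag_name`, `ruleset_tag_ok` and `TAG_NAME_SIZE` are hypothetical names, and the 64-byte limit is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_NAME_SIZE  64      /* assumed tag buffer size, including NUL */
#define APP_TAG_PREFIX "APP_"  /* prefix proposed in the thread */

/*
 * Hypothetical helper for the socket-option path: map a tag name supplied
 * by an unprivileged process into the application name space.
 * user must already be NUL-terminated (bounded copy from userland first).
 * Returns 0 on success, -1 if the name is empty or does not fit once
 * prefixed. Oversized names are rejected, never truncated, so two different
 * requests cannot silently end up as the same tag.
 */
int
app_tag_name(const char *user, char *out, size_t outlen)
{
	size_t plen = strlen(APP_TAG_PREFIX);
	size_t ulen = strlen(user);
	size_t need = plen + ulen + 1;

	if (ulen == 0 || need > outlen || need > TAG_NAME_SIZE)
		return -1;
	memcpy(out, APP_TAG_PREFIX, plen);
	memcpy(out + plen, user, ulen + 1);  /* copies the NUL as well */
	return 0;
}

/*
 * Hypothetical check for the ruleset loader: a tag written in pf.conf must
 * not begin with the application prefix, otherwise the name spaces overlap
 * again from the other direction.
 */
int
ruleset_tag_ok(const char *name)
{
	return strncmp(name, APP_TAG_PREFIX, strlen(APP_TAG_PREFIX)) != 0;
}

int
main(void)
{
	char tag[TAG_NAME_SIZE];

	/* A local program asking for the pf.conf tag name "INTERNAL". */
	if (app_tag_name("INTERNAL", tag, sizeof(tag)) == 0)
		printf("socket tag stored as %s\n", tag);
	printf("pf.conf may use INTERNAL: %d\n", ruleset_tag_ok("INTERNAL"));
	printf("pf.conf may use %s: %d\n", tag, ruleset_tag_ok(tag));
	return 0;
}
```

A rule matching `tagged INTERNAL` then never matches a socket-set tag, since the socket path can only produce names beginning with `APP_`.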
