* Can Erkin Acar <[EMAIL PROTECTED]> [2008-03-06 22:43]:
> > Hey
> >
> > so now I changed the tagging from tcp_output to ip_output.
> > I also put a pf_tag_unref to so_free and sosetopt (in case that there
> > is already a tag set).
> > I couldn't see a reason for a pf_tag_unref in the so_accept because
> > the socket could be reused.
> > Thanks to Henning for the ideas!
>
> > Any further ideas ? I'm in a good run :)
>
> Nice, you probably want to keep the application/kernel tag name spaces
> distinct though. Otherwise it would be easy for any local user/program
> to mess with pf.conf generated tags and bypass filtering etc. It could
> be as easy as adding a prefix ("APP_" ?) to all application generated
> tags.

actually you have a point here... sockets don't even require root.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
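
The namespace separation suggested in the thread above, as an added example that is not part of the original messages or of the patch under discussion. It is a userland toy model: `tagname2id`, `app_tagname2id`, the table and the 64-byte name limit are all hypothetical stand-ins, and "TRUSTED" is a constructed tag name.

```c
#include <stdio.h>
#include <string.h>

#define TAG_NAME_SIZE 64          /* assumed tag-name buffer size */
#define APP_PREFIX    "APP_"      /* prefix suggested in the thread */
#define MAX_TAGS      16

/* Toy tag table standing in for the kernel's name -> id mapping. */
static char tag_names[MAX_TAGS][TAG_NAME_SIZE];
static int  tag_count;

/* Return the id for name, allocating one on first use; 0 means failure. */
int tagname2id(const char *name)
{
    if (name[0] == '\0' || strlen(name) >= TAG_NAME_SIZE)
        return 0;
    for (int i = 0; i < tag_count; i++)
        if (strcmp(tag_names[i], name) == 0)
            return i + 1;
    if (tag_count == MAX_TAGS)
        return 0;
    strcpy(tag_names[tag_count], name);
    return ++tag_count;
}

/* Tag requested by an unprivileged socket owner: always namespaced. */
int app_tagname2id(const char *name)
{
    char buf[TAG_NAME_SIZE];
    int n = snprintf(buf, sizeof(buf), "%s%s", APP_PREFIX, name);

    /* Reject rather than truncate: a cut-off name could alias another tag. */
    if (name[0] == '\0' || n < 0 || (size_t)n >= sizeof(buf))
        return 0;
    return tagname2id(buf);
}

int main(void)
{
    int rule_id = tagname2id("TRUSTED");      /* constructed pf.conf tag */
    int raw_id  = tagname2id("TRUSTED");      /* socket tag, shared namespace */
    int app_id  = app_tagname2id("TRUSTED");  /* socket tag, prefixed */

    printf("ruleset=%d shared=%d prefixed=%d\n", rule_id, raw_id, app_id);
    return 0;
}
```

With a shared namespace the socket-supplied name resolves to the same id as the ruleset's tag; with the prefix it gets its own id. The separation only holds if ruleset tags are not themselves allowed to start with the same prefix.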