On Mon, 8 May 2006, Karl MacMillan wrote:

> Glad that you added this. This only checks on the addition of rules,
> correct? Obviously changes that don't include an addition (e.g.,
> removal) could change the labeling behavior. Is it possible / needed to
> try to provide anything like the relabelto/relabelfrom pairing that is
> present for files?
The xtables target knows nothing of rule deletion, so we can't detect anything there. All operations require cap_net_admin, though, so we do at least have that.

There's also no way to do relabelfrom, as a single rule update actually causes the entire 'table' to be replaced, and we have no linkage between old and new rules, or in fact, any way to look at the previous state.

It turns out that we don't need a relabelfrom anyway, as packets which enter the system are inherently unlabeled, and all that SECMARK does is add a label, so we know implicitly that setting a label on a packet is always a 'relabelfrom unlabeled'.

- James
--
James Morris <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
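The mechanism James describes (SECMARK adds a label to a packet that arrived unlabeled, and an iptables update replaces the whole table rather than editing rules in place) is easiest to see from an actual ruleset. The script below is an added example, not code from the thread or from the SECMARK patches; it emits a complete mangle table in iptables-restore format, so loading it is exactly the whole-table replacement described above. The SELinux context name http_server_packet_t is an assumption: whatever context is used must exist in the loaded policy as a type usable on the packet class, otherwise the kernel's relabel check on each SECMARK rule will reject the load. Applying it also needs CAP_NET_ADMIN, so the apply step is opt-in.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal SECMARK/CONNSECMARK ruleset
# for the mangle table, produced in iptables-restore format.
# The packet context below is a hypothetical name; substitute a type your
# policy defines for the 'packet' class.
HTTP_CTX="${HTTP_CTX:-system_u:object_r:http_server_packet_t:s0}"

# Emit the entire mangle table. iptables-restore replaces the table as a unit,
# which is the behaviour the reply describes: the kernel never sees a delete
# of an old rule, only the new table, so each SECMARK rule is checked as an
# addition (a 'relabelfrom unlabeled', in the thread's terms).
secmark_ruleset() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# New inbound HTTP packets get a label; they entered the host unlabeled.
-A INPUT -p tcp --dport 80 -m state --state NEW -j SECMARK --selctx $HTTP_CTX
# Copy that packet label onto the connection so later packets in both
# directions (including replies on OUTPUT) get the same label restored.
-A INPUT -p tcp --dport 80 -m state --state NEW -j CONNSECMARK --save
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
COMMIT
EOF
}

# Sanity check used before applying: number of labeling rules in the table.
secmark_rule_count() {
    secmark_ruleset | grep -E -c -- '-j (CONN)?SECMARK'
}

# True if the emitted table labels with the expected context.
secmark_uses_ctx() {
    secmark_ruleset | grep -q -- "--selctx $1"
}

# Only touch the kernel when explicitly asked; this replaces the whole
# mangle table and requires CAP_NET_ADMIN plus policy permission to relabel
# packets to $HTTP_CTX.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be root (CAP_NET_ADMIN) to load the table" >&2
        exit 1
    fi
    secmark_ruleset | iptables-restore
fi
```

Run it with no arguments to inspect the generated table; run `sh secmark.sh --apply` as root to load it. Note that reloading with a changed context is, from the kernel's point of view, a brand-new table whose SECMARK rules are all checked afresh, which is why the thread concludes no relabelfrom pairing is needed.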