Peter Memishian wrote:

We're not sure -- we've asked for Casper's thoughts on
PRIV_NET_OBSERVABILITY as a whole, but he's on vacation at the moment.

Isn't "observability" a bit too broad here? I would assume observability includes packet counters (e.g., netstat -i) in addition to being able to look at the packet content.

I suspect for snoop-type activity we might over time need a range of visibility, just as I suspect we'll need a set of privileges around being able to send different degrees of raw packets. One way of approaching this is to define a small set of "raw" privileges that can separately capture being able to observe/receive and being able to transmit. Another way is to think of both observe/receive and transmit "raw" as a set of filters (IPFilter extended to support MAC layer filtering and ARP could be one implementation). The filtering approach is certainly more general, but begs the question of what the default behavior/filter should be.

   Erik
_______________________________________________
networking-discuss mailing list