>>> 1) Shorewall now uses the 'conntrack' utility for 'show connections'
>>> if that utility is installed. Going forward, the Netfilter team
>>> will be enhancing this interface rather than the /proc interface.
>>>
>> Erm, No!
>>
>> The /proc interface will also be 'fixed' to include secctx field (i.e.
>> secctx=system_u:object_r:packet_t:s0), which shows the correct SELinux
>> context and the existing field secmark will be dropped.
>>
> Jan Engelhardt (who I see as a possible successor to Patrick McHardy) is
> championing that general direction, irrespective of what happens with
> the current set of secmark issues.
>

I don't know what direction Jan is 'championing' with regards to the
/proc interface, but the fact remains that, for the time being at least,
the /proc interface will get the same treatment - as far as SELinux
context is concerned - as the Netfilter interface (the point I've made in
my previous reply). You know about these discussions - you've taken part
in them on the netfilter mailing list.
