On 06/02/2011 10:55 AM, Mr Dash Four wrote:
>
>> It is NEW *or* INVALID.
>>
> That may pose a problem then. The existing catch-all I have has ctstate
> NEW and slaps an "unauthorised_t" mark on every NEW packet regardless
> what happens down the chain.
>
> Since the mark listed in my security alert log has this packet marked as
> "unlabeled_t" (that is an indication that no secure marking was applied
> to that packet), that makes me think the ctstate was not new and that
> the packet may have been invalid, hence escaping my catch-all secmark
> statement.
>
> That is fine and I suspect your patch would work if that was the case,
> but this would present a problem with packets which are NEW *and*
> INVALID

That is impossible! A packet is in one and only one state.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
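
The point made in the exchange above (each packet has exactly one conntrack state, so a catch-all that matches only NEW never labels an INVALID packet) can be checked mechanically. The following is an added example, not code from the thread or from Shorewall: the iptables-save excerpt, the full SELinux context string and the function names are constructed for illustration.

```python
import shlex

# The four states considered here; a packet is in exactly one of them.
STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}

# Constructed iptables-save excerpt. Only the type name "unauthorised_t"
# comes from the thread; the rest of the context string is a placeholder.
SAMPLE_NEW_ONLY = """\
*mangle
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate NEW -j SECMARK --selctx system_u:object_r:unauthorised_t:s0
-A INPUT -m conntrack --ctstate NEW -j CONNSECMARK --save
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j CONNSECMARK --restore
COMMIT
"""
# Same ruleset with the catch-all widened to NEW *or* INVALID.
SAMPLE_NEW_OR_INVALID = SAMPLE_NEW_ONLY.replace(
    "--ctstate NEW -j SECMARK", "--ctstate NEW,INVALID -j SECMARK")

def rule_states(tokens):
    """States a rule matches, or None if it also matches on anything else."""
    states, i, body = set(STATES), 2, tokens[:tokens.index("-j")]
    while i < len(body):
        if body[i] == "-m" and body[i + 1] in ("conntrack", "state"):
            i += 2
        elif body[i] in ("--ctstate", "--state"):
            listed = set(body[i + 1].split(","))
            states &= (STATES - listed) if body[i - 1] == "!" else listed
            i += 2
        elif body[i] == "!":
            i += 1
        else:
            return None  # interface, protocol, port ...: not a catch-all
    return states

def unlabelled_states(ruleset, chain="INPUT"):
    """Conntrack states for which no catch-all rule in `chain` sets a label."""
    covered = set()
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain] or "-j" not in tokens:
            continue
        target = tokens[tokens.index("-j") + 1:]
        # SECMARK labels the packet; CONNSECMARK --restore copies the
        # label saved on the connection (assumed to have been saved).
        labels = target[:1] == ["SECMARK"] or target[:2] == ["CONNSECMARK", "--restore"]
        states = rule_states(tokens)
        if labels and states is not None:
            covered |= states
    return STATES - covered
```

Run against the output of `iptables-save -t mangle`, a non-empty result lists the states in which a packet would keep the default "unlabeled_t" label.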
