> I'm betting that the AVC is only issued at the socket level (incoming
> and outgoing). So DROPped packets would not trigger it.

I will have the opportunity to try this and will find out one way or another, but consider this: I currently have Drop in my fw2vpn chain. There is dropInvalid in it (albeit not audited, though if I knew what I will discover I might as well have triggered it - hindsight is 20-20 as they say, eh?). The packet to which this AVC relates would have been dropped, but an AVC was issued instead. Why?

> At any rate, here's a patch that implements ':I'.

Thanks. How do I treat my existing SAVE and RESTORE statements: should I include the invalid state as well, do you think (I think I should, but then again, I am not an expert)?

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
