On Thursday 03 January 2008 11:45:49 pm David Miller wrote:
> From: Paul Moore <[EMAIL PROTECTED]>
> Date: Thu, 03 Jan 2008 12:25:39 -0500
>
> > Add an inet_sys_snd_skb() LSM hook to allow the LSM to provide
> > packet level access control for all outbound packets. Using the
> > existing postroute_last netfilter hook turns out to be problematic
> > as it can be invoked multiple times for a single packet, e.g.
> > individual IPsec transforms, adding unwanted overhead and
> > complicating the security policy.
> >
> > Signed-off-by: Paul Moore <[EMAIL PROTECTED]>
>
> I disagree with this change.
>
> The packet is different each time you see it in the postrouting hook,
> and also the new hook is thus redundant.

Well, thanks for taking a look.

> If it's a performance issue and you can classify the security early,
> mark the SKB as "seen" and then on subsequent hooks you can just
> return immediately if that flag is set.

Unfortunately, it's not quite that easy at present. The only field we have in the skb where we could possibly set a flag is the secmark field, which is already taken. Granted, there is the possibility of segmenting the secmark field to some degree, but that brings about a new set of problems involving the number of unique labels, backwards compatibility, etc.

Regardless, back to the drawing board. I'll have to think a bit harder about a way to make the netfilter hooks work ...

--
paul moore
linux security @ hp
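The two positions in the exchange above (a postrouting hook that re-evaluates policy on every pass through the IPsec transforms, versus marking the skb "seen" and returning early, at the price of carving a flag bit out of the already-used secmark field) can be modelled in a few lines. The following is an added user-space C simulation written for this page; it is not kernel code and not from either poster. It assumes a 32-bit secmark with the top bit reserved as the flag, that the hook fires once for the plain packet and once after each transform, and a stand-in policy check whose only job is to be the expensive step. `model_skb`, `hook_stats`, `run_packet` and the other names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for the model: secmark is 32 bits wide and the top bit is
 * carved out as the "seen" flag. That leaves 31 bits of label space, which is
 * the "number of unique labels" cost the reply refers to. */
#define SECMARK_SEEN_BIT   (1u << 31)
#define SECMARK_LABEL_MASK (~SECMARK_SEEN_BIT)

/* Constructed stand-in for sk_buff: only the field the model needs. */
struct model_skb {
    uint32_t secmark;
};

struct hook_stats {
    int visits;          /* times the postrouting hook saw the packet */
    int policy_checks;   /* full access-control evaluations performed */
    int short_circuits;  /* visits that returned early on the seen flag */
};

/* Extract the label portion of a secmark that may carry the seen flag. */
static uint32_t secmark_label(uint32_t secmark)
{
    return secmark & SECMARK_LABEL_MASK;
}

/* A pre-existing label that already uses bit 31 cannot coexist with the
 * flag: setting "seen" would silently change its value. This is the
 * backwards-compatibility problem of segmenting the field. */
static bool secmark_label_fits(uint32_t label)
{
    return (label & SECMARK_SEEN_BIT) == 0;
}

/* Hypothetical access-control decision. Its content does not matter for the
 * model, only that it is the expensive step we would like to run once. */
static bool lsm_policy_check(uint32_t label, int *checks)
{
    (*checks)++;
    return label != 0;   /* treat unlabelled packets as denied */
}

/* Postrouting hook as described in the patch text: evaluated on every visit. */
static bool postroute_hook_plain(struct model_skb *skb, struct hook_stats *st)
{
    st->visits++;
    return lsm_policy_check(secmark_label(skb->secmark), &st->policy_checks);
}

/* Postrouting hook with the "seen" flag suggested in the reply: evaluate
 * once, mark the skb only on an allow, and return immediately afterwards. */
static bool postroute_hook_flagged(struct model_skb *skb, struct hook_stats *st)
{
    st->visits++;
    if (skb->secmark & SECMARK_SEEN_BIT) {
        st->short_circuits++;
        return true;
    }
    bool allowed = lsm_policy_check(secmark_label(skb->secmark), &st->policy_checks);
    if (allowed)
        skb->secmark |= SECMARK_SEEN_BIT;
    return allowed;
}

/* Simulate one outbound packet. The model assumes the hook fires once for the
 * plain packet and once more after each IPsec transform; a denied packet is
 * dropped and not seen again. */
static struct hook_stats run_packet(int ipsec_transforms, bool use_flag, uint32_t label)
{
    struct model_skb skb = { .secmark = label };
    struct hook_stats st = { 0, 0, 0 };
    for (int i = 0; i <= ipsec_transforms; i++) {
        bool ok = use_flag ? postroute_hook_flagged(&skb, &st)
                           : postroute_hook_plain(&skb, &st);
        if (!ok)
            break;
    }
    return st;
}

int main(void)
{
    struct hook_stats plain = run_packet(3, false, 0x2a);
    struct hook_stats flagged = run_packet(3, true, 0x2a);
    printf("plain:   %d visits, %d policy checks\n", plain.visits, plain.policy_checks);
    printf("flagged: %d visits, %d policy checks, %d short-circuits\n",
           flagged.visits, flagged.policy_checks, flagged.short_circuits);
    printf("label 0x80000001 fits beside the flag: %s\n",
           secmark_label_fits(0x80000001u) ? "yes" : "no");
    return 0;
}
```

With three transforms the plain hook evaluates policy four times for one packet while the flagged hook evaluates it once, which is the overhead the patch description complains about; `secmark_label_fits` shows why the reply calls the flag approach "not quite that easy": any deployment already using labels with the top bit set would be broken by reserving it.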