Re: [PATCH] SMACK netfilter smacklabel socket match

From: Casey Schaufler
Date: Wed Feb 18 2009 - 12:09:38 EST


Paul Moore wrote:
> On Wednesday 18 February 2009 02:23:24 am etienne wrote:
>
>> ... anyway, I think the cleanest way would be to, well, sort smk_netlbladdr
>> by mask on insertion (perf doesn't matter here) and this way
>> smack_host_label can stop the loop on first match. Plus, it would give a
>> nicer /smack/netlabel output :)
>>
>
> Agreed.
>

Yes, it would make it nicer. You'll need to do a better job
on the list management than I've been doing. It's probably well
past time to introduce the Standard list management scheme to
Smack, and you'll need to do so if you want to do insertions
and/or deletions.

>> so, how should we handle it? apply the patches (with whitespace damage
>> corrected ;) ) now (as it corrects a bug) and elaborate the cleaner way
>> later?
>>
>
> Well, since you have some time and willingness to do things "the right way" I
> would recommend dropping these patches (which are really just band-aids) and
> working on the right solution to store the addresses/masks in a sorted list
> with the mask already applied.
>
> FWIW, the NetLabel code (net/netlabel) has to do very similar things with
> sorted address lists so I built an address list construct which builds on the
> list.h ideas and operates in a similar way. You may find it helpful.
>
>
>> I think this should go to stable too?
>>
>
> I would worry about getting the patches developed, tested and in an acceptable
> form first, then we can worry about where they should be applied ;)
>
>

I would be delighted to see these changes. When you have preliminary
versions I would be eager to see them and give them a try in the
Smack test laboratory.

Etienne, thank you very much for the work you've done so far. Paul,
thank you for your recommendations.
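
The approach agreed on in this thread (store each address with its mask already applied, keep the list sorted by mask on insertion, stop the lookup at the first match), shown as an added userspace example that is not part of the thread and is not the Smack or NetLabel code. `struct rule`, `rule_insert` and `host_label` are hypothetical names; addresses are in host byte order and masks are assumed to be contiguous.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for one address/mask/label entry. */
struct rule {
    uint32_t addr;   /* host byte order, stored with the mask applied */
    uint32_t mask;   /* contiguous netmask, host byte order */
    char label[24];
    struct rule *next;
};

/* Keep the list ordered from most specific mask to least specific. For
 * contiguous netmasks a numerically larger mask has more bits set. */
static int rule_insert(struct rule **head, uint32_t addr, uint32_t mask,
                       const char *label)
{
    struct rule *r, **pp = head;

    if (strlen(label) >= sizeof(r->label))
        return -1;
    addr &= mask;                       /* normalise once, at insertion */
    while (*pp && (*pp)->mask > mask)   /* skip more specific entries */
        pp = &(*pp)->next;
    for (r = *pp; r && r->mask == mask; r = r->next)
        if (r->addr == addr) {          /* same network: update label */
            strcpy(r->label, label);
            return 0;
        }
    r = malloc(sizeof(*r));
    if (!r)
        return -1;
    r->addr = addr;
    r->mask = mask;
    strcpy(r->label, label);
    r->next = *pp;
    *pp = r;
    return 0;
}

/* First match is the longest match because of the insertion order. */
static const char *host_label(const struct rule *head, uint32_t ip)
{
    for (; head; head = head->next)
        if ((ip & head->mask) == head->addr)
            return head->label;
    return NULL;
}
```

Because the walk stops at the first hit, an unsorted list would let a broad network entry shadow a host entry that was added after it.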

