diff options
author | James Morris <jmorris@namei.org> | 2008-06-09 18:57:24 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-06-09 18:57:24 -0400 |
commit | 560ee653b67074b805f1b661988a72a0e58811a5 (patch) | |
tree | e480158d626854dde7421d87e76b1fa6443c457f /include | |
parent | a258860e01b80e8f554a4ab1a6c95e6042eb8b73 (diff) |
netfilter: ip_tables: add iptables security table for mandatory access control rules
The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.
This is to help with distro integration of the new secmark-based
network controls, per various previous discussions.
The need for a separate table arises from the fact that existing tools
and usage of iptables will likely clash with centralized MAC policy
management.
The SECMARK and CONNSECMARK targets will still be valid in the mangle
table to prevent breakage of existing users.
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/netfilter_ipv4.h | 1 | ||||
-rw-r--r-- | include/net/netns/ipv4.h | 1 |
2 files changed, 2 insertions, 0 deletions
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index 650318b0c405..29c7727ff0e8 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h | |||
@@ -60,6 +60,7 @@ enum nf_ip_hook_priorities { | |||
60 | NF_IP_PRI_MANGLE = -150, | 60 | NF_IP_PRI_MANGLE = -150, |
61 | NF_IP_PRI_NAT_DST = -100, | 61 | NF_IP_PRI_NAT_DST = -100, |
62 | NF_IP_PRI_FILTER = 0, | 62 | NF_IP_PRI_FILTER = 0, |
63 | NF_IP_PRI_SECURITY = 50, | ||
63 | NF_IP_PRI_NAT_SRC = 100, | 64 | NF_IP_PRI_NAT_SRC = 100, |
64 | NF_IP_PRI_SELINUX_LAST = 225, | 65 | NF_IP_PRI_SELINUX_LAST = 225, |
65 | NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, | 66 | NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX, |
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 34ee348a2cf2..6ef90b5fafb3 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h | |||
@@ -36,6 +36,7 @@ struct netns_ipv4 { | |||
36 | struct xt_table *iptable_mangle; | 36 | struct xt_table *iptable_mangle; |
37 | struct xt_table *iptable_raw; | 37 | struct xt_table *iptable_raw; |
38 | struct xt_table *arptable_filter; | 38 | struct xt_table *arptable_filter; |
39 | struct xt_table *iptable_security; | ||
39 | #endif | 40 | #endif |
40 | 41 | ||
41 | int sysctl_icmp_echo_ignore_all; | 42 | int sysctl_icmp_echo_ignore_all; |