diff options
| author | James Morris <jmorris@namei.org> | 2008-06-09 18:57:24 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-06-09 18:57:24 -0400 |
| commit | 560ee653b67074b805f1b661988a72a0e58811a5 (patch) | |
| tree | e480158d626854dde7421d87e76b1fa6443c457f /net/netfilter | |
| parent | a258860e01b80e8f554a4ab1a6c95e6042eb8b73 (diff) | |
netfilter: ip_tables: add iptables security table for mandatory access control rules
The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.
This is to help with distro integration of the new secmark-based
network controls, per various previous discussions.
The need for a separate table arises from the fact that existing tools
and usage of iptables will likely clash with centralized MAC policy
management.
The SECMARK and CONNSECMARK targets will still be valid in the mangle
table to prevent breakage of existing users.
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/xt_CONNSECMARK.c | 10 | ||||
| -rw-r--r-- | net/netfilter/xt_SECMARK.c | 10 |
2 files changed, 14 insertions, 6 deletions
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index 211189eb2b67..76ca1f2421eb 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c | |||
| @@ -8,7 +8,7 @@ | |||
| 8 | * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> | 8 | * Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com> |
| 9 | * by Henrik Nordstrom <hno@marasystems.com> | 9 | * by Henrik Nordstrom <hno@marasystems.com> |
| 10 | * | 10 | * |
| 11 | * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> | 11 | * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> |
| 12 | * | 12 | * |
| 13 | * This program is free software; you can redistribute it and/or modify | 13 | * This program is free software; you can redistribute it and/or modify |
| 14 | * it under the terms of the GNU General Public License version 2 as | 14 | * it under the terms of the GNU General Public License version 2 as |
| @@ -94,6 +94,12 @@ connsecmark_tg_check(const char *tablename, const void *entry, | |||
| 94 | { | 94 | { |
| 95 | const struct xt_connsecmark_target_info *info = targinfo; | 95 | const struct xt_connsecmark_target_info *info = targinfo; |
| 96 | 96 | ||
| 97 | if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) { | ||
| 98 | printk(KERN_INFO PFX "target only valid in the \'mangle\' " | ||
| 99 | "or \'security\' tables, not \'%s\'.\n", tablename); | ||
| 100 | return false; | ||
| 101 | } | ||
| 102 | |||
| 97 | switch (info->mode) { | 103 | switch (info->mode) { |
| 98 | case CONNSECMARK_SAVE: | 104 | case CONNSECMARK_SAVE: |
| 99 | case CONNSECMARK_RESTORE: | 105 | case CONNSECMARK_RESTORE: |
| @@ -126,7 +132,6 @@ static struct xt_target connsecmark_tg_reg[] __read_mostly = { | |||
| 126 | .destroy = connsecmark_tg_destroy, | 132 | .destroy = connsecmark_tg_destroy, |
| 127 | .target = connsecmark_tg, | 133 | .target = connsecmark_tg, |
| 128 | .targetsize = sizeof(struct xt_connsecmark_target_info), | 134 | .targetsize = sizeof(struct xt_connsecmark_target_info), |
| 129 | .table = "mangle", | ||
| 130 | .me = THIS_MODULE, | 135 | .me = THIS_MODULE, |
| 131 | }, | 136 | }, |
| 132 | { | 137 | { |
| @@ -136,7 +141,6 @@ static struct xt_target connsecmark_tg_reg[] __read_mostly = { | |||
| 136 | .destroy = connsecmark_tg_destroy, | 141 | .destroy = connsecmark_tg_destroy, |
| 137 | .target = connsecmark_tg, | 142 | .target = connsecmark_tg, |
| 138 | .targetsize = sizeof(struct xt_connsecmark_target_info), | 143 | .targetsize = sizeof(struct xt_connsecmark_target_info), |
| 139 | .table = "mangle", | ||
| 140 | .me = THIS_MODULE, | 144 | .me = THIS_MODULE, |
| 141 | }, | 145 | }, |
| 142 | }; | 146 | }; |
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index c0284856ccd4..94f87ee7552b 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c | |||
| @@ -5,7 +5,7 @@ | |||
| 5 | * Based on the nfmark match by: | 5 | * Based on the nfmark match by: |
| 6 | * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> | 6 | * (C) 1999-2001 Marc Boucher <marc@mbsi.ca> |
| 7 | * | 7 | * |
| 8 | * (C) 2006 Red Hat, Inc., James Morris <jmorris@redhat.com> | 8 | * (C) 2006,2008 Red Hat, Inc., James Morris <jmorris@redhat.com> |
| 9 | * | 9 | * |
| 10 | * This program is free software; you can redistribute it and/or modify | 10 | * This program is free software; you can redistribute it and/or modify |
| 11 | * it under the terms of the GNU General Public License version 2 as | 11 | * it under the terms of the GNU General Public License version 2 as |
| @@ -89,6 +89,12 @@ secmark_tg_check(const char *tablename, const void *entry, | |||
| 89 | { | 89 | { |
| 90 | struct xt_secmark_target_info *info = targinfo; | 90 | struct xt_secmark_target_info *info = targinfo; |
| 91 | 91 | ||
| 92 | if (strcmp(tablename, "mangle") && strcmp(tablename, "security")) { | ||
| 93 | printk(KERN_INFO PFX "target only valid in the \'mangle\' " | ||
| 94 | "or \'security\' tables, not \'%s\'.\n", tablename); | ||
| 95 | return false; | ||
| 96 | } | ||
| 97 | |||
| 92 | if (mode && mode != info->mode) { | 98 | if (mode && mode != info->mode) { |
| 93 | printk(KERN_INFO PFX "mode already set to %hu cannot mix with " | 99 | printk(KERN_INFO PFX "mode already set to %hu cannot mix with " |
| 94 | "rules for mode %hu\n", mode, info->mode); | 100 | "rules for mode %hu\n", mode, info->mode); |
| @@ -127,7 +133,6 @@ static struct xt_target secmark_tg_reg[] __read_mostly = { | |||
| 127 | .destroy = secmark_tg_destroy, | 133 | .destroy = secmark_tg_destroy, |
| 128 | .target = secmark_tg, | 134 | .target = secmark_tg, |
| 129 | .targetsize = sizeof(struct xt_secmark_target_info), | 135 | .targetsize = sizeof(struct xt_secmark_target_info), |
| 130 | .table = "mangle", | ||
| 131 | .me = THIS_MODULE, | 136 | .me = THIS_MODULE, |
| 132 | }, | 137 | }, |
| 133 | { | 138 | { |
| @@ -137,7 +142,6 @@ static struct xt_target secmark_tg_reg[] __read_mostly = { | |||
| 137 | .destroy = secmark_tg_destroy, | 142 | .destroy = secmark_tg_destroy, |
| 138 | .target = secmark_tg, | 143 | .target = secmark_tg, |
| 139 | .targetsize = sizeof(struct xt_secmark_target_info), | 144 | .targetsize = sizeof(struct xt_secmark_target_info), |
| 140 | .table = "mangle", | ||
| 141 | .me = THIS_MODULE, | 145 | .me = THIS_MODULE, |
| 142 | }, | 146 | }, |
| 143 | }; | 147 | }; |