author | jooseong lee <jooseong.lee@samsung.com> | 2016-12-01 15:30:27 +0900 |
---|---|---|
committer | jooseong lee <jooseong.lee@samsung.com> | 2016-12-01 15:55:52 +0900 |
commit | 803258cee1d310d351d6a5becb70e781abfb595a (patch) | |
tree | 04607083b62106400f2223bb7d4efffa495990eb | |
parent | 4eee0042c064d875e955e571fd97ca185f454beb (diff) | |
Set all packet's secmark to 'System' label on input iptables
It is hard to change packet's secmark in specific IP scope
to avoid Smack denial. Nether provides access control for
input and output packet better than IP management.
Change-Id: I7a6da0d53c313a7987217d62fefb16ef2f0b8a0f
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
-rw-r--r-- | conf/nether.rules | 3 |
-rw-r--r-- | conf/nether_ipv6.rules | 5 |
2 files changed, 2 insertions, 6 deletions
diff --git a/conf/nether.rules b/conf/nether.rules index f5b3c93..71b6464 100644 --- a/conf/nether.rules +++ b/conf/nether.rules @@ -23,8 +23,7 @@ :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [816152:74580343] :POSTROUTING ACCEPT [824147:75308906] -# ipv4 multicase address for "All CoAP Nodes" --A INPUT -d 224.0.1.187 -j SECMARK --selctx System +-A INPUT -j SECMARK --selctx System -A OUTPUT -o lo -j ACCEPT -A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass COMMIT diff --git a/conf/nether_ipv6.rules b/conf/nether_ipv6.rules index 57a8900..cee3319 100644 --- a/conf/nether_ipv6.rules +++ b/conf/nether_ipv6.rules @@ -23,8 +23,5 @@ :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [816152:74580343] :POSTROUTING ACCEPT [824147:75308906] -# ipv6 multicase address for "All CoAP Nodes": Link-Local scope --A INPUT -d ff02::158 -j SECMARK --selctx System -# TODO: RULE FOR IOTCON PROVISIONING SHOULD BE REMOVED --A INPUT -d fe80::ae5a:14ff:fe0e:b2c0 -j SECMARK --selctx System +-A INPUT -j SECMARK --selctx System COMMIT |
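Review bot: the added `-A INPUT -j SECMARK --selctx System` in conf/nether.rules has no match criteria, so every inbound packet on every interface and protocol is now labelled System, where the removed rule limited the label to `-d 224.0.1.187`. The only queueing rule visible in this hunk is `-A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass`, which covers outbound new TCP connections only, so nothing shown here hands inbound traffic to Nether before it is labelled. The removed comment is not replaced; please add one above the new rule saying why blanket labelling is acceptable and where inbound access control is enforced, so the commit message's rationale is recorded next to the rule itself.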
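Review bot: in conf/nether_ipv6.rules the added `-A INPUT -j SECMARK --selctx System` is followed directly by `COMMIT`, and unlike the IPv4 file this hunk shows no `-A OUTPUT ... -j NFQUEUE` rule in the table. The commit message justifies the blanket System label by Nether's own access control, so please confirm that IPv6 traffic actually reaches Nether, or add the matching queue rule; otherwise the justification does not carry over to IPv6. Dropping the hard-coded `fe80::ae5a:14ff:fe0e:b2c0` rule resolves the TODO that sat above it, which is worth stating in the commit message since it is a separate change from the secmark widening.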