From 560ee653b67074b805f1b661988a72a0e58811a5 Mon Sep 17 00:00:00 2001 From: James Morris Date: Mon, 9 Jun 2008 15:57:24 -0700 Subject: netfilter: ip_tables: add iptables security table for mandatory access control rules The following patch implements a new "security" table for iptables, so that MAC (SELinux etc.) networking rules can be managed separately to standard DAC rules. This is to help with distro integration of the new secmark-based network controls, per various previous discussions. The need for a separate table arises from the fact that existing tools and usage of iptables will likely clash with centralized MAC policy management. The SECMARK and CONNSECMARK targets will still be valid in the mangle table to prevent breakage of existing users. Signed-off-by: James Morris Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/net/netns/ipv4.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net/netns/ipv4.h') diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 34ee348a2cf..6ef90b5fafb 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -36,6 +36,7 @@ struct netns_ipv4 { struct xt_table *iptable_mangle; struct xt_table *iptable_raw; struct xt_table *arptable_filter; + struct xt_table *iptable_security; #endif int sysctl_icmp_echo_ignore_all; -- cgit v1.2.3 From 39a23e75087ce815abbddbd565b9a2e567ac47da Mon Sep 17 00:00:00 2001 From: "Denis V. Lunev" Date: Sat, 5 Jul 2008 19:02:33 -0700 Subject: netns: register net.ipv4.route.flush in each namespace Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller --- include/net/netns/ipv4.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net/netns/ipv4.h') diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 6ef90b5fafb..a29adf1ba0f 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -18,6 +18,7 @@ struct netns_ipv4 { struct ctl_table_header *forw_hdr; struct ctl_table_header *frags_hdr; struct ctl_table_header *ipv4_hdr; + struct ctl_table_header *route_hdr; #endif struct ipv4_devconf *devconf_all; struct ipv4_devconf *devconf_dflt; -- cgit v1.2.3 From 9f5e97e53675caeda48e9988122a30470f4d309d Mon Sep 17 00:00:00 2001 From: "Denis V. Lunev" Date: Sat, 5 Jul 2008 19:02:59 -0700 Subject: netns: make rt_secret_rebuild timer per namespace Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller --- include/net/netns/ipv4.h | 2 ++ 1 file changed, 2 insertions(+) (limited to 'include/net/netns/ipv4.h') diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index a29adf1ba0f..356617f81be 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -46,5 +46,7 @@ struct netns_ipv4 { int sysctl_icmp_ratelimit; int sysctl_icmp_ratemask; int sysctl_icmp_errors_use_inbound_ifaddr; + + struct timer_list rt_secret_timer; }; #endif -- cgit v1.2.3 From e84f84f276473dcc673f360e8ff3203148bdf0e2 Mon Sep 17 00:00:00 2001 From: "Denis V. Lunev" Date: Sat, 5 Jul 2008 19:04:32 -0700 Subject: netns: place rt_genid into struct net Signed-off-by: Denis V. Lunev Signed-off-by: David S. Miller --- include/net/netns/ipv4.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include/net/netns/ipv4.h') diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 356617f81be..a6ed83853dc 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h @@ -48,5 +48,6 @@ struct netns_ipv4 { int sysctl_icmp_errors_use_inbound_ifaddr; struct timer_list rt_secret_timer; + atomic_t rt_genid; }; #endif -- cgit v1.2.3