* [RFC] IPv4 Netfilter hook priorities for SELinux
  2004-01-06 16:01 James Morris
  2004-01-06 19:13 ` Harald Welte

From: James Morris @ 2004-01-06 16:01 UTC (permalink / raw)
To: netdev; +Cc: netfilter-devel, David S. Miller, Stephen Smalley

SELinux needs to use some Netfilter hooks, and I'd like to propose the hook
priorities below for the mainline kernel.

As SELinux is a mandatory access control system, it needs to be able to look
at packets before and after they may have been modified. Two priorities are
thus required.

The SELINUX_LAST priority is straightforward: this is after all mangling and
NAT have occurred.

The SELINUX_FIRST priority needs to be located before any packet modification
hooks, although it is also potentially useful if located prior to conntrack so
that SELinux has an opportunity to reject packets before they enter the
conntrack code.

Does anyone have any objections to the patch below (which I'd propose for
2.6.2), or other comments?

- James

--
James Morris <jmorris@redhat.com>

diff -urN -X dontdiff linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h --- linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h 2003-09-27 20:50:51.000000000 -0400 +++ linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h 2004-01-06 10:14:59.503138800 -0500 @@ -51,6 +51,7 @@ enum nf_ip_hook_priorities { NF_IP_PRI_FIRST = INT_MIN, + NF_IP_PRI_SELINUX_FIRST = -225, NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175, NF_IP_PRI_MANGLE = -150, @@ -58,6 +59,7 @@ NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT = -50, NF_IP_PRI_FILTER = 0, NF_IP_PRI_NAT_SRC = 100, + NF_IP_PRI_SELINUX_LAST = 225, NF_IP_PRI_LAST = INT_MAX, };
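Review bot: in the first hunk (@@ -51,6 +51,7 @@) the new NF_IP_PRI_SELINUX_FIRST = -225 line sits between NF_IP_PRI_FIRST = INT_MIN and NF_IP_PRI_CONNTRACK = -200 without a comment, so nothing in the header records why it has to stay numerically below -200. Since the cover text says the whole point is to inspect, and possibly reject, packets before conntrack and before any packet-modifying hook, a one-line comment beside the value such as `/* must run before conntrack and every mangling/NAT hook */` would stop a later reordering of the enum from silently breaking that requirement. It is also worth stating that a hook at this priority runs before conntrack has touched the skb at all, so whatever SELinux registers here cannot rely on connection state.

Review bot: in the second hunk (@@ -58,6 +59,7 @@) NF_IP_PRI_SELINUX_LAST = 225 is inserted after NF_IP_PRI_NAT_SRC = 100 and before NF_IP_PRI_LAST = INT_MAX, which matches the "after all mangling and NAT" requirement, but the value is only correct for as long as nobody adds a packet-modifying priority above 100 later on. A comment saying that this entry must remain greater than every mangle and NAT priority (the same invariant in the opposite direction from SELINUX_FIRST) would document that dependency where the next person editing the enum will see it.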
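The message above argues that two priorities are needed because a packet seen before conntrack and NAT is not the same packet seen afterwards, and that a hook at SELINUX_FIRST can reject a packet before conntrack ever runs. The following user-space C model is an added example, not code from this thread or from the kernel: it reproduces the priority-sorted hook chain that Netfilter walks (using the numeric values from the patch, plus NF_IP_PRI_NAT_DST from the surrounding enum), registers the hooks in a deliberately scrambled order, and shows that only the numeric priority determines what each hook observes. The `struct pkt`, the hook bodies and the address constants are constructed for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NF_DROP   0
#define NF_ACCEPT 1

/* Subset of the IPv4 priority enum, values as in the thread's patch. */
enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST         = INT_MIN,
    NF_IP_PRI_SELINUX_FIRST = -225,   /* added by the patch */
    NF_IP_PRI_CONNTRACK     = -200,
    NF_IP_PRI_MANGLE        = -150,
    NF_IP_PRI_NAT_DST       = -100,
    NF_IP_PRI_FILTER        = 0,
    NF_IP_PRI_NAT_SRC       = 100,
    NF_IP_PRI_SELINUX_LAST  = 225,    /* added by the patch */
    NF_IP_PRI_LAST          = INT_MAX,
};

/* Constructed, minimal packet: only the field the hooks look at. */
struct pkt { uint32_t saddr; };

typedef unsigned int (*hookfn_t)(struct pkt *p);
struct hook_ops { int priority; hookfn_t fn; };

#define MAX_HOOKS 8
static struct hook_ops chain[MAX_HOOKS];
static int nhooks;

/* Insert keeping the chain sorted by ascending priority, as Netfilter does:
 * registration order is irrelevant, only the priority value matters. */
static int register_hook(int priority, hookfn_t fn)
{
    int i;
    if (nhooks == MAX_HOOKS)
        return -1;
    for (i = nhooks; i > 0 && chain[i - 1].priority > priority; i--)
        chain[i] = chain[i - 1];
    chain[i].priority = priority;
    chain[i].fn = fn;
    nhooks++;
    return 0;
}

/* Walk the chain in priority order; an NF_DROP verdict stops the walk, so
 * later hooks (conntrack included) never see a dropped packet. */
static unsigned int traverse(struct pkt *p)
{
    for (int i = 0; i < nhooks; i++)
        if (chain[i].fn(p) == NF_DROP)
            return NF_DROP;
    return NF_ACCEPT;
}

/* What each hook observed on the last run (constructed instrumentation). */
static uint32_t saddr_seen_first, saddr_seen_last;
static int conntrack_calls;

#define ORIG_SRC   0x0A000001u  /* 10.0.0.1, constructed */
#define BANNED_SRC 0x0A0000FFu  /* 10.0.0.255, constructed policy deny */
#define SNAT_SRC   0xC0A80101u  /* 192.168.1.1, constructed SNAT result */

/* Hypothetical hooks standing in for SELinux, conntrack and SNAT. */
static unsigned int selinux_first(struct pkt *p)
{
    saddr_seen_first = p->saddr;                 /* pre-modification view */
    return p->saddr == BANNED_SRC ? NF_DROP : NF_ACCEPT;
}
static unsigned int conntrack(struct pkt *p) { (void)p; conntrack_calls++; return NF_ACCEPT; }
static unsigned int snat(struct pkt *p)      { p->saddr = SNAT_SRC; return NF_ACCEPT; }
static unsigned int selinux_last(struct pkt *p)
{
    saddr_seen_last = p->saddr;                  /* post-NAT view */
    return NF_ACCEPT;
}

/* Run one packet through a freshly built chain; returns the verdict. */
unsigned int run_packet(uint32_t saddr)
{
    struct pkt p = { saddr };
    nhooks = 0;
    /* deliberately scrambled registration order */
    register_hook(NF_IP_PRI_NAT_SRC, snat);
    register_hook(NF_IP_PRI_SELINUX_LAST, selinux_last);
    register_hook(NF_IP_PRI_CONNTRACK, conntrack);
    register_hook(NF_IP_PRI_SELINUX_FIRST, selinux_first);
    saddr_seen_first = saddr_seen_last = 0;
    conntrack_calls = 0;
    return traverse(&p);
}

int main(void)
{
    unsigned int v = run_packet(ORIG_SRC);
    printf("normal: verdict=%u first saw %08x, last saw %08x, conntrack ran %d\n",
           v, (unsigned)saddr_seen_first, (unsigned)saddr_seen_last, conntrack_calls);
    v = run_packet(BANNED_SRC);
    printf("banned: verdict=%u, conntrack ran %d\n", v, conntrack_calls);
    return 0;
}
```

The first run shows why one priority is not enough: the hook at -225 records the original source address while the hook at 225 records the translated one. The second run shows the other property the message asks for: a deny verdict at SELINUX_FIRST ends the traversal before the conntrack hook is called at all.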
* Re: [RFC] IPv4 Netfilter hook priorities for SELinux
  2004-01-06 19:13 Harald Welte
  2004-01-06 20:05 ` James Morris

From: Harald Welte @ 2004-01-06 19:13 UTC (permalink / raw)
To: James Morris; +Cc: netdev, netfilter-devel, David S. Miller, Stephen Smalley

On Tue, Jan 06, 2004 at 11:01:03AM -0500, James Morris wrote:
> Does anyone have any objections to the patch below (which I'd propose for
> 2.6.2), or other comments?

Thanks James, I am perfectly fine with your patch. Feel free to put
them into netfilter_arp.h and netfilter_ipv6.h, too.

> - James

--
- Harald Welte <laforge@netfilter.org>               http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                          -- Paul Vixie
* Re: [RFC] IPv4 Netfilter hook priorities for SELinux
  2004-01-06 20:05 James Morris
  2004-01-07  5:36 ` David S. Miller

From: James Morris @ 2004-01-06 20:05 UTC (permalink / raw)
To: Harald Welte; +Cc: netdev, netfilter-devel, David S. Miller, Stephen Smalley

On Tue, 6 Jan 2004, Harald Welte wrote:

> On Tue, Jan 06, 2004 at 11:01:03AM -0500, James Morris wrote:
>
> > Does anyone have any objections to the patch below (which I'd propose for
> > 2.6.2), or other comments?
>
> Thanks James, I am perfectly fine with your patch. Feel free to put
> them into netfilter_arp.h and netfilter_ipv6.h, too.

Ok, here is the patch with support for IPv4 and IPv6. I've not added
anything for ARP yet as SELinux does not have any ARP controls at this
stage (and probably won't in the near future).

Please apply.

- James

--
James Morris <jmorris@redhat.com>

diff -urN -X dontdiff linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h --- linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv4.h 2003-09-27 20:50:51.000000000 -0400 +++ linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv4.h 2004-01-06 10:14:59.000000000 -0500 @@ -51,6 +51,7 @@ enum nf_ip_hook_priorities { NF_IP_PRI_FIRST = INT_MIN, + NF_IP_PRI_SELINUX_FIRST = -225, NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_BRIDGE_SABOTAGE_FORWARD = -175, NF_IP_PRI_MANGLE = -150, @@ -58,6 +59,7 @@ NF_IP_PRI_BRIDGE_SABOTAGE_LOCAL_OUT = -50, NF_IP_PRI_FILTER = 0, NF_IP_PRI_NAT_SRC = 100, + NF_IP_PRI_SELINUX_LAST = 225, NF_IP_PRI_LAST = INT_MAX, }; diff -urN -X dontdiff linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv6.h linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv6.h --- linux-2.6.1-rc1-mm2.pending/include/linux/netfilter_ipv6.h 2003-09-27 20:50:51.000000000 -0400 +++ linux-2.6.1-rc1-mm2.w1/include/linux/netfilter_ipv6.h 2004-01-06 14:41:30.000000000 -0500
@@ -56,11 +56,13 @@ enum nf_ip6_hook_priorities { NF_IP6_PRI_FIRST = INT_MIN, + NF_IP6_PRI_SELINUX_FIRST = -225, NF_IP6_PRI_CONNTRACK = -200, NF_IP6_PRI_MANGLE = -150, NF_IP6_PRI_NAT_DST = -100, NF_IP6_PRI_FILTER = 0, NF_IP6_PRI_NAT_SRC = 100, + NF_IP6_PRI_SELINUX_LAST = 225, NF_IP6_PRI_LAST = INT_MAX, };
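Review bot: in the IPv6 hunk (@@ -56,11 +56,13 @@) the two added lines mirror the IPv4 values exactly, -225 ahead of NF_IP6_PRI_CONNTRACK = -200 and 225 behind NF_IP6_PRI_NAT_SRC = 100, and the 11-to-13 line count in the header agrees with the two `+` lines, so the ordering is consistent with the IPv4 change. What is missing is anything tying the two headers together: NF_IP_PRI_SELINUX_* and NF_IP6_PRI_SELINUX_* are now a matching pair of magic numbers maintained in two files. A short comment in each enum stating that the SELinux entries are meant to stay in lockstep with the other address family would save the next person from bumping one and not the other.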
* Re: [RFC] IPv4 Netfilter hook priorities for SELinux
  2004-01-07  5:36 David S. Miller

From: David S. Miller @ 2004-01-07 5:36 UTC (permalink / raw)
To: James Morris; +Cc: laforge, netdev, netfilter-devel, sds

On Tue, 6 Jan 2004 15:05:10 -0500 (EST)
James Morris <jmorris@redhat.com> wrote:

> Ok, here is the patch with support for IPv4 and IPv6. I've not added
> anything for ARP yet as SELinux does not have any ARP controls at this
> stage (and probably won't in the near future).
>
> Please apply.

Applied, thanks guys.