netfilter: ip_tables: add iptables security table for mandatory access control rules
author James Morris <jmorris@namei.org>
Mon, 9 Jun 2008 22:57:24 +0000 (15:57 -0700)
committer David S. Miller <davem@davemloft.net>
Mon, 9 Jun 2008 22:57:24 +0000 (15:57 -0700)
commit 560ee653b67074b805f1b661988a72a0e58811a5
tree e480158d626854dde7421d87e76b1fa6443c457f
parent a258860e01b80e8f554a4ab1a6c95e6042eb8b73
netfilter: ip_tables: add iptables security table for mandatory access control rules

The following patch implements a new "security" table for iptables, so
that MAC (SELinux etc.) networking rules can be managed separately to
standard DAC rules.

This is to help with distro integration of the new secmark-based
network controls, per various previous discussions.

The need for a separate table arises from the fact that existing tools
and usage of iptables will likely clash with centralized MAC policy
management.

The SECMARK and CONNSECMARK targets will still be valid in the mangle
table to prevent breakage of existing users.

Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/netfilter_ipv4.h
include/net/netns/ipv4.h
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/iptable_security.c [new file with mode: 0644]
net/netfilter/xt_CONNSECMARK.c
net/netfilter/xt_SECMARK.c
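As an added example, not part of this commit or the kernel tree, the fragment below shows what "managed separately" looks like from a distro rule loader's side: MAC rules are emitted for the new security table when the running kernel registers it, and fall back to mangle, where the commit keeps SECMARK and CONNSECMARK valid. The SELinux packet label and the optional names-file parameter are assumptions made for the example.

```shell
#!/bin/sh
# Choose the table that should hold SECMARK/CONNSECMARK rules.
# Kernels with iptable_security loaded list "security" in
# /proc/net/ip_tables_names; older kernels only offer mangle.
# $1 optionally overrides the names file so the selection logic
# can be exercised without root or a live netfilter stack.
secmark_table() {
    names="${1:-/proc/net/ip_tables_names}"
    if [ -r "$names" ] && grep -qx security "$names"; then
        echo security
    else
        echo mangle
    fi
}

# Emit the MAC rule set in iptables-restore format for the chosen table.
# The SELinux label below is a constructed example; a real deployment
# uses the packet types defined by its own policy.
mac_rules() {
    tbl="$1"
    cat <<EOF
*$tbl
-A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
-A INPUT -p tcp --dport 80 -j SECMARK --selctx system_u:object_r:http_packet_t:s0
-A INPUT -m state --state NEW -j CONNSECMARK --save
-A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
COMMIT
EOF
}

# Usage (root, with iptable_security or iptable_mangle loaded):
#   mac_rules "$(secmark_table)" | iptables-restore --noflush
```

Keeping the DAC filter rules in a separate restore file means a packet-filter reload never touches the labelling rules, and vice versa.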