Merge "Modify iptables policy for policing all protocols, not only TCP" into tizen

author Piotr Sawicki <p.sawicki2@partner.samsung.com>

Fri, 26 May 2017 13:28:50 +0000 (13:28 +0000)

committer Gerrit Code Review <gerrit@review.ap-northeast-2.compute.internal>

Fri, 26 May 2017 13:28:50 +0000 (13:28 +0000)
author Piotr Sawicki <p.sawicki2@partner.samsung.com>
Fri, 26 May 2017 13:28:50 +0000 (13:28 +0000)
committer Gerrit Code Review <gerrit@review.ap-northeast-2.compute.internal>
Fri, 26 May 2017 13:28:50 +0000 (13:28 +0000)
diff --cc conf/nether.rules

index ad939b9,b49d361..da7bd7e
--- 1/conf/nether.rules
--- 2/conf/nether.rules
+++ b/conf/nether.rules
@@@ -18,21 -18,21 +18,21 @@@
   
   # nether iptables rules
   *mangle
- -:PREROUTING ACCEPT [1008811:2134498122]
- -:INPUT ACCEPT [948545:2129919738]
- -:FORWARD ACCEPT [0:0]
- -:OUTPUT ACCEPT [816152:74580343]
- -:POSTROUTING ACCEPT [824147:75308906]
- --A INPUT -j SECMARK --selctx System
+ +:PREROUTING ACCEPT
+ +:INPUT ACCEPT
+ +:FORWARD ACCEPT
+ +:OUTPUT ACCEPT
+ +:POSTROUTING ACCEPT
+ +-A INPUT ! -i lo -j SECMARK --selctx System
   -A OUTPUT -o lo -j ACCEPT
- -A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass
+ -A OUTPUT -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
   COMMIT
   *filter
- -:INPUT ACCEPT [927054:2081201095]
- -:FORWARD ACCEPT [0:0]
- -:OUTPUT ACCEPT [805408:74228055]
- -:NETHER-ALLOWLOG - [0:0]
- -:NETHER-DENY - [0:0]
+ +:INPUT ACCEPT
+ +:FORWARD ACCEPT
+ +:OUTPUT ACCEPT
+ +:NETHER-ALLOWLOG -
+ +:NETHER-DENY -
   -A OUTPUT -o lo -j ACCEPT
   -A OUTPUT -m mark --mark 0x3 -j NETHER-DENY
   -A OUTPUT -m mark --mark 0x4 -j NETHER-ALLOWLOG
author	Piotr Sawicki <p.sawicki2@partner.samsung.com>
	Fri, 26 May 2017 13:28:50 +0000 (13:28 +0000)
committer	Gerrit Code Review <gerrit@review.ap-northeast-2.compute.internal>
	Fri, 26 May 2017 13:28:50 +0000 (13:28 +0000)