Loopback communication should be allowed only for multicast address range.
In that case, iptables will set the packet's secmark to the 'System' label to avoid
a Smack deny.
Current -r option is for ipv4. ip6table will be updated on ExecStartPost.
* IPv4
- '224.0.1.187', IPv4 multicast address for "All CoAP Nodes"
* IPv6
- 'ff02::', IPv6 multicast address for "All CoAP Nodes", link-local scope
- 'fe80::ae5a:14ff:fe0e:b2c0', This is only for iotcon provisioning, but
should be removed.
Change-Id: Ic57d2205f8bb20ece23de4fe48db9d2cbad43ea8
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
INSTALL(FILES file.policy DESTINATION ${SYSCONF_INSTALL_DIR}/nether)
INSTALL(FILES cynara.policy DESTINATION ${SYSCONF_INSTALL_DIR}/nether)
INSTALL(FILES nether.rules DESTINATION ${SYSCONF_INSTALL_DIR}/nether)
+INSTALL(FILES nether_ipv6.rules DESTINATION ${SYSCONF_INSTALL_DIR}/nether)
INSTALL(FILES systemd/nether.service DESTINATION ${SYSTEMD_UNIT_DIR})
INSTALL(FILES systemd/nether.service DESTINATION ${SYSTEMD_UNIT_DIR}/multi-user.target.wants)
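Review bot: The new install line copies the surrounding legacy style — uppercase command name and an unquoted `${SYSCONF_INSTALL_DIR}` expansion that would split into several arguments if the cache value ever contained a semicolon or space; modern CMake convention is `install(FILES nether_ipv6.rules DESTINATION "${SYSCONF_INSTALL_DIR}/nether")`. Since the sibling lines use the same form, this is only worth fixing if the file is being modernised as a whole, otherwise consistency wins. Default `install(FILES)` permissions (0644) are appropriate here: the rules file is read by the unprivileged `security_fw` user at service start, and it carries no secret.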
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [816152:74580343]
:POSTROUTING ACCEPT [824147:75308906]
+# ipv4 multicase address for "All CoAP Nodes"
+-A INPUT -d 224.0.1.187 -j SECMARK --selctx System
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
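Review bot: The added INPUT rule relabels every packet addressed to 224.0.1.187 as `System`, whichever interface it arrived on, although the commit description states the intent as permitting loopback traffic to the multicast range only; as written, any host on the network can have its multicast datagrams carry the System secmark and so bypass the Smack network checks that the secmark is meant to satisfy. Matching the interface would confine the exception to what the description asks for: `-A INPUT -i lo -d 224.0.1.187 -j SECMARK --selctx System`; if CoAP is the only consumer, restricting further to its UDP port is worth considering, but that depends on what the local stack actually listens on. Also, the comment above the rule has a typo — `multicase` should read `multicast`. The chain-policy lines keep live packet/byte counters from a dump; `iptables-restore` ignores them unless `-c` is given, so they are harmless but misleading and could be reset to `[0:0]`.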
--- /dev/null
+#
+# Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+#
+# Contact: Roman Kubiak (r.kubiak@samsung.com)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License
+#
+
+# nether iptables rules
+*mangle
+:PREROUTING ACCEPT [1008811:2134498122]
+:INPUT ACCEPT [948545:2129919738]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [816152:74580343]
+:POSTROUTING ACCEPT [824147:75308906]
+# ipv6 multicase address for "All CoAP Nodes": Link-Local scope
+-A INPUT -d ff02::158 -j SECMARK --selctx System
+# TODO: RULE FOR IOTCON PROVISIONING SHOULD BE REMOVED
+-A INPUT -d fe80::ae5a:14ff:fe0e:b2c0 -j SECMARK --selctx System
+COMMIT
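Review bot: The second rule hard-codes a single device's link-local address (`fe80::ae5a:14ff:fe0e:b2c0`, which embeds a MAC-derived interface identifier) into a packaged, system-wide policy file, and link-local source/destination addresses are trivially forged by any node on the same segment, so this grants the `System` secmark on a host-identity basis that cannot be verified; the TODO already says it must go, and it should not ship in the package as-is (at minimum move it to a separately installed, non-default file). As in nether.rules, neither rule is bound to an interface, whereas the description limits the exception to loopback — `-A INPUT -i lo -d ff02::158 -j SECMARK --selctx System` matches the stated intent. The address itself differs from the description (`ff02::` there, `ff02::158` here), and RFC 7252 allocates `ff0x::fd` for "All CoAP Nodes", so confirm which group the CoAP stack in use actually joins and document that in the comment. Same typo as the IPv4 file: `multicase` → `multicast`, and the chain-policy counters could be `[0:0]`.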
[Service]
Type=simple
ExecStart=/usr/local/bin/nether -d -l JOURNAL -P policy=/etc/nether/cynara.policy -B /etc/nether/file.policy -r /etc/nether/nether.rules
+ExecStartPost=/usr/sbin/ip6tables-restore /etc/nether/nether_ipv6.rules
Restart=on-failure
ExecReload=/bin/kill -HUP $MAINPID
+User=security_fw
+Group=security_fw
+SecureBits=keep-caps
+Capabilities=cap_net_admin,cap_net_raw=eip
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+SmackProcessLabel=System
[Install]
WantedBy=multi-user.target
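Review bot: `ExecStartPost=/usr/sbin/ip6tables-restore /etc/nether/nether_ipv6.rules` replaces the whole IPv6 mangle table, including chain policies, with the file's contents on every start, so any mangle rules another component has installed are silently dropped; if that table is not owned exclusively by nether, pass `-n` (`--noflush`) so only the listed rules are appended, and either way a comment in the unit should state which it is. The same applies to the `ExecStartPost` line in the nether.service.in hunk below. Note also that `ExecReload=/bin/kill -HUP $MAINPID` re-reads only what the daemon itself handles (the IPv4 rules passed via `-r`), so an edited nether_ipv6.rules takes effect on restart, not reload — worth stating next to the line. `Capabilities=` together with `SecureBits=keep-caps` is the legacy way to hand `CAP_NET_ADMIN`/`CAP_NET_RAW` to a non-root service; on systemd versions that support it, `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` expresses the same thing without relying on the daemon to retain the capabilities itself.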
[Service]
Type=simple
ExecStart=${CMAKE_INSTALL_PREFIX}/bin/nether -l JOURNAL -P policy=${SYSCONF_INSTALL_DIR}/nether/cynara.policy -B ${SYSCONF_INSTALL_DIR}/nether/file.policy -r ${SYSCONF_INSTALL_DIR}/nether/nether.rules
+ExecStartPost=${SBIN_INSTALL_DIR}/ip6tables-restore ${SYSCONF_INSTALL_DIR}/nether/nether_ipv6.rules
Restart=on-failure
ExecReload=/bin/kill -HUP $MAINPID
User=security_fw
%dir %{_sysconfdir}/nether
%config %{_sysconfdir}/nether/file.policy
%config %{_sysconfdir}/nether/nether.rules
+%config %{_sysconfdir}/nether/nether_ipv6.rules
%config %{_sysconfdir}/nether/cynara.policy
%{_unitdir}/nether.service
%{_unitdir}/multi-user.target.wants/nether.service
-DCMAKE_BUILD_TYPE=%{build_type} \
-DSYSTEMD_UNIT_DIR=%{_unitdir} \
-DBIN_INSTALL_DIR=%{_bindir} \
+ -DSBIN_INSTALL_DIR=%{_sbindir} \
-DSYSCONF_INSTALL_DIR=%{_sysconfdir}
make %{?_smp_mflags}