Set all packet's secmark to 'System' label on input iptables
author: jooseong lee <jooseong.lee@samsung.com>
Thu, 1 Dec 2016 06:30:27 +0000 (15:30 +0900)
committer: jooseong lee <jooseong.lee@samsung.com>
Thu, 1 Dec 2016 06:55:52 +0000 (15:55 +0900)

It is hard to change a packet's secmark in a specific IP scope
to avoid Smack denial. Nether provides access control for
input and output packets better than IP management.

Change-Id: I7a6da0d53c313a7987217d62fefb16ef2f0b8a0f
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
conf/nether.rules
conf/nether_ipv6.rules

index f5b3c93..71b6464 100644 (file)
@@ -23,8 +23,7 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [816152:74580343]
 :POSTROUTING ACCEPT [824147:75308906]
-# ipv4 multicase address for "All CoAP Nodes"
--A INPUT -d 224.0.1.187 -j SECMARK --selctx System
+-A INPUT -j SECMARK --selctx System
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass
 COMMIT
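
Review bot: The new `-A INPUT -j SECMARK --selctx System` rule has no match criteria, so it labels every inbound packet on every interface and protocol as System, where the old rule was limited to the CoAP multicast destination 224.0.1.187. The only Nether hook visible in this hunk is on OUTPUT (`-p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass`), and `--queue-bypass` lets packets through when nothing is listening on queue 0, so the commit message's claim that Nether covers input is not backed by anything shown here. Please either point to the rule that queues inbound traffic or add one, and replace the deleted comment with a line explaining why a blanket System label on INPUT is acceptable.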
index 57a8900..cee3319 100644 (file)
@@ -23,8 +23,5 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [816152:74580343]
 :POSTROUTING ACCEPT [824147:75308906]
-# ipv6 multicase address for "All CoAP Nodes": Link-Local scope
--A INPUT -d ff02::158 -j SECMARK --selctx System
-# TODO: RULE FOR IOTCON PROVISIONING SHOULD BE REMOVED
--A INPUT -d fe80::ae5a:14ff:fe0e:b2c0 -j SECMARK --selctx System
+-A INPUT -j SECMARK --selctx System
 COMMIT
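
Review bot: In the IPv6 table the blanket `-A INPUT -j SECMARK --selctx System` is the only rule left between the chain policies and COMMIT, and unlike the IPv4 file this hunk shows no NFQUEUE rule at all, so no IPv6 traffic in this table is handed to Nether. If IPv6 filtering is meant to rely on Nether, add the corresponding NFQUEUE rule here or note in a comment where it lives. Dropping the hard-coded `fe80::ae5a:14ff:fe0e:b2c0` provisioning rule resolves its TODO, but the replacement rule deserves a comment stating the intent, since the two explanatory comments were removed with nothing in their place.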