From: Piotr Sawicki
Date: Fri, 26 May 2017 13:28:50 +0000 (+0000)
Subject: Merge "Modify iptables policy for policing all protocols, not only TCP" into tizen
X-Git-Tag: submit/tizen/20170731.124137~11
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=3905eb8f1b620dc240c076e3d14a06937b43e0dd;p=platform%2Fcore%2Fsecurity%2Fnether.git
Merge "Modify iptables policy for policing all protocols, not only TCP" into tizen
--- 3905eb8f1b620dc240c076e3d14a06937b43e0dd
diff --cc conf/nether.rules
index ad939b9,b49d361..da7bd7e
--- a/conf/nether.rules
+++ b/conf/nether.rules
@@@ -18,21 -18,21 +18,21 @@@
# nether iptables rules
*mangle
-:PREROUTING ACCEPT [1008811:2134498122]
-:INPUT ACCEPT [948545:2129919738]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [816152:74580343]
-:POSTROUTING ACCEPT [824147:75308906]
--A INPUT -j SECMARK --selctx System
+:PREROUTING ACCEPT
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:POSTROUTING ACCEPT
+-A INPUT ! -i lo -j SECMARK --selctx System
-A OUTPUT -o lo -j ACCEPT
- -A OUTPUT -p tcp -m state --state NEW -j NFQUEUE --queue-num 0 --queue-bypass
+ -A OUTPUT -m conntrack --ctstate NEW ! --ctstatus CONFIRMED -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
*filter
-:INPUT ACCEPT [927054:2081201095]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [805408:74228055]
-:NETHER-ALLOWLOG - [0:0]
-:NETHER-DENY - [0:0]
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+:NETHER-ALLOWLOG -
+:NETHER-DENY -
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m mark --mark 0x3 -j NETHER-DENY
-A OUTPUT -m mark --mark 0x4 -j NETHER-ALLOWLOG
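Review bot: The new `*mangle` OUTPUT rule keeps `--queue-bypass`, so whenever nothing is bound to queue 0 (nether not yet started, crashed, or restarted after the rules were loaded) every new outbound flow — now for all protocols, not only TCP — skips the queue and falls through to the `:OUTPUT ACCEPT` policies, i.e. the policing fails open; that trade-off should be stated next to the rule, e.g. `# --queue-bypass: with no listener on queue 0 new flows are ACCEPTed (fail-open), not dropped`. `! --ctstatus CONFIRMED` narrows the match to the very first packet of a flow, so for connectionless protocols later datagrams of an already-confirmed entry are never queued and never carry a nether mark; this looks intended, since a dropped first packet leaves the entry unconfirmed and the next attempt is queued again, but a one-line comment such as `# only the first packet of each flow is queued; the verdict is per flow start` would spare the next reader that reasoning. The `-m mark --mark 0x3` / `--mark 0x4` matches in the filter OUTPUT chain compare the full 32-bit mark, so if any other component on the device sets mark bits the jumps to NETHER-DENY/NETHER-ALLOWLOG silently stop matching; I cannot tell from this hunk whether such a component exists, but masked matches (`--mark 0x3/0xff`) would make the rules robust to it.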