The following patches add a new ip[6]tables "security" table, for use with mandatory access control (MAC) security schemes.

This follows on from an RFC post earlier in the year:
http://thread.gmane.org/gmane.linux.redhat.fedora.selinux/8490

In a nutshell, the need for this arises from the fact that MAC labeling rules utilizing iptables via SECMARK and CONNSECMARK are not subject to discretionary security policy (i.e. not even "root" or a user with CAP_NET_ADMIN may be able to modify these rules).

So, a separate table is proposed here to allow these administrative security domains to be separated, and specifically to assist with distro integration.

Patches for IPv4 and IPv6 follow.

Please review and consider for 2.6.27.

- James
--
James Morris
<jmorris@xxxxxxxxx>