mirror of
git://git.code.sf.net/p/xtables-addons/xtables-addons
synced 2025-09-20 11:34:57 +02:00
9c4c76f9e2eb30c44b0bb788f104f06115c9ad74

This patch adds a module which is useful to users of grsecurity's RBAC system. It matches packets based on whether RBAC is enabled or disabled.

See: http://grsecurity.net/

Signed-off-by: Anthony G. Basile <basile@opensource.dyc.edu>

Jan Engelhardt> Also, I do not see a xt_gradm.c in this patch.

This [xt_gradm.c] is part of the grsecurity patch which not only adds the Xtables code, but also the RBAC code. Without the entire RBAC stuff, xt_gradm does not make sense and so it is included with the grsecurity patch to the kernel, and not this patch to Xtables-addons.

>Can you elaborate a bit on how this is useful in conjunction with
>rulesets? I could imagine it be used with LSM selctx'es for example,
>or another extension that tests for other RBAC attributes.

The idea here is that when the RBAC rulesets are not being enforced, the system is more vulnerable and the user wants stricter firewall rules. When RBAC is being enforced, one can relax the firewall and access to services which are now better protected. In practice this usually means allowing only access to some trusted IP(s) on boot before RBAC is turned on.
Xtables-addons
==============

Xtables-addons is the proclaimed successor to patch-o-matic(-ng). It contains extensions that were not accepted in the main Xtables package.

Xtables-addons is different from patch-o-matic in that you do not have to patch or recompile either kernel or Xtables (iptables). But please see the INSTALL file for the minimum requirements of this package.

All code imported from patch-o-matic has been reviewed and all apparent bugs like binary stability across multiarches, missing sanity checks and incorrect endianness handling have been fixed, simplified, and sped up.

Inclusion into a kernel tree
============================

External extensions
===================

The program "xa-download-more" can be used to download more extensions from 3rd parties into the source tree. The URLs are listed in the "sources" file. If the "sources" file contains an entry like

	http://foobar.org/xa/

xa-download-more will inspect http://foobar.org/xa/xa-index.txt for files to download. That file may contain

	foobar.tar.bz2

and xa-download-more will then retrieve and unpack http://foobar.org/xa/foobar.tar.bz2.

Files that should be contained in the tarball are an mconfig and Kbuild files to control building the extension, libxt_foobar.c for the userspace extension and xt_foobar.c for the kernel extension.

	mconfig.foobar
	extensions/Kbuild.foobar
	extensions/Mbuild.foobar
	extensions/libxt_foobar.c
	extensions/libxt_foobar.man
	extensions/xt_foobar.c
	extensions/xt_foobar.h
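Because xa-download-more unpacks third-party tarballs fetched over plain http into the source tree, it is worth checking an archive against the layout listed above before unpacking it. The following is an added example, not code from Xtables-addons or xa-download-more; the function names, the strict allowlist policy and the sample archives are assumptions made for illustration.

```python
import io
import tarfile

def expected_members(name):
    """File layout the README lists for an extension called `name`."""
    ext = [f"Kbuild.{name}", f"Mbuild.{name}", f"libxt_{name}.c",
           f"libxt_{name}.man", f"xt_{name}.c", f"xt_{name}.h"]
    return {f"mconfig.{name}"} | {f"extensions/{f}" for f in ext}

def audit_tarball(data, name):
    """Return a list of problems; an empty list means every member is expected.

    Assumption: a strict allowlist. The README says which files "should be
    contained"; treating anything else as an error is this example's policy.
    """
    allowed = expected_members(name)
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isdir() and m.name == "extensions":
                continue  # the directory entry itself is harmless
            if m.name.startswith("/") or ".." in m.name.split("/"):
                problems.append(f"path escapes source tree: {m.name}")
            elif not m.isfile():  # symlinks, hardlinks, devices, FIFOs
                problems.append(f"not a regular file: {m.name}")
            elif m.name not in allowed:
                problems.append(f"unexpected file: {m.name}")
    return problems

def build_sample(entries):
    """Pack constructed (name, type, linkname) tuples into an in-memory tar.bz2."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        for name, typ, link in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = typ, link
            body = b"/* constructed */\n" if typ == tarfile.REGTYPE else b""
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def sample(with_bad):
    """Constructed archive: the README layout, optionally plus three bad members."""
    entries = [(n, tarfile.REGTYPE, "") for n in sorted(expected_members("foobar"))]
    if with_bad:
        entries += [("../xt_foobar.c", tarfile.REGTYPE, ""),
                    ("extensions/xt_foobar.h", tarfile.SYMTYPE, "elsewhere"),
                    ("install.sh", tarfile.REGTYPE, "")]
    return build_sample(entries)
```

This check covers only member names and types; it does not establish where the archive came from, which needs a checksum or signature obtained over a trusted channel.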