Index: sys/security/mac_ipacl/notes.txt =================================================================== --- sys/security/mac_ipacl/notes.txt +++ sys/security/mac_ipacl/notes.txt @@ -3,7 +3,8 @@ IP Address access control policy 1. mac_ipacl allows the root of the host to limit the VNET jail's privileges - of setting IPv4 and IPv6 addresses via sysctl(8) interface. + of setting IPv4 and IPv6 addresses via sysctl(8) interface. So, the host + can define rules for jails and their interfaces about IP addresses. 2. Its default behaviour is to deny all IP addresses if policy is enforced and allow/deny IP(or subnets) according to rules specified with sysctl @@ -25,15 +26,16 @@ left empty(ie, NULL) then it is a wildcard to enforce rule for all interfaces. - address_family: Address family of the IP_addr. give input string as AF_INET - or AF_INET6 only + address_family: Address family of the IP_addr. give input as AF_INET + or AF_INET6 string only IP_addr: IP address(or subnet) to be allowed/deny. Action depend on the prefix length prefix_length: Prefix length of the subnet to be enforced by the policy. - -1 impleis the policy is enforced for indivisual IP address. - + -1 implies the policy is enforced for individual IP address. + For non-negative value, a range of IP address(present in subnet) + which calculated as subnet = IP_addr & mask 3. Example- a.) sysctl security.mac.ipacl.ipv4=1 
@@ -55,7 +57,15 @@ It allow IPv4 in the subnet 198.51.100.0/24 for jail 2 and all interfaces. It allow IPv6 address in the subnet fc00::/7 but deny the subnet fc00::1111:2200/120, and allow individual IP fc00::1111:2299 from the denied subnet for all interfaces in the jail 2 -5. To discuss on using the test scripts + +4. Using the test scripts: + a.) + Test scripts are not completely automatic :( So, the user has to create + edit the scripts to enter the jid of the test jails and interface. + After editing the scripts run make && make install, which then install + the scripts in /usr/tests/sys/mac/ipacl. + you may also need to create that directory if it gives error. + 6. To discuss the limitation of the module and point to be kept in mind while using it. a.) @@ -63,6 +73,10 @@ there for a IP(or a set of IP), result depend on final rule. b.) +7. Future Works + a.) + rules are given with sysctl interface which gets very complex to give them all in + command line. It has to be simplified with a better way to input those rules. -------------------------------------
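Review bot: In the first hunk (@@ -3,7 +3,8 @@), the added prefix_length sentence "For non-negative value, a range of IP address(present in subnet) / which calculated as subnet = IP_addr & mask" is ungrammatical and uses "mask" without saying where it comes from; suggest "For a non-negative value the rule covers the whole subnet, computed as subnet = IP_addr & mask, where mask is the netmask derived from prefix_length." The new summary sentence "So, the host can define rules for jails and their interfaces about IP addresses." would also read better as "The host can thus define per-jail, per-interface rules about which IP addresses a VNET jail may set."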
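Review bot: In the second hunk (@@ -55,7 +57,15 @@), the section numbering is left inconsistent: the removed line was "5. To discuss on using the test scripts", the replacement is headed "4. Using the test scripts:", and the next section is still "6. To discuss the limitation of the module ...", so there is no section 5 and section 3 ("Example") is followed by a second 4; renumber so the sequence runs without a gap. Also in the added text: "the user has to create / edit the scripts" should be "the user has to edit the scripts", the ":(" smiley should go, "which then install / the scripts" should be "which installs the scripts", and "you may also need to create that directory if it gives error" should name the directory (/usr/tests/sys/mac/ipacl) and which variables in the scripts take the jid and interface name, so a user can follow it without reading the scripts first.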
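Review bot: In the third hunk (@@ -63,6 +73,10 @@), the "7. Future Works" item "rules are given with sysctl interface which gets very complex to give them all in / command line. It has to be simplified with a better way to input those rules." starts in lower case and is hard to parse; suggest "Rules are currently entered through the sysctl interface, which becomes unwieldy when many rules have to be given on the command line. A simpler way to input rule sets (e.g. from a file) is needed." Keep the same "a.)" sub-item style as the surrounding sections.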