HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)

compartments(4) compartments(4)
allow all other access to the network. Use it in conjunction with a general rule that grants all other traffic.
server      Applies to inbound traffic. If the protocol is tcp, it allows processes in this compartment to accept connections. For udp and raw, this rule applies to all inbound packets.
client      Applies to outbound traffic. If the protocol is tcp, it allows processes in this compartment to initiate connections. For udp and raw, this rule applies to all outbound packets.
bidir       Applies to both inbound and outbound traffic. If the protocol is tcp, it allows connections to be initiated from the compartment, as well as to be accepted by the compartment. For udp and raw, this rule applies to traffic in both directions.
tcp         Applies to TCP protocol traffic only.
udp         Applies to UDP protocol traffic only.
raw         Applies to the specified protocol number in the INET domain. The protonum parameter is required if the raw keyword is specified.
protonum    Specifies the INET protocol to which this rule applies. It is only valid with the raw keyword. Must be specified as the number associated with a protocol. The names and numbers of these protocols are available through the getprotoent() calls. See getprotoent(3N). The protocol numbers corresponding to TCP and UDP (6 and 17) are not valid in a raw configuration.
port        Specifies that this rule applies to a specific port. If this is specified as part of the peer designation, the port applies to the other end of the communication. If not part of the peer designation, it refers to the local end of the communication.
port        Specifies the actual port being controlled by this rule. Must be specified as the number of the port. The names and numbers of these ports are available through the getservent() calls. See getservent(3N).
peer        Designates that the port specifier that follows applies to the other end of the communication.
compartment_name
            Specifies the name of the compartment that is the target of the rule. This is usually the interface compartment name, but can also be specified as another compartment to indicate a loopback communication.
The network rules control how a process can communicate on a given port and interface, but not how the process can bind a port or address. In other words, the network rules are enforced at the time a communication takes place, not when a process calls bind(2). Suppose that a compartment is configured such that it has no access to port 8088 on the lan0 interface. A process in this compartment can still successfully bind a socket to port 8088 on an address that corresponds to the lan0 interface. However, it will not be able to receive or send any packets on the socket.
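The network rule keywords above, worked through as an added example that is not part of this manual page: a small Python evaluator for rule lines written with these keywords, applied at communication time rather than at bind(2) time. It assumes a grant/deny action keyword at the start of each rule, that a port clause precedes a peer port clause, that a matching deny overrides any grant, and that traffic matching no rule is denied; the interface compartment name ifacelan0 and the rule set are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Hypothetical grammar built from the keywords described above; the grant/deny
# action keywords, clause order and deny-over-grant precedence are assumptions.
_RULE = re.compile(r"^(?P<action>grant|deny)\s+(?P<dir>server|client|bidir)\s+"
    r"(?P<proto>tcp|udp|raw)(?:\s+(?P<protonum>\d+))?"
    r"(?:\s+port\s+(?P<port>\d+))?(?:\s+peer\s+port\s+(?P<peer>\d+))?"
    r"\s+(?P<target>\S+)\s*$")

class Rule(NamedTuple):      # port/peer None = any port; protonum only with raw
    action: str; direction: str; proto: str; protonum: Optional[int]
    port: Optional[int]; peer: Optional[int]; target: str
class Event(NamedTuple):     # one send/accept attempt; bind() is never checked
    inbound: bool; proto: str; protonum: Optional[int]
    local_port: int; peer_port: int; target: str

def parse_rule(line: str) -> Rule:
    m = _RULE.match(line)
    if not m: raise ValueError(f"unparsable network rule: {line!r}")
    num = lambda key: int(m[key]) if m[key] else None
    protonum = num("protonum")
    if (m["proto"] == "raw") != (protonum is not None):
        raise ValueError("protonum is required with raw and invalid otherwise")
    if protonum in (6, 17):  # TCP and UDP numbers are not valid in a raw rule
        raise ValueError("use the tcp/udp keywords, not raw 6 / raw 17")
    return Rule(m["action"], m["dir"], m["proto"], protonum,
                num("port"), num("peer"), m["target"])

def matches(r: Rule, e: Event) -> bool:
    if r.direction == "server" and not e.inbound: return False  # inbound only
    if r.direction == "client" and e.inbound: return False      # outbound only
    if r.proto != e.proto or (r.proto == "raw" and r.protonum != e.protonum):
        return False
    if r.port is not None and r.port != e.local_port: return False
    if r.peer is not None and r.peer != e.peer_port: return False
    return r.target == e.target

def decide(rules: List[Rule], e: Event) -> str:
    hits = [r.action for r in rules if matches(r, e)]
    return "deny" if not hits or "deny" in hits else "grant"    # default deny

# Constructed rules for a web-server compartment on interface compartment ifacelan0
RULES = [parse_rule(l) for l in """
grant server tcp port 80 ifacelan0
grant client udp peer port 53 ifacelan0
grant bidir raw 1 ifacelan0
deny bidir tcp port 8088 ifacelan0
grant bidir tcp ifacelan0
""".splitlines() if l.strip()]
```

The port-8088 case from the text is the fourth rule: the general tcp grant matches too, but the specific deny wins, so the socket can be bound yet never carries packets.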
Miscellaneous Rules
These are rules that don’t fit into the other categories:
Privilege limitation rules
Network interface rules
Privilege Limitation Rules
Privilege limitations provide fine control of privileges that cannot be obtained when calling execve(). See execve(2). Privilege limitation rules use the following format:
disallowed privileges privilege[[,privilege]...]
where the values are defined as follows:
disallowed privileges
            Identifies this as a privilege limitation.
privilege[[,privilege]...]
            is a comma-separated list of privileges. The compound privileges basic, basicroot,
56 Hewlett-Packard Company 4 HP-UX 11i Version 2: December 2007 Update