HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

compartments(4) compartments(4)
communications, the subject and target compartments should be of the processes that are communicating
and not that of the interface being used for communication. Each rule is specified by protocol (TCP, UDP,
or any raw protocol number) and the target compartment, and can optionally filter based on local or peer
port numbers (TCP and UDP only). If an explicit rule does not match a communication attempt, the
default is to deny communication.
Network rules use the following formats:
(grant|deny) (server|client|bidir) (tcp|udp) [port ports] [peer port ports] compartment_name
(grant|deny) (server|client|bidir) raw protonum compartment_name
where the values are defined as follows:
grant Allows access to the network described by this rule.
deny Denies access to the network described by this rule. This rule is useful when you want
to deny access for a specific configuration (such as a single port), but you want to allow
all other access to the network. Use it in conjunction with a general rule that grants all
other traffic.
server Applies to inbound traffic. If the protocol is tcp, it allows processes in this compartment
to accept connections. For udp and raw, this rule applies to all inbound packets.
client Applies to outbound traffic. If the protocol is tcp, it allows processes in this compartment
to initiate connections. For udp and raw, this rule applies to all outbound packets.
bidir Applies to both inbound and outbound traffic. If the protocol is tcp, it allows for connections
to be initiated from the compartment, as well as to be accepted by the compartment. For
udp and raw, this rule applies to traffic in both directions.
tcp Applies to TCP protocol traffic only.
udp Applies to UDP protocol traffic only.
raw protonum
Specifies the INET protocol to which this rule applies. The raw keyword is required if
the protonum parameter is specified. The protonum must be specified as the number
associated with a protocol. The names and numbers of these protocols are available
through the getprotoent() calls. See getprotoent(3N). The protocol numbers
corresponding to TCP and UDP (6 and 17) are not valid in a raw configuration.
port Specifies that this rule applies to a specific port. If this is specified as part of the peer
designation, the port applies to the other end of the communication. If not part of the
peer designation, it refers to the local end of the communication.
ports Specifies the actual port being controlled by this rule. Must be specified as the number
of the port. It can be a single port number, a range of port numbers (such as, start of
range - end of range), or a comma separated list of port numbers and range of port
numbers. The names and numbers of these ports are available through the getservent()
calls. See getservent(3N).
peer Designates that the port specifier that follows applies to the other end of the communication.
compartment_name
Specifies the name of the compartment that is the target of the rule. This is usually the
interface compartment name, but can also be specified as another compartment to indicate
a loopback communication.
The network rules control how a process can communicate on a given port and interface, as well as how the
process can bind to a port or address. In other words, the network rules are enforced at the time a
communication takes place, and when a process calls bind(). The multibind facility enables processes to
attach to IFADDR_ANY on a specific port in different compartments having disjoint set of interface rules.
See the MULTIBIND section below.
Miscellaneous Rules
These are rules that don’t fit into the other categories:
60 Hewlett-Packard Company 4 HP-UX 11i Version 3: February 2007