iptables: documentation for iptables and ip6tables "security" tables

Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.

Signed-off-by: Mark Montague <mark@catseye.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

1 files changed, 11 insertions, 0 deletions

diff --git a/ip6tables.8.in b/ip6tables.8.in
index 7690ba14..61d6667e 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
 IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
 (for packets arriving via any network interface) \fBOUTPUT\fP
 (for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
 .RE
 .SH OPTIONS
 The options that are recognized by