From df37d99b0cba63443d4224187f2d5a0c299ad7ad Mon Sep 17 00:00:00 2001 From: Mark Montague Date: Mon, 4 Apr 2011 14:54:52 +0200 Subject: iptables: documentation for iptables and ip6tables "security" tables Add documentation for the iptables and ip6tables "security" tables. Based on http://lwn.net/Articles/267140/ and kernel source. Signed-off-by: Mark Montague Signed-off-by: Patrick McHardy --- extensions/libxt_CONNSECMARK.man | 7 +++++-- extensions/libxt_SECMARK.man | 7 +++++-- ip6tables.8.in | 11 +++++++++++ iptables.8.in | 11 +++++++++++ 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/extensions/libxt_CONNSECMARK.man b/extensions/libxt_CONNSECMARK.man index a72e7104..2616ab99 100644 --- a/extensions/libxt_CONNSECMARK.man +++ b/extensions/libxt_CONNSECMARK.man @@ -1,9 +1,12 @@ This module copies security markings from packets to connections (if unlabeled), and from connections back to packets (also only if unlabeled). Typically used in conjunction with SECMARK, it is -only valid in the +valid in the +.B security +table (for backwards compatibility with older kernels, it is also +valid in the .B mangle -table. +table). .TP \fB\-\-save\fP If the packet has a security marking, copy it to the connection diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man index e44efced..d0e6fd64 100644 --- a/extensions/libxt_SECMARK.man +++ b/extensions/libxt_SECMARK.man @@ -1,7 +1,10 @@ This is used to set the security mark value associated with the -packet for use by security subsystems such as SELinux. It is only +packet for use by security subsystems such as SELinux. It is +valid in the +.B security +table (for backwards compatibility with older kernels, it is also valid in the .B mangle -table. The mark is 32 bits wide. +table). The mark is 32 bits wide. .TP \fB\-\-selctx\fP \fIsecurity_context\fP diff --git a/ip6tables.8.in b/ip6tables.8.in index 7690ba14..61d6667e 100644 --- a/ip6tables.8.in +++ b/ip6tables.8.in @@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: \fBPREROUTING\fP (for packets arriving via any network interface) \fBOUTPUT\fP (for packets generated by local processes) +.TP +\fBsecurity\fP: +This table is used for Mandatory Access Control (MAC) networking rules, such +as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. +Mandatory Access Control is implemented by Linux Security Modules such as +SELinux. The security table is called after the filter table, allowing any +Discretionary Access Control (DAC) rules in the filter table to take effect +before MAC rules. This table provides the following built-in chains: +\fBINPUT\fP (for packets coming into the box itself), +\fBOUTPUT\fP (for altering locally-generated packets before routing), and +\fBFORWARD\fP (for altering packets being routed through the box). .RE .SH OPTIONS The options that are recognized by diff --git a/iptables.8.in b/iptables.8.in index 4b97bc3d..110c5994 100644 --- a/iptables.8.in +++ b/iptables.8.in @@ -129,6 +129,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: \fBPREROUTING\fP (for packets arriving via any network interface) \fBOUTPUT\fP (for packets generated by local processes) +.TP +\fBsecurity\fP: +This table is used for Mandatory Access Control (MAC) networking rules, such +as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. +Mandatory Access Control is implemented by Linux Security Modules such as +SELinux. The security table is called after the filter table, allowing any +Discretionary Access Control (DAC) rules in the filter table to take effect +before MAC rules. This table provides the following built-in chains: +\fBINPUT\fP (for packets coming into the box itself), +\fBOUTPUT\fP (for altering locally-generated packets before routing), and +\fBFORWARD\fP (for altering packets being routed through the box). .RE .SH OPTIONS The options that are recognized by -- cgit v1.2.3