| field | value | date |
|---|---|---|
| author | Mark Montague <mark@catseye.org> | 2011-04-04 14:54:52 +0200 |
| committer | Patrick McHardy <kaber@trash.net> | 2011-04-04 14:54:52 +0200 |
| commit | df37d99b0cba63443d4224187f2d5a0c299ad7ad (patch) | |
| tree | e6ad8ad0c3d1618a1a236af90683242d8cf1841c /iptables.8.in | |
| parent | c7948744bf591e0c46b6d19ccfa408cc59e11ef1 (diff) | |
iptables: documentation for iptables and ip6tables "security" tables
Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.
Signed-off-by: Mark Montague <mark@catseye.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'iptables.8.in')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | iptables.8.in | 11 |

1 files changed, 11 insertions, 0 deletions
diff --git a/iptables.8.in b/iptables.8.in index 4b97bc3d..110c5994 100644 --- a/iptables.8.in +++ b/iptables.8.in @@ -129,6 +129,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: \fBPREROUTING\fP (for packets arriving via any network interface) \fBOUTPUT\fP (for packets generated by local processes) +.TP +\fBsecurity\fP: +This table is used for Mandatory Access Control (MAC) networking rules, such +as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. +Mandatory Access Control is implemented by Linux Security Modules such as +SELinux. The security table is called after the filter table, allowing any +Discretionary Access Control (DAC) rules in the filter table to take effect +before MAC rules. This table provides the following built-in chains: +\fBINPUT\fP (for packets coming into the box itself), +\fBOUTPUT\fP (for altering locally-generated packets before routing), and +\fBFORWARD\fP (for altering packets being routed through the box). .RE .SH OPTIONS The options that are recognized by |
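Review bot: the three chain descriptions in the new \fBsecurity\fP entry are worded inconsistently: INPUT is "for packets coming into the box itself", while OUTPUT and FORWARD are "for altering locally-generated packets before routing" and "for altering packets being routed through the box", which is mangle-table phrasing. Since this table exists to label packets and connections (SECMARK, CONNSECMARK) rather than to alter them, suggest parallel wording for all three, e.g. "\fBINPUT\fP (for packets destined to the box itself), \fBOUTPUT\fP (for locally-generated packets) and \fBFORWARD\fP (for packets being routed through the box)". Two smaller points in the same hunk: "This table is used for Mandatory Access Control (MAC) networking rules" reads more clearly as rules that assign security marks, and a cross-reference to where the \fBSECMARK\fP and \fBCONNSECMARK\fP targets are described would tell the reader what those rules actually do; and "The security table is called after the filter table" should say that this holds for the INPUT, OUTPUT and FORWARD hooks it shares with filter, so the claim that DAC rules in filter take effect before MAC rules is tied to the chains the entry lists rather than left as a statement about the table as a whole.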