path: root/
diff options
authorMark Montague <>2011-04-04 14:54:52 +0200
committerPatrick McHardy <>2011-04-04 14:54:52 +0200
commitdf37d99b0cba63443d4224187f2d5a0c299ad7ad (patch)
treee6ad8ad0c3d1618a1a236af90683242d8cf1841c /
parentc7948744bf591e0c46b6d19ccfa408cc59e11ef1 (diff)
iptables: documentation for iptables and ip6tables "security" tables
Add documentation for the iptables and ip6tables "security" tables. Based on and kernel source. Signed-off-by: Mark Montague <> Signed-off-by: Patrick McHardy <>
Diffstat (limited to '')
1 files changed, 11 insertions, 0 deletions
diff --git a/ b/
index 4b97bc3d..110c5994 100644
--- a/
+++ b/
@@ -129,6 +129,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
The options that are recognized by