Diffstat (limited to 'ip6tables.8.in')
-rw-r--r-- | ip6tables.8.in | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/ip6tables.8.in b/ip6tables.8.in index 7690ba14..61d6667e 100644 --- a/ip6tables.8.in +++ b/ip6tables.8.in @@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: \fBPREROUTING\fP (for packets arriving via any network interface) \fBOUTPUT\fP (for packets generated by local processes) +.TP +\fBsecurity\fP: +This table is used for Mandatory Access Control (MAC) networking rules, such +as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. +Mandatory Access Control is implemented by Linux Security Modules such as +SELinux. The security table is called after the filter table, allowing any +Discretionary Access Control (DAC) rules in the filter table to take effect +before MAC rules. This table provides the following built-in chains: +\fBINPUT\fP (for packets coming into the box itself), +\fBOUTPUT\fP (for altering locally-generated packets before routing), and +\fBFORWARD\fP (for altering packets being routed through the box). .RE .SH OPTIONS The options that are recognized by |
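Review bot: The OUTPUT and FORWARD descriptions in the new security table paragraph say "for altering locally-generated packets before routing" and "for altering packets being routed through the box", which does not match the purpose stated two sentences earlier: this table carries MAC rules such as those enabled by SECMARK and CONNSECMARK, and those rules label packets and connections rather than alter them. I would reuse the wording of the context line just above the hunk, "(for packets generated by local processes)", for OUTPUT and write "(for packets being routed through the box)" for FORWARD, so that readers do not take this for a second place to rewrite packets. A smaller style point: the chain list here is joined with commas and "and", while the preceding table's list in the context lines has no separators; pick one form for the page. The sentence on ordering ("called after the filter table") is the security-relevant part and is worth keeping as written, since it tells the reader that a packet dropped by a DAC rule in filter never reaches the MAC rules.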