From df37d99b0cba63443d4224187f2d5a0c299ad7ad Mon Sep 17 00:00:00 2001 From: Mark Montague Date: Mon, 4 Apr 2011 14:54:52 +0200 Subject: iptables: documentation for iptables and ip6tables "security" tables Add documentation for the iptables and ip6tables "security" tables. Based on http://lwn.net/Articles/267140/ and kernel source. Signed-off-by: Mark Montague Signed-off-by: Patrick McHardy --- ip6tables.8.in | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'ip6tables.8.in') diff --git a/ip6tables.8.in b/ip6tables.8.in index 7690ba14..61d6667e 100644 --- a/ip6tables.8.in +++ b/ip6tables.8.in @@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: \fBPREROUTING\fP (for packets arriving via any network interface) \fBOUTPUT\fP (for packets generated by local processes) +.TP +\fBsecurity\fP: +This table is used for Mandatory Access Control (MAC) networking rules, such +as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. +Mandatory Access Control is implemented by Linux Security Modules such as +SELinux. The security table is called after the filter table, allowing any +Discretionary Access Control (DAC) rules in the filter table to take effect +before MAC rules. This table provides the following built-in chains: +\fBINPUT\fP (for packets coming into the box itself), +\fBOUTPUT\fP (for altering locally-generated packets before routing), and +\fBFORWARD\fP (for altering packets being routed through the box). .RE .SH OPTIONS The options that are recognized by -- cgit v1.2.3
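Review bot: In the new \fBsecurity\fP entry, the OUTPUT and FORWARD chain descriptions ("for altering locally-generated packets before routing", "for altering packets being routed through the box") read as copied from the mangle table's wording, but this table is described two sentences earlier as the place for MAC labelling rules (SECMARK, CONNSECMARK), not for packet alteration. Suggest wording the chains the same way the INPUT line and the raw table entry just above do, e.g. "\fBOUTPUT\fP (for packets generated by local processes)" and "\fBFORWARD\fP (for packets being routed through the box)", so a reader does not expect mangle-style rewriting here. It would also help to state what "called after the filter table" means for the user: a packet dropped by a filter rule never reaches the security chains, so SECMARK/CONNSECMARK rules only see traffic the filter table has already accepted.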