Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.
Signed-off-by: Mark Montague <mark@xxxxxxxxxxx>
---
extensions/libxt_CONNSECMARK.man | 7 +++++--
extensions/libxt_SECMARK.man | 7 +++++--
ip6tables.8.in | 11 +++++++++++
iptables.8.in | 11 +++++++++++
4 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_CONNSECMARK.man
b/extensions/libxt_CONNSECMARK.man
index a72e710..2616ab9 100644
--- a/extensions/libxt_CONNSECMARK.man
+++ b/extensions/libxt_CONNSECMARK.man
@@ -1,9 +1,12 @@
This module copies security markings from packets to connections
(if unlabeled), and from connections back to packets (also only
if unlabeled). Typically used in conjunction with SECMARK, it is
-only valid in the
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
+valid in the
.B mangle
-table.
+table).
.TP
\fB\-\-save\fP
If the packet has a security marking, copy it to the connection
diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man
index e44efce..45c8b19 100644
--- a/extensions/libxt_SECMARK.man
+++ b/extensions/libxt_SECMARK.man
@@ -1,7 +1,10 @@
This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux. It is only
+packet for use by security subsystems such as SELinux. It is
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
valid in the
.B mangle
-table. The mark is 32 bits wide.
+table). The mark is 32 bits wide.
.TP
\fB\-\-selctx\fP \fIsecurity_context\fP
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 7690ba1..61d6667 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -123,6 +123,17 @@ hooks with higher priority and is thus called
before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules,
such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by
diff --git a/iptables.8.in b/iptables.8.in
index 4b97bc3..110c599 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -129,6 +129,17 @@ hooks with higher priority and is thus called
before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules,
such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by
--
1.7.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
