Add documentation for the iptables and ip6tables "security" tables. Based on http://lwn.net/Articles/267140/ and kernel source. Signed-off-by: Mark Montague <mark@xxxxxxxxxxx> --- extensions/libxt_CONNSECMARK.man | 7 +++++-- extensions/libxt_SECMARK.man | 7 +++++-- ip6tables.8.in | 11 +++++++++++ iptables.8.in | 11 +++++++++++ 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/extensions/libxt_CONNSECMARK.man b/extensions/libxt_CONNSECMARK.man index a72e710..2616ab9 100644 --- a/extensions/libxt_CONNSECMARK.man +++ b/extensions/libxt_CONNSECMARK.man @@ -1,9 +1,12 @@ This module copies security markings from packets to connections (if unlabeled), and from connections back to packets (also only if unlabeled). Typically used in conjunction with SECMARK, it is -only valid in the +valid in the +.B security +table (for backwards compatibility with older kernels, it is also +valid in the .B mangle -table. +table). .TP \fB\-\-save\fP If the packet has a security marking, copy it to the connection diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man index e44efce..45c8b19 100644 --- a/extensions/libxt_SECMARK.man +++ b/extensions/libxt_SECMARK.man @@ -1,7 +1,10 @@ This is used to set the security mark value associated with the -packet for use by security subsystems such as SELinux. It is only +packet for use by security subsystems such as SELinux. It is +valid in the +.B security +table (for backwards compatibility with older kernels, it is also valid in the .B mangle -table. The mark is 32 bits wide. +table). The mark is 32 bits wide. .TP \fB\-\-selctx\fP \fIsecurity_context\fP diff --git a/ip6tables.8.in b/ip6tables.8.in index 7690ba1..61d6667 100644 --- a/ip6tables.8.in +++ b/ip6tables.8.in @@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: \fBPREROUTING\fP (for packets arriving via any network interface) \fBOUTPUT\fP (for packets generated by local processes) +.TP +\fBsecurity\fP: +This table is used for Mandatory Access Control (MAC) networking rules, such +as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. +Mandatory Access Control is implemented by Linux Security Modules such as +SELinux. The security table is called after the filter table, allowing any +Discretionary Access Control (DAC) rules in the filter table to take effect +before MAC rules. This table provides the following built-in chains: +\fBINPUT\fP (for packets coming into the box itself), +\fBOUTPUT\fP (for altering locally-generated packets before routing), and +\fBFORWARD\fP (for altering packets being routed through the box). .RE .SH OPTIONS The options that are recognized by diff --git a/iptables.8.in b/iptables.8.in index 4b97bc3..110c599 100644 --- a/iptables.8.in +++ b/iptables.8.in @@ -129,6 +129,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: \fBPREROUTING\fP (for packets arriving via any network interface) \fBOUTPUT\fP (for packets generated by local processes) +.TP +\fBsecurity\fP: +This table is used for Mandatory Access Control (MAC) networking rules, such +as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets. +Mandatory Access Control is implemented by Linux Security Modules such as +SELinux. The security table is called after the filter table, allowing any +Discretionary Access Control (DAC) rules in the filter table to take effect +before MAC rules. This table provides the following built-in chains: +\fBINPUT\fP (for packets coming into the box itself), +\fBOUTPUT\fP (for altering locally-generated packets before routing), and +\fBFORWARD\fP (for altering packets being routed through the box). .RE .SH OPTIONS The options that are recognized by -- 1.7.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
