iptables: documentation for iptables and ip6tables "security" tables

Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.

Signed-off-by: Mark Montague <mark@catseye.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/extensions/libxt_CONNSECMARK.man b/extensions/libxt_CONNSECMARK.man
index a72e7104485d79ec5251e691ba84fafc79436cb6..2616ab99f741074dab3afa6a583fd0a55420e0f2 100644 (file)
--- a/extensions/libxt_CONNSECMARK.man
+++ b/extensions/libxt_CONNSECMARK.man
@@ -1,9 +1,12 @@
 This module copies security markings from packets to connections
 (if unlabeled), and from connections back to packets (also only
 if unlabeled).  Typically used in conjunction with SECMARK, it is
-only valid in the
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
+valid in the
 .B mangle
-table.
+table).
 .TP
 \fB\-\-save\fP
 If the packet has a security marking, copy it to the connection

diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man
index e44efced79b988fb3af0f49ec4c3c08b36a7f68e..d0e6fd645556000309cc86ad6c6cd41669acac8e 100644 (file)
--- a/extensions/libxt_SECMARK.man
+++ b/extensions/libxt_SECMARK.man
@@ -1,7 +1,10 @@
 This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux.  It is only
+packet for use by security subsystems such as SELinux.  It is
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
 valid in the
 .B mangle
-table. The mark is 32 bits wide.
+table). The mark is 32 bits wide.
 .TP
 \fB\-\-selctx\fP \fIsecurity_context\fP

diff --git a/ip6tables.8.in b/ip6tables.8.in
index 7690ba14d2ec4744dc6f66157b816db620895460..61d6667e2a741be7377f56a0eea4f9a085ae78b2 100644 (file)
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
 IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
 (for packets arriving via any network interface) \fBOUTPUT\fP
 (for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
 .RE
 .SH OPTIONS
 The options that are recognized by

diff --git a/iptables.8.in b/iptables.8.in
index 4b97bc3dba432581661a3dbed91db8ae96ed2e1f..110c5994d7d5080a33293d6a848793be450da4cf 100644 (file)
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -129,6 +129,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
 IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
 (for packets arriving via any network interface) \fBOUTPUT\fP
 (for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
 .RE
 .SH OPTIONS
 The options that are recognized by