From: Mark Montague <mark@catseye.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH] iptables: documentation for iptables and ip6tables "security" tables
Date: Mon, 28 Mar 2011 10:18:17 -0400
Message-ID: <4D9098A9.7070106@catseye.org>

  Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.

Signed-off-by: Mark Montague <mark@catseye.org>
---
  extensions/libxt_CONNSECMARK.man |    7 +++++--
  extensions/libxt_SECMARK.man     |    7 +++++--
  ip6tables.8.in                   |   11 +++++++++++
  iptables.8.in                    |   11 +++++++++++
  4 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_CONNSECMARK.man 
b/extensions/libxt_CONNSECMARK.man
index a72e710..2616ab9 100644
--- a/extensions/libxt_CONNSECMARK.man
+++ b/extensions/libxt_CONNSECMARK.man
@@ -1,9 +1,12 @@
  This module copies security markings from packets to connections
  (if unlabeled), and from connections back to packets (also only
  if unlabeled).  Typically used in conjunction with SECMARK, it is
-only valid in the
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
+valid in the
  .B mangle
-table.
+table).
  .TP
  \fB\-\-save\fP
  If the packet has a security marking, copy it to the connection
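Review bot: the parenthetical at "table (for backwards compatibility with older kernels, it is also" attributes the continued mangle-table support to older kernels, but a kernel that predates the security table will not accept rules in that table anyway; the reason mangle is still accepted is that existing rulesets place CONNSECMARK there, so say that directly, e.g. "(it is also accepted in the mangle table so that rulesets written before the security table existed keep working)". The sentence also now runs "it is / valid in the / .B security / table (... it is also / valid in the / .B mangle / table)", which renders as intended but is easier to keep correct as one clause: "valid in the .B security table and, for compatibility with existing rulesets, in the .B mangle table".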
diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man
index e44efce..45c8b19 100644
--- a/extensions/libxt_SECMARK.man
+++ b/extensions/libxt_SECMARK.man
@@ -1,7 +1,10 @@
  This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux.  It is only
+packet for use by security subsystems such as SELinux.  It is
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
  valid in the
  .B mangle
-table. The mark is 32 bits wide.
+table). The mark is 32 bits wide.
  .TP
  \fB\-\-selctx\fP \fIsecurity_context\fP
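Review bot: the new clause duplicates the CONNSECMARK wording, including the "for backwards compatibility with older kernels" parenthetical, so whichever phrasing is settled on for that page must be mirrored here so both targets describe the table the same way. The split at "It is" / "valid in the" also leaves two source lines beginning "valid in the" (one before .B security, one before .B mangle); joining them as "It is valid in the .B security table and, for compatibility with existing rulesets, in the .B mangle table. The mark is 32 bits wide." keeps the sentence in one piece and leaves the mark-width statement standing on its own.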
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 7690ba1..61d6667 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -123,6 +123,17 @@ hooks with higher priority and is thus called 
before ip_conntrack, or any other
  IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
  (for packets arriving via any network interface) \fBOUTPUT\fP
  (for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, 
such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
  .RE
  .SH OPTIONS
  The options that are recognized by
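Review bot: the chain descriptions at "\fBOUTPUT\fP (for altering locally-generated packets before routing), and" and "\fBFORWARD\fP (for altering packets being routed through the box)" are mangle wording about packet alteration, which does not match the paragraph's own statement that this table holds MAC networking rules and runs after filter; describe the chains by traffic direction instead (packets destined to the local host, locally-generated packets, packets routed through the host). It would also help to spell out the consequence of "called after the filter table": a packet dropped or rejected in filter never reaches the security table, so SECMARK and CONNSECMARK rules placed here see only traffic that filter has already accepted.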
diff --git a/iptables.8.in b/iptables.8.in
index 4b97bc3..110c599 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -129,6 +129,17 @@ hooks with higher priority and is thus called 
before ip_conntrack, or any other
  IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
  (for packets arriving via any network interface) \fBOUTPUT\fP
  (for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, 
such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
  .RE
  .SH OPTIONS
  The options that are recognized by
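Review bot: this paragraph is identical to the ip6tables one, so the same two changes apply here: replace the "for altering ..." chain descriptions with direction-based ones, and add a sentence stating that packets dropped in the filter table are never seen by the security table. One wording point visible in this copy: "(for packets coming into the box itself)" sits two lines below the raw entry's "(for packets generated by local processes)", so "box" reads as a register change; "for packets destined to the local host" matches the surrounding entries.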
-- 
1.7.4


Thread overview: 4+ messages
2011-03-28 14:18 Mark Montague [this message]
2011-03-28 14:41 ` [PATCH] iptables: documentation for iptables and ip6tables "security" tables Patrick McHardy
2011-03-28 15:31 ` [PATCH v2] " Mark Montague
2011-04-04 12:55   ` Patrick McHardy
