[PATCH v2] iptables: documentation for iptables and ip6tables "security" tables

[Mark Montague <mark@catseye.org>]

Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.

Signed-off-by: Mark Montague <mark@catseye.org>
---
 extensions/libxt_CONNSECMARK.man |    7 +++++--
 extensions/libxt_SECMARK.man     |    7 +++++--
 ip6tables.8.in                   |   11 +++++++++++
 iptables.8.in                    |   11 +++++++++++
 4 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_CONNSECMARK.man b/extensions/libxt_CONNSECMARK.man
index a72e710..2616ab9 100644
--- a/extensions/libxt_CONNSECMARK.man
+++ b/extensions/libxt_CONNSECMARK.man
@@ -1,9 +1,12 @@
 This module copies security markings from packets to connections
 (if unlabeled), and from connections back to packets (also only
 if unlabeled).  Typically used in conjunction with SECMARK, it is
-only valid in the
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
+valid in the
 .B mangle
-table.
+table).
 .TP
 \fB\-\-save\fP
 If the packet has a security marking, copy it to the connection
diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man
index e44efce..45c8b19 100644
--- a/extensions/libxt_SECMARK.man
+++ b/extensions/libxt_SECMARK.man
@@ -1,7 +1,10 @@
 This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux.  It is only
+packet for use by security subsystems such as SELinux.  It is
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
 valid in the
 .B mangle
-table. The mark is 32 bits wide.
+table). The mark is 32 bits wide.
 .TP
 \fB\-\-selctx\fP \fIsecurity_context\fP
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 7690ba1..61d6667 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
 IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
 (for packets arriving via any network interface) \fBOUTPUT\fP
 (for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
 .RE
 .SH OPTIONS
 The options that are recognized by
diff --git a/iptables.8.in b/iptables.8.in
index 4b97bc3..110c599 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -129,6 +129,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
 IP tables.  It provides the following built-in chains: \fBPREROUTING\fP
 (for packets arriving via any network interface) \fBOUTPUT\fP
 (for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux.  The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules.  This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
 .RE
 .SH OPTIONS
 The options that are recognized by
-- 
1.7.4