* [PATCH] iptables: documentation for iptables and ip6tables "security" tables
@ 2011-03-28 14:18 Mark Montague
2011-03-28 14:41 ` Patrick McHardy
2011-03-28 15:31 ` [PATCH v2] " Mark Montague
0 siblings, 2 replies; 4+ messages in thread
From: Mark Montague @ 2011-03-28 14:18 UTC (permalink / raw)
To: netfilter-devel
Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.
Signed-off-by: Mark Montague <mark@catseye.org>
---
extensions/libxt_CONNSECMARK.man | 7 +++++--
extensions/libxt_SECMARK.man | 7 +++++--
ip6tables.8.in | 11 +++++++++++
iptables.8.in | 11 +++++++++++
4 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_CONNSECMARK.man
b/extensions/libxt_CONNSECMARK.man
index a72e710..2616ab9 100644
--- a/extensions/libxt_CONNSECMARK.man
+++ b/extensions/libxt_CONNSECMARK.man
@@ -1,9 +1,12 @@
This module copies security markings from packets to connections
(if unlabeled), and from connections back to packets (also only
if unlabeled). Typically used in conjunction with SECMARK, it is
-only valid in the
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
+valid in the
.B mangle
-table.
+table).
.TP
\fB\-\-save\fP
If the packet has a security marking, copy it to the connection
diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man
index e44efce..45c8b19 100644
--- a/extensions/libxt_SECMARK.man
+++ b/extensions/libxt_SECMARK.man
@@ -1,7 +1,10 @@
This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux. It is only
+packet for use by security subsystems such as SELinux. It is
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
valid in the
.B mangle
-table. The mark is 32 bits wide.
+table). The mark is 32 bits wide.
.TP
\fB\-\-selctx\fP \fIsecurity_context\fP
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 7690ba1..61d6667 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -123,6 +123,17 @@ hooks with higher priority and is thus called
before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules,
such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by
diff --git a/iptables.8.in b/iptables.8.in
index 4b97bc3..110c599 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -129,6 +129,17 @@ hooks with higher priority and is thus called
before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules,
such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by
--
1.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] iptables: documentation for iptables and ip6tables "security" tables
2011-03-28 14:18 [PATCH] iptables: documentation for iptables and ip6tables "security" tables Mark Montague
@ 2011-03-28 14:41 ` Patrick McHardy
2011-03-28 15:31 ` [PATCH v2] " Mark Montague
1 sibling, 0 replies; 4+ messages in thread
From: Patrick McHardy @ 2011-03-28 14:41 UTC (permalink / raw)
To: Mark Montague; +Cc: netfilter-devel
On 28.03.2011 16:18, Mark Montague wrote:
> Add documentation for the iptables and ip6tables "security" tables.
> Based on http://lwn.net/Articles/267140/ and kernel source.
>
This doesn't apply to the current tree. Please rediff and send
an updated patch. Thanks!
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2] iptables: documentation for iptables and ip6tables "security" tables
2011-03-28 14:18 [PATCH] iptables: documentation for iptables and ip6tables "security" tables Mark Montague
2011-03-28 14:41 ` Patrick McHardy
@ 2011-03-28 15:31 ` Mark Montague
2011-04-04 12:55 ` Patrick McHardy
1 sibling, 1 reply; 4+ messages in thread
From: Mark Montague @ 2011-03-28 15:31 UTC (permalink / raw)
To: netfilter-devel; +Cc: Mark Montague
Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.
Signed-off-by: Mark Montague <mark@catseye.org>
---
extensions/libxt_CONNSECMARK.man | 7 +++++--
extensions/libxt_SECMARK.man | 7 +++++--
ip6tables.8.in | 11 +++++++++++
iptables.8.in | 11 +++++++++++
4 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/extensions/libxt_CONNSECMARK.man b/extensions/libxt_CONNSECMARK.man
index a72e710..2616ab9 100644
--- a/extensions/libxt_CONNSECMARK.man
+++ b/extensions/libxt_CONNSECMARK.man
@@ -1,9 +1,12 @@
This module copies security markings from packets to connections
(if unlabeled), and from connections back to packets (also only
if unlabeled). Typically used in conjunction with SECMARK, it is
-only valid in the
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
+valid in the
.B mangle
-table.
+table).
.TP
\fB\-\-save\fP
If the packet has a security marking, copy it to the connection
diff --git a/extensions/libxt_SECMARK.man b/extensions/libxt_SECMARK.man
index e44efce..45c8b19 100644
--- a/extensions/libxt_SECMARK.man
+++ b/extensions/libxt_SECMARK.man
@@ -1,7 +1,10 @@
This is used to set the security mark value associated with the
-packet for use by security subsystems such as SELinux. It is only
+packet for use by security subsystems such as SELinux. It is
+valid in the
+.B security
+table (for backwards compatibility with older kernels, it is also
valid in the
.B mangle
-table. The mark is 32 bits wide.
+table). The mark is 32 bits wide.
.TP
\fB\-\-selctx\fP \fIsecurity_context\fP
diff --git a/ip6tables.8.in b/ip6tables.8.in
index 7690ba1..61d6667 100644
--- a/ip6tables.8.in
+++ b/ip6tables.8.in
@@ -123,6 +123,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by
diff --git a/iptables.8.in b/iptables.8.in
index 4b97bc3..110c599 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -129,6 +129,17 @@ hooks with higher priority and is thus called before ip_conntrack, or any other
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by
--
1.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-04-04 12:55 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-03-28 14:18 [PATCH] iptables: documentation for iptables and ip6tables "security" tables Mark Montague
2011-03-28 14:41 ` Patrick McHardy
2011-03-28 15:31 ` [PATCH v2] " Mark Montague
2011-04-04 12:55 ` Patrick McHardy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).