iptables: documentation for iptables and ip6tables "security" tables
Add documentation for the iptables and ip6tables "security" tables.
Based on http://lwn.net/Articles/267140/ and kernel source.
Signed-off-by: Mark Montague <mark@catseye.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/iptables.8.in b/iptables.8.in
index 4b97bc3..110c599 100644
--- a/iptables.8.in
+++ b/iptables.8.in
@@ -129,6 +129,17 @@
IP tables. It provides the following built-in chains: \fBPREROUTING\fP
(for packets arriving via any network interface) \fBOUTPUT\fP
(for packets generated by local processes)
+.TP
+\fBsecurity\fP:
+This table is used for Mandatory Access Control (MAC) networking rules, such
+as those enabled by the \fBSECMARK\fP and \fBCONNSECMARK\fP targets.
+Mandatory Access Control is implemented by Linux Security Modules such as
+SELinux. The security table is called after the filter table, allowing any
+Discretionary Access Control (DAC) rules in the filter table to take effect
+before MAC rules. This table provides the following built-in chains:
+\fBINPUT\fP (for packets coming into the box itself),
+\fBOUTPUT\fP (for altering locally-generated packets before routing), and
+\fBFORWARD\fP (for altering packets being routed through the box).
.RE
.SH OPTIONS
The options that are recognized by