author: Máté Eckl <ecklm94@gmail.com>, 2018-09-05 11:16:44 +0200
committer: Florian Westphal <fw@strlen.de>, 2018-09-21 12:06:27 +0200
commit: 57c2b152c5f0866be5bf1acda2f341ba26ba9448 (patch)
tree: 091cabd5ef590d0d0edf0dc972d3cf53ae0008cb /doc
parent: 8f55ed41d007061bd8aae94fee2bda172c0e8996 (diff)
src: add ipsec (xfrm) expression
This allows matching on ipsec tunnel/beet addresses in xfrm state
associated with a packet, ipsec request id and the SPI.
Examples:
ipsec in ip saddr 192.168.1.0/24
ipsec out ip6 daddr @endpoints
ipsec in spi 1-65536
Joint work with Florian Westphal.
Cc: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
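The security-relevant use of this expression is to tie trust in an address range to the fact that the packet was actually decapsulated from (or will be encapsulated into) a particular SA, instead of trusting the inner addresses alone. The ruleset below is an added example written for this page; it is not part of the commit or of the nftables project. All values are assumptions: local LAN 10.10.0.0/16, remote LAN 10.20.0.0/16, remote gateway 203.0.113.2, reqid 1 as configured in the IKE daemon for that peer, and an IPv6 set named endpoints.

```nft
#!/usr/sbin/nft -f
# Added example, not the commit's own code. Assumed values: local LAN
# 10.10.0.0/16, remote LAN 10.20.0.0/16, remote gateway 203.0.113.2,
# reqid 1 for that peer, IPv6 tunnel endpoints in the set "endpoints".

table inet vpn {
	set endpoints {
		type ipv6_addr
		elements = { 2001:db8:1::2, 2001:db8:2::2 }
	}

	chain forward {
		# forward is the one hook where both "ipsec in" and "ipsec out"
		# are valid, so inbound and outbound checks can live together.
		type filter hook forward priority 0; policy drop;

		# Inbound: a remote-LAN source is only legitimate when the packet
		# was decapsulated from the SA negotiated with 203.0.113.2.
		# "ipsec in ip saddr" is the SA's outer source address (the peer
		# gateway), not the packet's own source, which is "ip saddr".
		ip saddr 10.20.0.0/16 ip daddr 10.10.0.0/16 ipsec in reqid 1 ipsec in ip saddr 203.0.113.2 accept

		# The same packet arriving in the clear carries no xfrm state, so
		# the rule above does not match; drop it explicitly and log it.
		ip saddr 10.20.0.0/16 counter log prefix "vpn-spoof " drop

		# The conntrack shortcut comes after the spoof check so that reply
		# packets in the clear are not accepted as "established".
		ct state established,related accept

		# Outbound: forward local-LAN traffic to the remote LAN only if the
		# xfrm policy lookup will encapsulate it toward the expected peer.
		ip saddr 10.10.0.0/16 ip daddr 10.20.0.0/16 ipsec out ip daddr 203.0.113.2 accept
	}

	chain output {
		type filter hook output priority 0; policy accept;

		# Locally generated IPv6 traffic for the remote prefix must leave
		# through one of the listed tunnel endpoints, or not at all.
		ip6 daddr 2001:db8:100::/48 ipsec out ip6 daddr != @endpoints counter drop
	}
}
```

Load it with `nft -f vpn.nft` (or `nft -c -f vpn.nft` to parse it without applying). Two points the commit message implies but a practitioner should keep in mind: the ipsec expression never matches a packet that has no xfrm state attached, so the enforcement comes from the explicit drop (or the chain's drop policy) that follows the accept rule; and matching on the outer SA addresses, reqid or SPI complements the kernel's own SPD policy check, it does not replace it.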
Diffstat (limited to 'doc')
-rw-r--r-- | doc/primary-expression.txt | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 6db7edae..0fda76dd 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@ -285,3 +285,37 @@ ip6 filter output rt nexthop fd00::1 inet filter output rt ip nexthop 192.168.0.1 inet filter output rt ip6 nexthop fd00::1 -------------------------- + +IPSEC EXPRESSIONS +~~~~~~~~~~~~~~~~~ + +[verse] +*ipsec* {in | out} [ spnum 'NUM' ] {reqid | spi } +*ipsec* {in | out} [ spnum 'NUM' ] {ip | ip6 } { saddr | daddr } + +A ipsec expression refers to ipsec data associated with a packet. + +The 'in' or 'out' keyword needs to be used to specify if the expression should +examine inbound or outbound policies. The 'in' keyword can be used in the +prerouting, input and forward hooks. The 'out' keyword applies to forward, +output and postrouting hooks. +The optional keyword spnum can be used to match a specific state in a chain, +it defaults to 0. + +.Ipsec expression types +[options="header"] +|======================= +|Keyword| Description| Type +|reqid| +Request ID| +integer (32 bit) +|spi| +Security Parameter Index| +integer (32 bit) +|saddr| +Source address of the tunnel| +ipv4_addr/ipv6_addr +|daddr| +Destination address of the tunnel| +ipv4_addr/ipv6_addr +|================================= |
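Review bot: "The optional keyword spnum can be used to match a specific state in a chain, it defaults to 0." is a comma splice and, in nftables documentation, "chain" will be read as a rule chain; say what the number indexes, for example "selects the NUM-th xfrm state when a policy bundles several states (nested SAs); it defaults to 0" if that is the intended semantics of the template index. Two nits in the same hunk: "A ipsec expression refers to" should be "An ipsec expression refers to", and the synopsis braces are spaced inconsistently ("{in | out}" next to "{reqid | spi }" and "{ip | ip6 }"). The table also describes saddr/daddr only as "Source address of the tunnel"/"Destination address of the tunnel" while the commit message mentions tunnel/beet; one sentence stating that these are the SA's outer endpoint addresses rather than the packet's own addresses would keep readers from confusing "ipsec in ip saddr" with "ip saddr".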