Diffstat (limited to 'doc/primary-expression.txt')
1 files changed, 34 insertions, 0 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6db7edae..0fda76dd 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -285,3 +285,37 @@ ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop
inet filter output rt ip6 nexthop fd00::1
+*ipsec* {in | out} [ spnum 'NUM' ] {reqid | spi }
+*ipsec* {in | out} [ spnum 'NUM' ] {ip | ip6 } { saddr | daddr }
+A ipsec expression refers to ipsec data associated with a packet.
+The 'in' or 'out' keyword needs to be used to specify if the expression should
+examine inbound or outbound policies. The 'in' keyword can be used in the
+prerouting, input and forward hooks. The 'out' keyword applies to forward,
+output and postrouting hooks.
+The optional keyword spnum can be used to match a specific state in a chain,
+it defaults to 0.
+.Ipsec expression types
+|Keyword| Description| Type
+Request ID|
+integer (32 bit)
+Security Parameter Index|
+integer (32 bit)
+Source address of the tunnel|
+Destination address of the tunnel|
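Review bot: In the spnum paragraph ("match a specific state in a chain, it defaults to 0"), the word "chain" is ambiguous, because elsewhere in this file a chain is an nftables chain. Say explicitly that spnum indexes the ipsec states associated with the packet, and which end of that sequence index 0 refers to. The lines shown also do not say how the expression evaluates when a packet has no ipsec data, or fewer states than 'NUM'. Someone writing a rule meant to accept only protected traffic needs that spelled out. Minor: "A ipsec expression" should read "An ipsec expression", and the comma splice before "it defaults to 0" would read better as two sentences.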