From 0bb8765cc28cf1ddde70f3f5bfed96a067b1ead3 Mon Sep 17 00:00:00 2001 From: "fan.du" Date: Wed, 18 Dec 2013 11:27:22 +0800 Subject: iptables: Add IPv4/6 IPcomp match support This patch enables user to set iptables ACTIONs for IPcomp flow specified by its SPI value. For example: iptables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP ip6tables -A OUTPUT -p 108 -m ipcomp --ipcompspi 0x12 -j DROP IPcomp packet with spi as 0x12 will be dropped. Signed-off-by: Fan Du Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_ipcomp.c.man | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 extensions/libxt_ipcomp.c.man (limited to 'extensions/libxt_ipcomp.c.man') diff --git a/extensions/libxt_ipcomp.c.man b/extensions/libxt_ipcomp.c.man new file mode 100644 index 00000000..f3b17d21 --- /dev/null +++ b/extensions/libxt_ipcomp.c.man @@ -0,0 +1,7 @@ +This module matches the parameters in IPcomp header of IPsec packets. +.TP +[\fB!\fP] \fB\-\-ipcompspi\fP \fIspi\fP[\fB:\fP\fIspi\fP] +Matches IPcomp header CPI value. +.TP +\fB\-\-compres\fP +Matches if the reserved field is filled with zero. -- cgit v1.2.3
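Review bot: The `--ipcompspi` entry in the new man text names its argument `spi`, but its description reads "Matches IPcomp header CPI value", so one field goes by two names. Pick one term (the commit message also says SPI) and use it in the option name, the placeholder and the description. The entry also shows `spi[:spi]` and a leading `!` without saying that the first is a range, what its bounds are, or what the `!` inverts. The `--compres` entry says it matches when the reserved field is zero, but the option name does not suggest that, and nothing states what the match does with the reserved field when the option is absent; one sentence on the default would close that gap. Separately, the file is created as `extensions/libxt_ipcomp.c.man`: please confirm the `.c.man` suffix is intended and that the man page build picks the file up under that name.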