author    Máté Eckl <ecklm94@gmail.com>  2018-09-05 11:16:44 +0200
committer Florian Westphal <fw@strlen.de>  2018-09-21 12:06:27 +0200
commit    57c2b152c5f0866be5bf1acda2f341ba26ba9448 (patch)
tree      091cabd5ef590d0d0edf0dc972d3cf53ae0008cb /doc/primary-expression.txt
parent    8f55ed41d007061bd8aae94fee2bda172c0e8996 (diff)
src: add ipsec (xfrm) expression
This allows matching on ipsec tunnel/beet addresses in xfrm state
associated with a packet, ipsec request id and the SPI.

Examples:
ipsec in ip saddr 192.168.1.0/24
ipsec out ip6 daddr @endpoints
ipsec in spi 1-65536

Joint work with Florian Westphal.

Cc: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'doc/primary-expression.txt')
-rw-r--r--  doc/primary-expression.txt  34
1 files changed, 34 insertions, 0 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6db7edae..0fda76dd 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -285,3 +285,37 @@ ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop 192.168.0.1
inet filter output rt ip6 nexthop fd00::1
--------------------------
+
+IPSEC EXPRESSIONS
+~~~~~~~~~~~~~~~~~
+
+[verse]
+*ipsec* {in | out} [ spnum 'NUM' ] {reqid | spi }
+*ipsec* {in | out} [ spnum 'NUM' ] {ip | ip6 } { saddr | daddr }
+
+A ipsec expression refers to ipsec data associated with a packet.
+
+The 'in' or 'out' keyword needs to be used to specify if the expression should
+examine inbound or outbound policies. The 'in' keyword can be used in the
+prerouting, input and forward hooks. The 'out' keyword applies to forward,
+output and postrouting hooks.
+The optional keyword spnum can be used to match a specific state in a chain,
+it defaults to 0.
+
+.Ipsec expression types
+[options="header"]
+|=======================
+|Keyword| Description| Type
+|reqid|
+Request ID|
+integer (32 bit)
+|spi|
+Security Parameter Index|
+integer (32 bit)
+|saddr|
+Source address of the tunnel|
+ipv4_addr/ipv6_addr
+|daddr|
+Destination address of the tunnel|
+ipv4_addr/ipv6_addr
+|=================================
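Review bot: the sentence "The optional keyword spnum can be used to match a specific state in a chain, it defaults to 0." leaves spnum under-documented: it does not say which chain or list NUM indexes, whether the index is zero-based, or what range is accepted, and the synopsis writes it as `spnum 'NUM'` while NUM has no row in the type table. Suggest one sentence stating what spnum selects for 'in' versus 'out' and the valid range, and splitting the comma splice into two sentences. Two smaller points in the same hunk: "A ipsec expression" should read "An ipsec expression", and the section ends without an example listing, unlike the preceding rt section whose `--------------------------` block is visible in the context lines; the three examples from the commit message (`ipsec in ip saddr 192.168.1.0/24`, `ipsec out ip6 daddr @endpoints`, `ipsec in spi 1-65536`) would fit there. The closing `|=================================` is also longer than the opening `|=======================`; AsciiDoc tolerates it, but matching lengths reads cleaner.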