author    Máté Eckl <>    2018-09-05 11:16:44 +0200
committer Florian Westphal <>    2018-09-21 12:06:27 +0200
commit    57c2b152c5f0866be5bf1acda2f341ba26ba9448 (patch)
tree      091cabd5ef590d0d0edf0dc972d3cf53ae0008cb /doc
parent    8f55ed41d007061bd8aae94fee2bda172c0e8996 (diff)
src: add ipsec (xfrm) expression

This allows matching on ipsec tunnel/beet addresses in xfrm state
associated with a packet, ipsec request id and the SPI.

Examples:

  ipsec in ip saddr
  ipsec out ip6 daddr @endpoints
  ipsec in spi 1-65536

Joint work with Florian Westphal.

Cc: Máté Eckl <>
Signed-off-by: Florian Westphal <>
Diffstat (limited to 'doc')
1 files changed, 34 insertions, 0 deletions
diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt
index 6db7edae..0fda76dd 100644
--- a/doc/primary-expression.txt
+++ b/doc/primary-expression.txt
@@ -285,3 +285,37 @@ ip6 filter output rt nexthop fd00::1
inet filter output rt ip nexthop
inet filter output rt ip6 nexthop fd00::1
+*ipsec* {in | out} [ spnum 'NUM' ] {reqid | spi }
+*ipsec* {in | out} [ spnum 'NUM' ] {ip | ip6 } { saddr | daddr }
+A ipsec expression refers to ipsec data associated with a packet.
+The 'in' or 'out' keyword needs to be used to specify if the expression should
+examine inbound or outbound policies. The 'in' keyword can be used in the
+prerouting, input and forward hooks. The 'out' keyword applies to forward,
+output and postrouting hooks.
+The optional keyword spnum can be used to match a specific state in a chain,
+it defaults to 0.
+.Ipsec expression types
+|Keyword| Description| Type
+Request ID|
+integer (32 bit)
+Security Parameter Index|
+integer (32 bit)
+Source address of the tunnel|
+Destination address of the tunnel|
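Review bot: the ".Ipsec expression types" table at the end of this hunk does not match the synopsis above it: the "Request ID" and "Security Parameter Index" rows have an empty Keyword column (the synopsis names them `reqid` and `spi`), and the two tunnel address rows ("Source address of the tunnel", "Destination address of the tunnel") carry neither a keyword nor a type, although the synopsis lists `{ip | ip6} {saddr | daddr}` for them; fill in those cells so a reader can map each row back to the syntax. Two wording fixes in the same hunk: "A ipsec expression refers to" should read "An ipsec expression refers to", and "match a specific state in a chain, it defaults to 0" is a comma splice, suggest "match a specific state in a chain; it defaults to 0". Finally, the prose says `in`/`out` select inbound or outbound "policies" while the commit message describes matching on xfrm "state"; the doc should use one term consistently so the reader knows which object `spnum` indexes.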