From 57c2b152c5f0866be5bf1acda2f341ba26ba9448 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Eckl?= <ecklm94@gmail.com>
Date: Wed, 5 Sep 2018 11:16:44 +0200
Subject: src: add ipsec (xfrm) expression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This allows matching on ipsec tunnel/beet addresses in xfrm state
associated with a packet, ipsec request id and the SPI.

Examples:

 ipsec in ip saddr 192.168.1.0/24
 ipsec out ip6 daddr @endpoints
 ipsec in spi 1-65536

Joint work with Florian Westphal.

Cc: Máté Eckl <ecklm94@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/scanner.l | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'src/scanner.l')

diff --git a/src/scanner.l b/src/scanner.l
index 26e63b9b..4a143b1e 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -555,6 +555,15 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "exthdr"		{ return EXTHDR; }
 
 "ipsec"			{ return IPSEC; }
+"mode"			{ return MODE; }
+"reqid"			{ return REQID; }
+"spnum"			{ return SPNUM; }
+"transport"		{ return TRANSPORT; }
+"tunnel"		{ return TUNNEL; }
+
+"in"			{ return IN; }
+"out"			{ return OUT; }
+
 {addrstring}		{
 				yylval->string = xstrdup(yytext);
 				return STRING;
-- 
cgit v1.2.3