Patrick McHardy | 524bb80 | 2005-11-19 09:00:03 +0000 | [diff] [blame] | 1 | This modules matches the policy used by IPsec for handling a packet. |
| 2 | .TP |
| 3 | .BI "--dir " "in|out" |
| 4 | Used to select whether to match the policy used for decapsulation or the |
| 5 | policy that will be used for encapsulation. |
| 6 | .B in |
| 7 | is valid in the |
| 8 | .B PREROUTING, INPUT and FORWARD |
| 9 | chains, |
| 10 | .B out |
| 11 | is valid in the |
| 12 | .B POSTROUTING, OUTPUT and FORWARD |
| 13 | chains. |
| 14 | .TP |
| 15 | .BI "--pol " "none|ipsec" |
| 16 | Matches if the packet is subject to IPsec processing. |
| 17 | .TP |
| 18 | .BI "--strict" |
| 19 | Selects whether to match the exact policy or match if any rule of |
| 20 | the policy matches the given policy. |
| 21 | .TP |
| 22 | .BI "--reqid " "id" |
| 23 | Matches the reqid of the policy rule. The reqid can be specified with |
| 24 | .B setkey(8) |
| 25 | using |
| 26 | .B unique:id |
| 27 | as level. |
| 28 | .TP |
| 29 | .BI "--spi " "spi" |
| 30 | Matches the SPI of the SA. |
| 31 | .TP |
| 32 | .BI "--proto " "ah|esp|ipcomp" |
| 33 | Matches the encapsulation protocol. |
| 34 | .TP |
| 35 | .BI "--mode " "tunnel|transport" |
| 36 | Matches the encapsulation mode. |
| 37 | .TP |
| 38 | .BI "--tunnel-src " "addr[/mask]" |
Patrick McHardy | 37b7c9b | 2006-01-12 16:14:41 +0000 | [diff] [blame] | 39 | Matches the source end-point address of a tunnel mode SA. |
| 40 | Only valid with --mode tunnel. |
Patrick McHardy | 524bb80 | 2005-11-19 09:00:03 +0000 | [diff] [blame] | 41 | .TP |
| 42 | .BI "--tunnel-dst " "addr[/mask]" |
Patrick McHardy | 37b7c9b | 2006-01-12 16:14:41 +0000 | [diff] [blame] | 43 | Matches the destination end-point address of a tunnel mode SA. |
| 44 | Only valid with --mode tunnel. |
Patrick McHardy | 524bb80 | 2005-11-19 09:00:03 +0000 | [diff] [blame] | 45 | .TP |
| 46 | .BI "--next" |
| 47 | Start the next element in the policy specification. Can only be used with |
| 48 | --strict |