.\" Blame metadata from the original rendering: Patrick McHardy, commits 524bb80 (2005-11-19) and 37b7c9b (2006-01-12); Jan Engelhardt, commit fea74bf (2009-01-12).
This module matches the policy used by IPsec for handling a packet.
.TP
\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
Used to select whether to match the policy used for decapsulation or the
policy that will be used for encapsulation.
.B in
is valid in the
.B PREROUTING, INPUT and FORWARD
chains,
.B out
is valid in the
.B POSTROUTING, OUTPUT and FORWARD
chains.
.TP
\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
Matches if the packet is subject to IPsec processing (\fBipsec\fP) or if it is not (\fBnone\fP).
.TP
\fB\-\-strict\fP
Selects whether to match the exact policy or match if any rule of
the policy matches the given policy.
.TP
[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
Matches the reqid of the policy rule. The reqid can be specified with
.B setkey(8)
using
.B unique:id
as level.
.TP
[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
Matches the SPI of the SA.
.TP
[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
Matches the encapsulation protocol.
.TP
[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
Matches the encapsulation mode.
.TP
[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the source end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the destination end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
\fB\-\-next\fP
Start the next element in the policy specification. Can only be used with
\fB\-\-strict\fP.
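As an added example (not part of the man page), a rule set for a site-to-site IPsec gateway that uses these options defensively: accept remote-LAN traffic only after verified decapsulation, drop spoofed plaintext, and refuse to forward clear-text when the encapsulation policy is absent. The gateway and subnet addresses are constructed placeholders, and check_policy_dirs is a hypothetical helper that enforces the chain restrictions stated under \-\-dir.

```shell
#!/bin/sh
# Added example, not from the iptables man page. Rule set for a site-to-site
# IPsec gateway using the policy match. All addresses are constructed placeholders.
LOCAL_GW=192.0.2.1        # this gateway's public address (tunnel endpoint)
PEER_GW=203.0.113.5       # remote gateway's public address
LOCAL_LAN=10.0.0.0/24     # subnet behind this gateway
REMOTE_LAN=10.0.1.0/24    # subnet behind the peer, reachable only through the tunnel

# Emit the rules as text so they can be reviewed before being applied.
ipsec_policy_rules() {
    # IKE and ESP between the gateways carry the tunnel itself and are not
    # subject to a policy, so they are matched without -m policy.
    echo "iptables -A INPUT -p udp -s $PEER_GW -d $LOCAL_GW -m multiport --dports 500,4500 -j ACCEPT"
    echo "iptables -A INPUT -p esp -s $PEER_GW -d $LOCAL_GW -j ACCEPT"
    # Forward remote-LAN traffic only if it was just decapsulated from an ESP
    # tunnel-mode SA between exactly these endpoints. --strict with a single
    # element also rejects packets wrapped in additional transforms.
    echo "iptables -A FORWARD -s $REMOTE_LAN -d $LOCAL_LAN -m policy --dir in --pol ipsec --strict --proto esp --mode tunnel --tunnel-src $PEER_GW --tunnel-dst $LOCAL_GW -j ACCEPT"
    # Anti-spoofing: a remote-LAN source that did not arrive via IPsec is logged and dropped.
    echo "iptables -A FORWARD -s $REMOTE_LAN -m policy --dir in --pol none -j LOG --log-prefix 'ipsec-spoof: '"
    echo "iptables -A FORWARD -s $REMOTE_LAN -m policy --dir in --pol none -j DROP"
    # Leak prevention: traffic for the remote LAN that would leave without
    # encapsulation (e.g. the SA is down) is dropped rather than sent in clear.
    echo "iptables -A FORWARD -d $REMOTE_LAN -m policy --dir out --pol none -j DROP"
    echo "iptables -A OUTPUT -d $REMOTE_LAN -m policy --dir out --pol none -j DROP"
}

# Sanity check (rules on stdin): --dir in is only valid in PREROUTING, INPUT and
# FORWARD, --dir out only in POSTROUTING, OUTPUT and FORWARD. Returns 1 on a violation.
check_policy_dirs() {
    while read -r rule; do
        case "$rule" in *"-m policy"*) ;; *) continue ;; esac
        chain=$(printf '%s\n' "$rule" | sed -n 's/.*-A \([A-Z]*\).*/\1/p')
        dir=$(printf '%s\n' "$rule" | sed -n 's/.*--dir \([a-z]*\).*/\1/p')
        case "$dir:$chain" in
            in:PREROUTING|in:INPUT|in:FORWARD) ;;
            out:POSTROUTING|out:OUTPUT|out:FORWARD) ;;
            *) echo "invalid: --dir $dir in chain $chain" >&2; return 1 ;;
        esac
    done
    return 0
}

# Preview: ipsec_policy_rules | check_policy_dirs && ipsec_policy_rules
# Apply as root: ipsec_policy_rules | sh
```

The rules are emitted as text rather than executed so the set can be inspected and checked before it touches a live firewall.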