extensions/libxt_policy.man

This modules matches the policy used by IPsec for handling a packet.
.TP
\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
Used to select whether to match the policy used for decapsulation or the
policy that will be used for encapsulation.
.B in
is valid in the
.B PREROUTING, INPUT and FORWARD
chains,
.B out
is valid in the
.B POSTROUTING, OUTPUT and FORWARD
chains.
.TP
\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
cannot be combined with \fB\-\-strict\fP.
.TP
\fB\-\-strict\fP
Selects whether to match the exact policy or match if any rule of
the policy matches the given policy.
.PP
For each policy element that is to be described, one can use one or more of
the following options. When \fB\-\-strict\fP is in effect, at least one must be
used per element.
.TP
[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
Matches the reqid of the policy rule. The reqid can be specified with
.B setkey(8)
using
.B unique:id
as level.
.TP
[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
Matches the SPI of the SA.
.TP
[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
Matches the encapsulation protocol.
.TP
[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
Matches the encapsulation mode.
.TP
[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the source end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the destination end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
\fB\-\-next\fP
Start the next element in the policy specification. Can only be used with
\fB\-\-strict\fP.