]> git.saurik.com Git - apple/ipsec.git/blame_incremental - ipsec-tools/libipsec/ipsec_set_policy.3
ipsec-93.6.tar.gz
[apple/ipsec.git] / ipsec-tools / libipsec / ipsec_set_policy.3
... / ...
CommitLineData
1.\" $KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $
2.\"
3.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\" notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\" notice, this list of conditions and the following disclaimer in the
13.\" documentation and/or other materials provided with the distribution.
14.\" 3. Neither the name of the project nor the names of its contributors
15.\" may be used to endorse or promote products derived from this software
16.\" without specific prior written permission.
17.\"
18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28.\" SUCH DAMAGE.
29.\"
30.Dd May 5, 1998
31.Dt IPSEC_SET_POLICY 3
32.Os
33.Sh NAME
34.Nm ipsec_dump_policy ,
35.Nm ipsec_get_policylen ,
36.Nm ipsec_set_policy
37.Nd manipulate IPsec policy specification structure from human-readable policy string
38.\"
39.Sh LIBRARY
40.Lb libipsec
41.Sh SYNOPSIS
42.In netinet6/ipsec.h
43.Ft "char *"
44.Fo ipsec_dump_policy
45.Fa "caddr_t buf"
46.Fa "char *delim"
47.Fc
48.Ft int
49.Fo ipsec_get_policylen
50.Fa "caddr_t buf"
51.Fc
52.Ft "char *"
53.Fo ipsec_set_policy
54.Fa "char *policy"
55.Fa "int len"
56.Fc
57.Sh DESCRIPTION
58.Fn ipsec_set_policy
59generates an IPsec policy specification structure, namely
60.Li struct sadb_x_policy
61and/or
62.Li struct sadb_x_ipsecrequest
63from a human-readable policy specification.
64The policy specification must be given as a C string
65.Fa policy
66and its length
67.Fa len .
68.Fn ipsec_set_policy
69will return a buffer with the corresponding IPsec policy specification structure.
70The buffer is dynamically allocated, and must be
71.Xr free 3 Ap d
72by the caller.
73.Pp
74You can get the length of the generated buffer with
75.Fn ipsec_get_policylen
76(i.e. for calling
77.Xr setsockopt 2 ) .
78.Pp
79.Fn ipsec_dump_policy
80converts an IPsec policy structure into human-readable form.
81Therefore,
82.Fn ipsec_dump_policy
83can be regarded as the inverse function to
84.Fn ipsec_set_policy .
85.Fa buf
86points to an IPsec policy structure,
87.Li struct sadb_x_policy .
88.Fa delim
89is a delimiter string, which is usually a blank character.
90If you set
91.Fa delim
92to
93.Dv NULL ,
94a single whitespace is assumed.
95.Fn ipsec_dump_policy
96returns a pointer to a dynamically allocated string.
97It is the caller's responsibility to
98.Xr free 3
99it.
100.Pp
101.Fa policy
102is formatted as either of the following:
103.Bl -tag -width "discard"
104.It Ar direction [priority specification] Li discard
105.Ar direction
106must be
107.Li in ,
108.Li out ,
109or
110.Li fwd .
111.Ar direction
112specifies in which direction the policy needs to be applied.
113The non-standard direction
114.Li fwd
115is substituted with
116.Li in
117on platforms which do not support forward policies.
118.Pp
119.Ar priority specification
120is used to control the placement of the policy within the SPD.
121The policy position is determined by
122a signed integer where higher priorities indicate the policy is placed
123closer to the beginning of the list and lower priorities indicate the
124policy is placed closer to the end of the list.
125Policies with equal
126priorities are added at the end of the group of such policies.
127.Pp
128Priority can only
129be specified when libipsec has been compiled against kernel headers that
130support policy priorities (Linux \*[Gt]= 2.6.6).
131It takes one of the following formats:
132.Bl -tag -width "discard"
133.It Xo
134.Ar {priority,prio} offset
135.Xc
136.Ar offset
137is an integer in the range -2147483647..214783648.
138.It Xo
139.Ar {priority,prio} base {+,-} offset
140.Xc
141.Ar base
142is either
143.Li low (-1073741824) ,
144.Li def (0) ,
145or
146.Li high (1073741824) .
147.Pp
148.Ar offset
149is an unsigned integer.
150It can be up to 1073741824 for
151positive offsets, and up to 1073741823 for negative offsets.
152.El
153.Pp
154The interpretation of policy priority in these functions and the
155kernel DOES differ.
156The relationship between the two can be described as
157p(kernel) = 0x80000000 - p(func)
158.Pp
159With
160.Li discard
161policy, packets will be dropped if they match the policy.
162.It Ar direction [priority specification] Li entrust
163.Li entrust
164means to consult the SPD defined by
165.Xr setkey 8 .
166.It Ar direction [priority specification] Li bypass
167.Li bypass
168means to bypass the IPsec processing.
169.Pq the packet will be transmitted in clear .
170This is for privileged sockets.
171.It Xo
172.Ar direction
173.Bq Ar priority specification
174.Li ipsec
175.Ar request ...
176.Xc
177.Li ipsec
178means that the matching packets are subject to IPsec processing.
179.Li ipsec
180can be followed by one or more
181.Ar request
182strings, which are formatted as below:
183.Bl -tag -width "discard"
184.It Xo
185.Ar protocol
186.Li /
187.Ar mode
188.Li /
189.Ar src
190.Li -
191.Ar dst
192.Op Ar /level
193.Xc
194.Ar protocol
195is either
196.Li ah ,
197.Li esp ,
198or
199.Li ipcomp .
200.Pp
201.Ar mode
202is either
203.Li transport
204or
205.Li tunnel .
206.Pp
207.Ar src
208and
209.Ar dst
210specifies the IPsec endpoint.
211.Ar src
212always means the
213.Dq sending node
214and
215.Ar dst
216always means the
217.Dq receiving node .
218Therefore, when
219.Ar direction
220is
221.Li in ,
222.Ar dst
223is this node
224and
225.Ar src
226is the other node
227.Pq peer .
228If
229.Ar mode
230is
231.Li transport ,
232Both
233.Ar src
234and
235.Ar dst
236can be omitted.
237.Pp
238.Ar level
239must be set to one of the following:
240.Li default , use , require ,
241or
242.Li unique .
243.Li default
244means that the kernel should consult the system default policy
245defined by
246.Xr sysctl 8 ,
247such as
248.Li net.inet.ipsec.esp_trans_deflev .
249See
250.Xr ipsec 4
251regarding the system default.
252.Li use
253means that a relevant SA can be used when available,
254since the kernel may perform IPsec operation against packets when possible.
255In this case, packets can be transmitted in clear
256.Pq when SA is not available ,
257or encrypted
258.Pq when SA is available .
259.Li require
260means that a relevant SA is required,
261since the kernel must perform IPsec operation against packets.
262.Li unique
263is the same as
264.Li require ,
265but adds the restriction that the SA for outbound traffic is used
266only for this policy.
267You may need the identifier in order to relate the policy and the SA
268when you define the SA by manual keying.
269You can put the decimal number as the identifier after
270.Li unique
271like
272.Li unique : number .
273.Li number
274must be between 1 and 32767 .
275If the
276.Ar request
277string is kept unambiguous,
278.Ar level
279and slash prior to
280.Ar level
281can be omitted.
282However, it is encouraged to specify them explicitly
283to avoid unintended behavior.
284If
285.Ar level
286is omitted, it will be interpreted as
287.Li default .
288.El
289.Pp
290Note that there are slight differences to the specification of
291.Xr setkey 8 .
292In the specification of
293.Xr setkey 8 ,
294both
295.Li entrust
296and
297.Li bypass
298are not used.
299Refer to
300.Xr setkey 8
301for details.
302.Pp
303Here are several examples
304.Pq long lines are wrapped for readability :
305.Bd -literal -offset indent
306in discard
307out ipsec esp/transport//require
308in ipsec ah/transport//require
309out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
310in ipsec ipcomp/transport//use
311 esp/transport//use
312.Ed
313.El
314.Sh RETURN VALUES
315.Fn ipsec_set_policy
316returns a pointer to the allocated buffer with the policy specification
317if successful; otherwise a
318.Dv NULL
319pointer is returned.
320.Fn ipsec_get_policylen
321returns a positive value
322.Pq meaning the buffer size
323on success, and a negative value on errors.
324.Fn ipsec_dump_policy
325returns a pointer to a dynamically allocated region on success,
326and
327.Dv NULL
328on errors.
329.Sh SEE ALSO
330.Xr ipsec_strerror 3 ,
331.Xr ipsec 4 ,
332.Xr setkey 8
333.Sh HISTORY
334The functions first appeared in the WIDE/KAME IPv6 protocol stack kit.