1 | .\" $KAME: ipsec_set_policy.3,v 1.16 2003/01/06 21:59:03 sumikawa Exp $ | |
2 | .\" | |
3 | .\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. | |
4 | .\" All rights reserved. | |
5 | .\" | |
6 | .\" Redistribution and use in source and binary forms, with or without | |
7 | .\" modification, are permitted provided that the following conditions | |
8 | .\" are met: | |
9 | .\" 1. Redistributions of source code must retain the above copyright | |
10 | .\" notice, this list of conditions and the following disclaimer. | |
11 | .\" 2. Redistributions in binary form must reproduce the above copyright | |
12 | .\" notice, this list of conditions and the following disclaimer in the | |
13 | .\" documentation and/or other materials provided with the distribution. | |
14 | .\" 3. Neither the name of the project nor the names of its contributors | |
15 | .\" may be used to endorse or promote products derived from this software | |
16 | .\" without specific prior written permission. | |
17 | .\" | |
18 | .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
19 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
20 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
21 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
22 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
23 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
24 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
25 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
26 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
27 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
28 | .\" SUCH DAMAGE. | |
29 | .\" | |
30 | .Dd May 5, 1998 | |
31 | .Dt IPSEC_SET_POLICY 3 | |
32 | .Os | |
33 | .Sh NAME | |
34 | .Nm ipsec_dump_policy , | |
35 | .Nm ipsec_get_policylen , | |
36 | .Nm ipsec_set_policy | |
37 | .Nd manipulate IPsec policy specification structure from human-readable policy string | |
38 | .\" | |
39 | .Sh LIBRARY | |
40 | .Lb libipsec | |
41 | .Sh SYNOPSIS | |
42 | .In netinet6/ipsec.h | |
43 | .Ft "char *" | |
44 | .Fo ipsec_dump_policy | |
45 | .Fa "caddr_t buf" | |
46 | .Fa "char *delim" | |
47 | .Fc | |
48 | .Ft int | |
49 | .Fo ipsec_get_policylen | |
50 | .Fa "caddr_t buf" | |
51 | .Fc | |
52 | .Ft "char *" | |
53 | .Fo ipsec_set_policy | |
54 | .Fa "char *policy" | |
55 | .Fa "int len" | |
56 | .Fc | |
57 | .Sh DESCRIPTION | |
58 | .Fn ipsec_set_policy | |
59 | generates an IPsec policy specification structure, namely | |
60 | .Li struct sadb_x_policy | |
61 | and/or | |
62 | .Li struct sadb_x_ipsecrequest | |
63 | from a human-readable policy specification. | |
64 | The policy specification must be given as a C string | |
65 | .Fa policy | |
66 | and its length | |
67 | .Fa len . | |
68 | .Fn ipsec_set_policy | |
69 | will return a buffer with the corresponding IPsec policy specification structure. | |
70 | The buffer is dynamically allocated, and must be | |
71 | .Xr free 3 Ap d | |
72 | by the caller. | |
73 | .Pp | |
74 | You can get the length of the generated buffer with | |
75 | .Fn ipsec_get_policylen | |
76 | (i.e. for calling | |
77 | .Xr setsockopt 2 ) . | |
78 | .Pp | |
79 | .Fn ipsec_dump_policy | |
80 | converts an IPsec policy structure into human-readable form. | |
81 | Therefore, | |
82 | .Fn ipsec_dump_policy | |
83 | can be regarded as the inverse function to | |
84 | .Fn ipsec_set_policy . | |
85 | .Fa buf | |
86 | points to an IPsec policy structure, | |
87 | .Li struct sadb_x_policy . | |
88 | .Fa delim | |
89 | is a delimiter string, which is usually a blank character. | |
90 | If you set | |
91 | .Fa delim | |
92 | to | |
93 | .Dv NULL , | |
94 | a single space character is assumed. | |
95 | .Fn ipsec_dump_policy | |
96 | returns a pointer to a dynamically allocated string. | |
97 | It is the caller's responsibility to | |
98 | .Xr free 3 | |
99 | it. | |
100 | .Pp | |
101 | .Fa policy | |
102 | is formatted as either of the following: | |
103 | .Bl -tag -width "discard" | |
104 | .It Ar direction [priority specification] Li discard | |
105 | .Ar direction | |
106 | must be | |
107 | .Li in , | |
108 | .Li out , | |
109 | or | |
110 | .Li fwd . | |
111 | .Ar direction | |
112 | specifies in which direction the policy needs to be applied. | |
113 | The non-standard direction | |
114 | .Li fwd | |
115 | is substituted with | |
116 | .Li in | |
117 | on platforms which do not support forward policies. | |
118 | .Pp | |
119 | .Ar priority specification | |
120 | is used to control the placement of the policy within the SPD. | |
121 | The policy position is determined by | |
122 | a signed integer where higher priorities indicate the policy is placed | |
123 | closer to the beginning of the list and lower priorities indicate the | |
124 | policy is placed closer to the end of the list. | |
125 | Policies with equal | |
126 | priorities are added at the end of the group of such policies. | |
127 | .Pp | |
128 | Priority can only | |
129 | be specified when libipsec has been compiled against kernel headers that | |
130 | support policy priorities (Linux \*[Gt]= 2.6.6). | |
131 | It takes one of the following formats: | |
132 | .Bl -tag -width "discard" | |
133 | .It Xo | |
134 | .Ar {priority,prio} offset | |
135 | .Xc | |
136 | .Ar offset | |
137 | is an integer in the range -2147483647..2147483648. | |
138 | .It Xo | |
139 | .Ar {priority,prio} base {+,-} offset | |
140 | .Xc | |
141 | .Ar base | |
142 | is either | |
143 | .Li low (-1073741824) , | |
144 | .Li def (0) , | |
145 | or | |
146 | .Li high (1073741824) . | |
147 | .Pp | |
148 | .Ar offset | |
149 | is an unsigned integer. | |
150 | It can be up to 1073741824 for | |
151 | positive offsets, and up to 1073741823 for negative offsets. | |
152 | .El | |
153 | .Pp | |
154 | The interpretation of policy priority in these functions differs from | |
155 | that in the kernel. | |
156 | The relationship between the two can be described as | |
157 | p(kernel) = 0x80000000 - p(func) | |
158 | .Pp | |
159 | With | |
160 | .Li discard | |
161 | policy, packets will be dropped if they match the policy. | |
162 | .It Ar direction [priority specification] Li entrust | |
163 | .Li entrust | |
164 | means to consult the SPD defined by | |
165 | .Xr setkey 8 . | |
166 | .It Ar direction [priority specification] Li bypass | |
167 | .Li bypass | |
168 | means to bypass the IPsec processing. | |
169 | .Pq the packet will be transmitted in the clear . | |
170 | This is for privileged sockets. | |
171 | .It Xo | |
172 | .Ar direction | |
173 | .Bq Ar priority specification | |
174 | .Li ipsec | |
175 | .Ar request ... | |
176 | .Xc | |
177 | .Li ipsec | |
178 | means that the matching packets are subject to IPsec processing. | |
179 | .Li ipsec | |
180 | can be followed by one or more | |
181 | .Ar request | |
182 | strings, which are formatted as below: | |
183 | .Bl -tag -width "discard" | |
184 | .It Xo | |
185 | .Ar protocol | |
186 | .Li / | |
187 | .Ar mode | |
188 | .Li / | |
189 | .Ar src | |
190 | .Li - | |
191 | .Ar dst | |
192 | .Op Ar /level | |
193 | .Xc | |
194 | .Ar protocol | |
195 | is either | |
196 | .Li ah , | |
197 | .Li esp , | |
198 | or | |
199 | .Li ipcomp . | |
200 | .Pp | |
201 | .Ar mode | |
202 | is either | |
203 | .Li transport | |
204 | or | |
205 | .Li tunnel . | |
206 | .Pp | |
207 | .Ar src | |
208 | and | |
209 | .Ar dst | |
210 | specify the IPsec endpoints. | |
211 | .Ar src | |
212 | always means the | |
213 | .Dq sending node | |
214 | and | |
215 | .Ar dst | |
216 | always means the | |
217 | .Dq receiving node . | |
218 | Therefore, when | |
219 | .Ar direction | |
220 | is | |
221 | .Li in , | |
222 | .Ar dst | |
223 | is this node | |
224 | and | |
225 | .Ar src | |
226 | is the other node | |
227 | .Pq peer . | |
228 | If | |
229 | .Ar mode | |
230 | is | |
231 | .Li transport , | |
232 | both | |
233 | .Ar src | |
234 | and | |
235 | .Ar dst | |
236 | can be omitted. | |
237 | .Pp | |
238 | .Ar level | |
239 | must be set to one of the following: | |
240 | .Li default , use , require , | |
241 | or | |
242 | .Li unique . | |
243 | .Li default | |
244 | means that the kernel should consult the system default policy | |
245 | defined by | |
246 | .Xr sysctl 8 , | |
247 | such as | |
248 | .Li net.inet.ipsec.esp_trans_deflev . | |
249 | See | |
250 | .Xr ipsec 4 | |
251 | regarding the system default. | |
252 | .Li use | |
253 | means that a relevant SA may be used when available, | |
254 | because the kernel performs IPsec processing on packets whenever possible. | |
255 | In this case, packets can be transmitted in the clear | |
256 | .Pq when SA is not available , | |
257 | or encrypted | |
258 | .Pq when SA is available . | |
259 | .Li require | |
260 | means that a relevant SA is required, | |
261 | because the kernel must perform IPsec processing on packets. | |
262 | .Li unique | |
263 | is the same as | |
264 | .Li require , | |
265 | but adds the restriction that the SA for outbound traffic is used | |
266 | only for this policy. | |
267 | You may need the identifier in order to relate the policy and the SA | |
268 | when you define the SA by manual keying. | |
269 | You can append a decimal number as the identifier after | |
270 | .Li unique | |
271 | like | |
272 | .Li unique : number . | |
273 | .Li number | |
274 | must be between 1 and 32767. | |
275 | If the | |
276 | .Ar request | |
277 | string is kept unambiguous, | |
278 | .Ar level | |
279 | and slash prior to | |
280 | .Ar level | |
281 | can be omitted. | |
282 | However, you are encouraged to specify them explicitly | |
283 | to avoid unintended behavior. | |
284 | If | |
285 | .Ar level | |
286 | is omitted, it will be interpreted as | |
287 | .Li default . | |
288 | .El | |
289 | .Pp | |
290 | Note that there are slight differences from the specification of | |
291 | .Xr setkey 8 . | |
292 | In the specification of | |
293 | .Xr setkey 8 , | |
294 | both | |
295 | .Li entrust | |
296 | and | |
297 | .Li bypass | |
298 | are not used. | |
299 | Refer to | |
300 | .Xr setkey 8 | |
301 | for details. | |
302 | .Pp | |
303 | Here are several examples | |
304 | .Pq long lines are wrapped for readability : | |
305 | .Bd -literal -offset indent | |
306 | in discard | |
307 | out ipsec esp/transport//require | |
308 | in ipsec ah/transport//require | |
309 | out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use | |
310 | in ipsec ipcomp/transport//use | |
311 | esp/transport//use | |
312 | .Ed | |
313 | .El | |
314 | .Sh RETURN VALUES | |
315 | .Fn ipsec_set_policy | |
316 | returns a pointer to the allocated buffer with the policy specification | |
317 | if successful; otherwise a | |
318 | .Dv NULL | |
319 | pointer is returned. | |
320 | .Fn ipsec_get_policylen | |
321 | returns a positive value | |
322 | .Pq meaning the buffer size | |
323 | on success, and a negative value on errors. | |
324 | .Fn ipsec_dump_policy | |
325 | returns a pointer to a dynamically allocated region on success, | |
326 | and | |
327 | .Dv NULL | |
328 | on errors. | |
329 | .Sh SEE ALSO | |
330 | .Xr ipsec_strerror 3 , | |
331 | .Xr ipsec 4 , | |
332 | .Xr setkey 8 | |
333 | .Sh HISTORY | |
334 | The functions first appeared in the WIDE/KAME IPv6 protocol stack kit. |