NetBSD/lib/libipsec/ipsec_set_policy.3

.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\" 
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\" 
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     $Id: ipsec_set_policy.3,v 1.1 1999/07/01 20:15:28 itojun Exp $
.\"
.Dd May 5, 1998
.Dt IPSEC_SET_POLICY 3
.Os KAME
.\" 
.Sh NAME
.Nm ipsec_set_policy ,
.Nm ipsec_get_policylen ,
.Nm ipsec_dump_policy
.Nd manipulate IPsec policy specification structure from readable string
.\" 
.Sh SYNOPSIS
.Fd #include <netinet6/ipsec.h>
.Ft int
.Fn ipsec_set_policy "char *buf" "int len" "char *policy"
.Ft int
.Fn ipsec_get_policylen "char *policy"
.Ft "char *"
.Fn ipsec_dump_policy "char *buf" "char *delim"
.\" 
.Sh DESCRIPTION
.Fn ipsec_set_policy
generates IPsec policy specification structure, namely
.Li struct sadb_x_policy
and/or
.Li struct sadb_x_ipsecrequest
from human-readable policy specification.
policy specification must be given as C string
.Fa policy ,
and the resulting structure will be generated at the buffer pointed to by
.Fa buf ,
length
.Fa len .
.Pp
To obtain the required buffer size beforehand, use
.Fn ipsec_get_policylen
with the same
.Fa policy
argument.
.Fn ipsec_get_policylen
will return the required buffer size,
and you may want to allocate buffer dynamically for use with
.Fn ipsec_set_policy .
.Pp
.Fn ipsec_dump_policy
converts IPsec policy structure into readable form.
Therefore,
.Fn ipsec_dump_policy
can be regarded as inverse conversion of
.Fn ipsec_set_policy .
.Fa buf
points to a IPsec policy structure,
.Li struct sadb_x_policy .
.Fa delim
is a delimiter string, which is usually a blank character.
If you set
.Fa delim
to
.Dv NULL ,
single whitespace is assumed.
.Fn ipsec_dump_policy
returns pointer to dynamically allocated string.
It is caller's responsibility to reclaim the region, by using
.Xr free 3 .
.Pp
.Fa policy
is formatted as either of the following:
.Bl -tag  -width "discard"
.It Li discard
.Li discard
means the packet matching indexes will be discarded.
.It Li none
.Li none
means IPsec will not be performed on the matching packets
.Po
packet will be transmitted in clear
.Pc .
.It Xo Li ipsec
.Ar protocol
.Op Ar /level
.Op Ar /peer
.Op ...
.Xc
.Li ipsec
means that the matching packets are subject to IPsec processing.
.Li ipsec
can be followed by multiple set of
.Do
.Ar protocol
.Op Ar /level
.Op Ar /peer
.Dc
arguments.
.Ar protocol
is either
.Li ah ,
.Li esp
or
.Li ipcomp .
.Ar level
must be set to one of the following: 
.Li default , use
or
.Li require .
.Li default
means that the kernel should consult the system default policy
defined by
.Xr sysctl 8 ,
such as
.Li net.inet.ipsec.esp_trans_deflev .
.Li use
means that a relevant SA can be used when available,
since the kernel may perform IPsec operation against packets when possible.
In this case, packets can be transmitted in clear
.Pq when SA is not available ,
or encrypted
.Pq when SA is available .
.Li require
means that a relevant SA is required,
since the kernel must perform IPsec operation against packets.
.Ar peer
is an IPv4 or IPv6 address string, and it will be used as 
a hint when IPsec system configures IPsec tunnel mode SA by using
key management protocol.
.Pp
If the string is kept unambiguous,
.Ar level
and slashes surrounding
.Ar level
can be omitted.
However, it is encouraged to specify them explicitly
to avoid unintended behaviors.
If
.Ar level
is omitted, it will be interpreted as
.Li default .
.El
.Pp
Here are several examples:
.Bd -literal -offset indent
discard
ipsec esp/require
ipsec ah/use/10.1.1.1
ipsec esp/use ah/require
ipsec ipcomp/use esp/use ah/require
.Ed
.\" 
.Sh RETURN VALUES
.Fn ipsec_set_policy
returns with 0 on success, negative value on errors.
.Fn ipsec_get_policylen
returns with positive value
.Pq meaning the buffer size
on success, and negative value on errors.
.Fn ipsec_dump_policy
returns a pointer to dynamically allocated region on success,
and
.Dv NULL
on errors.
.\" 
.Sh SEE ALSO
.Xr ipsec_strerror 3 ,
.Xr setkey 8
.\" 
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
.\"
.\" .Sh BUGS
.\" (to be written)
ipsec support library. mainly for debugging, and policy text->binary conversion. NO crypto code is included so it is export safe. 1999-07-02 00:15:26 +04:00			`.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.`
			`.\" All rights reserved.`
			`.\"`
			`.\" Redistribution and use in source and binary forms, with or without`
			`.\" modification, are permitted provided that the following conditions`
			`.\" are met:`
			`.\" 1. Redistributions of source code must retain the above copyright`
			`.\" notice, this list of conditions and the following disclaimer.`
			`.\" 2. Redistributions in binary form must reproduce the above copyright`
			`.\" notice, this list of conditions and the following disclaimer in the`
			`.\" documentation and/or other materials provided with the distribution.`
			`.\" 3. Neither the name of the project nor the names of its contributors`
			`.\" may be used to endorse or promote products derived from this software`
			`.\" without specific prior written permission.`
			`.\"`
			.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
			`.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE`
			`.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
			`.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS`
			`.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
			`.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT`
			`.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY`
			`.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF`
			`.\" SUCH DAMAGE.`
			`.\"`
			`.\" $Id: ipsec_set_policy.3,v 1.1 1999/07/01 20:15:28 itojun Exp $`
			`.\"`
			`.Dd May 5, 1998`
			`.Dt IPSEC_SET_POLICY 3`
			`.Os KAME`
			`.\"`
			`.Sh NAME`
			`.Nm ipsec_set_policy ,`
			`.Nm ipsec_get_policylen ,`
			`.Nm ipsec_dump_policy`
			`.Nd manipulate IPsec policy specification structure from readable string`
			`.\"`
			`.Sh SYNOPSIS`
			`.Fd #include <netinet6/ipsec.h>`
			`.Ft int`
			`.Fn ipsec_set_policy "char buf" "int len" "char policy"`
			`.Ft int`
			`.Fn ipsec_get_policylen "char *policy"`
			`.Ft "char *"`
			`.Fn ipsec_dump_policy "char buf" "char delim"`
			`.\"`
			`.Sh DESCRIPTION`
			`.Fn ipsec_set_policy`
			`generates IPsec policy specification structure, namely`
			`.Li struct sadb_x_policy`
			`and/or`
			`.Li struct sadb_x_ipsecrequest`
			`from human-readable policy specification.`
			`policy specification must be given as C string`
			`.Fa policy ,`
			`and the resulting structure will be generated at the buffer pointed to by`
			`.Fa buf ,`
			`length`
			`.Fa len .`
			`.Pp`
			`To obtain the required buffer size beforehand, use`
			`.Fn ipsec_get_policylen`
			`with the same`
			`.Fa policy`
			`argument.`
			`.Fn ipsec_get_policylen`
			`will return the required buffer size,`
			`and you may want to allocate buffer dynamically for use with`
			`.Fn ipsec_set_policy .`
			`.Pp`
			`.Fn ipsec_dump_policy`
			`converts IPsec policy structure into readable form.`
			`Therefore,`
			`.Fn ipsec_dump_policy`
			`can be regarded as inverse conversion of`
			`.Fn ipsec_set_policy .`
			`.Fa buf`
			`points to a IPsec policy structure,`
			`.Li struct sadb_x_policy .`
			`.Fa delim`
			`is a delimiter string, which is usually a blank character.`
			`If you set`
			`.Fa delim`
			`to`
			`.Dv NULL ,`
			`single whitespace is assumed.`
			`.Fn ipsec_dump_policy`
			`returns pointer to dynamically allocated string.`
			`It is caller's responsibility to reclaim the region, by using`
			`.Xr free 3 .`
			`.Pp`
			`.Fa policy`
			`is formatted as either of the following:`
			`.Bl -tag -width "discard"`
			`.It Li discard`
			`.Li discard`
			`means the packet matching indexes will be discarded.`
			`.It Li none`
			`.Li none`
			`means IPsec will not be performed on the matching packets`
			`.Po`
			`packet will be transmitted in clear`
			`.Pc .`
			`.It Xo Li ipsec`
			`.Ar protocol`
			`.Op Ar /level`
			`.Op Ar /peer`
			`.Op ...`
			`.Xc`
			`.Li ipsec`
			`means that the matching packets are subject to IPsec processing.`
			`.Li ipsec`
			`can be followed by multiple set of`
			`.Do`
			`.Ar protocol`
			`.Op Ar /level`
			`.Op Ar /peer`
			`.Dc`
			`arguments.`
			`.Ar protocol`
			`is either`
			`.Li ah ,`
			`.Li esp`
			`or`
			`.Li ipcomp .`
			`.Ar level`
			`must be set to one of the following:`
			`.Li default , use`
			`or`
			`.Li require .`
			`.Li default`
			`means that the kernel should consult the system default policy`
			`defined by`
			`.Xr sysctl 8 ,`
			`such as`
			`.Li net.inet.ipsec.esp_trans_deflev .`
			`.Li use`
			`means that a relevant SA can be used when available,`
			`since the kernel may perform IPsec operation against packets when possible.`
			`In this case, packets can be transmitted in clear`
			`.Pq when SA is not available ,`
			`or encrypted`
			`.Pq when SA is available .`
			`.Li require`
			`means that a relevant SA is required,`
			`since the kernel must perform IPsec operation against packets.`
			`.Ar peer`
			`is an IPv4 or IPv6 address string, and it will be used as`
			`a hint when IPsec system configures IPsec tunnel mode SA by using`
			`key management protocol.`
			`.Pp`
			`If the string is kept unambiguous,`
			`.Ar level`
			`and slashes surrounding`
			`.Ar level`
			`can be omitted.`
			`However, it is encouraged to specify them explicitly`
			`to avoid unintended behaviors.`
			`If`
			`.Ar level`
			`is omitted, it will be interpreted as`
			`.Li default .`
			`.El`
			`.Pp`
			`Here are several examples:`
			`.Bd -literal -offset indent`
			`discard`
			`ipsec esp/require`
			`ipsec ah/use/10.1.1.1`
			`ipsec esp/use ah/require`
			`ipsec ipcomp/use esp/use ah/require`
			`.Ed`
			`.\"`
			`.Sh RETURN VALUES`
			`.Fn ipsec_set_policy`
			`returns with 0 on success, negative value on errors.`
			`.Fn ipsec_get_policylen`
			`returns with positive value`
			`.Pq meaning the buffer size`
			`on success, and negative value on errors.`
			`.Fn ipsec_dump_policy`
			`returns a pointer to dynamically allocated region on success,`
			`and`
			`.Dv NULL`
			`on errors.`
			`.\"`
			`.Sh SEE ALSO`
			`.Xr ipsec_strerror 3 ,`
			`.Xr setkey 8`
			`.\"`
			`.Sh HISTORY`
			`The functions first appeared in WIDE/KAME IPv6 protocol stack kit.`
			`.\"`
			`.\" .Sh BUGS`
			`.\" (to be written)`