.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of the project nor the names of its contributors .\" may be used to endorse or promote products derived from this software .\" without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" .\" $Id: ipsec_set_policy.3,v 1.1 1999/07/01 20:15:28 itojun Exp $ .\" .Dd May 5, 1998 .Dt IPSEC_SET_POLICY 3 .Os KAME .\" .Sh NAME .Nm ipsec_set_policy , .Nm ipsec_get_policylen , .Nm ipsec_dump_policy .Nd manipulate IPsec policy specification structure from readable string .\" .Sh SYNOPSIS .Fd #include .Ft int .Fn ipsec_set_policy "char *buf" "int len" "char *policy" .Ft int .Fn ipsec_get_policylen "char *policy" .Ft "char *" .Fn ipsec_dump_policy "char *buf" "char *delim" .\" .Sh DESCRIPTION .Fn ipsec_set_policy generates IPsec policy specification structure, namely .Li struct sadb_x_policy and/or .Li struct sadb_x_ipsecrequest from human-readable policy specification. policy specification must be given as C string .Fa policy , and the resulting structure will be generated at the buffer pointed to by .Fa buf , length .Fa len . .Pp To obtain the required buffer size beforehand, use .Fn ipsec_get_policylen with the same .Fa policy argument. .Fn ipsec_get_policylen will return the required buffer size, and you may want to allocate buffer dynamically for use with .Fn ipsec_set_policy . .Pp .Fn ipsec_dump_policy converts IPsec policy structure into readable form. Therefore, .Fn ipsec_dump_policy can be regarded as inverse conversion of .Fn ipsec_set_policy . .Fa buf points to a IPsec policy structure, .Li struct sadb_x_policy . .Fa delim is a delimiter string, which is usually a blank character. If you set .Fa delim to .Dv NULL , single whitespace is assumed. .Fn ipsec_dump_policy returns pointer to dynamically allocated string. It is caller's responsibility to reclaim the region, by using .Xr free 3 . .Pp .Fa policy is formatted as either of the following: .Bl -tag -width "discard" .It Li discard .Li discard means the packet matching indexes will be discarded. .It Li none .Li none means IPsec will not be performed on the matching packets .Po packet will be transmitted in clear .Pc . .It Xo Li ipsec .Ar protocol .Op Ar /level .Op Ar /peer .Op ... .Xc .Li ipsec means that the matching packets are subject to IPsec processing. .Li ipsec can be followed by multiple set of .Do .Ar protocol .Op Ar /level .Op Ar /peer .Dc arguments. .Ar protocol is either .Li ah , .Li esp or .Li ipcomp . .Ar level must be set to one of the following: .Li default , use or .Li require . .Li default means that the kernel should consult the system default policy defined by .Xr sysctl 8 , such as .Li net.inet.ipsec.esp_trans_deflev . .Li use means that a relevant SA can be used when available, since the kernel may perform IPsec operation against packets when possible. In this case, packets can be transmitted in clear .Pq when SA is not available , or encrypted .Pq when SA is available . .Li require means that a relevant SA is required, since the kernel must perform IPsec operation against packets. .Ar peer is an IPv4 or IPv6 address string, and it will be used as a hint when IPsec system configures IPsec tunnel mode SA by using key management protocol. .Pp If the string is kept unambiguous, .Ar level and slashes surrounding .Ar level can be omitted. However, it is encouraged to specify them explicitly to avoid unintended behaviors. If .Ar level is omitted, it will be interpreted as .Li default . .El .Pp Here are several examples: .Bd -literal -offset indent discard ipsec esp/require ipsec ah/use/10.1.1.1 ipsec esp/use ah/require ipsec ipcomp/use esp/use ah/require .Ed .\" .Sh RETURN VALUES .Fn ipsec_set_policy returns with 0 on success, negative value on errors. .Fn ipsec_get_policylen returns with positive value .Pq meaning the buffer size on success, and negative value on errors. .Fn ipsec_dump_policy returns a pointer to dynamically allocated region on success, and .Dv NULL on errors. .\" .Sh SEE ALSO .Xr ipsec_strerror 3 , .Xr setkey 8 .\" .Sh HISTORY The functions first appeared in WIDE/KAME IPv6 protocol stack kit. .\" .\" .Sh BUGS .\" (to be written)