202 lines
5.5 KiB
Groff
202 lines
5.5 KiB
Groff
.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the project nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $NetBSD: ipsec_set_policy.3,v 1.4 1999/07/04 01:36:13 itojun Exp $
|
|
.\" KAME Id: ipsec_set_policy.3,v 1.1.2.6 1999/07/01 06:54:58 sakane Exp
|
|
.\"
|
|
.Dd May 5, 1998
|
|
.Dt IPSEC_SET_POLICY 3
|
|
.Os KAME
|
|
.\"
|
|
.Sh NAME
|
|
.Nm ipsec_set_policy ,
|
|
.Nm ipsec_get_policylen ,
|
|
.Nm ipsec_dump_policy
|
|
.Nd manipulate IPsec policy specification structure from readable string
|
|
.\"
|
|
.Sh LIBRARY
|
|
.Lb libipsec
|
|
.\"
|
|
.Sh SYNOPSIS
|
|
.Fd #include <netinet6/ipsec.h>
|
|
.Ft int
|
|
.Fn ipsec_set_policy "char *buf" "int len" "char *policy"
|
|
.Ft int
|
|
.Fn ipsec_get_policylen "char *policy"
|
|
.Ft "char *"
|
|
.Fn ipsec_dump_policy "char *buf" "char *delim"
|
|
.\"
|
|
.Sh DESCRIPTION
|
|
.Fn ipsec_set_policy
|
|
generates IPsec policy specification structure, namely
|
|
.Li struct sadb_x_policy
|
|
and/or
|
|
.Li struct sadb_x_ipsecrequest
|
|
from human-readable policy specification.
|
|
policy specification must be given as C string
|
|
.Fa policy ,
|
|
and the resulting structure will be generated at the buffer pointed to by
|
|
.Fa buf ,
|
|
length
|
|
.Fa len .
|
|
.Pp
|
|
To obtain the required buffer size beforehand, use
|
|
.Fn ipsec_get_policylen
|
|
with the same
|
|
.Fa policy
|
|
argument.
|
|
.Fn ipsec_get_policylen
|
|
will return the required buffer size,
|
|
and you may want to allocate buffer dynamically for use with
|
|
.Fn ipsec_set_policy .
|
|
.Pp
|
|
.Fn ipsec_dump_policy
|
|
converts IPsec policy structure into readable form.
|
|
Therefore,
|
|
.Fn ipsec_dump_policy
|
|
can be regarded as inverse conversion of
|
|
.Fn ipsec_set_policy .
|
|
.Fa buf
|
|
points to a IPsec policy structure,
|
|
.Li struct sadb_x_policy .
|
|
.Fa delim
|
|
is a delimiter string, which is usually a blank character.
|
|
If you set
|
|
.Fa delim
|
|
to
|
|
.Dv NULL ,
|
|
single whitespace is assumed.
|
|
.Fn ipsec_dump_policy
|
|
returns pointer to dynamically allocated string.
|
|
It is caller's responsibility to reclaim the region, by using
|
|
.Xr free 3 .
|
|
.Pp
|
|
.Fa policy
|
|
is formatted as either of the following:
|
|
.Bl -tag -width "discard"
|
|
.It Li discard
|
|
.Li discard
|
|
means the packet matching indexes will be discarded.
|
|
.It Li none
|
|
.Li none
|
|
means IPsec will not be performed on the matching packets
|
|
.Po
|
|
packet will be transmitted in clear
|
|
.Pc .
|
|
.It Xo Li ipsec
|
|
.Ar protocol
|
|
.Op Ar /level
|
|
.Op Ar /peer
|
|
.Op ...
|
|
.Xc
|
|
.Li ipsec
|
|
means that the matching packets are subject to IPsec processing.
|
|
.Li ipsec
|
|
can be followed by multiple set of
|
|
.Do
|
|
.Ar protocol
|
|
.Op Ar /level
|
|
.Op Ar /peer
|
|
.Dc
|
|
arguments.
|
|
.Ar protocol
|
|
is either
|
|
.Li ah ,
|
|
.Li esp
|
|
or
|
|
.Li ipcomp .
|
|
.Ar level
|
|
must be set to one of the following:
|
|
.Li default , use
|
|
or
|
|
.Li require .
|
|
.Li default
|
|
means that the kernel should consult the system default policy
|
|
defined by
|
|
.Xr sysctl 8 ,
|
|
such as
|
|
.Li net.inet.ipsec.esp_trans_deflev .
|
|
.Li use
|
|
means that a relevant SA can be used when available,
|
|
since the kernel may perform IPsec operation against packets when possible.
|
|
In this case, packets can be transmitted in clear
|
|
.Pq when SA is not available ,
|
|
or encrypted
|
|
.Pq when SA is available .
|
|
.Li require
|
|
means that a relevant SA is required,
|
|
since the kernel must perform IPsec operation against packets.
|
|
.Ar peer
|
|
is an IPv4 or IPv6 address string, and it will be used as
|
|
a hint when IPsec system configures IPsec tunnel mode SA by using
|
|
key management protocol.
|
|
.Pp
|
|
If the string is kept unambiguous,
|
|
.Ar level
|
|
and slashes surrounding
|
|
.Ar level
|
|
can be omitted.
|
|
However, it is encouraged to specify them explicitly
|
|
to avoid unintended behaviors.
|
|
If
|
|
.Ar level
|
|
is omitted, it will be interpreted as
|
|
.Li default .
|
|
.El
|
|
.Pp
|
|
Here are several examples:
|
|
.Bd -literal -offset indent
|
|
discard
|
|
ipsec esp/require
|
|
ipsec ah/use/10.1.1.1
|
|
ipsec esp/use ah/require
|
|
ipsec ipcomp/use esp/use ah/require
|
|
.Ed
|
|
.\"
|
|
.Sh RETURN VALUES
|
|
.Fn ipsec_set_policy
|
|
returns with 0 on success, negative value on errors.
|
|
.Fn ipsec_get_policylen
|
|
returns with positive value
|
|
.Pq meaning the buffer size
|
|
on success, and negative value on errors.
|
|
.Fn ipsec_dump_policy
|
|
returns a pointer to dynamically allocated region on success,
|
|
and
|
|
.Dv NULL
|
|
on errors.
|
|
.\"
|
|
.Sh SEE ALSO
|
|
.Xr ipsec_strerror 3 ,
|
|
.Xr setkey 8
|
|
.\"
|
|
.Sh HISTORY
|
|
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
|
|
.\"
|
|
.\" .Sh BUGS
|
|
.\" (to be written)
|