1.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the project nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $ 29.\" $FreeBSD$ 30.\" 31.Dd May 5, 1998 32.Dt IPSEC_SET_POLICY 3 33.Os 34.Sh NAME 35.Nm ipsec_set_policy , 36.Nm ipsec_get_policylen , 37.Nm ipsec_dump_policy 38.Nd manipulate IPsec policy specification structure from readable string 39.Sh LIBRARY 40.Lb libipsec 41.Sh SYNOPSIS 42.Fd #include <sys/types.h> 43.Fd #include <netinet6/ipsec.h> 44.Ft "char *" 45.Fn ipsec_set_policy "char *policy" "int len" 46.Ft int 47.Fn ipsec_get_policylen "char *buf" 48.Ft "char *" 49.Fn ipsec_dump_policy "char *buf" "char *delim" 50.Sh DESCRIPTION 51.Fn ipsec_set_policy 52generates IPsec policy specification structure, namely 53.Li struct sadb_x_policy 54and/or 55.Li struct sadb_x_ipsecrequest 56from human-readable policy specification. 57policy specification must be given as C string 58.Fa policy 59and length 60.Fa len 61of 62.Fa policy . 63.Fn ipsec_set_policy 64will return the buffer of IPsec policy specification structure. 65.Pp 66You may want the length of the generated buffer such when calling 67.Xr setsockopt 2 . 68.Fn ipsec_get_policylen 69will return the length. 70.Pp 71.Fn ipsec_dump_policy 72converts IPsec policy structure into readable form. 73Therefore, 74.Fn ipsec_dump_policy 75can be regarded as inverse conversion of 76.Fn ipsec_set_policy . 77.Fa buf 78points to a IPsec policy structure, 79.Li struct sadb_x_policy . 80.Fa delim 81is a delimiter string, which is usually a blank character. 82If you set 83.Fa delim 84to 85.Dv NULL , 86single whitespace is assumed. 87.Fn ipsec_dump_policy 88returns pointer to dynamically allocated string. 89It is caller's responsibility to reclaim the region, by using 90.Xr free 3 . 91.Pp 92.Fa policy 93is formatted as either of the following: 94.Bl -tag -width "discard" 95.It Ar direction Li entrust 96.Ar direction 97must be 98.Li in 99or 100.Li out . 101.Ar direction 102specifies which direction the policy needs to be applied. 103.Li entrust 104means to consult to SPD defined by 105.Xr setkey 8 . 106.It Ar direction Li bypass 107.Li bypass 108means to be bypassed the IPsec processing. 109.Pq packet will be transmitted in clear . 110This is for privileged socket. 111.It Xo 112.Ar direction 113.Li ipsec 114.Ar request ... 115.Xc 116.Li ipsec 117means that the matching packets are subject to IPsec processing. 118.Li ipsec 119can be followed by one or more 120.Ar request 121string, which is formatted as below: 122.Bl -tag -width "discard" 123.It Xo 124.Ar protocol 125.Li / 126.Ar mode 127.Li / 128.Ar src 129.Li - 130.Ar dst 131.Op Ar /level 132.Xc 133.Ar protocol 134is either 135.Li ah , 136.Li esp 137or 138.Li ipcomp . 139.Pp 140.Ar mode 141is either 142.Li transport 143or 144.Li tunnel . 145.Pp 146.Ar src 147and 148.Ar dst 149specifies IPsec endpoint. 150.Ar src 151always means 152.Dq sending node 153and 154.Ar dst 155always means 156.Dq receiving node . 157Therefore, when 158.Ar direction 159is 160.Li in , 161.Ar dst 162is this node 163and 164.Ar src 165is the other node 166.Pq peer . 167.Pp 168.Ar level 169must be set to one of the following: 170.Li default , use 171or 172.Li require . 173.Li default 174means that the kernel should consult the system default policy 175defined by 176.Xr sysctl 8 , 177such as 178.Li net.inet.ipsec.esp_trans_deflev . 179See 180.Xr ipsec 4 181regarding the system default. 182.Li use 183means that a relevant SA can be used when available, 184since the kernel may perform IPsec operation against packets when possible. 185In this case, packets can be transmitted in clear 186.Pq when SA is not available , 187or encrypted 188.Pq when SA is available . 189.Li require 190means that a relevant SA is required, 191since the kernel must perform IPsec operation against packets. 192If the 193.Ar request 194string is kept unambiguous, 195.Ar level 196and slash prior to 197.Ar level 198can be omitted. 199However, it is encouraged to specify them explicitly 200to avoid unintended behaviors. 201If 202.Ar level 203is omitted, it will be interpreted as 204.Li default . 205.El 206.El 207.Pp 208Note that there is a bit difference of specification from 209.Xr setkey 8 . 210In specification by 211.Xr setkey 8 , 212both entrust and bypass are not used. Refer to 213.Xr setkey 8 214for detail. 215.Pp 216Here are several examples 217.Pq long lines are wrapped for readability : 218.Bd -literal -offset indent 219in discard 220out ipsec esp/transport/10.1.1.1-10.1.1.2/require 221in ipsec ah/transport/10.1.1.2-10.1.1.1/require 222in ipsec esp/transport/10.1.1.2-10.1.1.1/use 223 ah/tunnel/10.1.1.2-10.1.1.1/require 224in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use 225 esp/transport/10.1.1.2-10.1.1.1/use 226.Ed 227.Sh RETURN VALUES 228.Fn ipsec_set_policy 229returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned. 230.Fn ipsec_get_policylen 231returns with positive value 232.Pq meaning the buffer size 233on success, and negative value on errors. 234.Fn ipsec_dump_policy 235returns a pointer to dynamically allocated region on success, 236and 237.Dv NULL 238on errors. 239.Sh SEE ALSO 240.Xr ipsec_strerror 3 , 241.Xr ipsec 4 , 242.Xr setkey 8 243.Sh HISTORY 244The functions first appeared in WIDE/KAME IPv6 protocol stack kit. 245IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack 246was initialy integrated into 247.Fx 4.0 248