1.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project. 2.\" $FreeBSD$ 3.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $ 4.\" 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. Neither the name of the project nor the names of its contributors 16.\" may be used to endorse or promote products derived from this software 17.\" without specific prior written permission. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.Dd May 5, 1998 32.Dt IPSEC_SET_POLICY 3 33.Os 34.Sh NAME 35.Nm ipsec_set_policy , 36.Nm ipsec_get_policylen , 37.Nm ipsec_dump_policy 38.Nd manipulate IPsec policy specification structure from readable string 39.\" 40.Sh LIBRARY 41.Lb libipsec 42.Sh SYNOPSIS 43.Fd #include <netinet6/ipsec.h> 44.Ft "char *" 45.Fn ipsec_set_policy "char *policy" "int len" 46.Ft int 47.Fn ipsec_get_policylen "char *buf" 48.Ft "char *" 49.Fn ipsec_dump_policy "char *buf" "char *delim" 50.Sh DESCRIPTION 51.Fn ipsec_set_policy 52generates IPsec policy specification structure, namely 53.Li struct sadb_x_policy 54and/or 55.Li struct sadb_x_ipsecrequest 56from human-readable policy specification. 57policy specification must be given as C string 58.Fa policy 59and length 60.Fa len 61of 62.Fa policy . 63.Fn ipsec_set_policy 64will return the buffer of IPsec policy specification structure. 65.Pp 66You may want the length of the generated buffer such when calling 67.Xr setsockopt 2 . 68.Fn ipsec_get_policylen 69will return the length. 70.Pp 71.Fn ipsec_dump_policy 72converts IPsec policy structure into readable form. 73Therefore, 74.Fn ipsec_dump_policy 75can be regarded as inverse conversion of 76.Fn ipsec_set_policy . 77.Fa buf 78points to a IPsec policy structure, 79.Li struct sadb_x_policy . 80.Fa delim 81is a delimiter string, which is usually a blank character. 82If you set 83.Fa delim 84to 85.Dv NULL , 86single whitespace is assumed. 87.Fn ipsec_dump_policy 88returns pointer to dynamically allocated string. 89It is caller's responsibility to reclaim the region, by using 90.Xr free 3 . 91.Pp 92.Fa policy 93is formatted as either of the following: 94.Bl -tag -width "discard" 95.It Ar direction Li entrust 96.Ar direction 97must be 98.Li in 99or 100.Li out . 101.Ar direction 102specifies which direction the policy needs to be applied. 103.Li entrust 104means to consult to SPD defined by 105.Xr setkey 8 . 106.It Ar direction Li bypass 107.Li bypass 108means to be bypassed the IPsec processing. 109.Pq packet will be transmitted in clear . 110This is for privileged socket. 111.It Xo 112.Ar direction 113.Li ipsec 114.Ar request ... 115.Xc 116.Li ipsec 117means that the matching packets are subject to IPsec processing. 118.Li ipsec 119can be followed by one or more 120.Ar request 121string, which is formatted as below: 122.Bl -tag -width "discard" 123.It Xo 124.Ar protocol 125.Li / 126.Ar mode 127.Li / 128.Ar src 129.Li - 130.Ar dst 131.Op Ar /level 132.Xc 133.Ar protocol 134is either 135.Li ah , 136.Li esp 137or 138.Li ipcomp . 139.Pp 140.Ar mode 141is either 142.Li transport 143or 144.Li tunnel . 145.Pp 146.Ar src 147and 148.Ar dst 149specifies IPsec endpoint. 150.Ar src 151always means 152.Dq sending node 153and 154.Ar dst 155always means 156.Dq receiving node . 157Therefore, when 158.Ar direction 159is 160.Li in , 161.Ar dst 162is this node 163and 164.Ar src 165is the other node 166.Pq peer . 167.Pp 168.Ar level 169must be set to one of the following: 170.Li default , use , require 171or 172.Li unique . 173.Li default 174means that the kernel should consult the system default policy 175defined by 176.Xr sysctl 8 , 177such as 178.Li net.inet.ipsec.esp_trans_deflev . 179See 180.Xr ipsec 4 181regarding the system default. 182.Li use 183means that a relevant SA can be used when available, 184since the kernel may perform IPsec operation against packets when possible. 185In this case, packets can be transmitted in clear 186.Pq when SA is not available , 187or encrypted 188.Pq when SA is available . 189.Li require 190means that a relevant SA is required, 191since the kernel must perform IPsec operation against packets. 192.Li unique 193is the same as 194.Li require , 195but adds the restriction that the SA for outbound traffic is used 196only for this policy. 197You may need the identifier in order to relate the policy and the SA 198when you define the SA by manual keying. 199You can put the decimal number as the identifier after 200.Li unique 201like 202.Li unique : number . 203.Li number 204must be between 1 and 32767 . 205If the 206.Ar request 207string is kept unambiguous, 208.Ar level 209and slash prior to 210.Ar level 211can be omitted. 212However, it is encouraged to specify them explicitly 213to avoid unintended behaviors. 214If 215.Ar level 216is omitted, it will be interpreted as 217.Li default . 218.El 219.El 220.Pp 221Note that there is a bit difference of specification from 222.Xr setkey 8 . 223In specification by 224.Xr setkey 8 , 225both entrust and bypass are not used. Refer to 226.Xr setkey 8 227for detail. 228.Pp 229Here are several examples 230.Pq long lines are wrapped for readability : 231.Bd -literal -offset indent 232in discard 233out ipsec esp/transport/10.1.1.1-10.1.1.2/require 234in ipsec ah/transport/10.1.1.2-10.1.1.1/require 235out ipsec esp/transport/10.1.1.2-10.1.1.1/use 236 ah/tunnel/10.1.1.2-10.1.1.1/unique:1000 237in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use 238 esp/transport/10.1.1.2-10.1.1.1/use 239.Ed 240.Sh RETURN VALUES 241.Fn ipsec_set_policy 242returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned. 243.Fn ipsec_get_policylen 244returns with positive value 245.Pq meaning the buffer size 246on success, and negative value on errors. 247.Fn ipsec_dump_policy 248returns a pointer to dynamically allocated region on success, 249and 250.Dv NULL 251on errors. 252.Sh SEE ALSO 253.Xr ipsec_strerror 3 , 254.Xr ispec 4 , 255.Xr setkey 8 256.Sh HISTORY 257The functions first appeared in WIDE/KAME IPv6 protocol stack kit. 258