author ume <ume@FreeBSD.org> 2001-06-11 12:39:29 +0000
committer ume <ume@FreeBSD.org> 2001-06-11 12:39:29 +0000
commit 832f8d224926758a9ae0b23a6b45353e44fbc87a
tree a79fc7ad2b97862c4a404f352f0211ad93a7b5f1 /lib/libipsec/ipsec_set_policy.3
parent 2693854b01a52b0395a91322aa3edf926bddff38
Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some critical problems after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different from RFC2407/IANA assignment because of binary compatibility issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it is still there because of binary compatibility issue. It should be removed under 5-CURRENT.

Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks
Diffstat (limited to 'lib/libipsec/ipsec_set_policy.3')
-rw-r--r-- lib/libipsec/ipsec_set_policy.3 37
1 files changed, 27 insertions, 10 deletions
diff --git a/lib/libipsec/ipsec_set_policy.3 b/lib/libipsec/ipsec_set_policy.3
index 7b71c53..bb27a5b 100644
--- a/lib/libipsec/ipsec_set_policy.3
+++ b/lib/libipsec/ipsec_set_policy.3
@@ -1,7 +1,7 @@
-.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
+.\" $KAME: ipsec_set_policy.3,v 1.14 2001/04/06 07:00:46 itojun Exp $
.\" $FreeBSD$
-.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $
.\"
+.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -92,7 +92,7 @@ It is caller's responsibility to reclaim the region, by using
.Fa policy
is formatted as either of the following:
.Bl -tag -width "discard"
-.It Ar direction Li entrust
+.It Ar direction Li discard
.Ar direction
must be
.Li in
@@ -100,6 +100,10 @@ or
.Li out .
.Ar direction
specifies which direction the policy needs to be applied.
+With
+.Li discard
+policy, packets will be dropped if they match the policy.
+.It Ar direction Li entrust
.Li entrust
means to consult to SPD defined by
.Xr setkey 8 .
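Review bot: The added sentence "packets will be dropped if they match the policy" does not say what is being matched; the only parameter in the `direction discard` form is the direction, so if the intent is that all packets in that direction are dropped, say so directly. Also, with `.It Ar direction Li entrust` now opening a new item right after it, the explanation of direction (in or out) sits only under the discard item; a short reference to it under entrust would let that item read on its own.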
@@ -164,6 +168,15 @@ and
.Ar src
is the other node
.Pq peer .
+If
+.Ar mode
+is
+.Li transport ,
+Both
+.Ar src
+and
+.Ar dst
+can be omited.
.Pp
.Ar level
must be set to one of the following:
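Review bot: In the added transport-mode sentence, "omited" should be "omitted", and "Both" should be lower case because it continues the sentence after `.Li transport ,`. The text also does not say which addresses apply when src and dst are left out, or that the surrounding slashes stay in place (as `esp/transport//require` in the examples later in this patch shows); one sentence covering both would help.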
@@ -222,7 +235,8 @@ Note that there is a bit difference of specification from
.Xr setkey 8 .
In specification by
.Xr setkey 8 ,
-both entrust and bypass are not used. Refer to
+both entrust and bypass are not used.
+Refer to
.Xr setkey 8
for detail.
.Pp
@@ -230,12 +244,11 @@ Here are several examples
.Pq long lines are wrapped for readability :
.Bd -literal -offset indent
in discard
-out ipsec esp/transport/10.1.1.1-10.1.1.2/require
-in ipsec ah/transport/10.1.1.2-10.1.1.1/require
-out ipsec esp/transport/10.1.1.2-10.1.1.1/use
- ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
-in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
- esp/transport/10.1.1.2-10.1.1.1/use
+out ipsec esp/transport//require
+in ipsec ah/transport//require
+out ipsec esp/tunnel/10.1.1.2-10.1.1.1/use
+in ipsec ipcomp/transport//use
+ esp/transport//use
.Ed
.Sh RETURN VALUES
.Fn ipsec_set_policy
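Review bot: The rewritten example block drops the only line that used the `unique:1000` level and no longer contains a transport-mode request with explicit addresses, although the new text says src and dst "can be" omitted, not that they must be. Consider keeping one transport example with addresses and one `unique:` example alongside the new short forms, so each accepted form is shown at least once.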
@@ -255,3 +268,7 @@ on errors.
.Xr setkey 8
.Sh HISTORY
The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
+.Pp
+IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
+was initially integrated into
+.Fx 4.0
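Review bot: The added HISTORY sentence ends at `.Fx 4.0` with no closing period. Use `.Fx 4.0 .` so the rendered sentence is terminated.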