Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.

Should work with both regular and fast ipsec (mutually exclusive). See manpage for more details. Submitted by: Ari Suutari (ari.suutari@syncrontech.com) Revised by: sam MFC after: 1 week
author: luigi <luigi@FreeBSD.org> 2003-07-04 21:42:32 +0000
committer: luigi <luigi@FreeBSD.org> 2003-07-04 21:42:32 +0000
commit: c530f5973f70002f8d4f101d8be867a7b2cd031c (patch)
tree: 2273123f1eca64c0add21999e5c7ee78411d66b4 /sbin/ipfw/ipfw.8
parent: d9dfac9f45d8211c085077869a18bbb7761f562b (diff)
download: FreeBSD-src-c530f5973f70002f8d4f101d8be867a7b2cd031c.zip
FreeBSD-src-c530f5973f70002f8d4f101d8be867a7b2cd031c.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 42d1956..ba2ded6 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -927,6 +927,18 @@ with a
 .It Cm ipprecedence Ar precedence
 Matches IP packets whose precedence field is equal to
 .Ar precedence .
+.It Cm ipsec
+Matches packets that have IPSEC history associated with them
+(i.e. the packet comes encapsulated in IPSEC, the kernel
+has IPSEC support and IPSEC_FILTERGIF option, and can correctly
+decapsulate it).
+.Pp
+Note that specifying
+.Cm ipsec
+is different from specifying
+.Cm proto Ar ipsec
+as the latter will only look at the specific IP protocol field,
+irrespective of IPSEC kernel support and the validity of the IPSEC data.
 .It Cm iptos Ar spec
 Matches IP packets whose
 .Cm tos
author	luigi <luigi@FreeBSD.org>	2003-07-04 21:42:32 +0000
committer	luigi <luigi@FreeBSD.org>	2003-07-04 21:42:32 +0000
commit	c530f5973f70002f8d4f101d8be867a7b2cd031c (patch)
tree	2273123f1eca64c0add21999e5c7ee78411d66b4 /sbin/ipfw/ipfw.8
parent	d9dfac9f45d8211c085077869a18bbb7761f562b (diff)
download	FreeBSD-src-c530f5973f70002f8d4f101d8be867a7b2cd031c.zip FreeBSD-src-c530f5973f70002f8d4f101d8be867a7b2cd031c.tar.gz