This module matches the policy used by IPsec for handling a packet.
.TP
\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
Used to select whether to match the policy used for decapsulation or the
policy that will be used for encapsulation.
.B in
is valid in the
.B PREROUTING, INPUT and FORWARD
chains,
.B out
is valid in the
.B POSTROUTING, OUTPUT and FORWARD
chains.
.TP
\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
cannot be combined with \fB\-\-strict\fP.
.TP
\fB\-\-strict\fP
Selects whether to match the exact policy or match if any rule of
the policy matches the given policy.
.PP
For each policy element that is to be described, one can use one or more of
the following options. When \fB\-\-strict\fP is in effect, at least one must be
used per element.
.TP
[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
Matches the reqid of the policy rule. The reqid can be specified with
.B setkey(8)
using
.B unique:id
as level.
.TP
[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
Matches the SPI of the SA.
.TP
[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
Matches the encapsulation protocol.
.TP
[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
Matches the encapsulation mode.
.TP
[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the source end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the destination end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
\fB\-\-next\fP
Start the next element in the policy specification. Can only be used with
\fB\-\-strict\fP.
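.PP
A small linter for the option constraints listed above, as an added example that is not part of iptables or of this manual page. The name lint_policy_rule and the sample rules are assumptions made for this example; it checks only what this page states and reads "Only valid with --mode tunnel" literally, requiring an explicit, non-negated --mode tunnel in the same element.

```python
import shlex

IN_CHAINS = {"PREROUTING", "INPUT", "FORWARD"}
OUT_CHAINS = {"POSTROUTING", "OUTPUT", "FORWARD"}
ELEMENT_OPTS = {"--reqid", "--spi", "--proto", "--mode",
                "--tunnel-src", "--tunnel-dst"}
# Constructed sample rules; 192.0.2.0/24 is a documentation address range.
GOOD = ("-A INPUT -m policy --dir in --pol ipsec --strict --proto esp "
        "--mode tunnel --tunnel-src 192.0.2.1 -j ACCEPT")
BAD = "-A OUTPUT -m policy --dir in --pol none --strict -j DROP"

def lint_policy_rule(rule):
    """Return the constraints from the text above that a rule string violates."""
    tok = shlex.split(rule)
    chain = next((tok[i + 1] for i, t in enumerate(tok[:-1])
                  if t in ("-A", "-I")), None)
    opts, elements = {}, [{}]   # rule-wide --dir/--pol; one dict per element
    strict = used_next = False
    for i, t in enumerate(tok):
        val = tok[i + 1] if i + 1 < len(tok) else None
        negated = i > 0 and tok[i - 1] == "!"      # option preceded by "!"
        if t in ("--dir", "--pol"):
            opts[t] = val
        elif t in ELEMENT_OPTS:
            elements[-1][t] = (val, negated)
        elif t == "--strict":
            strict = True
        elif t == "--next":
            used_next = True
            elements.append({})                    # start the next element
    problems = []
    valid = {"in": IN_CHAINS, "out": OUT_CHAINS}.get(opts.get("--dir"))
    if chain and valid and chain not in valid:
        problems.append(f"--dir {opts['--dir']} is not valid in {chain}")
    if strict and opts.get("--pol") == "none":
        problems.append("--pol none cannot be combined with --strict")
    if used_next and not strict:
        problems.append("--next can only be used with --strict")
    for n, el in enumerate(elements, 1):
        if strict and not el:
            problems.append(f"element {n}: --strict needs at least one option")
        for o in ("--tunnel-src", "--tunnel-dst"):  # assumption: literal reading
            if o in el and el.get("--mode") != ("tunnel", False):
                problems.append(f"element {n}: {o} requires --mode tunnel")
    return problems

if __name__ == "__main__":
    for r in (GOOD, BAD):
        print(r, "->", lint_policy_rule(r) or "ok")
```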