This module matches the policy used by IPsec for handling a packet.
.TP
.BI "--dir " "in|out"
Used to select whether to match the policy used for decapsulation or the
policy that will be used for encapsulation.
.B in
is valid in the
.B PREROUTING, INPUT and FORWARD
chains,
.B out
is valid in the
.B POSTROUTING, OUTPUT and FORWARD
chains.
.TP
.BI "--pol " "none|ipsec"
Matches if the packet is subject to IPsec processing.
.TP
.BI "--strict"
Selects whether to match the exact policy or match if any rule of
the policy matches the given policy.
.TP
.BI "--reqid " "id"
Matches the reqid of the policy rule. The reqid can be specified with
.B setkey(8)
using
.B unique:id
as level.
.TP
.BI "--spi " "spi"
Matches the SPI of the SA.
.TP
.BI "--proto " "ah|esp|ipcomp"
Matches the encapsulation protocol.
.TP
.BI "--mode " "tunnel|transport"
Matches the encapsulation mode.
.TP
.BI "--tunnel-src " "addr[/mask]"
Matches the source end-point address of a tunnel mode SA.
Only valid with --mode tunnel.
.TP
.BI "--tunnel-dst " "addr[/mask]"
Matches the destination end-point address of a tunnel mode SA.
Only valid with --mode tunnel.
.TP
.BI "--next"
Start the next element in the policy specification. Can only be used with
--strict.
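.PP
The constraints in the option list above (the chains each --dir value is valid in, --tunnel-src/--tunnel-dst requiring --mode tunnel, --next requiring --strict) can be checked before a rule is loaded. The shell function below is an added example, not part of iptables: check_policy is a hypothetical name, the sample rules are constructed, and it assumes every rule names a direction and uses no negation.

```shell
# Added example, not part of iptables: lint "-m policy" options against the
# constraints in the option list above before a rule is loaded.
# check_policy is a hypothetical helper: check_policy CHAIN option...
check_policy() (                # subshell body keeps variables local
    chain=$1; shift
    dir="" mode="" strict=0 nexts=0 tun=0
    set -- "$@" --end           # sentinel closing the last policy element
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case $opt in
        --dir|--pol|--reqid|--spi|--proto|--mode|--tunnel-src|--tunnel-dst)
            case ${1:---} in --*) echo "$opt needs a value" >&2; return 1 ;; esac
            val=$1; shift ;;
        esac
        case $opt in
        --dir)    dir=$val ;;
        --mode)   mode=$val ;;
        --strict) strict=1 ;;
        --tunnel-src|--tunnel-dst) tun=1 ;;
        --pol|--reqid|--spi|--proto) ;;
        --next|--end)
            # Tunnel end-points are only valid in a tunnel-mode element.
            if [ "$tun" = 1 ] && [ "$mode" != tunnel ]; then
                echo "--tunnel-src/--tunnel-dst need --mode tunnel" >&2; return 1
            fi
            if [ "$opt" = --next ]; then nexts=$((nexts + 1)); fi
            mode="" tun=0 ;;
        *)  echo "unknown policy option: $opt" >&2; return 1 ;;
        esac
    done
    if [ "$nexts" -gt 0 ] && [ "$strict" = 0 ]; then
        echo "--next can only be used with --strict" >&2; return 1
    fi
    # Assumption: every rule names a direction, and it must suit the chain.
    case "$dir:$chain" in
    in:PREROUTING|in:INPUT|in:FORWARD|out:POSTROUTING|out:OUTPUT|out:FORWARD) ;;
    *)  echo "--dir '$dir' is not valid in chain $chain" >&2; return 1 ;;
    esac
)

# Constructed sample rules (documentation address range).
for rule in \
    "INPUT --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src 192.0.2.1" \
    "POSTROUTING --dir in --pol ipsec" \
    "OUTPUT --dir out --pol ipsec --mode tunnel --next --proto ah"
do
    set -- $rule
    if check_policy "$@" 2>/dev/null; then echo "ok:     $rule"; else echo "reject: $rule"; fi
done
```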