ipsec_set_policy.3 (60092) ipsec_set_policy.3 (62583)
1.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
1.\" Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
2.\" $FreeBSD: head/lib/libipsec/ipsec_set_policy.3 62583 2000-07-04 16:22:05Z itojun $
3.\" $KAME: ipsec_set_policy.3,v 1.10 2000/05/07 05:25:03 itojun Exp $
4.\"
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright

--- 10 unchanged lines hidden (view full) ---

20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
5.\" All rights reserved.
6.\"
7.\" Redistribution and use in source and binary forms, with or without
8.\" modification, are permitted provided that the following conditions
9.\" are met:
10.\" 1. Redistributions of source code must retain the above copyright
11.\" notice, this list of conditions and the following disclaimer.
12.\" 2. Redistributions in binary form must reproduce the above copyright

--- 10 unchanged lines hidden (view full) ---

23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29.\" SUCH DAMAGE.
30.\"
28.\" $Id: ipsec_set_policy.3,v 1.5 1999/10/20 00:21:06 sakane Exp $
29.\" $FreeBSD: head/lib/libipsec/ipsec_set_policy.3 60092 2000-05-06 14:07:35Z phantom $
30.\"
31.Dd May 5, 1998
32.Dt IPSEC_SET_POLICY 3
33.Os
34.Sh NAME
35.Nm ipsec_set_policy ,
36.Nm ipsec_get_policylen ,
37.Nm ipsec_dump_policy
38.Nd manipulate IPsec policy specification structure from readable string
31.Dd May 5, 1998
32.Dt IPSEC_SET_POLICY 3
33.Os
34.Sh NAME
35.Nm ipsec_set_policy ,
36.Nm ipsec_get_policylen ,
37.Nm ipsec_dump_policy
38.Nd manipulate IPsec policy specification structure from readable string
39.\"
39.Sh LIBRARY
40.Lb libipsec
41.Sh SYNOPSIS
40.Sh LIBRARY
41.Lb libipsec
42.Sh SYNOPSIS
42.Fd #include <sys/types.h>
43.Fd #include <netinet6/ipsec.h>
44.Ft "char *"
45.Fn ipsec_set_policy "char *policy" "int len"
46.Ft int
47.Fn ipsec_get_policylen "char *buf"
48.Ft "char *"
49.Fn ipsec_dump_policy "char *buf" "char *delim"
50.Sh DESCRIPTION

--- 111 unchanged lines hidden (view full) ---

162is this node
163and
164.Ar src
165is the other node
166.Pq peer .
167.Pp
168.Ar level
169must be set to one of the following:
43.Fd #include <netinet6/ipsec.h>
44.Ft "char *"
45.Fn ipsec_set_policy "char *policy" "int len"
46.Ft int
47.Fn ipsec_get_policylen "char *buf"
48.Ft "char *"
49.Fn ipsec_dump_policy "char *buf" "char *delim"
50.Sh DESCRIPTION
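
Review bot: The SYNOPSIS loses `.Fd #include <sys/types.h>` (old line 42) and now lists only `.Fd #include <netinet6/ipsec.h>` (new line 43), with no reason given. A caller who copies the synopsis verbatim will fail to compile if <netinet6/ipsec.h> still depends on types from <sys/types.h>. Either confirm the header is self-contained and note that in the commit message, or keep the include.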

--- 111 unchanged lines hidden (view full) ---

162is this node
163and
164.Ar src
165is the other node
166.Pq peer .
167.Pp
168.Ar level
169must be set to one of the following:
170.Li default , use
170.Li default , use , require
171or
171or
172.Li require .
172.Li unique .
173.Li default
174means that the kernel should consult the system default policy
175defined by
176.Xr sysctl 8 ,
177such as
178.Li net.inet.ipsec.esp_trans_deflev .
179See
180.Xr ipsec 4
181regarding the system default.
182.Li use
183means that a relevant SA can be used when available,
184since the kernel may perform IPsec operation against packets when possible.
185In this case, packets can be transmitted in clear
186.Pq when SA is not available ,
187or encrypted
188.Pq when SA is available .
189.Li require
190means that a relevant SA is required,
191since the kernel must perform IPsec operation against packets.
173.Li default
174means that the kernel should consult the system default policy
175defined by
176.Xr sysctl 8 ,
177such as
178.Li net.inet.ipsec.esp_trans_deflev .
179See
180.Xr ipsec 4
181regarding the system default.
182.Li use
183means that a relevant SA can be used when available,
184since the kernel may perform IPsec operation against packets when possible.
185In this case, packets can be transmitted in clear
186.Pq when SA is not available ,
187or encrypted
188.Pq when SA is available .
189.Li require
190means that a relevant SA is required,
191since the kernel must perform IPsec operation against packets.
192.Li unique
193is the same as
194.Li require ,
195but adds the restriction that the SA for outbound traffic is used
196only for this policy.
197You may need the identifier in order to relate the policy and the SA
198when you define the SA by manual keying.
199You can put the decimal number as the identifier after
200.Li unique
201like
202.Li unique : number .
203.Li number
204must be between 1 and 32767 .
192If the
193.Ar request
194string is kept unambiguous,
195.Ar level
196and slash prior to
197.Ar level
198can be omitted.
199However, it is encouraged to specify them explicitly

--- 14 unchanged lines hidden (view full) ---

214for detail.
215.Pp
216Here are several examples
217.Pq long lines are wrapped for readability :
218.Bd -literal -offset indent
219in discard
220out ipsec esp/transport/10.1.1.1-10.1.1.2/require
221in ipsec ah/transport/10.1.1.2-10.1.1.1/require
205If the
206.Ar request
207string is kept unambiguous,
208.Ar level
209and slash prior to
210.Ar level
211can be omitted.
212However, it is encouraged to specify them explicitly
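
Review bot: The new `unique` text (new lines 192-204) refers to "the identifier" at lines 197-198 before the `unique : number` form is introduced at lines 199-202, and it never says whether the number is optional or what happens to a value outside 1 to 32767. Suggest introducing the syntax first, then explaining that the number ties the policy to a manually keyed SA, and documenting the error behaviour for an out-of-range value. Two smaller points: `.Li unique : number .` is written with the colon as a separate argument, so it will not render as the `unique:1000` form used in the example at new line 236, and `32767 .` at line 204 leaves a space before the period.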

--- 14 unchanged lines hidden (view full) ---

227for detail.
228.Pp
229Here are several examples
230.Pq long lines are wrapped for readability :
231.Bd -literal -offset indent
232in discard
233out ipsec esp/transport/10.1.1.1-10.1.1.2/require
234in ipsec ah/transport/10.1.1.2-10.1.1.1/require
222in ipsec esp/transport/10.1.1.2-10.1.1.1/use
223 ah/tunnel/10.1.1.2-10.1.1.1/require
235out ipsec esp/transport/10.1.1.2-10.1.1.1/use
236 ah/tunnel/10.1.1.2-10.1.1.1/unique:1000
224in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
225 esp/transport/10.1.1.2-10.1.1.1/use
226.Ed
227.Sh RETURN VALUES
228.Fn ipsec_set_policy
229returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
230.Fn ipsec_get_policylen
231returns with positive value
232.Pq meaning the buffer size
233on success, and negative value on errors.
234.Fn ipsec_dump_policy
235returns a pointer to dynamically allocated region on success,
236and
237.Dv NULL
238on errors.
239.Sh SEE ALSO
240.Xr ipsec_strerror 3 ,
237in ipsec ipcomp/transport/10.1.1.2-10.1.1.1/use
238 esp/transport/10.1.1.2-10.1.1.1/use
239.Ed
240.Sh RETURN VALUES
241.Fn ipsec_set_policy
242returns a pointer to the allocated buffer of policy specification if successful; otherwise a NULL pointer is returned.
243.Fn ipsec_get_policylen
244returns with positive value
245.Pq meaning the buffer size
246on success, and negative value on errors.
247.Fn ipsec_dump_policy
248returns a pointer to dynamically allocated region on success,
249and
250.Dv NULL
251on errors.
252.Sh SEE ALSO
253.Xr ipsec_strerror 3 ,
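
Review bot: The rewritten example at new lines 235-236 changes the direction from `in` to `out` but keeps the endpoints `10.1.1.2-10.1.1.1`. The other `out` example (new line 233) uses `10.1.1.1-10.1.1.2`, and every `in` example uses `10.1.1.2-10.1.1.1`. If 10.1.1.1 is the local node as line 233 implies, the addresses in both the esp and the ah/tunnel request look reversed for an outbound policy; please confirm the intended direction and make the example consistent with its neighbours.
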
241.Xr ipsec 4 ,
254.Xr ispec 4 ,
242.Xr setkey 8
243.Sh HISTORY
244The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
255.Xr setkey 8
256.Sh HISTORY
257The functions first appeared in WIDE/KAME IPv6 protocol stack kit.
245.Pp
246IPv6 and IPsec support based on the KAME Project (http://www.kame.net/) stack
247was initially integrated into
248.Fx 4.0
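
Review bot: New line 254 reads `.Xr ispec 4 ,` where old line 241 had `.Xr ipsec 4 ,`; this is a typo and no longer matches the `.Xr ipsec 4` reference at new line 180, so it should be restored to `ipsec`. The same region also drops the HISTORY paragraph about the KAME-based integration (old lines 245-248); if that removal is intended, say so in the commit message.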