This modules matches the policy used by IPsec for handling a packet.

.TP

\fB\-\-dir\fP {\fBin\fP|\fBout\fP}

Used to select whether to match the policy used for decapsulation or the

policy that will be used for encapsulation.

.B in

is valid in the

.B PREROUTING, INPUT and FORWARD

chains,

.B out

is valid in the

.B POSTROUTING, OUTPUT and FORWARD

chains.

.TP

\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}

Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP

cannot be combined with \fB\-\-strict\fP.

.TP

\fB\-\-strict\fP

Selects whether to match the exact policy or match if any rule of

the policy matches the given policy.

.PP

For each policy element that is to be described, one can use one or more of

the following options. When \fB\-\-strict\fP is in effect, at least one must be

used per element.

.TP

[\fB!\fP] \fB\-\-reqid\fP \fIid\fP

Matches the reqid of the policy rule. The reqid can be specified with

.B setkey(8)

using

.B unique:id

as level.

.TP

[\fB!\fP] \fB\-\-spi\fP \fIspi\fP

Matches the SPI of the SA.

.TP

[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}

Matches the encapsulation protocol.

.TP

[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}

Matches the encapsulation mode.

.TP

[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]

Matches the source end-point address of a tunnel mode SA.

Only valid with \fB\-\-mode tunnel\fP.

.TP

[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]

Matches the destination end-point address of a tunnel mode SA.

Only valid with \fB\-\-mode tunnel\fP.

.TP

\fB\-\-next\fP

Start the next element in the policy specification. Can only be used with

\fB\-\-strict\fP.