This module matches the policy used by IPsec for handling a packet.
.TP
\fB\-\-dir\fP {\fBin\fP|\fBout\fP}
Used to select whether to match the policy used for decapsulation or the
policy that will be used for encapsulation.
.B in
is valid in the
.B PREROUTING, INPUT and FORWARD
chains,
.B out
is valid in the
.B POSTROUTING, OUTPUT and FORWARD
chains.
.TP
\fB\-\-pol\fP {\fBnone\fP|\fBipsec\fP}
Matches if the packet is subject to IPsec processing. \fB\-\-pol none\fP
cannot be combined with \fB\-\-strict\fP.
.TP
\fB\-\-strict\fP
Selects whether to match the exact policy or match if any rule of
the policy matches the given policy.
.PP
For each policy element that is to be described, one can use one or more of
the following options. When \fB\-\-strict\fP is in effect, at least one must be
used per element.
.TP
[\fB!\fP] \fB\-\-reqid\fP \fIid\fP
Matches the reqid of the policy rule. The reqid can be specified with
.B setkey(8)
using
.B unique:id
as level.
.TP
[\fB!\fP] \fB\-\-spi\fP \fIspi\fP
Matches the SPI of the SA.
.TP
[\fB!\fP] \fB\-\-proto\fP {\fBah\fP|\fBesp\fP|\fBipcomp\fP}
Matches the encapsulation protocol.
.TP
[\fB!\fP] \fB\-\-mode\fP {\fBtunnel\fP|\fBtransport\fP}
Matches the encapsulation mode.
.TP
[\fB!\fP] \fB\-\-tunnel\-src\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the source end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
[\fB!\fP] \fB\-\-tunnel\-dst\fP \fIaddr\fP[\fB/\fP\fImask\fP]
Matches the destination end-point address of a tunnel mode SA.
Only valid with \fB\-\-mode tunnel\fP.
.TP
\fB\-\-next\fP
Start the next element in the policy specification. Can only be used with
\fB\-\-strict\fP.
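.PP
The option constraints described above can be checked before a rule is loaded.
The following shell function is an added example, not part of iptables or of the original manual page; the name check_policy and the sample addresses are assumptions made for illustration.
.nf
```bash
# Added example, not part of iptables: lint "-m policy" options against the
# constraints stated on this page. Only the built-in chains named above are
# known; a missing --dir is treated as an error (assumption of this checker).
# Usage: check_policy CHAIN option...   (exit status 0 = no violation found)
check_policy() (
    chain=$1; shift
    dir='' pol='' strict=0 mode='' tunnel=0 opts=0 err=0
    case " $* " in *" --strict "*) strict=1 ;; esac
    fail() { echo "policy: $*" >&2; err=1; }
    end_element() {   # per-element rules, checked at --next and at the end
        if [ "$tunnel" = 1 ] && [ "$mode" != tunnel ]; then
            fail "--tunnel-src/--tunnel-dst are only valid with --mode tunnel"
        fi
        if [ "$strict" = 1 ] && [ "$opts" = 0 ]; then
            fail "--strict needs at least one option per policy element"
        fi
        mode='' tunnel=0 opts=0
    }
    while [ $# -gt 0 ]; do
        case $1 in
            '!'|--strict) ;;
            --dir) dir=$2; shift ;;
            --pol) pol=$2; shift ;;
            --mode) mode=$2; opts=1; shift ;;
            --reqid|--spi|--proto) opts=1; shift ;;
            --tunnel-src|--tunnel-dst) tunnel=1; opts=1; shift ;;
            --next)
                if [ "$strict" = 0 ]; then fail "--next requires --strict"; fi
                end_element ;;
            *) fail "unknown option: $1" ;;
        esac
        shift
    done
    end_element
    if [ "$pol" = none ] && [ "$strict" = 1 ]; then
        fail "--pol none cannot be combined with --strict"
    fi
    case "$dir:$chain" in
        in:PREROUTING|in:INPUT|in:FORWARD) ;;
        out:POSTROUTING|out:OUTPUT|out:FORWARD) ;;
        *) fail "--dir '$dir' is not valid in chain $chain" ;;
    esac
    exit "$err"
)

# Constructed sample rule (documentation addresses): strict, two elements.
sample="--dir in --pol ipsec --strict --proto ipcomp --next --proto esp --mode tunnel --tunnel-src 192.0.2.1"
check_policy INPUT $sample && echo "sample rule: OK"
```
.fi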