Re: unclear documentation with ipsec policy matcher

Hi,

On Fri, 1 Mar 2019, Pierre Colombier wrote:

> The documentation I refer to is effectively ipset, but it has a module 
> about IPsec, and this module is the one I need information about.

The documentation you are referring to is about iptables. It can be found 
at the ipset webpage for the sake of completeness, because it contains the 
parts about how to use ipset from iptables.
 
> You may not be the person who maintains this particular module, but you 
> may know who can answer this question and forward this mail to him.

The policy module of iptables was written by Patrick McHardy, but I don't 
think he'll answer questions.

I'm not familiar with the policy module:
 
> I double-checked the link
> http://ipset.netfilter.org/iptables-extensions.man.html#lbBS
> 
> policy
> This module matches the policy used by IPsec for handling a packet.
> 
> --dir {in|out}
>     Used to select whether to match the policy used for decapsulation or the
> policy that will be used for encapsulation. in is valid in the PREROUTING,
> INPUT and FORWARD chains, out is valid in the POSTROUTING, OUTPUT and FORWARD
> chains.
> --pol {none|ipsec}
>     Matches if the packet is subject to IPsec processing. --pol none cannot be
> combined with --strict.
>  
> The behaviour is also counter-intuitive.
> 
> As an example:
> 
> If I receive an IPsec-encapsulated GRE packet, then a rule with --dir in --pol
> none will match the ESP packet,
> 
> and a rule with --dir in --pol ipsec will match the GRE packet.

Maybe you should use the "--proto ah|esp|ipcomp" part of the "policy" 
match?

> By the way, what is the meaning of direction in/out in the forward context ?

The same as in any other context: "in" means the packet is for 
decapsulation, "out" is for encapsulation.
 
> A little documentation and explanations about why things are named the way
> they are would be a great enhancement.

Sorry, but I cannot help much about the policy match.

Best regards,
Jozsef

> On 27/02/2019 19:18, Jozsef Kadlecsik wrote:
> > On Wed, 27 Feb 2019, Pierre Colombier wrote:
> > 
> > > Hi, I feel the documentation is quite unclear for this matcher.
> > > 
> > > http://ipset.netfilter.org/iptables-extensions.man.html#lbBS
> > > 
> > > The behaviour is also counter-intuitive.
> > > 
> > > As an example:
> > > 
> > > If I receive an IPsec-encapsulated GRE packet, then a rule with --dir in
> > > --pol
> > > none will match the ESP packet,
> > > 
> > > and a rule with --dir in --pol ipsec will match the GRE packet.
> > > 
> > > By the way, what is the meaning of in/out in the forward context ?
> > > 
> > > A little documentation and explanations about why things are named the way
> > > they are would be a great enhancement.
> > The documentation you are referring to is about ipset and not ipsec.
> > 
> > Best regards,
> > Jozsef
> > -
> > E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
> > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> >            H-1525 Budapest 114, POB. 49, Hungary
> 

-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
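The following is an added example, not part of the thread above and not code from the netfilter project: a small POSIX shell script that turns the "policy" match semantics discussed in the thread (the outer ESP packet carries no inbound policy, the decapsulated inner GRE packet is the one that matches "--dir in --pol ipsec", and "--dir out --pol ipsec" matches traffic that will be encapsulated) into an iptables ruleset for a GRE-over-IPsec link. The peer addresses 203.0.113.1 and 198.51.100.1 are constructed placeholders from the documentation ranges, and the function name ipsec_gre_rules and the IPT variable are this example's own; everything else is standard iptables/policy-match syntax.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): iptables rules for a
# GRE-over-IPsec link built on the "policy" match. IPT defaults to the real
# binary; set IPT=echo to dry-run and print the rules instead of installing them.
IPT="${IPT:-iptables}"

# ipsec_gre_rules LOCAL_IP PEER_IP
# Rules are emitted in the order a packet traverses them:
#  1. IKE and the outer ESP packet are accepted on INPUT. As observed in the
#     thread, the outer ESP packet carries no inbound policy of its own, so it
#     is the packet that "--dir in --pol none" would match.
#  2. After decapsulation the inner GRE packet re-enters PREROUTING/INPUT; it
#     is the packet that carries the inbound policy, so it is accepted only
#     with "--dir in --pol ipsec", and --strict pins the tunnel endpoints.
#  3. GRE from the peer that did not pass through IPsec (policy bypass or a
#     misconfigured SA) matches "--pol none" and is dropped.
#  4. Outbound GRE is let out only if an outbound policy will encapsulate it.
ipsec_gre_rules() {
    local_ip="$1"
    peer_ip="$2"

    # 1. Control plane and outer packets: IKE (500/udp), NAT-T (4500/udp), ESP (proto 50).
    $IPT -A INPUT -p udp -s "$peer_ip" -d "$local_ip" --dport 500 -j ACCEPT
    $IPT -A INPUT -p udp -s "$peer_ip" -d "$local_ip" --dport 4500 -j ACCEPT
    $IPT -A INPUT -p esp -s "$peer_ip" -d "$local_ip" -j ACCEPT

    # 2. Inner GRE that was decapsulated from the ESP tunnel SA with exactly these endpoints.
    #    For --dir in, --tunnel-src is the remote endpoint and --tunnel-dst the local one.
    $IPT -A INPUT -p gre -s "$peer_ip" -d "$local_ip" \
        -m policy --dir in --pol ipsec --strict \
        --proto esp --mode tunnel --tunnel-src "$peer_ip" --tunnel-dst "$local_ip" \
        -j ACCEPT

    # 3. Any GRE from the peer that did not arrive through an IPsec SA.
    $IPT -A INPUT -p gre -s "$peer_ip" -m policy --dir in --pol none -j DROP

    # 4. Outbound GRE: accept only if an outbound policy will encapsulate it,
    #    drop it if it would leave in the clear. For --dir out the endpoints flip.
    $IPT -A OUTPUT -p gre -s "$local_ip" -d "$peer_ip" \
        -m policy --dir out --pol ipsec --strict \
        --proto esp --mode tunnel --tunnel-src "$local_ip" --tunnel-dst "$peer_ip" \
        -j ACCEPT
    $IPT -A OUTPUT -p gre -s "$local_ip" -d "$peer_ip" -m policy --dir out --pol none -j DROP
}
```

Source the file and call ipsec_gre_rules with the local and peer addresses; running it as IPT=echo first shows the exact rules that would be installed. Note that "--pol none" is deliberately kept on its own rule without --strict, since the policy match does not allow that combination.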
