| | | |
|---|---|---|
| author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2016-07-17 18:26:09 +0300 |
| committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2016-07-18 12:20:16 +0300 |
| commit | 4ff16c6874eae2191c2b729a11501c563a9aace9 (patch) | |
| tree | 0749a2a1366b225ea59e0a0e120b4bae38984cb4 /README.md | |
| parent | 0c5c9c6a2da7ca1c548091cfdc0f96bb006dc100 (diff) | |
| download | awall-1.3.0.tar.bz2 awall-1.3.0.tar.xz | |
move ipsec attribute from rules to zones

(tag: v1.3.0)
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 32 |
1 files changed, 17 insertions, 15 deletions
@@ -127,13 +127,14 @@ of the top-level service dictionary. A *zone* represents a set of network hosts. A top-level attribute **zone** is a dictionary that maps zone names to zone objects. A zone -object has an attribute named **iface**, **addr**, or both. **iface** -is a list of network interfaces and **addr** is a list of IPv4/IPv6 -host and network addresses (CIDR notation). **addr** may also contain -domain names, which are expanded to IP addresses using DNS -resolution. If not defined, **addr** defaults to the entire address -space and **iface** to all interfaces. An empty zone can be defined by -setting either **addr** or **iface** to an empty list. +object has any combination of attributes named **iface**, **addr**, +and **ipsec**. **iface** is a list of network interfaces and **addr** +is a list of IPv4/IPv6 host and network addresses (CIDR notation). +**addr** may also contain domain names, which are expanded to IP +addresses using DNS resolution. If not defined, **addr** defaults to +the entire address space and **iface** to all interfaces. An empty +zone can be defined by setting either **addr** or **iface** to an +empty list. Rule objects contain two attributes, **in** and **out**, which are lists of zone names. These attributes control whether a packet matches 
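Review bot: the defaults sentence in this hunk still covers only **addr** and **iface** even though **ipsec** is now a third zone attribute; the zone description should also say what a zone that sets only **ipsec** matches, because with **addr** defaulting to the entire address space and **iface** to all interfaces such a zone covers everything and is narrowed by IPsec processing alone. Suggest extending "If not defined, **addr** defaults to the entire address space and **iface** to all interfaces." with the behaviour of an omitted **ipsec**, and checking that "An empty zone can be defined by setting either **addr** or **iface** to an empty list." is still the only way to get an empty zone now that a third attribute exists.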
@@ -164,6 +165,15 @@ where **in** and **out** attributes of a rule are not equal but their definitions overlap. In this case, the **route-back** attribute of the **out** zone determines the behavior. +If used, the **ipsec** attribute is used to exclude from the zone any +traffic that is or is not subject to IPsec processing. If set to +**true** in the **in** zone, only the packets subject to IPsec +decapsulation are considered originating from the zone. In the **out** +zone, only the packets subject to IPsec encapsulation will be included +if **ipsec** is set to **true**. The value of **false** would exclude +any traffic requiring IPsec processing towards the respective +direction. + ### <a name="limit"></a>Limits A *limit* specifies the maximum rate for a flow of packets or new @@ -320,14 +330,6 @@ attributes: order specified by <strong>args</strong> </td> </tr> - <tr> - <td><strong>ipsec</strong></td> - <td><strong>in</strong> or <strong>out</strong></td> - <td> - IPsec decapsulation perfomed on ingress (<strong>in</strong>) - or encapsulation performed on egress (<strong>out</strong>) - </td> - </tr> </tbody> </table> |
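Review bot: in the new **ipsec** paragraph (hunk @@ -164,6 +165,15), "If used, the **ipsec** attribute is used to exclude" repeats "used"; suggest "When present, the **ipsec** attribute excludes from the zone any traffic that is or is not subject to IPsec processing." Likewise "are considered originating from the zone" reads better as "are considered to originate from the zone", and "towards the respective direction" as "in the respective direction". The paragraph describes **true** and **false** but not the unset case; a closing sentence stating that an omitted **ipsec** leaves IPsec processing out of the zone match would make all three states explicit.

Review bot: dropping the **ipsec** row from the rule attribute table (hunk @@ -320,14 +330,6) removes a documented rule attribute without any migration note; a policy that still sets **ipsec** on a rule will no longer behave as previously documented. Suggest adding a short note to the README, or to the changelog for this release, stating that rule-level **ipsec** has been removed and that the same restriction is now expressed by setting **ipsec** on the rule's **in** or **out** zone, so that existing configurations can be converted before upgrading.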