author | Andreas Steffen <andreas.steffen@strongswan.org> | 2007-06-27 14:03:56 +0000 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2007-06-27 14:03:56 +0000 |
commit | 487fe29ee3a8022f03f91f99f8a8536b3c14c682 (patch) | |
tree | ad96ef5d85e911cc39634b1bcf86a170948f2a0a /src | |
parent | 1fbdab8507fb8b0084fd42ceb03c6f6d8d2d2c59 (diff) | |
download | strongswan-487fe29ee3a8022f03f91f99f8a8536b3c14c682.tar.bz2 strongswan-487fe29ee3a8022f03f91f99f8a8536b3c14c682.tar.xz |
added lefthostaccess and leftprotoport parameters
Diffstat (limited to 'src')
-rw-r--r-- | src/starter/ipsec.conf.5 | 70 |
1 files changed, 43 insertions, 27 deletions
diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 14a2e44a7..295aa35d5 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 @@ -295,25 +295,25 @@ signifying that the left end of the connection goes to the left participant only. When using IKEv2, the configured subnet of the peers may differ, the protocol narrows it to the greates common subnet. .TP +.B leftsubnetwithin +the peer can propose any subnet or single IP address that fits within the +range defined by +.BR leftsubnetwithin. +Not relevant for IKEv2, as subnets are narrowed. +.TP +.B leftprotoport +restrict the traffic selector to a single protocol and/or port. +Examples: +.B leftprotoport=tcp/http +or +.B leftprotoport=6/80 +or +.B leftprotoport=udp +.TP .B leftnexthop this parameter is not needed any more because the NETKEY IPsec stack does not require explicit routing entries for the traffic to be tunneled. .TP -.B leftupdown -what ``updown'' script to run to adjust routing and/or firewalling -when the status of the connection -changes (default -.BR "ipsec _updown" ). -May include positional parameters separated by white space -(although this requires enclosing the whole string in quotes); -including shell metacharacters is unwise. -See -.IR pluto (8) -for details. -Relevant only locally, other end need not agree on it. IKEv2 uses the updown -script to insert firewall rules only. Routing is not support and will be -implemented directly into Charon. -.TP .B leftfirewall whether the left participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from \fIleftsubnet\fR, @@ -326,9 +326,7 @@ and (the default). May not be used in the same connection description with .BR leftupdown . -Implemented as a parameter to the default -.I updown -script. +Implemented as a parameter to the default \fBipsec _updown\fR script. See notes below. Relevant only locally, other end need not agree on it. 
@@ -339,9 +337,7 @@ tunnels established with IPsec are exempted from it so that packets can flow unchanged through the tunnels. (This means that all subnets connected in this manner must have distinct, non-overlapping subnet address blocks.) -This is done by the default -.I updown -script (see +This is done by the default \fBipsec _updown\fR script (see .IR pluto (8)). In situations calling for more control, @@ -350,6 +346,32 @@ it may be preferable for the user to supply his own script, which makes the appropriate adjustments for his system. .TP +.B lefthostaccess +inserts a pair of INPUT and OUTPUT iptables rules using the default +\fBipsec _updown\fR script, thus allowing access to the host itself +in the case where the host's internal interface is part of the +negotiated client subnet. +Acceptable values are +.B yes +and +.B no +(the default). +.TP +.B leftupdown +what ``updown'' script to run to adjust routing and/or firewalling +when the status of the connection +changes (default +.BR "ipsec _updown" ). +May include positional parameters separated by white space +(although this requires enclosing the whole string in quotes); +including shell metacharacters is unwise. +See +.IR pluto (8) +for details. +Relevant only locally, other end need not agree on it. IKEv2 uses the updown +script to insert firewall rules only. Routing is not support and will be +implemented directly into Charon. +.TP .B auto what operation, if any, should be done automatically at IPsec startup; currently-accepted values are @@ -645,12 +667,6 @@ and Currently relevant for IKEv1 only since IKEv2 always uses the configuration payload in pull mode. .TP -.B leftsubnetwithin -the peer can propose any subnet or single IP address that fits within the -range defined by -.BR leftsubnetwithin . -Not relevant for IKEv2, as subnets are narrowed. -.TP .B pfs whether Perfect Forward Secrecy of keys is desired on the connection's keying channel |
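Review bot: in the first hunk (@@ -295,25 +295,25 @@) the relocated leftsubnetwithin entry loses the space before its trailing period, `.BR leftsubnetwithin.` where the entry removed further down reads `.BR leftsubnetwithin .`; with a single argument .BR sets the whole token, period included, in bold, so restore the space. The new leftprotoport entry should also say which IKE version honours it, as the neighbouring parameters do, and that the protocol and port may each be given as a name or a number, which the examples `leftprotoport=tcp/http` and `leftprotoport=6/80` only imply.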
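Review bot: the second hunk (@@ -326,9 +326,7 @@) replaces `.I updown` with the inline escape form `\fBipsec _updown\fR`, while the leftupdown entry on the same page names the script with the request macro `.BR "ipsec _updown"`; pick one form for every reference so the rendered manual page stays consistent.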
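Review bot: the lefthostaccess entry added in the fourth hunk (@@ -350,6 +346,32 @@) does not say whether the INPUT/OUTPUT rules are only inserted when leftfirewall=yes, nor whether, like leftfirewall, the parameter is relevant only locally; add the corresponding sentences. Since the leftupdown text is being moved in the same hunk, fix the typo carried over in its last sentence, "Routing is not support", to "Routing is not supported".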
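Review bot: the last hunk (@@ -645,12 +667,6 @@) deletes leftsubnetwithin only because the entry is re-added next to leftsubnet in the first hunk, yet the commit message names only the two new parameters; state in the message that leftsubnetwithin and leftupdown were reordered, otherwise a reader of the log may take this removal for a deprecation.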