Experimentation with Linux XFRM

(First some notes that are easier to understand than the horrible mess of EBNF that ip xfrm spits out)

The command line for XFRM is:

ip xfrm policy add SELECTOR dir DIR [LIMITS] [TEMPLATES]

Now SELECTOR matches on a packet, it can be any sensible combination of:

• src ADDR
• src ADDR/PREFIXLEN
• dst ADDR
• dst ADDR/PREFIXLEN
• dev DEVICE
• proto { tcp | udp | sctp | dccp } [sport PORT] [dport PORT]
• proto { icmp | icmp6-icmp | mobility-header } [type NUMBER] [code NUMBER]
• proto gre [key { DOTTED-QUAD | NUMBER } ]
• proto PROTO

For example SELECTOR might be:

src 10.1.0.0/16 dst 10.2.0.0/16 dev eth0 proto tcp port 80

DIR can be one of:

• in
• out
• fwd

LIMITS can be any sensible combination of:

• time-soft SECONDS
• time-hard SECONDS
• time-use-soft SECONDS
• time-use-hard SECONDS
• byte-soft SIZE
• byte-hard SIZE
• packet-soft COUNT
• packet-hard COUNT

This appears to be some kind of rate limiting functionality?

TEMPLATES consist of a list of the word tmpl and any sensible combination of:

• src ADDR
• dst ADDR
• proto [ esp | ah | comp | route2 | hao ] These correspond to:
  • esp - IPSec Encapsulating Security Protocol
  • ah - IPSec Authentication Header
  • comp - IP Payload Compression.
  • route2 - Mobile IPv6 Type 2 Routing Header.
  • `hao - Mobile IPv6 Home Address Option.
• spi SPI

then they have an optional MODE which can be one of:

• mode transport (IPSec transport mode)
• mode tunnel (IPSec tunnel mode)
• mode ro (Route Optimisation)
• mode in\_trigger ("inbound trigger")
• mode beet (Bound End-to-End Tunnel)

This can then be optionally flagged as "level required" (default) or "level use"

These TEMPLATES seem to specify what to do with the packet.

So, an (untested) sample command line might be:

ip xfrm \
    policy add \
    src 10.1.0.0/16 dst 10.2.0.0/16 proto icmp \
    dir out \
    tmpl proto route2 dst 10.3.0.1 mode ro level use

ip xfrm \
    state add \
    src 10.1.0.0/16 dst 10.2.0.0/16 proto icmp \
    proto route2 mode ro \
    coa 10.3.0.1 \
    sel src ::/0 dst ::/0

I don't know what the "xfrm state" sel is used for. It's a selector for something, but I dunno why it doesn't just match on the src/dst earlier in the command line. Oh, it's used for the outer addresses on encap tunnels?