Experimentation with Linux XFRM

(First some notes that are easier to understand than the horrible mess of EBNF that ip xfrm spits out)

The command line for XFRM is:

ip xfrm policy add SELECTOR dir DIR [LIMITS] [TEMPLATES]

SELECTOR matches a packet; it can be any sensible combination of:

For example SELECTOR might be:

src dst dev eth0 proto tcp port 80

DIR can be one of:

LIMITS can be any sensible combination of:

This appears to be some kind of rate limiting functionality?

TEMPLATES consist of a list of entries, each introduced by the word tmpl and followed by any sensible combination of:

Each template then has an optional MODE, which can be one of:

Each template can then be optionally flagged as "level required" (the default) or "level use".

These TEMPLATES seem to specify what to do with the packet.

So, an (untested) sample command line might be:

ip xfrm \
    policy add \
    src dst proto icmp \
    dir out \
    tmpl proto route2 dst mode ro level use

ip xfrm \
    state add \
    src dst proto icmp \
    proto route2 mode ro \
    coa \
    sel src ::/0 dst ::/0

I don't know what the "xfrm state" sel is used for. It's a selector for something, but I dunno why it doesn't just match on the src/dst earlier in the command line. Oh, it's used for the outer addresses on encap tunnels?
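The sample above worked through as a complete policy/state pair, here for ESP in transport mode protecting ICMP between two hosts. This is an added example, not from the original notes; the addresses, SPIs, reqid and key are constructed, and the commands are only printed unless XFRM_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds a matching
# "ip xfrm policy" / "ip xfrm state" pair that protects ICMP between two
# hosts with ESP in transport mode. Addresses, SPIs and reqid are
# constructed placeholders (RFC 5737 range). Commands are only printed
# unless XFRM_APPLY=1 is set, since "ip xfrm" needs root and edits the
# live kernel SA database.

SRC=192.0.2.1
DST=192.0.2.2
REQID=100           # links each policy template to its state (SA)
# 32-byte AES-256-GCM key + 4-byte salt, hex-encoded, freshly random
KEY=0x$(od -An -tx1 -N36 /dev/urandom | tr -d ' \n')

# Policy for one direction. "level required" (the default) drops matching
# packets when no SA exists; "level use" silently falls back to cleartext,
# so it is the setting to look for when auditing a host's policies.
xfrm_policy_cmd() {                     # $1 = in|out|fwd, $2 = required|use
    case "$1" in in|out|fwd) ;; *) echo "bad dir: $1" >&2; return 1 ;; esac
    case "$2" in required|use) ;; *) echo "bad level: $2" >&2; return 1 ;; esac
    if [ "$1" = out ]; then s=$SRC; d=$DST; else s=$DST; d=$SRC; fi
    printf 'ip xfrm policy add src %s dst %s proto icmp dir %s ' "$s" "$d" "$1"
    printf 'tmpl proto esp reqid %s mode transport level %s\n' "$REQID" "$2"
}

# State (SA) for one direction; each direction needs its own SPI. The
# trailing "sel" restricts the SA to the same traffic the policy selects.
xfrm_state_cmd() {                      # $1 = in|out, $2 = spi
    if [ "$1" = out ]; then s=$SRC; d=$DST; else s=$DST; d=$SRC; fi
    printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s ' "$s" "$d" "$2" "$REQID"
    printf "mode transport aead 'rfc4106(gcm(aes))' %s 128 sel src %s dst %s proto icmp\n" "$KEY" "$s" "$d"
}

# Full set: both policies and both SAs. Verify afterwards with
# "ip xfrm policy show" and "ip xfrm state show"; undo with
# "ip xfrm policy flush" and "ip xfrm state flush".
xfrm_all_cmds() {
    xfrm_policy_cmd out required && xfrm_policy_cmd in required &&
    xfrm_state_cmd out 0x1001 && xfrm_state_cmd in 0x1002
}

if [ "${XFRM_APPLY:-0}" = 1 ]; then
    xfrm_all_cmds | while IFS= read -r cmd; do eval "$cmd" || exit 1; done
else
    xfrm_all_cmds
fi
```

The same key is used for both SAs here only to keep the example short; in practice each direction gets its own key, usually negotiated by an IKE daemon rather than set by hand.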