ipsec_portexcludes - insert and delete port exclusion policies into the kernel SPD


ipsec portexcludes [--clear] [--verbose]


ipsec portexcludes manages the port exclusion list defined in portexcludes.conf (found in the policies directory). It is usually run via the system service startup job, but an administrator can also run it manually. The portexcludes command deletes all passthrough conns whose name matches portexcludes-* before re-adding the rules read from its configuration file. The --clear option only removes the active passthrough connections that provide a port hole.

The --verbose option shows the translation of the rules defined in the portexcludes.conf file into whack commands.


The portexcludes.conf file takes the following format. Each non-empty line that does not start with a # symbol is read and parsed into five fields separated by whitespace: direction protocol source dest priority. If a rule is not limited by its source or destination being IPv4 or IPv6 specific, the rule is applied for both IPv4 and IPv6.

direction of the rule determines whether the rule is an inbound ("in") rule, an outbound ("out") rule, or "both".

protocol specifies the protocol either by name (e.g. "tcp" or "udp") or by number (e.g. 6 or 17).

source and destination specify the source or destination of the rule as IPs in CIDR format, optionally followed by @port. The special values "any", "any4" and "any6" are recognised.

priority is the priority of the SPD policy. This can be used to tune the rule so that it overrides some but not all defined connections. For example, it can be used to override Opportunistic connections but not static tunnels. A priority smaller than 1024 would override every connection that does not manually set its own priority to a lower value.
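
The following linter for the five-field format described above is an added example, not code from the Libreswan project. It reports malformed lines and marks rules whose priority is below 1024, since those override every connection without its own lower priority. The names parse_endpoint, parse_rule and lint and the sample lines are constructed for illustration, and it assumes @port may follow the special values as well as a CIDR.

```python
import ipaddress
ANY = {"any": {4, 6}, "any4": {4}, "any6": {6}}

def parse_endpoint(text):
    """Return (address families, port or None) for any/any4/any6 or CIDR, optional @port."""
    addr, sep, port = text.partition("@")
    if sep and not (port.isdigit() and 0 < int(port) <= 65535):
        raise ValueError(f"bad port in {text!r}")
    # Assumption: @port is accepted after the special values as well as after a CIDR.
    families = ANY.get(addr) or {ipaddress.ip_network(addr, strict=False).version}
    return families, int(port) if sep else None

def parse_rule(line):
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    direction, proto, src, dst, prio = fields
    if direction not in ("in", "out", "both"):
        raise ValueError(f"bad direction {direction!r}")
    if proto.isdigit() and int(proto) > 255:
        raise ValueError(f"bad protocol number {proto}")
    (src_fam, src_port), (dst_fam, dst_port) = parse_endpoint(src), parse_endpoint(dst)
    families = src_fam & dst_fam  # unrestricted on both sides means IPv4 and IPv6
    if not families:
        raise ValueError("source and destination are different address families")
    return {"direction": direction, "protocol": proto, "src_port": src_port,
            "dst_port": dst_port, "families": sorted(families), "priority": int(prio),
            "overrides_unprioritised": int(prio) < 1024}

def lint(text):
    """Return (parsed rules, [(line number, error)]) for a portexcludes.conf body."""
    rules, problems = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        try:
            rules.append(parse_rule(raw))
        except ValueError as err:
            problems.append((number, str(err)))
    return rules, problems

# Constructed sample input, not a shipped configuration.
SAMPLE = """\
# direction protocol source dest priority
both tcp any any@22 1023
in 17 192.0.2.0/24 192.0.2.10/32@53 2000
out tcp any6 198.51.100.7/32@443 1023
sideways tcp any any 1023
in udp any 2001:db8::/32@500
"""
```

Calling lint(SAMPLE) returns the two valid rules and three problems: a source and destination in different address families, an unknown direction, and a line with a missing field.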






Written for the Libreswan Project by Paul Wouters.


Paul Wouters
