Experimentation with Linux XFRM
===============================

(First some notes that are easier to understand than the horrible mess of EBNF
 that ip xfrm spits out)

The command line for XFRM is:

   ip xfrm policy add SELECTOR dir DIR \[LIMITS] \[TEMPLATES]

SELECTOR matches on a packet; it can be any sensible combination of:

 * `src` ADDR
 * `src` ADDR/PREFIXLEN
 * `dst` ADDR
 * `dst` ADDR/PREFIXLEN
 * `dev` DEVICE
 * `proto` { tcp | udp | sctp | dccp } \[sport PORT] \[dport PORT]
 * `proto` { icmp | icmp6-icmp | mobility-header } \[type NUMBER] \[code NUMBER]
 * `proto gre` [key { DOTTED-QUAD | NUMBER } ]
 * `proto` PROTO

For example SELECTOR might be:

    src 10.1.0.0/16 dst 10.2.0.0/16 dev eth0 proto tcp dport 80


DIR can be one of:

 * `in`
 * `out`
 * `fwd`

LIMITS can be any sensible combination of:

 * `time-soft` SECONDS
 * `time-hard` SECONDS
 * `time-use-soft` SECONDS
 * `time-use-hard` SECONDS
 * `byte-soft` SIZE
 * `byte-hard` SIZE
 * `packet-soft` COUNT
 * `packet-hard` COUNT

This appears to be some kind of rate limiting functionality?

TEMPLATES consist of a list of entries, each starting with the word `tmpl` followed by any sensible combination of:

 * `src` ADDR
 * `dst` ADDR
 * `proto` { esp | ah | comp | route2 | hao }, which correspond to:
   * `esp` - IPSec Encapsulating Security Payload
   * `ah` - IPSec Authentication Header
   * `comp` - IP Payload Compression
   * `route2` - Mobile IPv6 Type 2 Routing Header
   * `hao` - Mobile IPv6 Home Address Option
 * `spi` SPI

Each template then has an optional MODE, which can be one of:

 * `mode transport` (IPSec transport mode)
 * `mode tunnel`  (IPSec tunnel mode)
 * `mode ro` (Route Optimisation)
 * `mode in_trigger` ("inbound trigger")
 * `mode beet` ([Bound End-to-End Tunnel](http://tools.ietf.org/html/draft-nikander-esp-beet-mode))

Each template can then optionally be flagged as "`level required`" (the default) or
"`level use`".

These TEMPLATES seem to specify what to do with the packet.
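As an added example (not from these notes and not iproute2 code), here is a small Python checker that accepts the argument list of `ip xfrm policy add` only when it fits the grammar laid out above, so a generated policy can be linted before it is handed to `ip`. The names `parse_policy`, `VOCAB` and `SUBKEYS` are invented here; leaving out the GRE `key` form and defaulting a template's mode to `transport` are assumptions.

```python
import ipaddress

# Vocabulary as written out in these notes (the GRE `key` form is left out).
VOCAB = {"dir": {"in", "out", "fwd"},
         "mode": {"transport", "tunnel", "ro", "in_trigger", "beet"},
         "level": {"required", "use"}}
TMPL_PROTOS = {"esp", "ah", "comp", "route2", "hao"}
LIMITS = {"time-soft", "time-hard", "time-use-soft", "time-use-hard",
          "byte-soft", "byte-hard", "packet-soft", "packet-hard"}
# sport/dport only follow a port-carrying proto, type/code only an ICMP-like one
SUBKEYS = dict.fromkeys(("sport", "dport"), {"tcp", "udp", "sctp", "dccp"})
SUBKEYS.update(dict.fromkeys(("type", "code"), {"icmp", "icmp6-icmp", "mobility-header"}))

def parse_policy(args):
    """Parse the tokens after `ip xfrm policy add`; off-grammar input raises ValueError."""
    it = iter(args.split() if isinstance(args, str) else args)
    def take():  # the value that must follow a keyword
        try:
            return next(it)
        except StopIteration:
            raise ValueError("keyword at end of line is missing its value") from None
    sel, top, limits, tmpls = {}, {}, {}, []
    for k in it:
        cur = tmpls[-1] if tmpls else sel  # keywords after `tmpl` belong to that template
        if k == "tmpl":
            tmpls.append({})
        elif k in LIMITS:
            limits[k] = int(take())
        elif k in ("src", "dst"):  # ADDR or ADDR/PREFIXLEN; a bare ADDR becomes /32 or /128
            cur[k] = ipaddress.ip_network(take(), strict=False)
        elif k == "proto":
            cur["proto"] = p = take()
            if tmpls and p not in TMPL_PROTOS:
                raise ValueError("bad tmpl proto %r" % p)
        elif k in SUBKEYS and not tmpls and sel.get("proto") in SUBKEYS[k]:
            sel[k] = int(take())
        elif (k, bool(tmpls)) in (("dev", False), ("spi", True)):  # dev: selector only; spi: template only
            cur[k] = take() if k == "dev" else int(take(), 0)  # base 0 accepts the 0x... form
        elif k in VOCAB and (k == "dir" or tmpls):  # dir is top level, mode/level are per template
            (top if k == "dir" else cur)[k] = v = take()
            if v not in VOCAB[k]:
                raise ValueError("bad %s %r" % (k, v))
        else:
            raise ValueError("unexpected keyword %r" % k)
    if "dir" not in top:
        raise ValueError("dir is required")
    for t in tmpls:  # defaults: `level required` per the notes; `mode transport` is an assumption
        t.setdefault("mode", "transport")
        t.setdefault("level", "required")
    return {"selector": sel, "dir": top["dir"], "limits": limits, "tmpl": tmpls}
```

A bare `port` keyword, a direction other than `in`/`out`/`fwd`, a template `proto` that is not one of the five listed, or a missing `dir` all raise `ValueError` instead of reaching the kernel.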

So, an (untested) sample command line might be:

    ip xfrm \
        policy add \
        src 10.1.0.0/16 dst 10.2.0.0/16 proto icmp \
        dir out \
        tmpl proto route2 dst 10.3.0.1 mode ro level use

    ip xfrm \
        state add \
        src 10.1.0.0/16 dst 10.2.0.0/16 proto icmp \
        proto route2 mode ro \
        coa 10.3.0.1 \
        sel src ::/0 dst ::/0

I don't know what the "xfrm state" sel is used for.  It's a selector for
something, but I dunno why it doesn't just match on the src/dst earlier in
the command line.  Oh, it's used for the outer addresses on encap tunnels?

