On Linux, ip xfrm policy lets me specify the selector on which I want to enable IPsec. It allows you to restrict IPsec to a particular port, by specifying [ sport PORT ] [ dport PORT ].
I would like to enable IPsec for all but one port. E.g. IPsec for all ports except 873. Is there any way to do that? Is there any way to specify a "not" in the SELECTOR? If not, what is the workaround?
Note that I am referring to manual initialization of the kernel's IPsec, using the ip xfrm command.
Best Answer
Just create passthrough policies for that port that have a higher priority (lower numeric value) than the policies that match all ports. Passthrough policies have action allow but no templates attached.

That's because the Linux kernel stores the policies in a list ordered by priority and only uses the first matching policy. So if an action allow policy (the default, the only other option is to use action drop to filter traffic) without templates (i.e. without any instructions how to process/encrypt the traffic) has a higher priority than the actual IPsec policies the traffic will just bypass IPsec processing.

For instance, if your existing policies have priority 1000 then add passthrough policies for TCP port 873 like this:
The priority could be anything, it must just be lower than 1000 so traffic matches these policies first.
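A worked version of the approach described in the answer, added here as an example and not part of the original answer: it installs action-allow policies without templates for TCP port 873 in both directions, at a numerically lower priority than the IPsec policies. The subnets 10.0.1.0/24 and 10.0.2.0/24, the existing priority 1000 and the bypass priority 100 are hypothetical values; set XFRM_DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the original answer's code): passthrough policies that
# exempt TCP port 873 from IPsec via ip xfrm.
# Hypothetical assumptions: the IPsec policies cover 10.0.1.0/24 <-> 10.0.2.0/24
# and carry priority 1000; the bypass policies use priority 100.
# XFRM_DRY_RUN=1 prints the commands instead of executing them, so the logic
# can be reviewed without root or an IPsec setup.

LOCAL_NET=${LOCAL_NET:-10.0.1.0/24}
REMOTE_NET=${REMOTE_NET:-10.0.2.0/24}
BYPASS_PORT=${BYPASS_PORT:-873}
BYPASS_PRIO=${BYPASS_PRIO:-100}   # must be numerically lower than 1000

# run: execute a command, or just print it in dry-run mode
run() {
    if [ "${XFRM_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# passthrough_policies: add "action allow" policies with no template (tmpl)
# for both directions of port 873 traffic. The kernel walks policies in
# priority order and takes the first match, so these win over the
# lower-priority (higher-numbered) IPsec policies and the packets bypass
# IPsec processing entirely.
passthrough_policies() {
    # Local client -> remote server port
    run ip xfrm policy add src "$LOCAL_NET" dst "$REMOTE_NET" \
        proto tcp dport "$BYPASS_PORT" dir out priority "$BYPASS_PRIO" action allow
    # Replies from the remote server port
    run ip xfrm policy add src "$REMOTE_NET" dst "$LOCAL_NET" \
        proto tcp sport "$BYPASS_PORT" dir in priority "$BYPASS_PRIO" action allow
    # Remote client -> local server port
    run ip xfrm policy add src "$REMOTE_NET" dst "$LOCAL_NET" \
        proto tcp dport "$BYPASS_PORT" dir in priority "$BYPASS_PRIO" action allow
    # Replies from the local server port
    run ip xfrm policy add src "$LOCAL_NET" dst "$REMOTE_NET" \
        proto tcp sport "$BYPASS_PORT" dir out priority "$BYPASS_PRIO" action allow
}

# count_policy_cmds: number of "ip xfrm policy add" commands that would be
# issued (useful for checking the dry-run output before applying it as root).
count_policy_cmds() {
    XFRM_DRY_RUN=1 passthrough_policies | grep -c 'ip xfrm policy add'
}

# Only install when explicitly asked, e.g.:  sudo sh bypass873.sh install
case "${1:-}" in
    install) passthrough_policies ;;
esac
```

After installing, `ip xfrm policy` lists the new entries ahead of the priority-1000 ones; on a gateway that forwards the traffic rather than terminating it, a matching `dir fwd` policy is needed as well.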