From: Tobias Brunner Date: Wed, 5 Mar 2025 09:55:51 +0000 (+0100) Subject: vici: Document ICMP type/code traffic selector restrictions X-Git-Tag: 6.0.1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fcaee9e1232e0b8b8e8ee5fd4f5679540eeac537;p=thirdparty%2Fstrongswan.git vici: Document ICMP type/code traffic selector restrictions --- diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index cb61210656..70dac8ee49 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -780,6 +780,10 @@ connections..children..local_ts = dynamic restriction may be numeric, a **getservent**(3) service name, or the special value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified as well, none of the kernel backends currently support port ranges, though. + If the protocol is _icmp_ or _ipv6-icmp_, the port is interpreted as ICMP + message type if it is less than 256 or as type and code if it is greater or + equal to 256, with the type in the most significant 8 bits and the code in + the least significant 8 bits. When IKEv1 is used only the first selector is interpreted, except if the Cisco Unity extension plugin is used. This is due to a limitation of the
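Review bot: In the four lines added to the local_ts description in src/swanctl/swanctl.opt, the case "less than 256" says the value is the ICMP message type but not which codes it then matches (any code, or only code 0), and that should be stated. By the same rule, type 0 with a non-zero code encodes to a value below 256 and would be read as a bare type, so this limitation deserves a sentence. A short worked value would make the encoding unambiguous for readers, for example type 3 with code 1 is 3 * 256 + 1 = 769. Since the preceding context sentence mentions port ranges, it would also help to say whether a range is meaningful for the ICMP protocols. Minor wording: "greater or equal to 256" should read "greater than or equal to 256".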