xref: /freebsd/share/man/man4/enc.4 (revision 4ca4a3b1c8e33cafcd9462e2d068246153846d57)
.\"	$OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $
.\"
.\" Copyright (c) 1999 Angelos D. Keromytis
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Angelos D. Keromytis.
.\" 4. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 9, 2017
.Dt ENC 4
.Os
.Sh NAME
.Nm enc
.Nd Encapsulating Interface
.Sh SYNOPSIS
To compile this driver into the kernel,
place the following line in your
kernel configuration file:
.Bd -ragged -offset indent
.Cd "device enc"
.Ed
.Pp
Alternatively, to load the driver as a
module at boot time, place the following line in
.Xr loader.conf 5 :
.Bd -literal -offset indent
if_enc_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using any firewall package that hooks in via the
.Xr pfil 9
framework.
.Pp
The
.Nm
interface allows an administrator to see incoming and outgoing packets
before and after they are processed by
.Xr ipsec 4 ,
using
.Xr tcpdump 1 .
.Pp
The
.Dq Li enc0
interface inherits all IPsec traffic.
Thus all IPsec traffic can be filtered based on
.Dq Li enc0 ,
and all IPsec traffic can be seen by invoking
.Xr tcpdump 1
on the
.Dq Li enc0
interface.
.Pp
What can be seen with
.Xr tcpdump 1
and what will be passed on to the firewalls via the
.Xr pfil 9
framework can be independently controlled using the following
.Xr sysctl 8
variables:
.Bl -column net.enc.out.ipsec_filter_mask 0x00000000 0x00000000
.It Sy "Name	Defaults	Suggested"
.It "net.enc.out.ipsec_bpf_mask	0x00000003	0x00000001"
.It "net.enc.out.ipsec_filter_mask	0x00000001	0x00000001"
.It "net.enc.in.ipsec_bpf_mask	0x00000001	0x00000002"
.It "net.enc.in.ipsec_filter_mask	0x00000001	0x00000002"
.El
.Pp
For the incoming path a value of
.Li 0x1
means
.Dq Li before stripping off the outer header
and
.Li 0x2
means
.Dq Li after stripping off the outer header .
For the outgoing path
.Li 0x1
means
.Dq Li with only the inner header
and
.Li 0x2
means
.Dq Li with outer and inner headers .
.Bd -literal
incoming path                                          |------|
---- IPsec processing ---- (before) ---- (after) ----> |      |
                                                       | Host |
<--- IPsec processing ---- (after) ----- (before) ---- |      |
outgoing path                                          |------|
.Ed
.Pp
Most people will want to run with the suggested defaults for
.Cm ipsec_filter_mask
and rely on the security policy database for the outer headers.
.Pp
Note that packets are captured by BPF before firewall processing.
The special value 0x4 can be configured in the
.Cm ipsec_bpf_mask
variables, in which case packets will also be captured after firewall
processing.
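.Pp
The following audit script is an added example and is not part of the
enc(4) manual or of FreeBSD.
It parses the output of
.Dq Li sysctl net.enc
(the sample output embedded in it is constructed), decodes each mask value
into the stages described above, including the 0x4 bit for the bpf masks,
and reports values that differ from the suggested settings or set bits that
this manual does not document.

```python
"""Audit enc(4) stage masks from `sysctl net.enc` output.

Added example, not FreeBSD code: the bit meanings and suggested values are
taken from the enc(4) manual page; the sample sysctl output is constructed.
"""
import re

# Meaning of each mask bit, per direction, as documented in enc(4).
STAGE_MEANING = {
    "in":  {0x1: "before stripping off the outer header",
            0x2: "after stripping off the outer header"},
    "out": {0x1: "with only the inner header",
            0x2: "with outer and inner headers"},
}
# Documented only for the ipsec_bpf_mask variables: capture again after the firewall.
AFTER_FIREWALL = 0x4

# Suggested values from the enc(4) table (the defaults are 0x3, 0x1, 0x1, 0x1).
SUGGESTED = {
    "net.enc.out.ipsec_bpf_mask": 0x1,
    "net.enc.out.ipsec_filter_mask": 0x1,
    "net.enc.in.ipsec_bpf_mask": 0x2,
    "net.enc.in.ipsec_filter_mask": 0x2,
}

NAME_RE = re.compile(r"^net\.enc\.(in|out)\.ipsec_(bpf|filter)_mask$")
LINE_RE = re.compile(r"^(net\.enc\.(?:in|out)\.ipsec_(?:bpf|filter)_mask):\s*(\S+)$")


def parse_sysctl(text):
    """Parse `sysctl net.enc` output into {variable: int}; values may be decimal or 0x-hex."""
    masks = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            masks[m.group(1)] = int(m.group(2), 0)
    return masks


def valid_bits(name):
    """Bits enc(4) documents for this variable: 0x1|0x2, plus 0x4 for the bpf masks."""
    _, kind = NAME_RE.match(name).groups()
    return 0x3 | (AFTER_FIREWALL if kind == "bpf" else 0)


def describe(name, value):
    """List the stages at which this mask value exposes packets (to tcpdump or pfil)."""
    direction, kind = NAME_RE.match(name).groups()
    stages = [text for bit, text in STAGE_MEANING[direction].items() if value & bit]
    if kind == "bpf" and value & AFTER_FIREWALL:
        stages.append("again after firewall processing")
    return stages


def audit(text):
    """Compare parsed masks against the suggested values; return a list of findings."""
    masks = parse_sysctl(text)
    findings = []
    for name, suggested in SUGGESTED.items():
        if name not in masks:
            findings.append(f"{name}: missing from sysctl output")
            continue
        value = masks[name]
        unknown = value & ~valid_bits(name)
        if unknown:
            findings.append(f"{name}=0x{value:x}: undocumented bits 0x{unknown:x}")
        elif value == 0:
            findings.append(f"{name}=0x0: no stage selected, nothing is seen here")
        elif value != suggested:
            findings.append(f"{name}=0x{value:x} (suggested 0x{suggested:x}): "
                            + "; ".join(describe(name, value)))
    return findings


# Constructed sample: the documented defaults as `sysctl net.enc` prints them.
DEFAULT_OUTPUT = """\
net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 1
net.enc.in.ipsec_filter_mask: 1
"""

if __name__ == "__main__":
    for finding in audit(DEFAULT_OUTPUT):
        print(finding)
```

Run against the defaults the script reports three deviations (both inbound
masks and the outbound bpf mask); feeding it real output from
.Dq Li sysctl net.enc
on a host shows at a glance which stages the firewall and tcpdump actually
see there.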
.Sh EXAMPLES
To see the packets processed via
.Xr ipsec 4 ,
adjust the
.Xr sysctl 8
variables according to your need and run:
.Pp
.Dl "tcpdump -i enc0"
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipsec 4 ,
.Xr pf 4