.\" $OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $
.\"
.\" Copyright (c) 1999 Angelos D. Keromytis
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"    This product includes software developed by Angelos D. Keromytis.
.\" 4. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd August 9, 2017
.Dt ENC 4
.Os
.Sh NAME
.Nm enc
.Nd Encapsulating Interface
.Sh SYNOPSIS
To compile this driver into the kernel,
place the following line in your
kernel configuration file:
.Bd -ragged -offset indent
.Cd "device enc"
.Ed
.Pp
Alternatively, to load the driver as a
module at boot time, place the following line in
.Xr loader.conf 5 :
.Bd -literal -offset indent
if_enc_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using any firewall package that hooks in via the
.Xr pfil 9
framework.
.Pp
The
.Nm
interface allows an administrator to see incoming and outgoing packets
before and after they will be or have been processed by
.Xr ipsec 4
via
.Xr tcpdump 1 .
.Pp
The
.Dq Li enc0
interface inherits all IPsec traffic.
Thus all IPsec traffic can be filtered based on
.Dq Li enc0 ,
and all IPsec traffic could be seen by invoking
.Xr tcpdump 1
on the
.Dq Li enc0
interface.
.Pp
What can be seen with
.Xr tcpdump 1
and what will be passed on to the firewalls via the
.Xr pfil 9
framework can be independently controlled using the following
.Xr sysctl 8
variables:
.Bl -column net.enc.out.ipsec_filter_mask 0x00000000 0x00000000
.It Sy Name Ta Sy Defaults Ta Sy Suggested
.It Li net.enc.out.ipsec_bpf_mask Ta 0x00000003 Ta 0x00000001
.It Li net.enc.out.ipsec_filter_mask Ta 0x00000001 Ta 0x00000001
.It Li net.enc.in.ipsec_bpf_mask Ta 0x00000001 Ta 0x00000002
.It Li net.enc.in.ipsec_filter_mask Ta 0x00000001 Ta 0x00000002
.El
.Pp
For the incoming path a value of
.Li 0x1
means
.Dq Li before stripping off the outer header
and
.Li 0x2
means
.Dq Li after stripping off the outer header .
For the outgoing path
.Li 0x1
means
.Dq Li with only the inner header
and
.Li 0x2
means
.Dq Li with outer and inner headers .
.Bd -literal
incoming path                                          |------|
---- IPsec processing ---- (before) ---- (after) ----> |      |
                                                       | Host |
<--- IPsec processing ---- (after) ----- (before) ---- |      |
outgoing path                                          |------|
.Ed
.Pp
Most people will want to run with the suggested defaults for
.Cm ipsec_filter_mask
and rely on the security policy database for the outer headers.
.Pp
Note that packets are captured by BPF before firewall processing.
The special value 0x4 can be configured in the
.Ar ipsec_bpf_mask
and packets will also be captured after firewall processing.
.Sh EXAMPLES
To see the packets processed via
.Xr ipsec 4 ,
adjust the
.Xr sysctl 8
variables according to your need and run:
.Pp
.Dl "tcpdump -i enc0"
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipsec 4 ,
.Xr pf 4
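The mask semantics in DESCRIPTION (0x1 and 0x2 per direction, plus the 0x4 value that is only meaningful in ipsec_bpf_mask) are easy to misconfigure, and a misread mask means the firewall or the capture sees a different packet than the administrator believes. The POSIX sh script below is an added example and is not part of enc.4 or of the FreeBSD source tree. It reads lines in the "name: value" format that sysctl prints, decodes each net.enc mask into the capture points the page defines, flags bits with no defined meaning, and notes where a value departs from the page's suggested value. The function names, the output wording and the embedded sample lines are all constructed for this example; nothing here calls sysctl, so it runs on any system.

```shell
#!/bin/sh
# Added example (not from enc.4): decode and sanity-check net.enc sysctl masks.

# append WORD to the comma-separated list held in $out
append() {
    if [ -z "$out" ]; then out=$1; else out="$out,$1"; fi
}

# decode_mask in|out MASK [bpf|filter]
# Prints the capture points selected by MASK for that direction, following
# the meanings given in enc.4.  0x4 is valid only for the bpf masks.
decode_mask() {
    dir=$1
    mask=$(( $2 ))
    kind=${3:-filter}
    out=""
    if [ "$dir" = in ]; then
        [ $(( mask & 1 )) -ne 0 ] && append before-stripping-outer-header
        [ $(( mask & 2 )) -ne 0 ] && append after-stripping-outer-header
    else
        [ $(( mask & 1 )) -ne 0 ] && append inner-header-only
        [ $(( mask & 2 )) -ne 0 ] && append outer-and-inner-headers
    fi
    if [ $(( mask & 4 )) -ne 0 ]; then
        if [ "$kind" = bpf ]; then
            append after-firewall
        else
            append "INVALID(0x4-only-valid-in-ipsec_bpf_mask)"
        fi
    fi
    [ "$mask" -gt 7 ] && append "INVALID(unknown-bits)"
    printf '%s\n' "${out:-none}"
}

# suggested NAME: the "Suggested" column of the enc.4 table, in decimal
suggested() {
    case $1 in
        net.enc.out.ipsec_bpf_mask)    echo 1 ;;
        net.enc.out.ipsec_filter_mask) echo 1 ;;
        net.enc.in.ipsec_bpf_mask)     echo 2 ;;
        net.enc.in.ipsec_filter_mask)  echo 2 ;;
        *) echo "" ;;
    esac
}

# check_enc_sysctls: read "name: value" lines on stdin, print one report line
# per net.enc mask, return 1 if any mask carries bits with no defined meaning.
check_enc_sysctls() {
    rc=0
    while IFS=' :' read -r name value; do
        case $name in net.enc.*) ;; *) continue ;; esac
        dir=${name#net.enc.}; dir=${dir%%.*}        # in | out
        kind=${name##*ipsec_}; kind=${kind%_mask}   # bpf | filter
        meaning=$(decode_mask "$dir" "$value" "$kind")
        hint=""
        s=$(suggested "$name")
        [ -n "$s" ] && [ $(( value )) -ne "$s" ] && hint=" (suggested $s)"
        case $meaning in *INVALID*) rc=1 ;; esac
        printf '%s = %s: %s%s\n' "$name" "$value" "$meaning" "$hint"
    done
    return $rc
}

# Constructed sample in the format "sysctl net.enc" prints; not real output.
# The last line deliberately sets 0x4 in a filter mask to show the check firing.
sample='net.enc.out.ipsec_bpf_mask: 3
net.enc.out.ipsec_filter_mask: 1
net.enc.in.ipsec_bpf_mask: 6
net.enc.in.ipsec_filter_mask: 5'

printf '%s\n' "$sample" | check_enc_sysctls \
    || echo "warning: at least one mask carries undefined bits"
```

On a FreeBSD host the same check runs against live values with `sysctl net.enc | check_enc_sysctls` after sourcing the script. The report makes the page's caveat concrete: a filter mask of 5 still filters "before stripping off the outer header", but the 0x4 bit does nothing there, which is exactly the kind of silent no-op worth catching in a configuration review.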