xref: /freebsd/share/man/man4/enc.4 (revision 05427f4639bcf2703329a9be9d25ec09bb782742)
1.\"	$OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $
2.\"
3.\" Copyright (c) 1999 Angelos D. Keromytis
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\"
10.\" 1. Redistributions of source code must retain the above copyright
11.\"    notice, this list of conditions and the following disclaimer.
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\" 3. All advertising materials mentioning features or use of this software
16.\"    must display the following acknowledgement:
17.\"	This product includes software developed by Angelos D. Keromytis.
18.\" 4. The name of the author may not be used to endorse or promote products
19.\"    derived from this software without specific prior written permission.
20.\"
21.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31.\"
32.Dd August 9, 2017
33.Dt ENC 4
34.Os
35.Sh NAME
36.Nm enc
37.Nd Encapsulating Interface
38.Sh SYNOPSIS
39To compile this driver into the kernel,
40place the following line in your
41kernel configuration file:
42.Bd -ragged -offset indent
43.Cd "device enc"
44.Ed
45.Pp
46Alternatively, to load the driver as a
47module at boot time, place the following line in
48.Xr loader.conf 5 :
49.Bd -literal -offset indent
50if_enc_load="YES"
51.Ed
52.Sh DESCRIPTION
53The
54.Nm
55interface is a software loopback mechanism that allows hosts or
56firewalls to filter
57.Xr ipsec 4
58traffic using any firewall package that hooks in via the
59.Xr pfil 9
60framework.
61.Pp
62The
63.Nm
64interface allows an administrator to see incoming and outgoing packets
65before and after they will be or have been processed by
66.Xr ipsec 4
67via
68.Xr tcpdump 1 .
69.Pp
70The
71.Dq Li enc0
72interface inherits all IPsec traffic.
73Thus all IPsec traffic can be filtered based on
74.Dq Li enc0 ,
75and all IPsec traffic could be seen by invoking
76.Xr tcpdump 1
77on the
78.Dq Li enc0
79interface.
80.Pp
81What can be seen with
82.Xr tcpdump 1
83and what will be passed on to the firewalls via the
84.Xr pfil 9
85framework can be independently controlled using the following
86.Xr sysctl 8
87variables:
88.Bl -column net.enc.out.ipsec_filter_mask 0x00000000 0x00000000
89.It Sy "Name	Defaults	Suggested"
90.It "net.enc.out.ipsec_bpf_mask	0x00000003	0x00000001"
91.It "net.enc.out.ipsec_filter_mask	0x00000001	0x00000001"
92.It "net.enc.in.ipsec_bpf_mask	0x00000001	0x00000002"
93.It "net.enc.in.ipsec_filter_mask	0x00000001	0x00000002"
94.El
95.Pp
96For the incoming path a value of
97.Li 0x1
98means
99.Dq Li before stripping off the outer header
100and
101.Li 0x2
102means
103.Dq Li after stripping off the outer header .
104For the outgoing path
105.Li 0x1
106means
107.Dq Li with only the inner header
108and
109.Li 0x2
110means
111.Dq Li with outer and inner headers .
112.Bd -literal
113incoming path                                          |------|
114---- IPsec processing ---- (before) ---- (after) ----> |      |
115                                                       | Host |
116<--- IPsec processing ---- (after) ----- (before) ---- |      |
117outgoing path                                          |------|
118.Ed
119.Pp
120Most people will want to run with the suggested defaults for
121.Cm ipsec_filter_mask
122and rely on the security policy database for the outer headers.
123.Pp
124Note that packets are captured by BPF before firewall processing.
125The special value 0x4 can be configured in the
126.Ar ipsec_bpf_mask
127and packets will be also captured after firewall processing.
128.Sh EXAMPLES
129To see the packets processed via
130.Xr ipsec 4 ,
131adjust the
132.Xr sysctl 8
133variables according to your need and run:
134.Pp
135.Dl "tcpdump -i enc0"
136.Sh SEE ALSO
137.Xr tcpdump 1 ,
138.Xr bpf 4 ,
139.Xr ipf 4 ,
140.Xr ipfw 4 ,
141.Xr ipsec 4 ,
142.Xr pf 4
143