.\" $OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $
.\"
.\" Copyright (c) 1999 Angelos D. Keromytis
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"      This product includes software developed by Angelos D. Keromytis.
.\" 4. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd August 9, 2017
.Dt ENC 4
.Os
.Sh NAME
.Nm enc
.Nd Encapsulating Interface
.Sh SYNOPSIS
To compile this driver into the kernel,
place the following line in your
kernel configuration file:
.Bd -ragged -offset indent
.Cd "device enc"
.Ed
.Pp
Alternatively, to load the driver as a
module at boot time, place the following line in
.Xr loader.conf 5 :
.Bd -literal -offset indent
if_enc_load="YES"
.Ed
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that allows hosts or
firewalls to filter
.Xr ipsec 4
traffic using any firewall package that hooks in via the
.Xr pfil 9
framework.
.Pp
The
.Nm
interface also allows an administrator to see, via
.Xr tcpdump 1 ,
incoming and outgoing packets both before and after they are
processed by
.Xr ipsec 4 .
.Pp
All IPsec traffic passes through the
.Dq Li enc0
interface.
Thus all IPsec traffic can be filtered with rules on
.Dq Li enc0 ,
and all of it can be seen by invoking
.Xr tcpdump 1
on the
.Dq Li enc0
interface.
.Pp
What can be seen with
.Xr tcpdump 1
and what will be passed on to the firewalls via the
.Xr pfil 9
framework can be independently controlled using the following
.Xr sysctl 8
variables.
The values are bitmasks, so several of the bits described below may be
set at once:
.Bl -column net.enc.out.ipsec_filter_mask 0x00000000 0x00000000
.It Sy "Name	Default	Suggested"
.It "net.enc.out.ipsec_bpf_mask	0x00000003	0x00000001"
.It "net.enc.out.ipsec_filter_mask	0x00000001	0x00000001"
.It "net.enc.in.ipsec_bpf_mask	0x00000001	0x00000002"
.It "net.enc.in.ipsec_filter_mask	0x00000001	0x00000002"
.El
.Pp
For the incoming path a value of
.Li 0x1
means
.Dq Li before stripping off the outer header
and
.Li 0x2
means
.Dq Li after stripping off the outer header .
For the outgoing path
.Li 0x1
means
.Dq Li with only the inner header
and
.Li 0x2
means
.Dq Li with outer and inner headers .
.Bd -literal
incoming path                                             |------|
---- IPsec processing ---- (before) ---- (after) ---->    |      |
                                                          | Host |
<--- IPsec processing ---- (after) ----- (before) ----    |      |
outgoing path                                             |------|
.Ed
.Pp
Most people will want to run with the suggested values for
.Cm ipsec_filter_mask
and rely on the security policy database for the outer headers.
.Pp
Note that packets are captured by BPF before firewall processing.
If the special value
.Li 0x4
is additionally set in
.Cm ipsec_bpf_mask ,
packets are also captured after firewall processing.
.Sh EXAMPLES
To see the packets processed via
.Xr ipsec 4 ,
adjust the
.Xr sysctl 8
variables according to your needs and run:
.Pp
.Dl "tcpdump -i enc0"
.Sh SEE ALSO
.Xr tcpdump 1 ,
.Xr bpf 4 ,
.Xr ipf 4 ,
.Xr ipfw 4 ,
.Xr ipsec 4 ,
.Xr pf 4
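The mask variables in DESCRIPTION are bitmasks rather than a choice of a single value, which is easy to miss: the default outgoing bpf mask of 0x3 hands every outbound packet to a BPF listener on enc0 twice, once with only the inner header and once with outer and inner headers. The following POSIX sh script is an added example and is not part of the enc(4) manual page or the FreeBSD source tree. It decodes a mask for either path using the wording above, counts the copies a BPF listener will see, and prints (without executing) the sysctl(8) commands for the suggested values together with a pf(4) rule fragment that matches on the decapsulated inner packets. The pf rules, the outside interface name em0 and the addresses 10.1.0.0/24 and 10.2.0.5 are made up for illustration; the script changes no kernel state.

```shell
#!/bin/sh
# Added example; not part of the enc(4) manual page or the FreeBSD tree.
# Decodes the net.enc.{in,out}.ipsec_{bpf,filter}_mask bits documented
# in enc(4) and prints, never executes, the commands and rules an
# administrator would install. Safe to run anywhere.

# enc_mask_describe PATH MASK
#   PATH is "in" or "out", MASK a hex (0x...) or decimal value.
#   Prints one clause per bit set, in the manual page's wording,
#   each terminated by ';'.
enc_mask_describe() {
    _path=$1
    _mask=$(($2))                 # $(( )) accepts 0x-prefixed hex
    _out=""
    if [ $((_mask & 1)) -ne 0 ]; then
        if [ "$_path" = in ]; then
            _out="${_out}before stripping off the outer header;"
        else
            _out="${_out}with only the inner header;"
        fi
    fi
    if [ $((_mask & 2)) -ne 0 ]; then
        if [ "$_path" = in ]; then
            _out="${_out}after stripping off the outer header;"
        else
            _out="${_out}with outer and inner headers;"
        fi
    fi
    if [ $((_mask & 4)) -ne 0 ]; then
        # 0x4 is only meaningful for the bpf masks.
        _out="${_out}also after firewall processing;"
    fi
    if [ -z "$_out" ]; then
        _out="never;"
    fi
    printf '%s\n' "$_out"
}

# enc_bpf_copies MASK
#   Number of times one packet reaches a BPF listener on enc0 for the
#   given ipsec_bpf_mask: one copy per bit among 0x1, 0x2 and 0x4.
#   The default outgoing mask 0x3 therefore shows every packet twice.
enc_bpf_copies() {
    _m=$(($1))
    _n=0
    if [ $((_m & 1)) -ne 0 ]; then _n=$((_n + 1)); fi
    if [ $((_m & 2)) -ne 0 ]; then _n=$((_n + 1)); fi
    if [ $((_m & 4)) -ne 0 ]; then _n=$((_n + 1)); fi
    printf '%s\n' "$_n"
}

# enc_suggested_sysctls
#   The sysctl(8) commands for the "Suggested" column of the enc(4) table.
enc_suggested_sysctls() {
    cat <<'EOF'
sysctl net.enc.out.ipsec_bpf_mask=0x00000001
sysctl net.enc.out.ipsec_filter_mask=0x00000001
sysctl net.enc.in.ipsec_bpf_mask=0x00000002
sysctl net.enc.in.ipsec_filter_mask=0x00000002
EOF
}

# enc_pf_rules
#   Constructed pf.conf fragment for the suggested masks: with
#   net.enc.in.ipsec_filter_mask=0x2 the firewall sees the decapsulated
#   inner packet on enc0, so the rules match on inner addresses.
#   Assumptions: pf is the pfil(9) consumer, em0 is the outside
#   interface carrying the ESP packets, and the addresses are made up.
enc_pf_rules() {
    cat <<'EOF'
pass in on em0 proto esp
pass in quick on enc0 inet proto tcp from 10.1.0.0/24 to 10.2.0.5 port 22 keep state
block in log on enc0
EOF
}

# Show what the kernel defaults mean before anything is changed.
for _spec in "out 0x00000003" "in 0x00000001"; do
    set -- $_spec
    printf 'default %s bpf mask %s: %s (%s copies per packet)\n' \
        "$1" "$2" "$(enc_mask_describe "$1" "$2")" "$(enc_bpf_copies "$2")"
done
```

Run the script as-is to see the defaults decoded; on a FreeBSD host, `enc_suggested_sysctls | sh` as root applies the suggested values, after which `tcpdump -i enc0` shows each packet once and the pf rules above see inner addresses on incoming traffic.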