path: root/static/netbsd/man4/ipsecif.4
author: Jacob McDonnell <jacob@jacobmcdonnell.com> 2026-04-25 15:32:58 -0400
committer: Jacob McDonnell <jacob@jacobmcdonnell.com> 2026-04-25 15:32:58 -0400
commit: 5cb84ec742fd33f78c8022863fadaa8d0d93e176 (patch)
tree: 1a81ca3665e6153923e40db7b0d988f8573ab59c /static/netbsd/man4/ipsecif.4
parent: a59214f344567c037d5776879bcfc5fcc1d4d5f6 (diff)
feat: Added NetBSD man pages
Diffstat (limited to 'static/netbsd/man4/ipsecif.4')
-rw-r--r-- static/netbsd/man4/ipsecif.4 198
1 files changed, 198 insertions, 0 deletions
diff --git a/static/netbsd/man4/ipsecif.4 b/static/netbsd/man4/ipsecif.4
new file mode 100644
index 00000000..00d7c061
--- /dev/null
+++ b/static/netbsd/man4/ipsecif.4
@@ -0,0 +1,198 @@
+.\" $NetBSD: ipsecif.4,v 1.6 2024/09/29 19:35:35 bad Exp $
+.\"
+.\" Copyright (C) 2017 Internet Initiative Japan Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the project nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd January 25, 2018
+.Dt IPSECIF 4
+.Os
+.Sh NAME
+.Nm ipsecif
+.Nd IPsec interface
+.Sh SYNOPSIS
+.Cd "pseudo-device ipsecif"
+.Sh DESCRIPTION
+The
+.Nm
+interface is targeted for route-based VPNs.
+It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and
+secure it with ESP.
+.Pp
+.Nm
+interfaces are dynamically created and destroyed with the
+.Xr ifconfig 8
+.Cm create
+and
+.Cm destroy
+subcommands.
+The administrator must configure
+.Nm
+tunnel endpoint addresses.
+These addresses will be used for the outer IP header of ESP packets.
+The administrator also configures the protocol
+and addresses for the inner IP header with the
+.Xr ifconfig 8
+.Cm inet
+or
+.Cm inet6
+subcommands, and modify the routing table to route the packets through
+the
+.Nm
+interface.
+.Pp
+The packet processing is similar to
+.Xr gif 4
+over
+.Xr ipsec 4
+transport mode, however the security policy management is different.
+.Xr gif 4
+over
+.Xr ipsec 4
+transport mode expects userland programs to manage their
+security policies.
+In contrast,
+.Nm
+manages its security policies by itself: when the administrator
+sets up an
+.Nm
+tunnel source and destination address pair, the related security policies
+are created automatically in the kernel.
+They are automatically deleted when the tunnel is destroyed.
+.Pp
+It also means that
+.Nm
+ensures that both the in and out security policy pairs exist, that is,
+.Nm
+avoids the trouble caused when only one of the in and out security
+policy pair exists.
+.Pp
+There are four security policies generated by
+.Nm :
+one in and out pair for IPv4 and IPv6 each.
+These security policies are equivalent to the following
+.Xr ipsec.conf 5
+configuration where src and dst are IP addresses specified to the tunnel:
+.Bd -literal -offset indent
+spdadd "src" "dst" ipv4 -P out ipsec esp/transport//unique;
+spdadd "dst" "src" ipv4 -P in ipsec esp/transport//unique;
+spdadd "src" "dst" ipv6 -P out ipsec esp/transport//unique;
+spdadd "dst" "src" ipv6 -P in ipsec esp/transport//unique;
+.Ed
+.Pp
+The
+.Nm
+configuration will fail if such security policies already exist, and
+vice versa.
+.Pp
+The related security associations can be established by an IKE daemon such as
+.Xr racoon 8 .
+They can also be manipulated manually by
+.Xr setkey 8
+with the
+.Fl u
+option which sets a security policy's unique id.
+.Pp
+Some
+.Xr ifconfig 8
+parameters change the behaviour of
+.Nm .
+link0 can enable NAT-Traversal,
+link1 can enable ECN friendly mode like
+.Xr gif 4 ,
+and link2 can enable forwarding inner IPv6 packets.
+Only link2 is set by default.
+If you use only IPv4 packets as inner packets, you would want to
+do
+.Bd -literal -offset indent
+ifconfig ipsec0 -link2
+.Ed
+.Pp
+to reduce security associations for IPv6 packets.
+.Sh EXAMPLES
+Configuration example:
+.Bd -literal
+Out IP addr = 172.16.100.1 Out IP addr = 172.16.200.1
+wm0 = 192.168.0.1/24 wm0 = 192.168.0.2/24
+wm1 = 10.100.0.1/24 wm1 = 10.200.0.1/24
+
++------------+ +------------+
+| NetBSD_A | | NetBSD_B |
+|------------| |------------|
+| [ipsec0] - - - - - - - - (tunnel) - - - - - - - - [ipsec0] |
+| [wm0]------------- ... --------------[wm0] |
+| | | |
++---[wm1]----+ +----[wm1]---+
+ | |
+ | |
++------------+ +------------+
+| Host_X | | Host_Y |
++------------+ +------------+
+.Ed
+.Pp
+Host_X and Host_Y will be able to communicate via an IPv4 IPsec
+tunnel.
+.Pp
+On NetBSD_A:
+.Bd -literal
+# ifconfig wm0 inet 192.168.0.1/24
+# ifconfig ipsec0 create
+# ifconfig ipsec0 tunnel 192.168.0.1 192.168.0.2
+# ifconfig ipsec0 inet 172.16.100.1/32 172.16.200.1
+start IKE daemon or set security associations manually.
+# ifconfig wm1 inet 10.100.0.1/24
+# route add 10.200.0.1 172.16.100.1
+.Ed
+.Pp
+On NetBSD_B:
+.Bd -literal
+# ifconfig wm0 inet 192.168.0.2/24
+# ifconfig ipsec0 create
+# ifconfig ipsec0 tunnel 192.168.0.2 192.168.0.1
+# ifconfig ipsec0 inet 172.16.200.1/32 172.16.100.1
+start IKE daemon or set security associations manually.
+# ifconfig wm1 inet 10.200.0.1/24
+# route add 10.100.0.1 172.16.200.1
+.Ed
+.Sh SEE ALSO
+.Xr gif 4 ,
+.Xr inet 4 ,
+.Xr inet6 4 ,
+.Xr ipsec 4 ,
+.Xr ifconfig 8 ,
+.Xr racoon 8 ,
+.Xr setkey 8
+.Sh HISTORY
+The
+.Nm
+device first appeared in
+.Nx 8.0 .
+.Sh LIMITATIONS
+Currently, the
+.Nm
+interface supports the ESP protocol only.
+.Nm
+supports default port number (4500) only for NAT-Traversal.
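Review bot: Neither the commit message ("feat: Added NetBSD man pages") nor anything in the hunk records which NetBSD release or source checkout these 198 lines were copied from, beyond the per-file RCS line `$NetBSD: ipsecif.4,v 1.6 2024/09/29 19:35:35 bad Exp $`; add the source release or tag to the commit message or a README beside the man4 directory so the vendored copy can later be diffed against upstream and refreshed (the copyright block and "Redistributions of source code must retain the above copyright notice" conditions are kept intact, which is what clause 1 requires for a verbatim copy). Separately, in the EXAMPLES section the diagram from "Out IP addr = 172.16.100.1 Out IP addr = 172.16.200.1" down to "+------------+ +------------+" shows the two hosts' columns separated by a single space, so the NetBSD_B box no longer lines up under its addresses; since this sits inside a ".Bd -literal" block where whitespace is significant, check that the committed file keeps the original column padding rather than the collapsed form shown here.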