Diffstat (limited to 'static/freebsd/man4/enc.4 3.html')
| -rw-r--r-- | static/freebsd/man4/enc.4 3.html | 115 |
1 files changed, 115 insertions, 0 deletions
diff --git a/static/freebsd/man4/enc.4 3.html b/static/freebsd/man4/enc.4 3.html new file mode 100644 index 00000000..f75c5d00 --- /dev/null +++ b/static/freebsd/man4/enc.4 3.html 
@@ -0,0 +1,115 @@ +<table class="head"> + <tr> + <td class="head-ltitle">ENC(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">ENC(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">enc</code> — + <span class="Nd">Encapsulating Interface</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<p class="Pp">To compile this driver into the kernel, place the following line + in your kernel configuration file:</p> +<div class="Bd Pp Bd-indent"><code class="Cd">device enc</code></div> +<p class="Pp">Alternatively, to load the driver as a module at boot time, place + the following line in <a class="Xr">loader.conf(5)</a>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>if_enc_load="YES"</pre> +</div> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <code class="Nm">enc</code> interface is a software loopback + mechanism that allows hosts or firewalls to filter + <a class="Xr">ipsec(4)</a> traffic using any firewall package that hooks in + via the <a class="Xr">pfil(9)</a> framework.</p> +<p class="Pp">The <code class="Nm">enc</code> interface allows an administrator + to see incoming and outgoing packets before and after they will be or have + been processed by <a class="Xr">ipsec(4)</a> via + <a class="Xr">tcpdump(1)</a>.</p> +<p class="Pp">The “<code class="Li">enc0</code>” interface + inherits all IPsec traffic. 
Thus all IPsec traffic can be filtered based on + “<code class="Li">enc0</code>”, and all IPsec traffic could be + seen by invoking <a class="Xr">tcpdump(1)</a> on the + “<code class="Li">enc0</code>” interface.</p> +<p class="Pp">What can be seen with <a class="Xr">tcpdump(1)</a> and what will + be passed on to the firewalls via the <a class="Xr">pfil(9)</a> framework + can be independently controlled using the following + <a class="Xr">sysctl(8)</a> variables:</p> +<table class="Bl-column"> + <tr id="Name"> + <td><a class="permalink" href="#Name"><b class="Sy">Name</b></a></td> + <td>Defaults</td> + <td>Suggested</td> + </tr> + <tr> + <td>net.enc.out.ipsec_bpf_mask</td> + <td>0x00000003</td> + <td>0x00000001</td> + </tr> + <tr> + <td>net.enc.out.ipsec_filter_mask</td> + <td>0x00000001</td> + <td>0x00000001</td> + </tr> + <tr> + <td>net.enc.in.ipsec_bpf_mask</td> + <td>0x00000001</td> + <td>0x00000002</td> + </tr> + <tr> + <td>net.enc.in.ipsec_filter_mask</td> + <td>0x00000001</td> + <td>0x00000002</td> + </tr> +</table> +<p class="Pp">For the incoming path a value of <code class="Li">0x1</code> means + “<code class="Li">before stripping off the outer + header</code>” and <code class="Li">0x2</code> means + “<code class="Li">after stripping off the outer + header</code>”. For the outgoing path <code class="Li">0x1</code> + means “<code class="Li">with only the inner header</code>” and + <code class="Li">0x2</code> means “<code class="Li">with outer and + inner headers</code>”.</p> +<div class="Bd Pp Li"> +<pre>incoming path |------| +---- IPsec processing ---- (before) ---- (after) ----> | | + | Host | +<--- IPsec processing ---- (after) ----- (before) ---- | | +outgoing path |------|</pre> +</div> +<p class="Pp">Most people will want to run with the suggested defaults for + <code class="Cm">ipsec_filter_mask</code> and rely on the security policy + database for the outer headers.</p> +<p class="Pp">Note that packets are captured by BPF before firewall processing. 
+ The special value 0x4 can be configured in the + <var class="Ar">ipsec_bpf_mask</var> and packets will be also captured after + firewall processing.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1> +<p class="Pp">To see the packets processed via <a class="Xr">ipsec(4)</a>, + adjust the <a class="Xr">sysctl(8)</a> variables according to your need and + run:</p> +<p class="Pp"></p> +<div class="Bd Bd-indent"><code class="Li">tcpdump -i enc0</code></div> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">tcpdump(1)</a>, <a class="Xr">bpf(4)</a>, + <a class="Xr">ipf(4)</a>, <a class="Xr">ipfw(4)</a>, + <a class="Xr">ipsec(4)</a>, <a class="Xr">pf(4)</a></p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">August 9, 2017</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
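Review bot: the new path static/freebsd/man4/enc.4 3.html contains a space and a " 3" suffix, which reads like a duplicated-download name rather than the intended static/freebsd/man4/enc.4.html (the Diffstat shows it as a brand-new file, so nothing else references this name yet); renaming it before merge avoids both a stray copy and quoting trouble for any script that walks the static tree. Within the hunk, every cross-reference anchor is emitted without an href (e.g. `<a class="Xr">tcpdump(1)</a>`, `<a class="Xr">ipsec(4)</a>`, and the whole SEE ALSO list), so none of the references will link to the other man pages in this tree; regenerating with mandoc's `-O man=...` output option, or adding the hrefs, would make them navigable. The empty `<p class="Pp"></p>` just before the `tcpdump -i enc0` example in EXAMPLES is a generator artifact and can be dropped.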
