path: root/static/freebsd/man9/ecn.9
blob: 3f407811e22de73521e816f80a098e042d54525a (plain)
.\"
.\" SPDX-License-Identifier: BSD-2-Clause
.\"
.\" Copyright (c) 2026 Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd March 19, 2026
.Dt ECN 9
.Os
.Sh NAME
.Nm ecn ,
.Nm ip_ecn_ingress ,
.Nm ip_ecn_egress ,
.Nm ip6_ecn_ingress ,
.Nm ip6_ecn_egress
.Nd IP ECN interfaces for tunnel encapsulation/decapsulation
.Sh SYNOPSIS
.In sys/netinet/ip_ecn.h
.In sys/netinet6/ip6_ecn.h
.\"
.Ss "Constants"
.Dv ECN_COMPLETE
.Dv ECN_ALLOWED
.Dv ECN_FORBIDDEN
.Dv ECN_NOCARE
.\"
.Ss "ECN Manipulation Functions"
.Ft "void"
.Fn ip_ecn_ingress "int mode" "uint8_t *outer" "const uint8_t *inner"
.Ft "void"
.Fn "ip6_ecn_ingress" "int mode" "uint32_t *outer" "const uint32_t *inner"
.Ft "int"
.Fn "ip_ecn_egress" "int mode" "uint8_t *outer" "const uint8_t *inner"
.Ft "int"
.Fn "ip6_ecn_egress" "int mode" "uint32_t *outer" "const uint32_t *inner"
.\"
.Sh DESCRIPTION
The
.Fn ip_ecn_ingress
and
.Fn ip_ecn_egress
interfaces implement Explicit Congestion Notification (ECN) processing for
tunnel encapsulation (ingress) and decapsulation (egress).
They operate on the ECN bits in the IP Type of Service (TOS) or
IPv6 Traffic Class (TCLASS) header field.
These functions implement the standard specification of RFC6040 in
.Vt ECN_ALLOWED
mode for
.Fn ip_ecn_egress ,
with the addition of
.Vt ECN_FORBIDDEN
mode as a compatibility mode in
.Fn ip_ecn_ingress .
.Ss Interface
The functions for manipulating
.Vt ip_tos
and
.Vt ip6_flow
are as follows:
.Bl -tag -width indent -offset indent
.It Fn ip_ecn_ingress Fn ip6_ecn_ingress
Perform ECN processing at encapsulation time (ingress) based on
the ECN bits of the
.Vt ip_tos
field in
.Vt "struct ip"
or the
.Vt ip6_flow
field in
.Vt "struct ip6_hdr"
as
.Va inner
to
.Va outer .
It also copies the DSCP value from
.Va inner
to
.Va outer .
.It Fn ip_ecn_egress Fn ip6_ecn_egress
Perform ECN processing at decapsulation time (egress) based on
the ECN bits of
.Va outer
to
.Va inner .
.Vt ECN_ALLOWED
mode may modify the
.Va inner
ECN bits or instruct the caller to drop or log
by returning
.Vt ECN_WARN
or
.Vt ECN_ALARM
values.
.El
.Pp
Return codes for
.Fn ip_ecn_egress
are as follows:
.Bl -tag -width ".Dv ECN_SUCCESS" -offset indent
.It Dv ECN_DROP
(0) Caller MUST drop the packet.
.It Dv ECN_SUCCESS
(1) Processing succeeded;
inner ECN bits may have been updated.
.It Dv ECN_WARN
(2) Processing succeeded;
caller MAY log a warning for an anomalous ECN combination.
.It Dv ECN_ALARM
(3) Processing succeeded;
caller SHOULD log and MAY raise an alarm for a serious ECN anomaly.
.El
.Pp
The following modes are handled by these functions:
.Bl -tag -width ".Dv ECN_FORBIDDEN" -offset indent
.It Dv ECN_COMPLETE
Normal mode as defined in RFC6040.
ECN bits are preserved through encapsulation;
decapsulation follows RFC6040 rules and returns
.Vt ECN_WARN
or
.Vt ECN_ALARM
values when a potentially dangerous packet is detected.
.It Dv ECN_ALLOWED
Normal mode as defined in RFC6040 without security checks.
ECN bits are preserved through encapsulation;
decapsulation follows RFC6040 rules.
.It Dv ECN_FORBIDDEN
Compatibility mode.
ECN is stripped on encapsulation, and decapsulation will
drop packets that carry CE in the outer header.
This mode should not be used in
.Fn ip_ecn_egress
or
.Fn ip6_ecn_egress
since the
.Vt ECN_ALLOWED
mode already covers all possible scenarios as specified in RFC6040.
.It Dv ECN_NOCARE
ECN bits are left unchanged and ignored.
.El
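.Pp
An added example, not part of the FreeBSD sources: a userland sketch of a decapsulation caller that acts on each return code listed above instead of testing only for non-zero.
The names demo_ecn_egress, decap_strict and struct decap_stats are hypothetical; demo_ecn_egress is a stand-in that follows the RFC 6040 decapsulation table and assumes its (!) and (!!!) markers correspond to ECN_WARN and ECN_ALARM.

```c
#include <stdint.h>

/* Return codes, with the numeric values listed on this manual page. */
enum { ECN_DROP = 0, ECN_SUCCESS = 1, ECN_WARN = 2, ECN_ALARM = 3 };
/* ECN codepoints in the low two bits of TOS/TCLASS (RFC 3168). */
enum { NOTECT = 0, ECT1 = 1, ECT0 = 2, CE = 3 };

struct decap_stats { unsigned forwarded, dropped, warned, alarmed; };

/*
 * Hypothetical stand-in for ip_ecn_egress(), not FreeBSD code: the RFC 6040
 * decapsulation table, assuming (!) maps to ECN_WARN and (!!!) to ECN_ALARM.
 */
static int
demo_ecn_egress(uint8_t outer, uint8_t *inner)
{
	uint8_t o = outer & 3, i = *inner & 3;

	if (i == NOTECT)	/* inner flow is not ECN-capable */
		return (o == CE ? ECN_DROP : o == NOTECT ? ECN_SUCCESS : ECN_ALARM);
	if (i == CE)		/* already marked; outer ECT(1) is anomalous */
		return (o == ECT1 ? ECN_ALARM : ECN_SUCCESS);
	if (i == ECT1 && o == ECT0)	/* inner unchanged, worth a log line */
		return (ECN_WARN);
	if (o == CE || o == ECT1)	/* propagate CE or ECT(1) inwards */
		*inner = (uint8_t)((*inner & ~3) | o);
	return (ECN_SUCCESS);
}

/* Caller that acts on every code; returns 1 to forward, 0 to drop. */
static int
decap_strict(uint8_t outer, uint8_t *inner, struct decap_stats *st)
{
	switch (demo_ecn_egress(outer, inner)) {
	case ECN_DROP:
		st->dropped++;	/* MUST drop */
		return (0);
	case ECN_ALARM:
		st->alarmed++;	/* SHOULD log, MAY raise an alarm */
		break;
	case ECN_WARN:
		st->warned++;	/* MAY log a warning */
		break;
	default:
		break;
	}
	st->forwarded++;
	return (1);
}
```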
.Ss IPV6 HANDLING
The IPv6 interfaces
.Fn ip6_ecn_ingress
and
.Fn ip6_ecn_egress
extract the 8-bit DSCP and ECN values from the 32-bit
.Vt ip6_flow
and pass them to the equivalent IPv4 interfaces.
.Sh SEE ALSO
.Xr ip 4 ,
.Xr ip6 4 ,
.Xr ipsec 4
.Sh HISTORY
Historically,
.Fn ip_ecn_egress
used a boolean-style return.
The current API preserves numeric mapping for drop (ECN_DROP == 0)
and success (ECN_SUCCESS == 1) but defines additional non-zero
status codes (ECN_WARN, ECN_ALARM).
Callers that only test for non-zero success will continue to
treat WARN/ALARM as success.
.Sh AUTHORS
.An Pouria Mousavizadeh Tehrani Aq Mt pouria@FreeBSD.org