MFC r322310:

  Add to if_enc(4) ability to capture packets via BPF after pfil processing.

  New flag 0x4 can be configured in net.enc.[in|out].ipsec_bpf_mask.
  When it is set, if_enc(4) additionally captures a packet via BPF after
  invoking pfil hook. This may be useful for debugging.

  Sponsored by:	Yandex LLC

1 files changed, 13 insertions, 1 deletions

diff --git a/share/man/man4/enc.4 b/share/man/man4/enc.4
index 3205918..42e0143 100644
--- a/share/man/man4/enc.4
+++ b/share/man/man4/enc.4
@@ -31,7 +31,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 28, 2007
+.Dd August 9, 2017
 .Dt ENC 4
 .Os
 .Sh NAME
@@ -44,6 +44,13 @@ kernel configuration file:
 .Bd -ragged -offset indent
 .Cd "device enc"
 .Ed
+.Pp
+Alternatively, to load the driver as a
+module at boot time, place the following line in
+.Xr loader.conf 5 :
+.Bd -literal -offset indent
+if_enc_load="YES"
+.Ed
 .Sh DESCRIPTION
 The
 .Nm
@@ -115,6 +122,11 @@ outgoing path                                          |------|
 Most people will want to run with the suggested defaults for
 .Cm ipsec_filter_mask
 and rely on the security policy database for the outer headers.
+.Pp
+Note that packets are captured by BPF before firewall processing.
+The special value 0x4 can be configured in the
+.Ar ipsec_bpf_mask
+and packets will be also captured after firewall processing.
 .Sh EXAMPLES
 To see the packets the processed via
 .Xr ipsec 4 ,