author | bz <bz@FreeBSD.org> | 2007-11-28 22:35:48 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2007-11-28 22:35:48 +0000 |
commit | 9f93f5ff2f22ec1a46e88ab0cbbbfdde63a65de1 (patch) | |
tree | 8acdcc1ddf59069381367340dc2918e7f34c48e1 /share | |
parent | 05fda2a0bf2b957c1175b607bf125c590f44a416 (diff) | |
download | FreeBSD-src-9f93f5ff2f22ec1a46e88ab0cbbbfdde63a65de1.zip FreeBSD-src-9f93f5ff2f22ec1a46e88ab0cbbbfdde63a65de1.tar.gz |
Update man page to reflect latest work on enc(4):
- added sysctls to if_enc(4) to control whether the firewalls or
bpf will see inner and outer headers or just inner headers
for incoming and outgoing IPsec packets.
- if_enc works with IPv6 now as well.
Reviewed by: brueffer
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man4/enc.4 | 59 |
1 files changed, 52 insertions, 7 deletions
diff --git a/share/man/man4/enc.4 b/share/man/man4/enc.4 index 3da2dfd..4b05e57 100644 --- a/share/man/man4/enc.4 +++ b/share/man/man4/enc.4 @@ -31,7 +31,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 1, 2007 +.Dd November 28, 2007 .Dt ENC 4 .Os .Sh NAME @@ -56,10 +56,10 @@ framework. .Pp The .Nm -interface allows an administrator -to see outgoing packets before they have been processed by -.Xr ipsec 4 , -or incoming packets after they have been similarly processed, via +interface allows an administrator to see incoming and outgoing packets +before and after they will be or have been processed by +.Xr ipsec 4 +via .Xr tcpdump 1 . .Pp The 
@@ -72,10 +72,55 @@ and all IPsec traffic could be seen by invoking on the .Dq Li enc0 interface. +.Pp +What can be seen with +.Xr tcpdump 1 +and what will be passed on to the firewalls via the +.Xr pfil 9 +framework can be independently controlled using the following +.Xr sysctl 8 +variables: +.Bl -column net.enc.out.ipsec_filter_mask 0x00000000 0x00000000 +.It Sy "Name Defaults Suggested" +.It "net.enc.out.ipsec_bpf_mask" 0x00000003 0x00000001 +.It "net.enc.out.ipsec_filter_mask" 0x00000001 0x00000001 +.It "net.enc.in.ipsec_bpf_mask" 0x00000001 0x00000002 +.It "net.enc.in.ipsec_filter_mask" 0x00000001 0x00000002 +.El +.Pp +For the incoming path a value of +.Li 0x1 +means +.Dq Li before stripping off the outer header +and +.Li 0x2 +means +.Dq Li after stripping off the outer header . +For the outgoing path +.Li 0x1 +means +.Dq Li with only the inner header +and +.Li 0x2 +means +.Dq Li with outer and inner headers . +.Bd -literal +incoming path |------| +---- IPsec processing ---- (before) ---- (after) ----> | | + | Host | +<--- IPsec processing ---- (after) ----- (before) ---- | | +outgoing path |------| +.Ed +.Pp +Most people will want to run with the suggested defaults for +.Cm ipsec_filter_mask +and rely on the security policy database for the outer headers. .Sh EXAMPLES -To see all outgoing packets before they have been processed via +To see the packets the processed via .Xr ipsec 4 , -or all incoming packets after they have been similarly processed: +adjust the +.Xr sysctl 8 +variables according to your need and run: .Pp .Dl "tcpdump -i enc0" .Sh SEE ALSO |
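Review bot: the rewritten DESCRIPTION sentence in the second hunk, "interface allows an administrator to see incoming and outgoing packets before and after they will be or have been processed by .Xr ipsec 4 via .Xr tcpdump 1", stacks two tenses ("will be or have been") and is hard to read aloud. Suggest "interface allows an administrator to see incoming and outgoing packets either before or after they are processed by .Xr ipsec 4 , using .Xr tcpdump 1 ." so the sentence matches the before/after terminology the new sysctl paragraph and diagram introduce below.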
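Review bot: the EXAMPLES sentence in the third hunk has a typo: "To see the packets the processed via .Xr ipsec 4 ," should read "To see the packets processed via .Xr ipsec 4 ,". In the same hunk, the closing paragraph "Most people will want to run with the suggested defaults for .Cm ipsec_filter_mask" is ambiguous, because the table just above has both a "Defaults" and a "Suggested" column and they disagree for net.enc.in.ipsec_filter_mask (0x00000001 vs 0x00000002); since the point of the paragraph is that the firewall should see only the inner header and leave the outer-header policy to the SPD, say "the suggested values" explicitly. Minor: the table header reads "Name Defaults Suggested"; "Default" would match the other singular column names.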