From bdea400f3ba20dd0ffcaef20d68912f7041d9eeb Mon Sep 17 00:00:00 2001 From: Andrew Thompson Date: Mon, 26 Jun 2006 22:30:08 +0000 Subject: Add a pseudo interface for packet filtering IPSec connections before or after encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering. Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month --- share/man/man4/enc.4 | 82 +++++++++++++++++++++++++++++++++++++++++++++ share/man/man4/fast_ipsec.4 | 6 ++++ 2 files changed, 88 insertions(+) create mode 100644 share/man/man4/enc.4 (limited to 'share/man') diff --git a/share/man/man4/enc.4 b/share/man/man4/enc.4 new file mode 100644 index 000000000000..9f76e6d6c073 --- /dev/null +++ b/share/man/man4/enc.4 @@ -0,0 +1,82 @@ +.\" $OpenBSD: enc.4,v 1.22 2006/05/26 08:51:29 jmc Exp $ +.\" +.\" Copyright (c) 1999 Angelos D. Keromytis +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by Angelos D. Keromytis. +.\" 4. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd June 16, 2006 +.Dt ENC 4 +.Os +.Sh NAME +.Nm enc +.Nd Encapsulating Interface +.Sh SYNOPSIS +.Cd "device enc" +.Sh DESCRIPTION +The +.Nm +interface is a software loopback mechanism that allows hosts or +firewalls to filter +.Xr fast_ipsec 4 +traffic using any firewall package that hooks in via the +.Xr pfil 9 +framework. +.Pp +The +.Nm +interface allows an administrator +to see outgoing packets before they have been processed by +.Xr fast_ipsec 4 , +or incoming packets after they have been similarly processed, via +.Xr tcpdump 8 . +.Pp +The +.Dq enc0 +interface inherits all IPsec traffic. +Thus all IPsec traffic can be filtered based on +.Dq enc0 , +and all IPsec traffic could be seen by invoking +.Xr tcpdump 8 +on the +.Dq enc0 +interface. +.Sh EXAMPLES +To see all outgoing packets before they have been processed via +.Xr fast_ipsec 4 , +or all incoming packets after they have been similarly processed: +.Pp +.Dl # tcpdump -i enc0 +.Sh SEE ALSO +.Xr bpf 4 , +.Xr fast_ipsec 4 , +.Xr ipf 4 , +.Xr ipfw 4 , +.Xr pf 4 , +.Xr tcpdump 8 diff --git a/share/man/man4/fast_ipsec.4 b/share/man/man4/fast_ipsec.4 index 503ef60c2942..e792cd993fd5 100644 --- a/share/man/man4/fast_ipsec.4 +++ b/share/man/man4/fast_ipsec.4 @@ -78,10 +78,16 @@ When the protocols are configured for use, all protocols are included in the system. To selectively enable/disable protocols, use .Xr sysctl 8 . +.Pp +The packets can be passed to a virtual interface, +.Dq enc0 , +to perform packet filtering before outbound encryption and after decapsulation +inbound. .Sh DIAGNOSTICS To be added. .Sh SEE ALSO .Xr crypto 4 , +.Xr enc 4 , .Xr ipsec 4 , .Xr setkey 8 , .Xr sysctl 8 -- cgit v1.2.3