diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile --- a/share/man/man9/Makefile +++ b/share/man/man9/Makefile @@ -144,6 +144,7 @@ drbr.9 \ driver.9 \ DRIVER_MODULE.9 \ + ecn.9 \ efirt.9 \ epoch.9 \ ether_gen_addr.9 \ @@ -1106,6 +1107,10 @@ MLINKS+=DRIVER_MODULE.9 DRIVER_MODULE_ORDERED.9 \ DRIVER_MODULE.9 EARLY_DRIVER_MODULE.9 \ DRIVER_MODULE.9 EARLY_DRIVER_MODULE_ORDERED.9 +MLINKS+=ecn.9 ip_ecn_ingress.9 \ + ecn.9 ip_ecn_egress.9 \ + ecn.9 ip6_ecn_ingress.9 \ + ecn.9 ip6_ecn_egress.9 MLINKS+=epoch.9 epoch_context.9 \ epoch.9 epoch_alloc.9 \ epoch.9 epoch_free.9 \ diff --git a/share/man/man9/ecn.9 b/share/man/man9/ecn.9 new file mode 100644 --- /dev/null +++ b/share/man/man9/ecn.9 @@ -0,0 +1,158 @@ +.Dd November 1, 2025 +.Dt ECN 9 +.Os +.Sh NAME +.Nm ecn , +.Nm ip_ecn_ingress , +.Nm ip_ecn_egress , +.Nm ip6_ecn_ingress , +.Nm ip6_ecn_egress +.Nd IP ECN interfaces for tunnel encapsulation/decapsulation +.Sh SYNOPSIS +.In sys/netinet/ip_ecn.h +.In sys/netinet6/ip6_ecn.h +.\" +.Ss "Constants" +.Dv ECN_COMPLETE +.Dv ECN_ALLOWED +.Dv ECN_FORBIDDEN +.Dv ECN_NOCARE +.\" +.Ss "ECN Manipulation Functions" +.Ft "void" +.Fn ip_ecn_ingress "int mode" "uint8_t *outer" "const uint8_t *inner" +.Ft "void" +.Fn "ip6_ecn_ingress" "int mode" "uint32_t *outer" "const uint32_t *inner" +.Ft "int" +.Fn "ip_ecn_egress" "int mode" "uint8_t *outer" "const uint8_t *inner" +.Ft "int" +.Fn "ip6_ecn_egress" "int mode" "uint32_t *outer" "const uint32_t *inner" +.\" +.Sh DESCRIPTION +The +.Fn ip_ecn_ingress +and +.Fn ip_ecn_egress +interfaces implement Explicit Congestion Notification (ECN) processing for +tunnel encapsulation (ingress) and decapsulation (egress). They operate on +the ECN bits in the IP Type of Service (TOS) or +IPv6 Traffic Class (TCLASS) header field. +These functions implements the standard specification of RFC6040 in +.Vt ECN_ALLOWED +mode for +.Fn ip_ecn_egress +with addition of +.Vt ECN_FORBIDDEN +mode as compatibility mode in +.Fn ip_ecn_ingress . +.Ss Interface +The functions for manipulating +.Vt ip_tos +and +.Vt ipv6_flow +are as follows: +.Bl -tag -width indent -offset indent +.It Fn ip_ecn_ingress Fn ip6_ecn_ingress +Perform ECN processing at encapsulation time (ingress) based on +the ECN bits of the +.Vt ip_tos +field in +.Vt "struct ip" +or the +.Vt ip6_flow +field in +.Vt "struct ip6_hdr" +as +.Va inner +to +.Va outer . +It also copies the DSCP value from +.Va inner +to +.Va outer . +.It Fn ip_ecn_egress Fn ip6_ecn_egress +Perform ECN processing at decapsulation time (egress) based on +the ECN bits of +.Va outer +to +.Va inner . +.Vt ECN_ALLOWED +mode may modify the +.Va inner +ECN bits or instruct the caller to drop or log +by returning +.Vt ECN_WARN +or +.Vt ECN_ALARM +values. +.El +.Pp +Return codes for +.Fn ip_ecn_egress +are as follows: +.Bl -tag -width ".Dv ECN_SUCCESS" -offset indent +.It Dv ECN_DROP +(0) Caller MUST drop the packet. +.It Dv ECN_SUCCESS +(1) Processing succeeded; +inner ECN bits may have been updated. +.It Dv ECN_WARN +(2) Processing succeeded; +caller MAY log a warning for an anomalous ECN combination. +.It Dv ECN_ALARM +(3) Processing succeeded; +caller SHOULD log and MAY raise an alarm for a serious ECN anomaly. +.El +.Pp +The following modes are handled by functions: +.Bl -tag -width ".Dv ECN_FORBIDDEN" -offset indent +.It Dv ECN_COMPLETE +Normal mode as defined in RFC6040. +ECN bits are preserved through encapsulation; +decapsulation follows RFC6040 rules and it returns +.Vt ECN_WARN +or +.Vt ECN_ALARM +values when a potentially dangerous packet detected. +.It Dv ECN_ALLOWED +Normal mode as defined in RFC6040 without security checks. +ECN bits are preserved through encapsulation; +decapsulation follows RFC6040 rules. +.It Dv ECN_FORBIDDEN +Compatibility mode. +ECN is stripped on encapsulation and decapsulation will +drop packets that carry CE in the outer header. +This mode should not be used in +.Fn ip_ecn_egress +or +.Fn ip6_ecn_egress +since the +.Vt ECN_ALLOWED +mode already covers all possible scenarios as specified in RFC6040. +.It Dv ECN_NOCARE +leave ECN bits unchanged and ignored. +.El +.Ss IPV6 HANDLING +IPv6 interfaces +.Fn ip6_ecn_ingress +and +.Fn ip6_ecn_egress +extract the 8‑bit DSCP and ECN values from the 32‑bit +.Vt ip6_flow +and insert it to IPv4 equivalent interfaces. +.Sh SEE ALSO +.Xr ip 4 , +.Xr ip6 4 , +.Xr ipsec 4 +.Sh HISTORY +Historically +.Fn ip_ecn_egress +used a boolean-style return. +The current API preserves numeric mapping for drop (ECN_DROP == 0) +and success (ECN_SUCCESS == 1) but defines additional non‑zero +status codes (ECN_WARN, ECN_ALARM). +Callers that only test for non‑zero success will continue to +treat WARN/ALARM as success. +.Sh AUTHORS +This manual page was written by +.An Seyed Pouria Mousavizadeh Tehrani .