Page MenuHomeFreeBSD
Files F134796908

D53517.diff
No OneTemporary
Actions

D53517.diff
View Options

diff --git a/share/man/man9/Makefile b/share/man/man9/Makefile
--- a/share/man/man9/Makefile
+++ b/share/man/man9/Makefile
@@ -144,6 +144,7 @@
drbr.9 \
driver.9 \
DRIVER_MODULE.9 \
+ ecn.9 \
efirt.9 \
epoch.9 \
ether_gen_addr.9 \
@@ -1106,6 +1107,10 @@
MLINKS+=DRIVER_MODULE.9 DRIVER_MODULE_ORDERED.9 \
DRIVER_MODULE.9 EARLY_DRIVER_MODULE.9 \
DRIVER_MODULE.9 EARLY_DRIVER_MODULE_ORDERED.9
+MLINKS+=ecn.9 ip_ecn_ingress.9 \
+ ecn.9 ip_ecn_egress.9 \
+ ecn.9 ip6_ecn_ingress.9 \
+ ecn.9 ip6_ecn_egress.9
MLINKS+=epoch.9 epoch_context.9 \
epoch.9 epoch_alloc.9 \
epoch.9 epoch_free.9 \
diff --git a/share/man/man9/ecn.9 b/share/man/man9/ecn.9
new file mode 100644
--- /dev/null
+++ b/share/man/man9/ecn.9
@@ -0,0 +1,157 @@
+.Dd November 1, 2025
+.Dt ECN 9
+.Os
+.Sh NAME
+.Nm ecn ,
+.Nm ip_ecn_ingress ,
+.Nm ip_ecn_egress ,
+.Nm ip6_ecn_ingress ,
+.Nm ip6_ecn_egress
+.Nd IP ECN interfaces for tunnel encapsulation/decapsulation
+.Sh SYNOPSIS
+.In sys/netinet/ip_ecn.h
+.In sys/netinet6/ip6_ecn.h
+.\"
+.Ss "Constants"
+.Dv ECN_COMPLETE
+.Dv ECN_ALLOWED
+.Dv ECN_FORBIDDEN
+.Dv ECN_NOCARE
+.\"
+.Ss "ECN Manipulation Functions"
+.Ft "void"
+.Fn ip_ecn_ingress "int mode" "u_int8_t *outer" "const u_int8_t *inner"
+.Ft "void"
+.Fn "ip6_ecn_ingress" "int mode" "u_int32_t *outer" "const u_int32_t *inner"
+.Ft "int"
+.Fn "ip_ecn_egress" "int mode" "u_int8_t *outer" "const u_int8_t *inner"
+.Ft "int"
+.Fn "ip6_ecn_egress" "int mode" "u_int32_t *outer" "const u_int32_t *inner"
+.\"
+.Sh DESCRIPTION
+The
+.Fn ip_ecn_ingress
+and
+.Fn ip_ecn_egress
+interfaces implement Explicit Congestion Notification (ECN) processing for
+tunnel encapsulation (ingress) and decapsulation (egress). They operate on
+the ECN bits in the IP Type of Service (TOS) or
+IPv6 Traffic Class (TCLASS) header field.
+These functions implements the standard specification of RFC6040 in
+.Vt ECN_ALLOWED
+mode for
+.Fn ip_ecn_egress
+with addition of
+.Vt ECN_FORBIDDEN
+mode as compatibility mode in
+.Fn ip_ecn_ingress .
+.Ss Interface
+The functions for manipulating
+.Vt ip_tos
+and
+.Vt ipv6_flow
+are as follows:
+.Bl -tag -width indent -offset indent
+.It Fn ip_ecn_ingress Fn ip6_ecn_ingress
+Perform ECN processing at encapsulation time (ingress) based on the ECN bits of
+.Vt ip_tos
+field in
+.Vt "struct ip"
+or
+.Vt ip6_flow
+field in
+.Vt "struct ip6_hdr"
+as
+.Va inner
+to
+.Va outer .
+It also copies the DSCP value from
+.Va inner
+to
+.Va outer .
+.It Fn ip_ecn_egress Fn ip6_ecn_egress
+Perform ECN processing at decapsulation time (egress) based on
+the ECN bits of
+.Va outer
+to
+.Va inner .
+.Vt ECN_ALLOWED
+mode may modify the
+.Va inner
+ECN bits or instruct the caller to drop or log
+by returning
+.Vt ECN_WARN
+or
+.Vt ECN_ALARM
+values.
+.El
+.Pp
+Return codes for
+.Fn ip_ecn_egress
+are as follows:
+.Bl -tag -width ".Dv ECN_SUCCESS" -offset indent
+.It Dv ECN_DROP
+(0) Caller MUST drop the packet.
+.It Dv ECN_SUCCESS
+(1) Processing succeeded;
+inner ECN bits may have been updated.
+.It Dv ECN_WARN
+(2) Processing succeeded;
+caller MAY log a warning for an anomalous ECN combination.
+.It Dv ECN_ALARM
+(3) Processing succeeded;
+caller SHOULD log and MAY raise an alarm for a serious ECN anomaly.
+.El
+.Pp
+The following modes are handled by functions:
+.Bl -tag -width ".Dv ECN_FORBIDDEN" -offset indent
+.It Dv ECN_COMPLETE
+Normal mode as defined in RFC6040.
+ECN bits are preserved through encapsulation;
+decapsulation follows RFC6040 rules and it returns
+.Vt ECN_WARN
+or
+.Vt ECN_ALARM
+values when a potentially dangerous packet detected.
+.It Dv ECN_ALLOWED
+Normal mode as defined in RFC6040 without security checks.
+ECN bits are preserved through encapsulation;
+decapsulation follows RFC6040 rules.
+.It Dv ECN_FORBIDDEN
+Compatibility mode.
+ECN is stripped on encapsulation and decapsulation will
+drop packets that carry CE in the outer header.
+This mode should not be used in the
+.Fn ip_ecn_egress
+or
+.Fn ip6_ecn_egress
+since
+.Vt ECN_ALLOWED
+mode already covers all possible scenarios as specified in RFC6040.
+.It Dv ECN_NOCARE
+leave ECN bits unchanged and ignored.
+.El
+.Ss IPV6 HANDLING
+IPv6 interfaces
+.Fn ip6_ecn_ingress
+and
+.Fn ip6_ecn_egress
+extract the 8‑bit DSCP and ECN values from the 32‑bit
+.Vt ip6_flow
+and insert it to IPv4 equivalent interfaces.
+.Sh SEE ALSO
+.Xr ip 4 ,
+.Xr ip6 4 ,
+.Xr ipsec 4
+.Sh HISTORY
+Historically
+.Fn ip_ecn_egress
+used a boolean-style return.
+The current API preserves numeric mapping for drop (ECN_DROP == 0)
+and success (ECN_SUCCESS == 1) but defines additional non‑zero
+status codes (ECN_WARN, ECN_ALARM).
+Callers that only test for non‑zero success will continue to
+treat WARN/ALARM as success.
+.Sh AUTHORS
+This manual page was written by
+.An Seyed Pouria Mousavizadeh Tehrani .

File Metadata

Mime Type
text/plain
Expires
Wed, Nov 5, 4:36 PM (10 m, 18 s)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
24779815
Default Alt Text
D53517.diff (4 KB)

Event Timeline