man/man4/tun.4

.\" $NetBSD: tun.4,v 1.1 1996/06/25 22:17:37 pk Exp $
.\" $FreeBSD: src/share/man/man4/tun.4,v 1.9.2.4 2001/08/17 13:08:39 ru Exp $
.\" Based on PR#2411
.\"
.Dd August 3, 2018
.Dt TUN 4
.Os
.Sh NAME
.Nm tun
.Nd tunnel software network interface
.Sh SYNOPSIS
.Cd pseudo-device tun
.Sh DESCRIPTION
The
.Nm
interface is a software loopback mechanism that can be loosely
described as the network interface analog of the
.Xr pty 4 ,
that is,
.Nm
does for network interfaces what the
.Xr pty 4
driver does for terminals.
.Pp
The
.Nm
driver, like the
.Xr pty 4
driver, provides two interfaces: an interface like the usual facility
it is simulating
(a network interface in the case of
.Nm ,
or a terminal for
.Xr pty 4 ) ,
and a character-special device
.Dq control
interface.
A client program transfers IP (by default) packets to or from the
.Nm
.Dq control
interface.
The
.Xr tap 4
interface provides similar functionality at the Ethernet layer:
a client will transfer Ethernet frames to or from a
.Xr tap 4
.Dq control
interface.
.Pp
The network interfaces are named
.Dq Li tun0 ,
.Dq Li tun1 ,
etc., one for each control device that has been opened.
These network interfaces persist until the
.Pa if_tun.ko
module is unloaded, or until removed with the
.Xr ifconfig 8
command (see below).
.Pp
The
.Nm
devices are created using interface cloning.
This is done using the
.Dq ifconfig tun Ns Sy N No create
command.
This is the preferred method of creating
.Nm
devices.
The same method allows removal of interfaces by using the
.Dq ifconfig tun Ns Sy N No destroy
command.
.Pp
The
.Nm
interface permits opens on the special control device
.Pa /dev/tun .
When this device is opened,
.Nm
will return a handle for the lowest unused
.Nm
device (use
.Xr devname 3
to determine which).
.Pp
Control devices (once successfully opened) persist until the
.Pa if_tun.ko
module is unloaded or the interface is destroyed.
.Pp
Each interface supports the usual network-interface
.Xr ioctl 2 Ns s
and thus can be used with
.Xr ifconfig 8
like any other interface.
At boot time, they are
.Dv POINTOPOINT
interfaces, but this can be changed; see the description of the control
device, below.
When the system chooses to transmit a packet on the
network interface, the packet can be read from the control device
(it appears as
.Dq input
there);
writing a packet to the control device generates an input
packet on the network interface, as if the (non-existent)
hardware had just received it.
.Pp
The tunnel device
.Pq Pa /dev/tun Ns Ar N
is exclusive-open
(it cannot be opened if it is already open).
A
.Xr read 2
call will return an error
.Pq Er EHOSTDOWN
if the interface is not
.Dq ready
(which means that the control device is open and the interface's
address has been set).
.Pp
Once the interface is ready,
.Xr read 2
will return a packet if one is available; if not, it will either block
until one is or return
.Er EWOULDBLOCK ,
depending on whether non-blocking I/O has been enabled.
If the packet is longer than is allowed for in the buffer passed to
.Xr read 2 ,
the extra data will be silently dropped.
.Pp
If the
.Dv TUNSLMODE
ioctl has been set (i.e.,
.Dq link-layer
mode), packets read from the control device will be prepended
with the destination address as presented to the network interface output
routine.
The destination address is in
.Vt struct sockaddr
format.
The actual length of the prepended address is in the member
.Va sa_len .
If the
.Dv TUNSIFHEAD
ioctl has been set (i.e.,
.Dq multi-af
mode), packets will be prepended with a 4-byte address
family in network byte order.
.Dv TUNSLMODE
and
.Dv TUNSIFHEAD
are mutually exclusive.
In any case, the packet data follows immediately.
.Pp
A
.Xr write 2
call passes a packet in to be
.Dq received
on the pseudo-interface.
Each
.Xr write 2
call supplies exactly one packet; the packet length is taken from the
amount of data provided to
.Xr write 2
(minus any supplied address family).
Writes will not block; if the packet cannot be accepted for a
transient reason
(e.g., no buffer space available),
it is silently dropped; if the reason is not transient
(e.g., packet too large),
an error is returned.
.Pp
If the
.Dv TUNSLMODE
ioctl has been set (i.e.,
.Dq link-layer
mode), the actual packet data must be preceded by a
.Vt struct sockaddr .
The driver currently only inspects the
.Va sa_family
field.
If the
.Dv TUNSIFHEAD
ioctl has been set (i.e.,
.Dq multi-af
mode), the address family must be prepended, otherwise the
packet is assumed to be of type
.Dv AF_INET .
.Pp
The following
.Xr ioctl 2
calls are supported
(defined in
.In net/tun/if_tun.h ) :
.Bl -tag -width ".Dv TUNSIFMODE"
.It Dv TUNSDEBUG
The argument should be a pointer to an
.Vt int ;
this sets the internal debugging variable to that value.
What, if anything, this variable controls is not documented here; see
the source code.
.It Dv TUNGDEBUG
The argument should be a pointer to an
.Vt int ;
this stores the internal debugging variable's value into it.
.It Dv TUNSIFINFO
The argument should be a pointer to an
.Vt struct tuninfo
and allows setting the MTU and the baudrate of the tunnel device.
The type must be the same as returned by
.Dv TUNGIFINFO
or set to
.Dv IFT_PPP ,
otherwise the
.Xr ioctl 2
call will fail.
.Vt struct tuninfo
is declared in
.In net/tun/if_tun.h .
.It Dv TUNGIFINFO
The argument should be a pointer to an
.Vt struct tuninfo ,
where the current MTU, type, and baudrate will be stored.
.It Dv TUNGIFNAME
Retrieve the name of the network interface that is associated with the
control device.
The argument should be a pointer to a
.Va struct ifreq .
The interface name will be returned in the
.Va ifr_name
field.
.It Dv TUNSIFMODE
The argument should be a pointer to an
.Vt int ;
its value must be either
.Dv IFF_POINTOPOINT
or
.Dv IFF_BROADCAST
and should have
.Dv IFF_MULTICAST
OR'd into the value if multicast support is required.
The type of the corresponding
.Dq Li tun Ns Ar N
interface is set to the supplied type.
If the value is anything else, an
.Er EINVAL
error is returned.
The interface must be down at the time; if it is up, an
.Er EBUSY
error is returned.
.It Dv TUNSLMODE
The argument should be a pointer to an
.Vt int ;
a non-zero value turns off
.Dq multi-af
mode and turns on
.Dq link-layer
mode, causing packets read from the tunnel device to be prepended with
the network destination address (see above).
.It Dv TUNSIFPID
Will set the PID owning the tunnel device to the current process's PID.
.It Dv TUNSIFHEAD
The argument should be a pointer to an
.Vt int ;
a non-zero value turns off
.Dq link-layer
mode, and enables
.Dq multi-af
mode, where every packet is preceded with a 4-byte address family.
.It Dv TUNGIFHEAD
The argument should be a pointer to an
.Vt int ;
the ioctl sets the value to one if the device is in
.Dq multi-af
mode, and zero otherwise.
.It Dv FIOASYNC
Turn asynchronous I/O for reads
(i.e., generation of
.Dv SIGIO
when data is available to be read)
off or on, according as the argument
.Vt int Ns 's
value is or is not zero.
.It Dv FIONREAD
If any packets are queued to be read, store the size of the first one
into the argument
.Vt int ;
otherwise, store zero.
.It Dv TIOCSPGRP
Set the process group to receive
.Dv SIGIO
signals, when asynchronous I/O is enabled, to the argument
.Vt int
value.
.It Dv TIOCGPGRP
Retrieve the process group value for
.Dv SIGIO
signals into the argument
.Vt int
value.
.El
.Pp
The control device also supports
.Xr select 2
for read; selecting for write is pointless, and always succeeds, since
writes are always non-blocking.
.Pp
On the last close of the data device, by default, the interface is
brought down
(as if with
.Nm ifconfig Ar tunN Cm down ) .
All queued packets are thrown away.
If the interface is up when the data device is not open
output packets are always thrown away rather than letting
them pile up.
.Sh SEE ALSO
.Xr ioctl 2 ,
.Xr devname 3 ,
.Xr inet 4 ,
.Xr tap 4 ,
.Xr ifconfig 8