Mac Developer Library Developer


This manual page is for Mac OS X version 10.9

If you are running a different version of Mac OS X, view the documentation locally:

  • In Terminal, using the man(1) command

Reading manual pages

Manual pages are intended as a quick reference for people who already understand a technology.

  • To learn how the manual is organized or to learn about command syntax, read the manual page for manpages(5).

  • For more information about this technology, look for other documentation in the Apple Developer Library.

  • For general information about writing shell scripts, read Shell Scripting Primer.

GIF(4)                   BSD Kernel Interfaces Manual                   GIF(4)

     gif -- generic tunnel interface

     pseudo-device gif

     The gif interface is a generic tunneling pseudo device for IPv4 and IPv6.  It can tunnel IPv[46] traf-fic traffic
     fic over IPv[46].  Therefore, there can be four possible configurations.  The behavior of gif is mainly
     based on RFC2893 IPv6-over-IPv4 configured tunnel.  On NetBSD, gif can also tunnel ISO traffic over
     IPv[46] using EON encapsulation.

     Each gif interface is created at runtime using interface cloning.  This is most easily done with the
     ifconfig(8) create command or using the gifconfig_<interface> variable in rc.conf(5).

     To use gif, administrator needs to configure protocol and addresses used for the outer header.  This
     can be done by using gifconfig(8), or SIOCSIFPHYADDR ioctl.  Also, administrator needs to configure
     protocol and addresses used for the inner header, by using ifconfig(8).  Note that IPv6 link-local
     address (those start with fe80::) will be automatically configured whenever possible.  You may need to
     remove IPv6 link-local address manually using ifconfig(8), when you would like to disable the use of
     IPv6 as inner header (like when you need pure IPv4-over-IPv6 tunnel).  Finally, use routing table to
     route the packets toward gif interface.

     gif can be configured to be ECN friendly.  This can be configured by IFF_LINK1.

   ECN friendly behavior
     gif can be configured to be ECN friendly, as described in draft-ietf-ipsec-ecn-02.txt.  This is turned
     off by default, and can be turned on by IFF_LINK1 interface flag.

     Without IFF_LINK1, gif will show a normal behavior, like described in RFC2893.  This can be summarized
     as follows:

           Ingress  Set outer TOS bit to 0.

           Egress   Drop outer TOS bit.

     With IFF_LINK1, gif will copy ECN bits (0x02 and 0x01 on IPv4 TOS byte or IPv6 traffic class byte) on
     egress and ingress, as follows:

           Ingress  Copy TOS bits except for ECN CE (masked with 0xfe) from inner to outer.  Set ECN CE bit
                    to 0.

           Egress   Use inner TOS bits with some change.  If outer ECN CE bit is 1, enable ECN CE bit on the

     Note that the ECN friendly behavior violates RFC2893.  This should be used in mutual agreement with the

     Malicious party may try to circumvent security filters by using tunnelled packets.  For better protec-tion, protection,
     tion, gif performs martian filter and ingress filter against outer source address, on egress.  Note
     that martian/ingress filters are no way complete.  You may want to secure your node by using packet
     filters.  Ingress filter can be turned off by IFF_LINK2 bit.

     By default, gif tunnels may not be nested.  This behavior may be modified at runtime by setting the
     sysctl(8) variable to the desired level of nesting.  Additionally, gif tunnels
     are restricted to one per pair of end points.  Parallel tunnels may be enabled by setting the sysctl(8)
     variable to 1.

     inet(4), inet6(4), gifconfig(8)

     R. Gilligan and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC2893, August 2000,

     Sally Floyd, David L. Black, and K. K. Ramakrishnan, IPsec Interactions with ECN, December 1999, draft-ietf-ipsec-ecn-02.txt. draftietf-ipsec-ecn-02.txt.

     The gif device first appeared in WIDE hydrangea IPv6 kit.

     There are many tunneling protocol specifications, defined differently from each other.  gif may not
     interoperate with peers which are based on different specifications, and are picky about outer header
     fields.  For example, you cannot usually use gif to talk with IPsec devices that use IPsec tunnel mode.

     The current code does not check if the ingress address (outer source address) configured to gif makes
     sense.  Make sure to configure an address which belongs to your node.  Otherwise, your node will not be
     able to receive packets from the peer, and your node will generate packets with a spoofed source

     If the outer protocol is IPv4, gif does not try to perform path MTU discovery for the encapsulated
     packet (DF bit is set to 0).

     If the outer protocol is IPv6, path MTU discovery for encapsulated packet may affect communication over
     the interface.  The first bigger-than-pmtu packet may be lost.  To avoid the problem, you may want to
     set the interface MTU for gif to 1240 or smaller, when outer header is IPv6 and inner header is IPv4.

     gif does not translate ICMP messages for outer header into inner header.

     In the past, gif had a multi-destination behavior, configurable via IFF_LINK0 flag.  The behavior was
     obsoleted and is no longer supported.

     It is thought that this is not actually a bug in gif, but rather lies somewhere around a manipulation
     of an IPv6 routing table.

BSD                             April 10, 1999                             BSD

Reporting Problems

The way to report a problem with this manual page depends on the type of problem:

Content errors
Report errors in the content of this documentation with the feedback links below.
Bug reports
Report bugs in the functionality of the described tool or API through Bug Reporter.
Formatting problems
Report formatting mistakes in the online version of these pages with the feedback links below.