Subject: filtering on virtual devices on NetBSD
To: Darren Reed <email@example.com>
From: Michael Richardson <firstname.lastname@example.org>
Date: 08/11/2001 19:21:19
If I have packets arriving via IPIP (either proto 4 or 98), which I accept
on interface de0 (as proto 4, 98), do they then "arrive" on ipip0 or gif0 or
whatever I have configured as my tunnel end point? I.e., do I get a second
chance to filter?
Ideally, my preference is to be able to set a flag on all tunnel devices
which causes them to pass packets back to IPF with the physical device unchanged.
That way, I can accept proto 4 on "de0", knowing that "de0" rules would
really still apply. The only place I really want different rules is
with tun0 or something where the packets arrive through some "other"
mechanism which I may trust more or less. (I'd still like to have "ipsecX" as
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] email@example.com http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [