Subject: filtering on virtual devices on NetBSD
To: Darren Reed <>
From: Michael Richardson <>
List: tech-net
Date: 08/11/2001 19:21:19
  If I have packets arriving IPIP (either proto 4 or 98), which I accept
on interface de0 (as proto 4, 98), do they then "arrive" on ipip0 or gif0 or
whatever I have configured as my tunnel end point? I.e. do I get a second
chance to filter?

  Ideally, my preference is to be able to set a flag on all tunnel devices
which causes them to pass the packets back to IPF with the physical device unchanged.
That way, I can accept proto 4 on "de0", knowing that "de0" rules would
really still apply.  The only place I really want different rules is
with tun0 or something where the packets arrive through some "other"
mechanism which I may trust more or less. (I'd still like to have "ipsecX" as

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
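As an added illustration (not part of the message above, and not an answer from the list), the following IPF rule set shows what the "second chance to filter" would look like if decapsulated tunnel traffic is re-injected with the tunnel interface as its receiving interface. It assumes NetBSD's gif(4) behaves that way, that the physical interface is de0 and the tunnel interface is gif0, and all addresses are placeholders (RFC 5737/1918 ranges) chosen for the example.

```ipf
# Constructed example: two-stage filtering for an IPIP tunnel.
# Stage 1 sees the encapsulated packet on the physical interface; stage 2
# sees the inner packet on the tunnel interface after decapsulation.
# Placeholders: 192.0.2.1 = remote tunnel peer, 198.51.100.1 = our de0 address,
# 10.1.0.0/16 and 10.2.0.0/16 = inner networks carried by the tunnel.

# Stage 1: accept IPIP (proto 4) and ENCAP (proto 98) only from the known peer,
# log and drop any other encapsulated traffic arriving on de0.
pass in quick on de0 proto 4 from 192.0.2.1 to 198.51.100.1
pass in quick on de0 proto 98 from 192.0.2.1 to 198.51.100.1
block in log quick on de0 proto 4 from any to any
block in log quick on de0 proto 98 from any to any

# Stage 2: the inner packet is evaluated again, this time on gif0, so the
# policy for what the peer may send through the tunnel lives here.
pass in quick on gif0 proto tcp from 10.1.0.0/16 to 10.2.0.0/16 port = 22 flags S keep state
pass in quick on gif0 proto icmp from 10.1.0.0/16 to 10.2.0.0/16 icmp-type 8 keep state
block in log quick on gif0 all

# Default for everything else.
block in log all
```

To confirm that the inner packets really do get a second pass, load the rules with `ipf -Fa -f /etc/ipf.conf`, send traffic through the tunnel, and watch the per-rule hit counters with `ipfstat -hi`: if the gif0 rules never accumulate hits, the decapsulated packets are not being presented to IPF on gif0 and only the de0 rules apply.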