Subject: Re: filtering on virtual devices on NetBSD
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
List: tech-net
Date: 08/12/2001 18:42:41
>  If I have packets arriving IPIP (either proto 4 or 98), which I accept
>on interface de0 (as proto 4, 98), do they then "arrive" on ipip0 or gif0 or
>whatever I have configured as my tunnel end point? I.e. do I get a second
>chance to filter?

	filter them as "some packet from gif0".

>  Ideally, my preference is to be able to set a flag on all tunnel devices
>which causes them to pass packets back to IPF with the physical device unchanged.
>That way, I can accept proto 4 on "de0", knowing that "de0" rules would
>really still apply.  The only place I really want different rules is
>with tun0 or something where the packets arrive through some "other"
>mechanism which I may trust or less.
 
	I don't think it is right.  If you model tunnels as interfaces,
	m->m_pkthdr.rcvif must switch.

>(I'd still like to have "ipsecX" as well) 

	Your argument conflicts with your own idea....

	While sometimes I like ipsecX, this means a total departure from
	RFC2401.  We may lose our interoperability with normal IPsec tunnel
	mode devices.  I'm experimenting with something in the KAME tree, which is
	rather horrible at this moment.  See the latest KAME IMPLEMENTATION
	document, section 4.8.
	http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION

itojun
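The two-stage filtering described in this thread (outer encapsulated packet on the physical interface, decapsulated inner packet on gif0 because m_pkthdr.rcvif switches) can be expressed as an IPF ruleset. The following is an added example, not part of the original mail or of the KAME/NetBSD sources; the interface names de0 and gif0 come from the thread, while the addresses 192.0.2.1 (local tunnel endpoint), 198.51.100.7 (remote tunnel endpoint) and the 10.1.0.0/16 and 10.2.0.0/16 inner networks are assumed documentation values.

```text
# Stage 1: the physical interface only sees the outer IP-in-IP packet.
# Accept IPIP (proto 4) and ENCAP (proto 98) solely from the known peer
# to the local endpoint; everything else encapsulated on de0 is dropped.
# (Addresses are assumed example values, not from the original mail.)
pass in quick on de0 proto 4 from 198.51.100.7 to 192.0.2.1
pass in quick on de0 proto 98 from 198.51.100.7 to 192.0.2.1
block in log quick on de0 proto 4 from any to any
block in log quick on de0 proto 98 from any to any

# Stage 2: after decapsulation, rcvif is gif0 and the inner packet gets
# its second pass through the filter. Rules here apply to the inner
# addresses, which were invisible at stage 1.
pass in quick on gif0 from 10.1.0.0/16 to 10.2.0.0/16
block in log on gif0 all
```

The de0 rules can only restrict which peers may send tunnelled traffic at all; the policy for what is allowed to flow inside the tunnel has to live on gif0, since that is the interface the inner packet appears to arrive on. Logging the blocks on both stages makes it visible whether unexpected traffic is arriving on the outside (unknown peer) or on the inside (a trusted peer sending something out of policy).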