Subject: Re: gre tunnel, IPSec, and firewall rules
To: Curt Sampson <cjs@cynic.net>
From: Charles Blundell <cb@kittenz.org>
List: tech-net
Date: 04/22/2003 10:47:44
On Tue, Apr 22, 2003 at 11:55:14AM +0900, Curt Sampson wrote:
> With a gif tunnel and without IPSec, everything was fine. When I turned
> on IPSec in transport mode between B and C, however, the gif interface
> on C no longer saw the packets from B.

I am using transport IPsec (ah+esp) for everything between two hosts,
with a gif tunnel inside the IPsec. Both ends are using ipfilter for
various things. This has worked for me for at least the last year.

> Unfortunately, though the tunnel now works with IPSec ESP, and bpf sees
> the packets going both ways, inbound packets are still not seen by
> ipfilter. (I checked the incoming stats for the rules on that interface,
> and they remain at zero hits for all rules, no matter what traffic I
> send through.) Anybody know what could be going on here? How about a fix?

I see the same limitation with gif tunnels too. I also recall it was
something to do with how and when packets were flagged as being
ipsec packets. ip_input() checking ipsec_getnhist() before
pfil_run_hooks() perhaps?
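As an added illustration of the arrangement Charles describes (not part of the original thread, and not either poster's configuration): a setkey(8) policy file requiring AH+ESP transport mode for all traffic between the two tunnel endpoints, with the gif tunnel running inside that protection. The outer addresses 192.0.2.1 (B) and 198.51.100.1 (C) are documentation-range placeholders, and the gif interface is assumed to already exist, e.g. `ifconfig gif0 tunnel 192.0.2.1 198.51.100.1` on B (addresses reversed on C).

```conf
# Constructed example for host B; load with: setkey -f policy.conf
# (swap the two addresses to produce the matching file for host C).
# Outer addresses are placeholders, not hosts from the thread.

# Flush old policies so stale entries cannot shadow these.
spdflush;

# The policy matches on the OUTER (tunnel endpoint) addresses with
# protocol "any", so the gif-encapsulated packets (IP proto 4) are
# covered along with everything else between B and C.  Each packet is
# ESP-encrypted first and then AH-authenticated, both in transport mode.
spdadd 192.0.2.1 198.51.100.1 any -P out ipsec
        esp/transport//require
        ah/transport//require;

spdadd 198.51.100.1 192.0.2.1 any -P in ipsec
        esp/transport//require
        ah/transport//require;
```

The security associations (keys) are negotiated by an IKE daemon or added manually with setkey `add` lines and are not shown here; the symptom in the thread concerns packets that have already been decapsulated by this policy, so the policy itself is not what hides them from ipfilter.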