>| >And if that fails, I can always use
>| >stf.. btw my server at home is running 1.5R. What's IFF_LINK2?
>| gif(4) talks about it.  IFF_LINK2 on gif(4) turns off ingress filtering.
>It seems strangely bogus that gif(4) does this kind of filtering
>and no other interface does. Why is gif special?
>It seems to violate the principle of least surprise that this filtering
>happens, so I wonder about the default.

	RFC2893 suggests it (SHOULD).
>Wouldn't it be best if the filtering took place at another layer?

	since ipf has no support for encapsulated packets, it looked to me gif
	is the best place to do this.  once you decapsulate it, you have no
	chance checking it so checks in (2nd invocation of) ip_input is
	not useful.

itojun