Subject: IPsec packets tagged for life?
To: None <tech-net@netbsd.org>
From: Quentin Garnier <cube@cubidou.net>
List: tech-net
Date: 12/12/2005 17:34:19

Hi,

I've just switched an IPsec tunnel setup to an IPsec-protected gif
tunnel, and I was surprised that I still could not filter decapsulated
packets.  I was expecting to be able to use IPF for the decapsulated
gif packets, but apparently this is not possible (ipfstat shows that no
packets match the 'in' rules for the gif interface).

AFAICT, the ESP tag is not cleared when the packet is passed to the gif
layer, therefore it is still there when it is decapsulated, and the
pfil_hook in ip_input doesn't happen.

Should this be considered a bug?  While I'm using netbsd-2-0, I don't
think it was changed/fixed meanwhile.

In any case, considering outbound packets go through IPF twice (before
they are encapsulated by gif, and after they are encapsulated by IPsec)
there is a dissymmetry that should be fixed one way or another.

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"When I find the controls, I'll go where I like, I'll know where I want
to be, but maybe for now I'll stay right here on a silent sea."
KT Tunstall, Silent Sea, Eye to the Telescope, 2004.

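Added example (not part of the mail above, and not NetBSD kernel code): a user-space C model of the packet path the mail describes, so the reported asymmetry can be reproduced and counted. An ESP-protected gif tunnel is traced in both directions with a pfil-style hook counted per interface and direction; the `TAG_IPSEC_IN_DONE` name, the `simulate()` driver and the "clear the tag in gif decapsulation" variant are assumptions made for this illustration, one possible fix rather than whatever NetBSD actually changed.

```c
/*
 * Toy model of ip_input/ip_output with a pfil hook, IPsec ESP processing and a
 * gif tunnel.  Names and structures are assumed for the example; the only
 * behaviour taken from the mail is: ip_input skips its pfil hook when the
 * packet carries the IPsec-done tag, gif decapsulation does not clear it, and
 * outbound packets pass the pfil hook once on gif and once on the physical
 * interface.
 */
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define TAG_IPSEC_IN_DONE 0x1u   /* assumed name for "the ESP tag" */

struct pkt {
    unsigned tags;   /* mbuf tag bits travelling with the packet */
    int depth;       /* 0 = inner cleartext packet, 1 = gif-encapsulated */
    bool esp;        /* outer packet is still ESP ciphertext */
};

struct stats {
    int in_phys;     /* pfil 'in' passes seen on the physical interface */
    int in_gif;      /* pfil 'in' passes seen on the gif interface */
    int out_gif;     /* pfil 'out' passes seen on the gif interface */
    int out_phys;    /* pfil 'out' passes seen on the physical interface */
};

/* false: behaviour reported in the mail; true: assumed fix under test */
static bool clear_tag_on_decap;

static void ip_input(struct pkt *p, const char *ifname, struct stats *st);
static void ip_output(struct pkt *p, const char *ifname, struct stats *st);

static void gif_input(struct pkt *p, struct stats *st)
{
    p->depth = 0;                         /* strip the outer gif header */
    if (clear_tag_on_decap)
        p->tags &= ~TAG_IPSEC_IN_DONE;    /* assumed fix: inner packet is a fresh packet */
    ip_input(p, "gif0", st);              /* decapsulated packet re-enters ip_input on gif0 */
}

static void ipsec_input(struct pkt *p, struct stats *st)
{
    p->esp = false;                       /* ESP verified and decrypted */
    p->tags |= TAG_IPSEC_IN_DONE;         /* mark the packet as IPsec-processed */
    ip_input(p, "phys0", st);             /* cleartext outer packet re-enters ip_input */
}

static void ip_input(struct pkt *p, const char *ifname, struct stats *st)
{
    /* pfil 'in' hook: skipped when the IPsec-done tag is present (as reported) */
    if (!(p->tags & TAG_IPSEC_IN_DONE)) {
        if (strcmp(ifname, "gif0") == 0) st->in_gif++; else st->in_phys++;
    }
    if (p->esp)        { ipsec_input(p, st); return; }
    if (p->depth == 1) { gif_input(p, st);   return; }
    /* inner cleartext packet would now be delivered or forwarded */
}

static void gif_output(struct pkt *p, struct stats *st)
{
    p->depth = 1;                         /* wrap in the gif outer header */
    ip_output(p, "phys0", st);            /* outer packet takes the physical path */
}

static void ip_output(struct pkt *p, const char *ifname, struct stats *st)
{
    /* pfil 'out' hook runs on every pass, tagged or not */
    if (strcmp(ifname, "gif0") == 0) st->out_gif++; else st->out_phys++;
    if (p->depth == 0) { gif_output(p, st); return; }
    p->esp = true;                        /* SPD matches the outer packet: ESP applied */
}

/* Trace one inbound ESP packet and one outbound cleartext packet. */
struct stats simulate(bool fix)
{
    struct stats st = {0, 0, 0, 0};
    clear_tag_on_decap = fix;

    struct pkt in = { .tags = 0, .depth = 1, .esp = true };   /* ESP ciphertext arriving on phys0 */
    ip_input(&in, "phys0", &st);

    struct pkt out = { .tags = 0, .depth = 0, .esp = false }; /* cleartext routed out via gif0 */
    ip_output(&out, "gif0", &st);
    return st;
}

int main(void)
{
    struct stats a = simulate(false), b = simulate(true);
    printf("as reported : in  phys=%d gif=%d | out gif=%d phys=%d\n",
           a.in_phys, a.in_gif, a.out_gif, a.out_phys);
    printf("tag cleared : in  phys=%d gif=%d | out gif=%d phys=%d\n",
           b.in_phys, b.in_gif, b.out_gif, b.out_phys);
    return 0;
}
```

With the reported behaviour the inbound packet is filtered only once, on the physical interface while it is still ESP ciphertext, so no 'in' rule on gif0 can ever match; outbound traffic is filtered twice. Clearing the tag when gif strips the outer header makes the inbound side symmetric with the outbound one in this model, which is the kind of check worth running against `ipfstat` counters after any change to the decapsulation path.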