tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

ipip (gif) tunnels and npf


I've been playing with npf to get more comfortable with it. There really aren't all that many examples on the Internet to use, so I'm a bit stumped while trying to get a gif tunnel (ipip protocol) to work.

Of course, gif works across NAT - I've been using gif from behind ipfilter for ages, and it works behind most other types of NAT, too. However, npf doesn't seem to want to rewrite ipip traffic.

When I have the internal <-> other side endpoints in gif behind npf, I see the packets leaving the public interface looking like this:

01:20:16.772680 IP > IP > ICMP echo request, id 3384, seq 0, length 64 (ipip-proto-4)
01:20:17.777222 IP > IP > ICMP echo request, id 3384, seq 1, length 64 (ipip-proto-4)

They're clearly not rewritten.

As a test, I set the endpoint for the gif behind npf to the public address and saw what I expected:

01:27:02.753125 IP > IP > ICMP echo request, id 564, seq 5, length 64 (ipip-proto-4)
01:27:02.784180 IP > IP > ICMP echo reply, id 564, seq 5, length 64 (ipip-proto-4)

Of course, the npf machine has no idea what to do with this traffic, and I wouldn't have any idea how to use npf to forward this traffic anyway, but it shows that everything else is working as it should.

So what needs to be done to get npf to rewrite ipip packets?

John Klos

Home | Main Index | Thread Index | Old Index