tech-net archive


ipip (gif) tunnels and npf



Hi,

I've been playing with npf to get more comfortable with it. There really aren't all that many examples on the Internet to use, so I'm a bit stumped while trying to get a gif tunnel (ipip protocol) to work.

Of course, gif works across NAT - I've been using gif from behind ipfilter for ages, and it works behind most other types of NAT, too. However, npf doesn't seem to want to rewrite ipip traffic.

When I have the internal <-> other side endpoints in gif behind npf, I see the packets leaving the public interface looking like this:

01:20:16.772680 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 0, length 64 (ipip-proto-4)
01:20:17.777222 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 1, length 64 (ipip-proto-4)

They're clearly not rewritten.

As a test, I set the endpoint for the gif behind npf to the public address and saw what I expected:

01:27:02.753125 IP 76.169.240.26 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 564, seq 5, length 64 (ipip-proto-4)
01:27:02.784180 IP 74.118.183.200 > 76.169.240.26: IP 192.80.49.78 > 192.80.49.79: ICMP echo reply, id 564, seq 5, length 64 (ipip-proto-4)

Of course, the npf machine has no idea what to do with this traffic, and I wouldn't have any idea how to use npf to forward this traffic anyway, but it shows that everything else is working as it should.

So what needs to be done to get npf to rewrite ipip packets?

Thanks,
John Klos
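
A check for the symptom described in the message above, added here as an example and not part of the original post: it parses tcpdump ipip lines taken on the public interface and flags packets whose outer source is still a private address, meaning NAT did not translate them. The function names are hypothetical, and the sample input is the four capture lines quoted in the message.

```python
import ipaddress
import re

# Sample input: the four tcpdump lines quoted in the message above.
CAPTURE = """\
01:20:16.772680 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 0, length 64 (ipip-proto-4)
01:20:17.777222 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 1, length 64 (ipip-proto-4)
01:27:02.753125 IP 76.169.240.26 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 564, seq 5, length 64 (ipip-proto-4)
01:27:02.784180 IP 74.118.183.200 > 76.169.240.26: IP 192.80.49.78 > 192.80.49.79: ICMP echo reply, id 564, seq 5, length 64 (ipip-proto-4)
"""

# timestamp, outer src > outer dst, inner src > inner dst, trailing ipip marker
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<osrc>[\d.]+) > (?P<odst>[\d.]+): "
    r"IP (?P<isrc>[\d.]+) > (?P<idst>[\d.]+): .*\(ipip-proto-4\)\s*$"
)


def parse_ipip(line):
    """Parse one tcpdump IPv4-in-IPv4 line; return None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pkt = {"ts": m.group("ts")}
    for key in ("osrc", "odst", "isrc", "idst"):
        pkt[key] = ipaddress.ip_address(m.group(key))
    return pkt


def unrewritten(capture):
    """Return packets leaving with a private outer source toward a public
    outer destination, i.e. encapsulated traffic the NAT did not rewrite."""
    hits = []
    for line in capture.splitlines():
        pkt = parse_ipip(line)
        if pkt and pkt["osrc"].is_private and not pkt["odst"].is_private:
            hits.append(pkt)
    return hits


if __name__ == "__main__":
    for pkt in unrewritten(CAPTURE):
        print(f'{pkt["ts"]} outer {pkt["osrc"]} -> {pkt["odst"]} not translated')
```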

