Re: Adding packet filtering to tun interfaces

Maxime Villard writes:

>> When can it do that?
> It can do that in L4 when handling fragments. [...]

Ah, thanks for the explanation!  I've got a better overview, now.

>> I adapted the pfil_run_hooks() calls from those in if_vlan.c, so they'll
>> need fixing, too.
> Mmh yes, they will need fixing, I missed that.

I'll post a new proposal when I have all of this sorted out and tested.

> But now that I'm thinking about it... Are you sure that your change
> indeed enforces NPF policies? If you pass ifp->if_pfil normally it
> doesn't do IP filtering, unless I missed something else.

My change to if_tun.c does make NPF work as expected.  I've tested it
carefully, in both directions.  (NPF also works correctly for VLANs.)

