I sent this message to the IP Filter mailing list a week ago, but got no response. I know this has come up before in other forms as well, but I don't recall there being a firm response.

I'm running IP Filter v3.4.16 on OpenBSD-2.8 current.

I am wondering how to apply ipf rules to encapsulated traffic. For instance, I have an IPv6 tunnel via gif0. Traffic arrives on xl0 as proto 41. After this, I assume it's de-encapsulated; however, any resident IPv6 rules (via ipf -6) are not adhered to. Tcpdump on xl0 recognizes the IPv6 traffic as encapsulated in both directions. Tcpdump on gif0 only shows outgoing tunnel traffic. Nowhere do I see de-encapsulated IPv6 traffic.

Also, rules applied to gif0 (blocking any and all traffic in this case) fail. I tried this in both the IPv4 and IPv6 rulesets (both at the same time, even!).

As a side note, I remember having a similar problem filtering IPsec encapsulated traffic.

What are the issues preventing this from happening? How can I help?

- Rob