Re: deprecate sysctl net.inet.{etherip,gre,mobileip}.allow

2018-02-14 Thread David Gwynne

> On 14 Feb 2018, at 20:03, Stuart Henderson wrote:
> 
> On 2018/02/14 18:05, David Gwynne wrote:
>> I don't understand the usefulness of the sysctls to turn etherip,
>> gre, and mobileip handling on. If you aren't going to handle etherip,
>> gre, or mobileip, just don't create interfaces to handle them.
>> 
>> For now, this dummies up handling of the sysctls by letting userland
>> read that they're allowed, but allow is read-only.
> 
> The etherip one is really "allow unprotected etherip" to give a foolproof
> way of ensuring it only works over ipsec by default. (otherwise you need
> to know about if-bound states in pf).

grumble grumble. I'd argue there are similar concerns for traffic over vxlan, 
tun, and tap, but they lack a magic sysctl.

ipsec.conf includes a "PACKET FILTERING" section that discusses this for 
ipencap; we could point etherip.4 at that, or move this kind of thing into the 
pf.conf manpage.

another interesting idea would be to have tunnel interfaces take a "tagged" 
configuration option that would allow them to check that their encapsulated 
traffic has been tagged by some other subsystem, like ipsec or pf.

dlg
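As an added illustration of the pf-only alternative Stuart describes (the one that requires knowing about if-bound states), here is the ipencap ruleset pattern from the PACKET FILTERING section of ipsec.conf(5) adapted to etherip. This is not from the thread or from the OpenBSD manpages; the addresses, the `$wan` interface and the macro names are assumptions for the example.

```conf
# Added example, not from the thread: let etherip (IP protocol 97,
# "etherip" in /etc/protocols) reach the etherip interface only after
# it has passed through IPsec, without relying on
# net.inet.etherip.allow=0. Addresses and macro names are assumed.
self = "192.0.2.1"       # assumed: our IPsec/etherip endpoint
peer = "198.51.100.1"    # assumed: remote IPsec/etherip endpoint
wan  = "em0"             # assumed: external interface

# Nothing but ESP and IKE is accepted directly on the external interface,
# so a cleartext etherip packet from $peer hits "block" here.
block on $wan
pass in  on $wan proto esp from $peer to $self
pass out on $wan proto esp from $self to $peer
pass in  on $wan proto udp from $peer to $self port { 500, 4500 }
pass out on $wan proto udp from $self to $peer port { 500, 4500 }

# Decapsulated traffic is presented to pf on enc0; etherip is passed there.
# "if-bound" is the important part: pf checks the state table before the
# ruleset, and a floating state created on enc0 would also match a
# cleartext etherip packet arriving on $wan, bypassing the block above.
# Binding the state to enc0 closes that hole.
pass in  on enc0 proto etherip from $peer to $self keep state (if-bound)
pass out on enc0 proto etherip from $self to $peer keep state (if-bound)
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, which is a cheap way to confirm that `proto etherip` resolves on the host before the rules go live.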


Re: deprecate sysctl net.inet.{etherip,gre,mobileip}.allow

2018-02-14 Thread Stuart Henderson
On 2018/02/14 18:05, David Gwynne wrote:
> I don't understand the usefulness of the sysctls to turn etherip,
> gre, and mobileip handling on. If you aren't going to handle etherip,
> gre, or mobileip, just don't create interfaces to handle them.
> 
> For now, this dummies up handling of the sysctls by letting userland
> read that they're allowed, but allow is read-only.

The etherip one is really "allow unprotected etherip" to give a foolproof
way of ensuring it only works over ipsec by default. (otherwise you need
to know about if-bound states in pf).