On 2018/02/14 18:05, David Gwynne wrote:
> I don't understand the usefulness of the sysctls to turn etherip,
> gre, and mobileip handling on. If you aren't going to handle etherip,
> gre, or mobileip, just don't create interfaces to handle them.
>
> For now, this dummies up handling of the sysctls by letting userland
> read that they're allowed, but allow is read-only.
The etherip one is really "allow unprotected etherip", to give a foolproof way of ensuring it only works over IPsec by default (otherwise you need to know about if-bound states in pf).
