On 2018/02/14 18:05, David Gwynne wrote:
> I don't understand the usefulness of the sysctls to turn etherip,
> gre, and mobileip handling on. If you aren't going to handle etherip,
> gre, or mobileip, just don't create interfaces to handle them.
> For now, this dummies up handling of the sysctls by letting userland
> read that they're allowed, but allow is read-only.
The etherip one is really "allow unprotected etherip" to give a foolproof
way of ensuring it only works over ipsec by default. (otherwise you need
to know about if-bound states in pf).
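As an added illustration (not part of the thread) of the "if-bound states" point above: with pf's default floating state policy, a state created by etherip passing over enc0 can also match cleartext etherip arriving on the outside interface, so restricting the tunnel to IPsec takes an explicit rule set. Interface names, the `peer`/`self` addresses and the tunnel endpoints are assumed values for the example.

```pf
# Example pf.conf fragment; ext_if, peer and self are assumed values.
ext_if = "em0"
peer   = "192.0.2.1"     # remote etherip/IPsec endpoint (placeholder)
self   = "198.51.100.1"  # local endpoint (placeholder)

# Weak variant (for contrast): a floating state created here may also
# match unencrypted etherip that arrives directly on $ext_if.
#   pass on enc0 proto etherip from $peer to $self

# Hardened variant: never accept cleartext etherip from the wire, and
# bind the permitted state to enc0 so it cannot be reused on $ext_if.
block in quick on $ext_if proto etherip
pass in  on enc0 proto etherip from $peer to $self keep state (if-bound)
pass out on enc0 proto etherip from $self to $peer keep state (if-bound)
```

The reply's point is that the sysctl gives the same guarantee without requiring the administrator to get this state-binding detail right.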