> On 14 Feb 2018, at 20:03, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2018/02/14 18:05, David Gwynne wrote:
>> i dont understand the usefulness of the sysctls to turn etherip,
>> gre, and mobileip handling on. if you arent going to handle etherip,
>> gre, or mobileip, just dont create interfaces to handle them.
>>
>> for now, this dummies up handling of the sysctls by letting userland
>> read that theyre allowed, but allow is readonly.
>
> The etherip one is really "allow unprotected etherip" to give a foolproof
> way of ensuring it only works over ipsec by default. (otherwise you need
> to know about if-bound states in pf).
grumble grumble. id argue there are similar concerns for traffic over vxlan, tun, and tap, but they lack a magic sysctl.

ipsec.conf includes a "PACKET FILTERING" section that discusses this for ipencap, we could point etherip.4 at that or move this kind of into the pf.conf manpage.

another interesting idea would be to have tunnel interfaces take a "tagged" configuration option that would allow them to check that their encapsulated traffic has been tagged by some other subsystem, like ipsec or pf.

dlg
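For readers following the if-bound point above, here is an added pf.conf fragment (not part of the thread, and not the ipsec.conf(5) example itself) showing how etherip is kept IPsec-only with pf alone, in the style the PACKET FILTERING section uses for ipencap. The interface name em0 and the 192.0.2.x endpoint addresses are constructed for the example; the IKE/ESP rules that let the IPsec tunnel itself come up are assumed to exist elsewhere in the ruleset.

```pf
# Added example: restrict etherip to traffic that has already been
# decapsulated by IPsec, without relying on a kernel allow sysctl.
# Assumed names (not from the thread): em0 external interface,
# 192.0.2.1 is this host, 192.0.2.2 is the tunnel peer.
ext_if = "em0"
me     = "192.0.2.1"
peer   = "192.0.2.2"

# etherip (IP protocol 97) arriving in the clear on the outside
# interface is never wanted: drop it before anything else matches.
block in quick on $ext_if proto etherip

# After ESP processing the inner packet shows up on enc0; only pass
# etherip there, and bind the state to enc0 (if-bound) so a cleartext
# packet on another interface cannot reuse the state entry.
pass in  on enc0 proto etherip from $peer to $me   keep state (if-bound)
pass out on enc0 proto etherip from $me   to $peer keep state (if-bound)
```

The same pattern applies to gre or ipencap by changing the protocol name; check the result with `pfctl -ss` to confirm the etherip states are bound to enc0.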