tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
ipip (gif) tunnels and npf
Hi,
I've been playing with npf to get more comfortable with it. There really
aren't all that many examples on the Internet to use, so I'm a bit stumped
while trying to get a gif tunnel (ipip protocol) to work.
Of course, gif works across NAT - I've been using gif from behind ipfilter
for ages, and it works behind most other types of NAT, too. However, npf
doesn't seem to want to rewrite ipip traffic.
When I have the internal <-> other side endpoints in gif behind npf, I see
the packets leaving the public interface looking like this:
01:20:16.772680 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 0, length 64 (ipip-proto-4)
01:20:17.777222 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 1, length 64 (ipip-proto-4)
They're clearly not rewritten.
As a test, I set the endpoint for the gif behind npf to the public address
and saw what I expected:
01:27:02.753125 IP 76.169.240.26 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 564, seq 5, length 64 (ipip-proto-4)
01:27:02.784180 IP 74.118.183.200 > 76.169.240.26: IP 192.80.49.78 > 192.80.49.79: ICMP echo reply, id 564, seq 5, length 64 (ipip-proto-4)
Of course, the npf machine has no idea what to do with this traffic, and I
wouldn't have any idea how to use npf to forward this traffic anyway, but
it shows that everything else is working as it should.
So what needs to be done to get npf to rewrite ipip packets?
Thanks,
John Klos
Home |
Main Index |
Thread Index |
Old Index