On 04/06/2013, at 11:22 AM, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:

> On Mon, Jun 03, 2013 at 11:49:58PM +0100, Stuart Henderson wrote:
>> On a router running PF and isakmpd, I have a rule like this:
>> 
>> match out on pppoe0 inet all received-on vlan5 nat-to $someip
>> 
>> I was surprised to find this being applied to packets received on vlan5
>> and caught by an ipsec flow; the resulting *encapsulated* (proto ESP) packets
>> (as in, generated on the router itself, not actually themselves received on
>> vlan5) end up getting natted.
>> 
>> What does anyone else think...expected or not?
>> 
> 
> Question, would you expect the ipsec packets to match against this rule?
> match out on pppoe0 inet all received-on enc0 nat-to $someip
> 
> As in should we change the received interface when we hit ipsec?
> Think carefully since this path is edged by dragons and deep dark
> rabbit holes.

There is precedent for virtual interfaces to overwrite the rcvif on the way 
through, e.g. em0 could become trunk0 which could become vlan0.

In this particular case though (ipsec gateway) I'd argue encapsulation by ipsec 
should clear the rcvif. Is there any error handling for ipsec packets that 
relies on it?

dlg