I've got a router set up with a few GRE tunnels, gre0 and gre1 along with local WAN / trusted LAN / untrusted LAN interfaces. I use packet tagging as described in the PF handbook to classify ingress traffic and then filter on egress. However it seems that I can't tag the packets ingress from gre0 or gre1.
I've tried a few things, including just putting a
block in log quick on gre0
at the top of my rule set, but that rule doesn't get matched at all, according to pfctl -s rules -v.
Are the gre interfaces special in some way? Can I get pf to see and act on those packets?
This is on FreeBSD 10.2-RELEASE-p12, custom kernel to enable ALTQ and IPSEC.
pf.conf https://gist.github.com/2bithacker/2a172222485ab6c032d6
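As an added illustration of the tag-on-ingress, filter-on-egress pattern the question refers to (the "policy filtering" example from the PF handbook), here is a minimal pf.conf that applies it to GRE tunnel interfaces. This is not the poster's configuration from the linked gist; the physical interface names (em0, em1, em2) and the tag names are assumptions. The `match in log` rule at the top is a non-blocking diagnostic: it counts and logs every packet pf evaluates on the tunnels without changing the verdict, so `pfctl -vs rules` (or `tcpdump -nei pflog0`) shows directly whether pf is seeing tunnel traffic at all.

```pf
# Added example, not the poster's pf.conf. Interface names are assumed.
wan_if  = "em0"          # public WAN
lan_if  = "em1"          # trusted LAN
dmz_if  = "em2"          # untrusted LAN
gre_ifs = "{ gre0 gre1 }"

# Do not list the tunnels here: interfaces under "set skip" are never
# evaluated by pf, so no rule on them can match or count.
set skip on lo0

# Diagnostic only: a match rule never passes or blocks, it just logs and
# increments its counters, so it shows whether pf sees packets on gre0/gre1.
match in log on $gre_ifs

# Ingress: classify by source interface and remember the tag in state.
pass in quick on $wan_if  all tag WAN    keep state
pass in quick on $lan_if  all tag LAN    keep state
pass in quick on $dmz_if  all tag DMZ    keep state
pass in quick on $gre_ifs all tag TUNNEL keep state

# Egress: default deny, then allow only the classified flows that belong
# on each outgoing interface. The out rules are evaluated separately from
# the in rules, since the state created on ingress does not cover the
# forwarded packet's egress on a different interface.
block out log all
pass out quick on $lan_if  tagged TUNNEL keep state   # tunnel peers -> trusted LAN
pass out quick on $gre_ifs tagged LAN    keep state   # trusted LAN -> tunnel peers
pass out quick on $wan_if  tagged LAN    keep state   # trusted LAN -> Internet
pass out quick on $wan_if  tagged DMZ    keep state   # untrusted LAN -> Internet
# Anything untagged, or tagged for an interface it is not allowed on
# (e.g. DMZ -> tunnels), falls through to "block out log all".
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. After sending traffic through a tunnel, `pfctl -vs rules` prints an `Evaluated`/`Packets` counter line under each rule; if the `match in log on { gre0 gre1 }` line stays at zero while traffic is visibly flowing in `tcpdump -ni gre0`, the packets are not reaching pf's hook on that interface and the ruleset itself is not the problem.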