> Nope, it is impossible in code "as is".
> It requires a bit of trickery.
> You could hack it to select a tunnel and assign
> all unclassified IPIP packets to it, e.g. hook a netdev notifier
> in ipip.c, catch the moment when the first tunnel goes up
> and select it, or catch when tunl or tunl0 goes up, and
> until then drop all such packets. Ugly.
Another solution would be to modify ip_find_tunnel to allow
a "catch all" tunnel interface (e.g., by setting the broadcast
flag or some similar hack) to be defined.
> Beware, if you just deleted ip_find_tunnel, the firewall would
> not be able to segregate packets that arrived from a tunnel from normal traffic.
No, for that experiment I've replaced ip_find_tunnel by a hacked
version which accepted the _first_ tunnel device it spotted.
Have a nice fortnight
-- 
Martin `MJ' Mares <mj@gts.cz> http://atrey.karlin.mff.cuni.cz/~mj/
Faculty of Math and Physics, Charles University, Prague, Czech Rep., Earth
"Purchasing Windows is an Unrecoverable Application Error."
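As an added example, not code from this thread and not the kernel's ipip.c: a user-space C model of the three lookup policies the messages compare. `find_tunnel_strict` stands in for the existing exact-match lookup, `find_tunnel_catch_all` for the proposed "catch-all tunnel" variant (a hypothetical `catch_all` field plays the role of the "broadcast flag or similar hack"), and `find_tunnel_first` for the experiment that accepted the first tunnel device it spotted. All struct and function names, the `IP4` macro, the host-order addresses and the sample table are assumptions made for this model; the real kernel structures differ. The point it shows is the one raised in the quoted warning: with the first-tunnel policy an IPIP packet from an unknown peer is attributed to a real tunnel interface, so a firewall keyed on the input interface cannot tell it from the legitimate peer's traffic, whereas the strict lookup drops it and the catch-all lookup lands it on a dedicated interface that can be filtered separately.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of an IPIP tunnel table; field names do
 * not correspond to struct ip_tunnel in the kernel. Addresses are kept in
 * host byte order for readability (the kernel uses network order). */
struct tunnel {
    const char *name;
    uint32_t local;    /* outer destination address this tunnel accepts */
    uint32_t remote;   /* outer source address this tunnel accepts */
    int up;            /* interface is up */
    int catch_all;     /* hypothetical flag: receive otherwise unclassified IPIP */
};

/* Constant-expression dotted quad, usable in static initialisers. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef const struct tunnel *(*lookup_fn)(const struct tunnel *, size_t, uint32_t, uint32_t);

/* Exact-match lookup: the packet's outer (saddr, daddr) must equal the
 * tunnel's (remote, local) and the interface must be up. NULL = no tunnel. */
const struct tunnel *find_tunnel_strict(const struct tunnel *tbl, size_t n,
                                        uint32_t saddr, uint32_t daddr)
{
    for (size_t i = 0; i < n; i++) {
        const struct tunnel *t = &tbl[i];
        if (t->up && !t->catch_all && t->remote == saddr && t->local == daddr)
            return t;
    }
    return NULL;
}

/* Proposed variant: exact match first, otherwise the flagged catch-all
 * interface if one is up, otherwise NULL (still dropped). */
const struct tunnel *find_tunnel_catch_all(const struct tunnel *tbl, size_t n,
                                           uint32_t saddr, uint32_t daddr)
{
    const struct tunnel *t = find_tunnel_strict(tbl, n, saddr, daddr);
    if (t)
        return t;
    for (size_t i = 0; i < n; i++)
        if (tbl[i].up && tbl[i].catch_all)
            return &tbl[i];
    return NULL;
}

/* "First tunnel spotted": ignores the addresses entirely, so every IPIP
 * packet is attributed to the first interface that is up. */
const struct tunnel *find_tunnel_first(const struct tunnel *tbl, size_t n,
                                       uint32_t saddr, uint32_t daddr)
{
    (void)saddr;
    (void)daddr;
    for (size_t i = 0; i < n; i++)
        if (tbl[i].up)
            return &tbl[i];
    return NULL;
}

/* Name of the interface the packet would be received on, or "drop". This is
 * the information a firewall keyed on the input interface gets to see. */
const char *classify(lookup_fn lookup, const struct tunnel *tbl, size_t n,
                     uint32_t saddr, uint32_t daddr)
{
    const struct tunnel *t = lookup(tbl, n, saddr, daddr);
    return t ? t->name : "drop";
}

/* Constructed sample configuration: one live peer, one configured but
 * down peer, and a catch-all interface listed last. */
const struct tunnel sample[] = {
    { "tunl1", IP4(10, 0, 0, 1), IP4(10, 0, 0, 2), 1, 0 },
    { "tunl2", IP4(10, 0, 0, 1), IP4(10, 0, 0, 3), 0, 0 },
    { "tunl0", 0,                0,                1, 1 },
};
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

int main(void)
{
    /* A packet from an address that is nobody's configured peer. */
    uint32_t stranger = IP4(192, 168, 1, 9), me = IP4(10, 0, 0, 1);
    printf("strict:    %s\n", classify(find_tunnel_strict, sample, SAMPLE_N, stranger, me));
    printf("catch-all: %s\n", classify(find_tunnel_catch_all, sample, SAMPLE_N, stranger, me));
    printf("first:     %s\n", classify(find_tunnel_first, sample, SAMPLE_N, stranger, me));
    return 0;
}
```

The last two table entries show the trade-off: `find_tunnel_catch_all` also sends a packet from the down peer 10.0.0.3 to the catch-all interface, which is the intended behaviour for a "receive everything unclassified" device but means the catch-all interface must itself be firewalled as untrusted input.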