ipfw and ipsec processing order for outgoing packets wrong

Joost Bekkers joost at jodocus.org
Mon Nov 1 01:32:43 PST 2004


On Mon, Nov 01, 2004 at 09:45:18AM +0200, Ari Suutari wrote:
> Hi,
> 
> 
>    ip_output()
>    {
> #if defined (IPSEC) || defined(FAST_IPSEC)
>        pfil_hooks()
> #endif
> #ifdef IPSEC
>        kame_ipsec_stuff()
> #endif
> #ifdef FAST_IPSEC
>        fast_ipsec_stuff()
> #endif
> #ifndef FAST_IPSEC
>        pfil_hooks()
> #endif
> 

But that gives us 2 blocks of identical code to maintain. To me that doesn't
seem The Right Way(tm), but I haven't yet thought of a way that is better.

I also noticed my patch violates POLA if you are not using IPSEC_FILTERGIF,
because then things should remain as they were.

-- 
greetz Joost
joost at jodocus.org

