Date: Mon, 6 Dec 2004 14:43:15 +0100
From: Jeremie Le Hen <jeremie@le-hen.org>
To: Andre Oppermann <andre@freebsd.org>
Message-ID: <20041206134315.GF79919@obiwan.tataz.chchile.org>
References: <20041129100949.GA19560@bps.jodocus.org>
	<41AAF696.6ED81FBF@freebsd.org> <20041129103031.GA19828@bps.jodocus.org>
	<41AB3A74.8C05601D@freebsd.org> <20041129174954.GA26532@bps.jodocus.org>
	<41AB65B2.A18534BF@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <41AB65B2.A18534BF@freebsd.org>
User-Agent: Mutt/1.5.6i
cc: Joost Bekkers <joost@jodocus.org>
cc: freebsd-net@freebsd.org
Subject: Re: (review request) ipfw and ipsec processing order for outgoing packets
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>

> > > > I have some stuff wrt [Fast]IPSEC and your problem in the works and
> > > > it should become ready around Christmas time (loadable [Fast]IPSEC, at
> > > > least for IPv4).
> > >
> > > While this way of 'fixing' the IPSEC problem works it is rather gross
> > > and not very stylish.  I prefer not to have this in the tree as it makes
> > > maintenance a lot harder.
> > 
> > I totally agree that it is not pretty. I was trying to avoid duplicating
> > the code (so every change would have to be made twice) and making it a
> > function didn't sit right for some reason. Hints/tips for dealing with
> > this kind of situation are welcome, but maybe better off-list.
> 
> As things currently are with IPSEC code weaved directly into ip_input()
> and ip_output() there is no better way than what you have proposed.
> 
> It will solve it much more nicely. :)

If I understand correctly, either Joost's patch or your nice changes
that-should-appear-before-Christmas will achieve what the OpenBSD enc(4)
interface provides [1].  It would be really wonderful.  But I may be
missing something, because I can see no way in firewall rules to
distinguish between the before-IPSec-processing hook and the after-IPSec-
processing one.  Could you clarify this for me, please?

Thanks in advance.
Best regards,
-- 
Jeremie Le Hen
jeremie@le-hen.org