Date: Mon, 1 Nov 2004 10:32:39 +0100 From: Joost Bekkers <joost@jodocus.org> To: Ari Suutari <ari@suutari.iki.fi> Cc: freebsd-net@freebsd.org Subject: Re: ipfw and ipsec processing order for outgoing packets wrong Message-ID: <20041101093239.GA34571@bps.jodocus.org> In-Reply-To: <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com> References: <200410300927.51286.ari@suutari.iki.fi> <20041030214212.GA1737@bps.jodocus.org> <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Nov 01, 2004 at 09:45:18AM +0200, Ari Suutari wrote:
> Hi,
>
>
> ip_output()
> {
> #if defined (IPSEC) || defined(FAST_IPSEC)
> pfil_hooks()
> #endif
> #ifdef IPSEC
> kame_ipsec_stuff()
> #endif
> #ifdef FAST_IPSEC
> fast_ipsec_stuff()
> #endif
> #ifndef FAST_IPSEC
> pfil_hooks()
> #endif
>
But that gives us 2 blocks of identical code to maintain. To me that doesn't
seem The Right Way(tm), but I haven't yet thought of a way that is better.
I also noticed my patch violates pola if you are not using IPSEC_FILTERGIF
because then things should remain as they were.
--
greetz Joost
joost@jodocus.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041101093239.GA34571>