From: Joost Bekkers
To: Ari Suutari
Cc: freebsd-net@freebsd.org
Date: Mon, 1 Nov 2004 10:32:39 +0100
Subject: Re: ipfw and ipsec processing order for outgoing packets wrong
Message-ID: <20041101093239.GA34571@bps.jodocus.org>
In-Reply-To: <018a01c4bfe6$bea23020$2508473e@sad.syncrontech.com>

On Mon, Nov 01, 2004 at 09:45:18AM +0200, Ari Suutari wrote:
> Hi,
>
> ip_output()
> {
> #if defined (IPSEC) || defined(FAST_IPSEC)
> pfil_hooks()
> #endif
> #ifdef IPSEC
> kame_ipsec_stuff()
> #endif
> #ifdef FAST_IPSEC
> fast_ipsec_stuff()
> #endif
> #ifndef FAST_IPSEC
> pfil_hooks()
> #endif
>

But that gives us 2 blocks of identical code to maintain. To me that
doesn't seem The Right Way(tm), but I haven't yet thought of a way that
is better.

I also noticed my patch violates pola if you are not using
IPSEC_FILTERGIF because then things should remain as they were.

-- 
greetz Joost
joost@jodocus.org