From owner-freebsd-net@FreeBSD.ORG Mon Aug 21 16:49:54 2006
Date: Mon, 21 Aug 2006 18:50:25 +0200
From: Jeremie Le Hen
To: Andrew Pantyukhin
Cc: net@freebsd.org
Subject: Re: [fbsd] Re: Routing IPSEC packets?
Message-ID: <20060821165025.GB58048@obiwan.tataz.chchile.org>
References: <44E58E9E.1030401@FreeBSD.org> <44E5F19E.9070600@isi.edu> <44E619F7.7030300@isi.edu> <20060821162830.GA58048@obiwan.tataz.chchile.org>
List-Id: Networking and TCP/IP with FreeBSD

Andrew,

On Mon, Aug 21, 2006 at 08:45:54PM +0400, Andrew Pantyukhin wrote:
> On 8/21/06, Jeremie Le Hen wrote:
> > As it has indeed already been stated in this thread, IPSec tunnel mode
> > shunts the routing table. However the new enc(4) interface that Andrew
> > Thompson has imported from OpenBSD allows to filter IPSec traffic in a
> > more natural way.
>
> My understanding is that "options IPSEC_FILTERGIF"
> already forces decoded packets to show up on the
> interface:
>
> http://lists.freebsd.org/pipermail/freebsd-bugs/2005-December/016074.html

I agree with this, that's why I said "... allows to filter IPSec traffic
_in a more natural way_". IPSEC_FILTERGIF is a kind of hack IMHO, though
it has revealed itself to be very useful for many years.

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
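To illustrate the point of the thread, here is an added pf.conf fragment (not from the message or from FreeBSD's own documentation) showing why enc(4) makes IPsec filtering "more natural": the outer ESP packets are matched on the physical interface while the decrypted inner packets are matched on enc0, with no reliance on the routing table that tunnel mode bypasses. It assumes a FreeBSD gateway built with `options IPSEC` and `device enc`, and the interface name and RFC 5737 / RFC 1918 addresses are constructed placeholders.

```pf
# Added example; assumes a FreeBSD gateway with "options IPSEC" and
# "device enc" in the kernel, and tunnel-mode SAs with one peer.
# All names and addresses below are constructed, not from the thread.
ext_if       = "em0"
peer         = "198.51.100.1"   # remote IPsec gateway (constructed)
inner_local  = "10.1.0.0/24"    # network behind this gateway (constructed)
inner_remote = "10.2.0.0/24"    # network behind the peer (constructed)

block all

# Outer traffic on the physical interface: only IKE and ESP to/from the
# known peer. At this point the payload is still encrypted, so nothing
# about the inner addresses or ports can (or should) be decided here.
pass in  on $ext_if proto udp from $peer to ($ext_if) port 500
pass out on $ext_if proto udp from ($ext_if) to $peer port 500
pass in  on $ext_if proto esp from $peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer

# Inner traffic: after ESP decapsulation the cleartext packet is handed
# to enc0, so policy on the real payload lives here. Without enc(4) (or
# the IPSEC_FILTERGIF hack mentioned in the thread) the decrypted packet
# would not appear on any filterable interface, because tunnel mode
# delivers it without consulting the routing table.
block in on enc0
pass in  on enc0 proto tcp from $inner_remote to $inner_local port { 22, 443 } keep state
pass out on enc0 from $inner_local to $inner_remote keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `tcpdump -i enc0` that decrypted packets really traverse enc0 on the kernel in use, since older kernels without enc(4) silently skip these rules.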