From owner-freebsd-net@freebsd.org Sun Dec 11 15:28:10 2016
Date: Sun, 11 Dec 2016 18:28:06 +0300
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: "Andrey V. Elsukov"
Cc: freebsd-net@FreeBSD.org, Eugene Grosbein
Subject: Re: [RFC/RFT] projects/ipsec
Message-ID: <20161211152806.GG31311@zxy.spb.ru>
References: <2bd32791-944f-2417-41e9-e0fe1c705502@FreeBSD.org> <584D18D1.8090400@grosbein.net> <36fa749c-f284-1d96-704c-b7118a574dd0@FreeBSD.org> <20161211115802.GD31311@zxy.spb.ru> <4f8ad6e3-8028-8656-d286-caa391960632@FreeBSD.org> <20161211121515.GE31311@zxy.spb.ru> <20161211125004.GF31311@zxy.spb.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Dec 11, 2016 at 03:53:49PM +0300, Andrey V. Elsukov wrote:
> On 11.12.2016 15:50, Slawa Olhovchenkov wrote:
> >> You can specify what you want, but this just will not work as you
> >> expect. A router usually must not handle all TCP sessions that it
> >
> > You mean forward to the IPsec system only packets with DST_IP = my_ip?
> > In that case, why do you talk only about not handling returned packets?
> > Originated packets also aren't addressed to me.
>
> I already described how it works and that you can configure what
> you want.
>
> https://lists.freebsd.org/pipermail/freebsd-net/2016-December/046616.html

This isn't clear about "we can't handle the returned packets".
If we can handle originated packets (encrypted by an outbound policy, yes?),
what is the problem with handling returned packets by another outbound policy and decrypting them?