Date: Thu, 13 Feb 2003 15:44:23 -0500 (EST)
From: Andriy Gapon
To: Mike Durian
Cc: freebsd-net@FreeBSD.ORG, Guido van Rooij
Subject: Re: ipsec & ipfw: 4.7-release vs -stable

On Mon, 10 Feb 2003, Mike Durian wrote:

> once in their decrypted form. So, despite the comment in the commit
> message:
>
> Get rid of checking for ip sec history. It is true that
> packets are not supposed to be checked by the firewall rules
> twice. However, because the various ipsec handlers never
> call ip_input(), this never happens anyway.
>
> It looks like ipsec must be calling ip_input() somewhere.
>
> I too would like to see ipfilter behave as documented (in -current too)
> and not re-process decrypted ESP packets. Perhaps change 1.214 can
> be reworked or reverted? I'll file a PR.

Mike,

filing a PR is an excellent idea. I think that should have been from the
start. Thank you.

-- 
Andriy Gapon
*
"In my view XML is to data representation what Roman numerals are to math."
(c) Bakul Shah