Date: Thu, 13 Feb 2003 15:44:23 -0500 (EST)
From: Andriy Gapon <agapon@cv-nj.com>
To: Mike Durian <durian@boogie.com>
Cc: freebsd-net@FreeBSD.ORG, Guido van Rooij <guido@FreeBSD.ORG>
Subject: Re: ipsec & ipfw: 4.7-release vs -stable
Message-ID: <20030213154234.P65520@edge.foundation.invalid>
In-Reply-To: <200302101137.45763.durian@boogie.com>
References: <20030210114109.G53494@edge.foundation.invalid> <200302101137.45763.durian@boogie.com>

On Mon, 10 Feb 2003, Mike Durian wrote:

> once in their decrypted form.  So, despite the comment in the commit
> message:
>
>   Get rid of checking for ip sec history. It is true that
>   packets are not supposed to be checked by the firewall rules
>   twice. However, because the various ipsec handlers never
>   call ip_input(), this never happens anyway.
>
> It looks like ipsec must be calling ip_input() somewhere.
>
> I too would like to see ipfilter behave as documented (in -current too)
> and not re-process decrypted ESP packets.  Perhaps change 1.214 can
> be reworked or reverted?  I'll file a PR.

Mike,

filing a PR is an excellent idea. I think that should have been from the
start. Thank you.

--
Andriy Gapon
*
"In my view XML is to data representation what Roman numerals are to math."
(c) Bakul Shah

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message