On Mon, 10 Feb 2003, Mike Durian wrote:
> once in their decrypted form. So, despite the comment in the commit
> message:
>
> Get rid of checking for ip sec history. It is true that
> packets are not supposed to be checked by the firewall rules
> twice. However, because the various ipsec handlers never
> call ip_input(), this never happens anyway.
>
> It looks like ipsec must be calling ip_input() somewhere.
>
> I too would like to see ipfilter behave as documented (in -current too)
> and not re-process decrypted ESP packets. Perhaps change 1.214 can
> be reworked or reverted? I'll file a PR.

Mike, filing a PR is an excellent idea. I think that should have been from the start. Thank you.

-- 
Andriy Gapon
* "In my view XML is to data representation what Roman numerals are to math." (c) Bakul Shah