Hi,
I've been pondering the same issue and am currently running 5.3-R modified in the
way you've described. (diff at http://jodocus.org/ipsec-pfil.diff I'm not an
experienced kernel-hacker, so use at own risk)
Great, I'll have to try this.
For IPSEC this also means that the resulting ESP and AH packets don't traverse the
firewall when leaving the system. (at least if I read the code correctly; not tested)
Yes, it looks like that with kame ipsec one should leave the original pfil_hook code *also* in place. Maybe something like:

    ip_output() {
    #if defined(IPSEC) || defined(FAST_IPSEC)
        pfil_hooks()
    #endif
    #ifdef IPSEC
        kame_ipsec_stuff()
    #endif
    #ifdef FAST_IPSEC
        fast_ipsec_stuff()
    #endif
    #ifndef FAST_IPSEC
        pfil_hooks()
    #endif

Ari S.