Joshua Smith wrote:
> Out of curiosity what are these two extremely rare cases?

[snip]
One example off the top of my head (and ipsec.conf(5)) is the enc0 interface. You wouldn't set your state-policy to this, but each individual rule would use if-bound to prevent traffic from going out your egress when an IPsec SA is removed/expires before the state is removed/expires (think isakmpd and the various reasons an SA can disappear).

Of course, if I am wrong and if-bound shouldn't be used in this case, ipsec.conf(5) should be updated appropriately.

-Brian
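A pf.conf fragment showing the per-rule if-bound usage the message above describes, with the floating variant left commented out for comparison. This is an added example, not part of the original post; the egress interface name, the addresses and the macro names are assumptions.

```pf
# Constructed example: interface name and all addresses are placeholders.
ext_if    = "em0"               # assumed egress interface
peer_gw   = "203.0.113.10"      # assumed remote IPsec gateway
local_net = "192.0.2.0/24"      # assumed local side of the tunnel
peer_net  = "198.51.100.0/24"   # assumed remote side of the tunnel

# The global policy stays floating; only the enc0 rules are bound.
set state-policy floating

block all

# IKE and ESP between the two gateways travel on the egress interface.
pass in  on $ext_if proto udp from $peer_gw to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $peer_gw port { 500, 4500 }
pass in  on $ext_if proto esp from $peer_gw to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $peer_gw

# Floating variant (left disabled): a state created here is not tied to
# enc0, so it can keep matching the same flow on $ext_if after the SA
# has been removed or has expired, which is the case the post warns about.
# pass out on enc0 from $local_net to $peer_net keep state

# Bound variant: these states match only packets seen on enc0, so once
# the SA is gone the flow falls through to "block all" on $ext_if.
pass in  on enc0 from $peer_net to $local_net keep state (if-bound)
pass out on enc0 from $local_net to $peer_net keep state (if-bound)
```

The ruleset can be syntax-checked without loading it using `pfctl -nf` on the file.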