Joshua Smith wrote:
> Out of curiosity what are these two extremely rare cases?
[snip]

One example off the top of my head (and ipsec.conf(5)) is the enc0
interface.  You wouldn't set your state-policy to this, but each
individual rule would use if-bound to prevent traffic from going out
your egress when an IPsec SA is removed/expires before the state is
removed/expires (think isakmpd and the various reasons an SA can disappear).

Of course, if I am wrong and if-bound shouldn't be used in this case,
ipsec.conf(5) should be updated appropriately.

-Brian

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]

Reply via email to