On Tue, Oct 23, 2007 at 02:10:43PM +0200, Henning Brauer wrote:
> * Brian <[EMAIL PROTECTED]> [2007-10-22 20:39]:
> > Joshua Smith wrote:
> > > Out of curiosity what are these two extremely rare cases?
> > [snip]
> >
> > One example off the top of my head (and ipsec.conf(5)) is the enc0
> > interface. You wouldn't set your state-policy to this, but each
> > individual rule would use if-bound to prevent traffic from going out
> > your egress when an IPsec SA is removed/expires before the state is
> > removed/expires (think isakmpd and the various reasons an SA can disappear).
>
> that is indeed one case. whether you really want if-bound for ipsec or not
> depends on the setup, you have to think it through on a case-by-case
> basis.
>
> the other case is so bizarre that I forgot the details. basically a
> case where a packet goes through the stack 3 times instead of 2 with the
> normal forwarding. I think you could trigger that with very very very
> very very strange use of the evil route-to (which should be avoided
> wherever possible in the first place).
>
Everything that moves through your stack multiple times needs if-bound
states or no states at all. I use multiple qemus with bridge(4) that show
the same problem and yes, this is a very bizarre setup.

The other case where you may need if-bound states is when doing NAT in a
multipath setup. This is another uncommon setup and you may get away with
non-if-bound states.

-- 
:wq Claudio
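The enc0 case Brian describes above, written out as a pf.conf fragment. This is an added example, not a ruleset posted by anyone in the thread; the interface names, addresses and peer network are assumptions chosen for illustration. The global policy stays floating, and only the rules for the cleartext inner traffic ask for if-bound states, so that a state created on enc0 (or on the LAN side) can never be the thing that lets a packet for the remote network out the egress interface in the clear once the SA is gone:

```pf
# Assumed names (not from the thread):
ext_if   = "em0"              # egress toward the Internet
lan_if   = "em1"              # local network interface
lan_net  = "192.168.1.0/24"   # network behind this gateway
peer_ip  = "203.0.113.10"     # remote IPsec gateway
peer_net = "10.10.0.0/16"     # network behind the remote gateway

# Default: states float across interfaces. Only selected rules below
# override this with if-bound; the IKE and ESP states stay floating.
set state-policy floating

# Anything not explicitly passed is dropped. This is what a cleartext
# packet for $peer_net hits on $ext_if when no state matches it there.
block log all

# IKE (isakmpd) and ESP between the two gateways, on the physical interface.
pass out on $ext_if proto udp from ($ext_if) to $peer_ip port 500 keep state
pass in  on $ext_if proto udp from $peer_ip to ($ext_if) port 500 keep state
pass out on $ext_if proto esp from ($ext_if) to $peer_ip
pass in  on $ext_if proto esp from $peer_ip to ($ext_if)

# Inner (cleartext) traffic. It is filtered once on $lan_if and once on
# enc0 before/after IPsec processing. Every state for this traffic is bound
# to the interface it was created on, so a packet that bypasses IPsec and
# is routed out $ext_if matches none of them and falls through to "block".
pass in  on $lan_if from $lan_net  to $peer_net keep state (if-bound)
pass out on enc0    from $lan_net  to $peer_net keep state (if-bound)
pass in  on enc0    from $peer_net to $lan_net  keep state (if-bound)
pass out on $lan_if from $peer_net to $lan_net  keep state (if-bound)
```

The rule-level `keep state (if-bound)` is the knob Brian refers to; `set state-policy if-bound` would do the same for every rule, including the IKE and ESP ones, which is what he says you would not want. Whether a given setup actually needs this is, as Henning says, something to think through per setup: the protection only works because of the default `block`, and with a `pass out on $ext_if` catch-all rule the cleartext packet would still get out, just via a freshly created state instead of the old one.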