Hi All,

I'm now analyzing ipfilter in 3.2 and our goal is to port our IPSec/firewall. I'm still in the beginning of reading the code so, at this time, I can't yet tell how nicely it fits our needs. I just have some concerns which I'd like the people who are going to re-design the ipfilter to hear. I wouldn't be surprised to learn that you are already thinking about this, however, it's nice to know it for certain :-)

The things in the IPSec field are seemingly moving to using hardware accelerators for doing compression/encryption/authentication. This means that IP filters need to grab some of the IP packets, process them on a specialized processor and then re-inject them into the IP packet stream. That is, the filter may decide to convert the packet, but it doesn't have it ready-to-go when it has to return. However, it may have it ready at some later time, possibly when it processes a hardware interrupt and sees that the co-processor has finished its work on the packet.

Can ipfilter handle this?

Thank you,
Stan