On 12 May 2017 at 15:29, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> Hi,
>
> IPsec packets are passed through ip_input() a second time after
> they have been decrypted. That means that all the IP header fields
> are checked twice. Also fragment reassembly is tried twice.
>
> In pf, incoming packets in tunnel mode appear twice on the enc0
> interface. Once as IP-in-IP and once as the inner packet. In the
> outgoing path we only see the inner packet. Asymmetry is bad for
> stateful filtering.
>
> IPv6 shows that IPsec works without that. After decrypting we can
> continue with local delivery. If we are in tunnel mode, the IP-in-IP
> protocol functions do what we want. In transport mode only pf_test()
> has to be called for the enc0 device.
>
> Introducing ip_local() means less needless processing and cleaner
> pf behavior.
>
> ok?
>
> bluhm
>

Nice. OK mikeb