>I thought this was a discussion of why "persistent tags" were needed.  

Me too. That's why the comment in the patch mentions mandatory access
controls.  Maybe that should be more explicit?


>I  have no argument that fast ipsec or any other user should remove their own 
>tags before they hit if_loop (as appropriate).

The proposal to have if_loop() remove nonpersistent tags is for
*consistency*: so that sending via if_loop() behaves the same as sending
on a real interface, which then hears its own packet.

The other approach is to have fast-ipsec remove its tags on the way
through ip_output(). I dont see how that can work. If we want to use
NIC IPsec offload to perform encryptoion of outbound packets (and we
do!), then ipsec tags have to stay on an outbound packet until the
packet hits the NIC driver. The NIC driver inspects the tags, to
decide whether set up NIC-specific commands to do the transform.

I suppose we could end up with a situation where sometimes ip_output()
removes ipsec tags, and sometimes it inserts packet tags for the
benefit of on-NIC ipsec offload engines. In that world, sometimes
ifp->if_output() remove tags, and sometimes it doesn't.

I'd sooner have consisent behaviour (leading to robustness and
reliability) than an API which goes in the other direction.