Subject: Re: Patch for Fast-IPsec over loopback
To: None <jonathan@DSG.Stanford.EDU>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-net
Date: 08/23/2003 10:46:11
> >I have no argument that fast ipsec or any other user should remove their own
> >tags before they hit if_loop (as appropriate).
> 
> The proposal to have if_loop() remove nonpersistent tags is for
> *consistency*: so that sending via if_loop() behaves the same as sending
> on a real interface, which then hears its own packet.
> 
> The other approach is to have fast-ipsec remove its tags on the way
> through ip_output(). I don't see how that can work. If we want to use
> NIC IPsec offload to perform encryption of outbound packets (and we
> do!), then ipsec tags have to stay on an outbound packet until the
> packet hits the NIC driver. The NIC driver inspects the tags, to
> decide whether to set up NIC-specific commands to do the transform.
> 
> I suppose we could end up with a situation where sometimes ip_output()
> removes ipsec tags, and sometimes it inserts packet tags for the
> benefit of on-NIC ipsec offload engines. In that world, sometimes
> ifp->if_output() removes tags, and sometimes it doesn't.

	because L2 driver behavior is different, ip_output() needs to behave
	differently.  yes, ip_output() should remove ipsec tags used in L3
	logic, and then add ipsec-hardware tags to tell L2 to do special stuff.
	it is just like the m_pkthdr flag for checksum offloading.  or do you
	suggest that m_pkthdr handling in ip_output() for checksum offloading
	is "inconsistent"?

> I'd sooner have consistent behaviour (leading to robustness and
> reliability) than an API which goes in the other direction.

	i still don't see how your proposal would contribute to a consistent
	behavior.

itojun