On Thu, Jan 25, 2001 at 05:42:26PM +0900, Jun-ichiro itojun Hagino wrote:
> 	i made a change to ipsec logic, so that ipsec and ipf interact better.
> 

Any chance that those changes will make it in the release branch?
Bye,

Mipam.

> 	now, ipf looks into wire-format packet only.
> 
> 	suppose you have inbound packet genrated by IPsec tunnel device.
> 	the packet will be like:
> 		IP1 ESP IP2 payload
> 	"IP2 payload" is the encapsulated packet, and "IP1 ESP" wraps it up.
> 	ipf used to look at both wire-format packet (IP1 ESP IP2 payload),
> 	and decapsulated packet (IP2 payload), on inbound.  it made it
> 	ultra-hard to configure NAT box and IPsec gateway in the same box.
> 	now the trouble should have gone and it is simple to configure them
> 	in the same box.
> 
> 	WARNING: if you were using ipf to filter IPsec-decapsulated packets
> 	you may need to change your ruleset.  also, packets decapsulated
> 	by "gif" or "ipip" tunnelling device still go through ipf
> 	(you can recognize them by using matching rule based on inbound
> 	interface).
> 
> itojun