Subject: Re: Take #3 - final proposed patch for ipsec/bpf/ipfilter integration
To: None <avalon@caligula.anu.edu.au>
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
List: tech-net
Date: 05/14/2003 10:18:20
hi,
> Hi All,
>
> At this pass on the ipsec/tcpdump/ipfilter problem, I think I'm
> approaching something very close to 100% working. I'd really
> like some feedback from someone at KAME on the changes below as
> well as from people who can test it or just review the patches.
> I've also not yet tested IPv6, so if someone could give that a
> go, it'd be most welcome.
sorry for a dumb question;
i can't understand why you want to introduce such a 'virtual interface' hack.
what you need for ipf is just additional filtering points (pfil_head), isn't it?
> ***************
> *** 608,614 ****
> if (pr->pr_usrreq != NULL) {
> (void) (*pr->pr_usrreq)(&so,
> PRU_PURGEIF, NULL, NULL,
> ! (struct mbuf *) ifp, curproc);
> purged = 1;
> }
> }
> --- 664,670 ----
> if (pr->pr_usrreq != NULL) {
> (void) (*pr->pr_usrreq)(&so,
> PRU_PURGEIF, NULL, NULL,
> ! (struct mbuf *) ifp, curlwp);
> purged = 1;
> }
> }
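Review bot: The switch from `curproc` to `curlwp` as the last argument of the `PRU_PURGEIF` `pr_usrreq` call comes with no stated reason, and nothing in the visible lines ties it to the ipsec/bpf/ipfilter integration. If it is an independent change, split it into its own patch. Otherwise, say in the patch description why this call site needs it, so the functional changes can be reviewed separately.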
why?
> Index: sys/net/if.h
> ===================================================================
> RCS file: /cvsroot/src/sys/net/if.h,v
> retrieving revision 1.88
> diff -c -r1.88 if.h
> *** sys/net/if.h 2003/04/30 18:50:26 1.88
> --- sys/net/if.h 2003/05/11 07:17:26
> ***************
> *** 292,297 ****
> --- 292,298 ----
>
> void *if_afdata[AF_MAX];
> struct mowner *if_mowner; /* who owns mbufs for this interface */
> + struct ifnet *if_ipsec;
> };
> #define if_mtu if_data.ifi_mtu
> #define if_type if_data.ifi_type
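Review bot: The new `struct ifnet *if_ipsec;` member at the end of `struct ifnet` has no comment, unlike `if_mowner` directly above it. Please document what it points to, who sets and clears it, and what happens to the pointer when either interface is detached, since a stale `struct ifnet *` here would be dereferenced on the packet path. The member is also added unconditionally, so every interface carries it whether or not IPsec is in use. Consider whether it belongs under the existing `if_afdata[]` per-family storage instead.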
adding more protocol-specific members into struct ifnet seems a bad idea.
YAMAMOTO Takashi