Subject: Re: fast-ipsec and ipfilter
To: Steve Woodford <scw@NetBSD.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 11/23/2003 15:48:51
In message <200311231905.18492.scw@netbsd.org> Steve Woodford writes


>This means that fast-ipsec tunnels do not work when ipfilter is in the 
>mix.

Far from unexpected. Thanks for trying it.

>To address this, I've attached a patch which does pretty much the same 
>thing for fast-ipsec as is currently done for Kame IPsec.
>
>Comments?

I haven't tried compiling or running it, but it all looks reasonable.
The biggest comment I have is that Sam Leffler and I try to keep the
FreeBSD (4.x) and NetBSD sys/netipsec in synch.  I think the patch
will compile on FreeBSD, but if you can wait a day or two to commit, I
can test it in FreeBSD 4.x kernel source. I can check whether Sam has
comments too, if he hasn't seen it already.

Should we put in IPv6 filtering hooks whilst we're at it?