On Wed, 30 Jul 2003, Chris Wilson wrote:

> Logically, it makes sense to me that the packet should pass through the
> whole of Netfilter _again_ after it's been decapsulated, similarly to what
> now happens with FreeS/WAN (but presumably without an ipsec0 interface
> being involved). Or, maybe it should be decapsulated before routing (and
> hence visible unencrypted in FORWARD, INPUT and OUTPUT).

It needs to pass routing first unless something has changed drastically in
the 2.6 IP networking code, or else the kernel won't know if the ipsec
packet is to be decapsulated or routed.

Regards
Henrik