Subject: Re: Extending pfil for IPv6
To: Darren Reed <darrenr@reed.wattle.id.au>
From: None <mcr@solidum.com>
List: tech-net
Date: 10/24/1999 16:07:49

>>>>> "Darren" == Darren Reed <darrenr@reed.wattle.id.au> writes:
Darren> to add filtering hooks needs to be addressed. Having spent some time
Darren> looking at it, I think the correct hooks need to be added at about line
Darren> 292 of ip6_input.c (after the version check, but prior to any scope checks).
Darren> If the stats counter was moved further down, then I'd be tempted to let at
Darren> least the first scope check be done before doing pfil checks. My preference

For the benefit of new NIC cards that can offload a lot of the inbound
hooks, it would be nice if there was a way to mark an mbuf as having been
already processed by the inbound filters. It may be that this should be
an integer that gets incremented so that some can run feed packets back into the
bottom of the stack and have only the appropriate level of filtering
apply. (This isn't just for the IPsec case, for which we already have policy code)

] Train travel features AC outlets with no take-off restrictions| firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
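
The marking idea in the reply above, as an added example (not code from the post or from NetBSD): a per-packet counter records how many inbound filter stages have already been applied, and the filter runner skips those stages. `struct pkt`, `filt_done`, `run_inbound`, `make_pkt` and the three sample checks are hypothetical names and constructed policies, not pfil interfaces.

```c
#include <stddef.h>
#include <string.h>
#define IP6_HDRLEN 40                 /* fixed IPv6 header length */
/* Hypothetical stand-in for an mbuf packet header. */
struct pkt {
    unsigned char data[IP6_HDRLEN];
    size_t        len;
    unsigned      filt_done;          /* inbound stages already applied */
};

struct filt_stage {
    unsigned level;                   /* 1-based position in the chain */
    int    (*fn)(const struct pkt *); /* nonzero = drop */
};

/* Constructed sample policies, one per stage. */
static const unsigned char zero16[16] = {0};
static int chk_len(const struct pkt *p)  { return p->len < IP6_HDRLEN; }
static int chk_hlim(const struct pkt *p) { return p->data[7] == 0; }
static int chk_src(const struct pkt *p)  { return memcmp(p->data + 8, zero16, 16) == 0; }
static const struct filt_stage chain[] = {
    { 1, chk_len }, { 2, chk_hlim }, { 3, chk_src },
};

/* Run only the stages above the packet's mark; return stages run, or -1 on
 * drop. The mark is trusted as-is, so only the driver or stack may set it. */
int run_inbound(struct pkt *p)
{
    int ran = 0;
    for (size_t i = 0; i < sizeof(chain) / sizeof(chain[0]); i++) {
        if (chain[i].level <= p->filt_done)
            continue;                 /* already applied, e.g. by the NIC */
        if (chain[i].fn(p))
            return -1;
        p->filt_done = chain[i].level;
        ran++;
    }
    return ran;
}

/* Constructed sample packet: version 6, given hop limit, source ::1. */
struct pkt make_pkt(unsigned char hlim, unsigned done)
{
    struct pkt p = { .len = IP6_HDRLEN, .filt_done = done };
    p.data[0] = 0x60;
    p.data[7] = hlim;
    p.data[23] = 1;
    return p;
}
```

A packet that stage 2 would drop passes when it arrives already marked at level 2, so the mark has to be reset whenever a packet's contents change or it comes from a source that did not actually run those stages.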