Subject: fast-ipsec and ipfilter
To: None <tech-net@netbsd.org>
From: Steve Woodford <scw@netbsd.org>
List: tech-net
Date: 11/23/2003 19:05:18
Hi,

While playing around with fast-ipsec on a machine which also runs 
ipfilter, it became apparent that packets were being filtered twice; 
first the 'wire' packet, and then again after IPsec did its thing.

This means that fast-ipsec tunnels do not work when ipfilter is in the 
mix.

To address this, I've attached a patch which does pretty much the same 
thing for fast-ipsec as is currently done for Kame IPsec.

Comments?

Cheers, Steve

Index: netinet/ip_input.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_input.c,v
retrieving revision 1.185
diff -u -r1.185 ip_input.c
--- netinet/ip_input.c  19 Nov 2003 22:40:55 -0000      1.185
+++ netinet/ip_input.c  23 Nov 2003 19:04:01 -0000
@@ -588,6 +588,8 @@
         */
 #ifdef IPSEC
        if (!ipsec_getnhist(m))
+#elif defined(FAST_IPSEC)
+       if (!ipsec_indone(m))
 #else
        if (1)
 #endif
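Review bot: the new `#elif defined(FAST_IPSEC)` branch means a packet carrying the IPSEC_IN_DONE tag skips the filter hook entirely, so after this change ipfilter never sees the decapsulated inner packet and any restriction on inner traffic has to be expressed in the IPsec security policy instead; that behavioural consequence (identical to the Kame `ipsec_getnhist()` path it mirrors) should be stated in the commit message. Also confirm that `IPSEC` and `FAST_IPSEC` cannot both be defined in one kernel, since with `#ifdef IPSEC` first the Kame test would silently win over the FAST_IPSEC one.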
Index: netipsec/ipsec.h
===================================================================
RCS file: /cvsroot/src/sys/netipsec/ipsec.h,v
retrieving revision 1.3
diff -u -r1.3 ipsec.h
--- netipsec/ipsec.h    6 Oct 2003 22:05:15 -0000       1.3
+++ netipsec/ipsec.h    23 Nov 2003 19:04:02 -0000
@@ -411,6 +411,8 @@
 extern int ipsec4_process_packet __P((struct mbuf *, struct 
ipsecrequest *,
                        int, int));
 extern int ipsec_process_done __P((struct mbuf *, struct ipsecrequest 
*));
+#define ipsec_indone(m)        \
+       (m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)

 extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
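Review bot: `ipsec_indone(m)` is added without a comment; a one-line note that it returns non-zero when the mbuf already carries `PACKET_TAG_IPSEC_IN_DONE` (i.e. the packet has been through IPsec input processing once) would help callers in ip_input.c understand why they skip the filter hook. Since the macro expands to `m_tag_find()`, ipsec.h now depends on <sys/mbuf.h> being included first; either document that or make it a `static __inline` function with the proper types so a missing include fails at the declaration rather than at each use.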