On Fri, 12 Jun 2009, Greg Troxel wrote:
> Start by reading netinet/ip_output.c. IPSEC is before PFIL_HOOKS. I think right now munging in there is the only way.
My hope was to avoid this...
> You could also have a second machine and NAT but not IPsec on that, and separate NAT and IPsec functionality. Kludgy perhaps (xen?), but it might be fewer hours to what you want.
The Netscreen that I've been playing with basically has two machines in one, which allows doing this in a ~sane way. Running something as heavyweight as Xen just to do NAT sounds pretty sub-optimal.
I wonder if all this could be done on a single machine, with some bridge interfaces in between, or similar...
- Hubert
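To make the ordering problem concrete, here is an added toy model (not code from the thread, NetBSD, or Hubert) of the two stages Greg mentions in ip_output(): an IPsec SPD lookup that runs before the PFIL hook where NAT lives. The addresses, the single SPD entry, and the NAT table are all constructed for illustration; the model only shows how a policy keyed on the post-NAT source address can never match when the SPD lookup sees the pre-NAT address, so the NATed packet leaves unprotected.

```python
"""
Constructed model of ip_output() stage ordering: IPsec before PFIL_HOOKS (NAT).
Illustration only; none of this is NetBSD kernel code.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    esp: bool = False                       # True once the IPsec stage wrapped it
    trace: list = field(default_factory=list)


# Constructed addresses: internal host, the gateway's public (NAT) address,
# and the remote peer the IPsec policy protects traffic to.
INTERNAL = "10.0.0.5"
PUBLIC = "203.0.113.1"
REMOTE = "192.0.2.10"

# Constructed SPD: traffic from PUBLIC to REMOTE must be ESP-protected.
SPD = {(PUBLIC, REMOTE): "require-esp"}

# Constructed NAT table: rewrite the internal source to the public address.
NAT = {INTERNAL: PUBLIC}


def ipsec_stage(pkt):
    """SPD lookup keyed on the packet's current (src, dst), as it stands when run."""
    policy = SPD.get((pkt.src, pkt.dst))
    pkt.trace.append(f"ipsec: lookup ({pkt.src},{pkt.dst}) -> {policy}")
    if policy == "require-esp":
        pkt.esp = True
    return pkt


def nat_stage(pkt):
    """Source NAT, standing in for a PFIL hook."""
    new_src = NAT.get(pkt.src)
    if new_src:
        pkt.trace.append(f"nat: {pkt.src} -> {new_src}")
        pkt.src = new_src
    return pkt


def ip_output(pkt, order):
    """Run the stages in the given order and return the packet as it would leave."""
    for stage in order:
        pkt = stage(pkt)
    return pkt


def leaves_protected(order):
    """True if an INTERNAL -> REMOTE packet leaves ESP-wrapped under this ordering."""
    return ip_output(Packet(INTERNAL, REMOTE), order).esp


CURRENT_ORDER = (ipsec_stage, nat_stage)   # what the thread describes
WANTED_ORDER = (nat_stage, ipsec_stage)    # what the poster is after


if __name__ == "__main__":
    for name, order in (("ipsec-then-nat", CURRENT_ORDER),
                        ("nat-then-ipsec", WANTED_ORDER)):
        pkt = ip_output(Packet(INTERNAL, REMOTE), order)
        print(f"{name}: esp={pkt.esp} src={pkt.src} trace={pkt.trace}")
```

Under the current ordering the trace shows the SPD lookup on (10.0.0.5, 192.0.2.10) returning no policy, after which NAT rewrites the source and the packet leaves as cleartext from 203.0.113.1; swapping the stages makes the same policy match. A useful check on a real gateway is the equivalent: capture on the outbound interface and confirm the NATed traffic to the peer is actually ESP rather than assuming the policy fired.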