Re: reverse processing order: NAT, IPsec ?

[Hubert Feyrer <hubert%feyrer.de@localhost>]

On Thu, 25 Jun 2009, Hubert Feyrer wrote:
> > You could attach to an IPsec pseudo-interface both a BPF tap, packet
> > filters and translators.  It seems that a second attachment point for
> > packet filters is what you need here.
> > </soapbox>

You mean like OpenBSD's enc(4)?

FWIW, I wonder if there is any difference between IPfilter and PF (and 
their NAT routines, respectively) with respect to processing order. To my 
understanding there isn't as both are called via pfil_hooks(), or am I 
wrong here?


 - Hubert (trapped in a maze :)