[strongSwan] libipsec design decision - using NFQUEUE vs virtual interfaces
phlevin at runbox.com
Thu Jul 7 14:32:30 CEST 2016
I have a need for a userspace IPsec stack along with strongSwan (IKEv2) for keying. While examining the libipsec
implementation, I became curious about the decision to use virtual interfaces vs. using kernel mechanisms such as
Netfilter and Netfilter Queues to divert traffic to a userspace IPsec datapath stack.
No doubt I'm unaware of some of the design constraints, so to simplify the question, I'd ask:
"is there any reason one should *not* implement a userspace IPsec stack using Netfilter and NFQUEUEs in combination
Thank you in advance.