I am engaged in a discussion on the Netfilter development list about Netfilter and IPSEC in the 2.6 kernels. There is uniform agreement that the current implementation is unacceptable and a design for an improved facility is emerging. Until that design is implemented and available, I will not be doing anything more in Shorewall to accommodate the current implementation. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net