Date: Tue, 25 Feb 2014 22:01:50 +0100
Subject: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
From: Georgios Amanakis
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com, andre@freebsd.org, melifaro@FreeBSD.org, freebsd-bugs@freebsd.org, nicolas@deffayet.com

The following patch resolves it (it has to be tested thoroughly).

Index: netipsec/xform_ipip.c =================================================================== --- netipsec/xform_ipip.c (revision 262492) +++ netipsec/xform_ipip.c (working copy) @@ -181,6 +181,7 @@ IPIPSTAT_INC(ipips_ipackets); m_copydata(m, 0, 1, &v); + m_clrprotoflags(m); switch (v >> 4) { #ifdef INET
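
Review bot: the added `m_clrprotoflags(m);` just before `switch (v >> 4)` has no comment, and it runs unconditionally for every packet that reaches this point, whichever branch of the switch then handles it. Please add a one-line comment above the call stating which flags carried over from the outer packet must not survive onto the decapsulated inner packet, and why clearing them is what lets ipfw match it, so the call is not later removed as redundant. Since the message says the change still has to be tested thoroughly, it would also help to state which setups were checked (the subject names l2tp/ipsec) and whether the path under `#ifdef INET` was the only one exercised.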