From owner-freebsd-bugs@FreeBSD.ORG Fri Feb 28 22:36:46 2014
Message-ID: <1393627004.8727.3.camel@fr-wks3.corp.novso.com>
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
From: Nicolas DEFFAYET To: Georgios Amanakis Date: Fri, 28 Feb 2014 23:36:44 +0100 In-Reply-To: <1393369044.21345.1.camel@fr-wks3.corp.novso.com> References: <1393369044.21345.1.camel@fr-wks3.corp.novso.com> Organization: DEFFAYET.COM Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.4.4-3 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Cc: andre@freebsd.org, melifaro@freebsd.org, =?UTF-8?Q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80_?= =?UTF-8?Q?=D0=92=D0=BE=D0=BB=D0=BE=D0=B1=D1=83=D0=B5=D0=B2?= , freebsd-bugs@freebsd.org, bug-followup@freebsd.org X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Feb 2014 22:36:46 -0000 The following patch seem to be the only working workaround for IPsec transport mode and tunnel mode. Please note the use of M_PROTO7 instead of M_PROTO5 as that is not used in netinet & netinet6. M_PROTO5 is used for another purpose and so using it may create a conflict like M_PROTO3. --- Index: netinet/ip_var.h =================================================================== --- netinet/ip_var.h (revision 262470) +++ netinet/ip_var.h (working copy) @@ -167,7 +167,7 @@ */ #define M_FASTFWD_OURS M_PROTO1 /* changed dst to local */ #define M_IP_NEXTHOP M_PROTO2 /* explicit ip nexthop */ -#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing, +#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall processing, keep in sync with IP6 */ #define M_IP_FRAG M_PROTO4 /* fragment reassembly */ Index: netinet6/ip6_var.h =================================================================== --- netinet6/ip6_var.h (revision 262470) +++ netinet6/ip6_var.h (working copy) 
@@ -297,7 +297,7 @@ * IPv6 protocol layer specific mbuf flags. */ #define M_IP6_NEXTHOP M_PROTO2 /* explicit ip nexthop */ -#define M_SKIP_FIREWALL M_PROTO3 /* skip firewall processing, +#define M_SKIP_FIREWALL M_PROTO7 /* skip firewall processing, keep in sync with IPv4 */ #ifdef __NO_STRICT_ALIGNMENT --- -- Nicolas DEFFAYET
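Review bot: The netinet/ip_var.h hunk renumbers M_SKIP_FIREWALL from M_PROTO3 to M_PROTO7 but leaves no trace in the header of why M_PROTO3 had to be abandoned; the cover mail explains that M_PROTO3 (and M_PROTO5) are already used elsewhere, which is what lets decapsulated IPsec packets arrive carrying the "skip firewall" bit and bypass ipfw as the subject line describes, yet a reader of ip_var.h alone cannot see that. Suggest extending the comment, e.g. `/* skip firewall processing, keep in sync with IP6; M_PROTO3/M_PROTO5 are taken by other layers */`, and backing the claim that M_PROTO7 is free with a tree-wide grep rather than one limited to netinet and netinet6, since the M_PROTO* bits are shared by every layer that touches the same mbuf and any later reuse of M_PROTO7 on the inbound path would silently reopen the same firewall bypass; also confirm M_PROTO7 is defined in sys/mbuf.h on the branch the patch targets.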
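Review bot: The netinet6/ip6_var.h hunk repeats the same renumbering, and the two definitions of M_SKIP_FIREWALL are still kept equal only by the "keep in sync with IPv4" / "keep in sync with IP6" comments, which is exactly the kind of manual coupling a patch like this can break if one side is forgotten. Suggest defining M_SKIP_FIREWALL once in a header both netinet and netinet6 include (the sys/mbuf.h block that defines the M_PROTO* values would be the natural place) or at least adding a compile-time assertion that the IPv4 and IPv6 values agree, since a stale definition on either side would reintroduce a mismatch between the bit the firewall hooks test and the bit other code sets.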