Date: Wed, 15 Jan 2014 14:36:01 +0400
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: Nat Howard <freebsd-stable@track.pupworks.com>
Cc: freebsd-stable@freebsd.org
Subject: Re: IPSEC/PF (particularly NAT) problem? RC5,4,3
Message-ID: <20140115103601.GJ26504@FreeBSD.org>
In-Reply-To: <CEB744A7-A970-4836-9C4B-B42D6F2B0B60@track.pupworks.com>
References: <CEB744A7-A970-4836-9C4B-B42D6F2B0B60@track.pupworks.com>

Nat,

On Tue, Jan 14, 2014 at 06:54:09PM -0500, Nat Howard wrote:
N> I'm encountering a problem in updating to 10.0, and wonder if
N> anything has changed with respect to the way in which you tell (the
N> new!) PF code to process stuff coming in via IPSEC -- if, for
N> example, there's a knob somewhere that says "yes, really, really,
N> do the NATing on incoming packets that came in on IPSEC and
N> are going out (decrypted) in the clear." that wasn't required
N> in previous versions (up to 9.1) of FreeBSD.

AFAIR, nothing has changed in pf in regards to its ipsec handling.
The new part is only finer locking.

Well, I could have broken ipsec. But more probable is that the problem
lives somewhere out of pf.

Can you please provide a minimal reproduction case, that does work
on 9.1, and doesn't work on 10.0? You can file it in GNATS as PR.
That would help.

--
Totus tuus, Glebius.