From owner-freebsd-bugs@FreeBSD.ORG Sun Feb 23 13:40:05 2014
Date: Sun, 23 Feb 2014 13:40:04 GMT
Message-Id: <201402231340.s1NDe4i7091188@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Nicolas DEFFAYET
Reply-To: Nicolas DEFFAYET
Subject: Re: kern/186385: pf don't work as expected in 10.0 with same configuration used on 9.1
List-Id: Bug reports

The following reply was made to PR kern/186385; it has been noted by GNATS.

From: Nicolas DEFFAYET
To: bug-followup@FreeBSD.org, andre@freebsd.org
Subject: Re: kern/186385: pf don't work as expected in 10.0 with same configuration used on 9.1
Date: Sun, 23 Feb 2014 14:36:01 +0100

Related to:

  kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
  kern/186755: ipsec tunnels don't work with pf or ipfw

After very long testing, I have discovered the root cause. Revision 254519 breaks the firewall with IPsec.

http://svnweb.freebsd.org/base?view=revision&revision=254519

"Move the global M_SKIP_FIREWALL mbuf flags to a protocol layer specific flag instead. The flag is only used within the IP and IPv6 layer 3 protocols. Because some firewall packages treat IPv4 and IPv6 packets the same the flag should have the same value for both."

It seems that some code has not been updated to allow the firewall to work with IPsec.

-- 
Nicolas DEFFAYET