Message-ID: <544569CF.2060905@shrew.net>
Date: Mon, 20 Oct 2014 15:00:15 -0500
From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-net@freebsd.org
Subject: Re: Broken IPsec + enc +pf/ipfw
References: <544535C2.9020301@shrew.net> <544566D2.40303@FreeBSD.org>
In-Reply-To: <544566D2.40303@FreeBSD.org>

On 10/20/2014 2:47 PM, Andrey V. Elsukov wrote:
> On 20.10.2014 20:18, Matthew Grooms wrote:
>> Lastly, I tried to locate a relevant PR but didn't find anything
>> concrete. Is this related to the issue? And if so, can it be MFCd?
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=110959
>
> Did you try the patch from last PR? It is small and should be applicable
> to stable/10.
>

As I mentioned, it's not clear to me if the patch was intended to fix 
the issue that I am describing. Is that the case? If so, I would be 
happy to apply it and report back. These are production firewalls, so 
I'd prefer to have some feedback before calculating that risk.

Thanks,

-Matthew