From: "Andrey V. Elsukov"
Date: Tue, 21 Oct 2014 00:50:33 +0400
To: Matthew Grooms, freebsd-net@freebsd.org
Subject: Re: Broken IPsec + enc +pf/ipfw
Message-ID: <54457599.4060102@yandex.ru>
In-Reply-To: <544569CF.2060905@shrew.net>

On 21.10.2014 00:00, Matthew Grooms wrote:
> On 10/20/2014 2:47 PM, Andrey V. Elsukov wrote:
>> On 20.10.2014 20:18, Matthew Grooms wrote:
>>> Lastly, I tried to locate a relevant PR but didn't find anything
>>> concrete. Is this related to the issue? And if so, can it be MFCd?
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=110959
>>
>> Did you try the patch from the last PR? It is small and should be applicable
>> to stable/10.
>>
>
> As I mentioned, it's not clear to me if the patch was intended to fix
> the issue that I am describing. Is that the case? If so, I would be
> happy to apply it and report back. These are production firewalls, so
> I'd prefer to have some feedback before calculating that risk.

This commit fixes a similar problem with ipfw in 11.0-CURRENT. But I think
it won't help you with pf in 10. I guess r266800 is what you need.

-- 
WBR, Andrey V. Elsukov