From nobody@FreeBSD.org  Sun Jan 19 05:46:20 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 1BD66192
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 19 Jan 2014 05:46:20 +0000 (UTC)
Received: from oldred.freebsd.org (oldred.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 050E01105
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 19 Jan 2014 05:46:20 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id s0J5kJ5d024996
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 19 Jan 2014 05:46:19 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id s0J5kJVG024941;
	Sun, 19 Jan 2014 05:46:19 GMT
	(envelope-from nobody)
Message-Id: <201401190546.s0J5kJVG024941@oldred.freebsd.org>
Date: Sun, 19 Jan 2014 05:46:19 GMT
From: Alexander <a.v.volobuev@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         185876
>Category:       kern
>Synopsis:       ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 19 05:50:00 UTC 2014
>Closed-Date:    Tue Mar 18 16:56:42 UTC 2014
>Last-Modified:  Tue Mar 18 17:00:00 UTC 2014
>Originator:     Alexander
>Release:       FreeBSD 10.0
>Organization:
itm holding
>Environment:
FreeBSD evridika.solaris.local 10.0-RELEASE FreeBSD 10.0-RELEASE #0 d44ce30(releng/10.0): Sun Jan 19 11:05:14 YEKT 2014     root@evridika.solaris.local:/usr/obj/usr/src/sys/solaris.v10.0d  amd64
>Description:
mpd is used for the L2TP/IPsec VPN connection.
IKE daemon: strongSwan.
The VPN connects and works fine, but if an ipfw rule should match:
ipfw add allow ip from any to $me_ip_vpn_address
then it does not work, it does not match.
It is a problem if strongSwan is used for an IKEv2 VPN and ipfw nat is used:
ipfw nat 1 ip from $virtual_ip to any

In releng/9.2 this work fine


>How-To-Repeat:
ipfw matching incoming IPsec-decapsulated packets on releng/10.0
>Fix:
unknown

>Release-Note:
>Audit-Trail:

From: hshh <hunreal@gmail.com>
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Thu, 23 Jan 2014 19:08:14 +0800

 It also affects IPsec gif tunnels. And it cannot match or NAT the traffic in
 the tunnel either.
 
 -- 
 @hshh
 

From: "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Fri, 24 Jan 2014 14:25:59 +0600

 Also a problem with the pseudo-interface enc(4). For example:
 # sysctl -a | i ipsec | i enc
 net.enc.in.ipsec_filter_mask: 2
 net.enc.in.ipsec_bpf_mask: 2
 net.enc.out.ipsec_filter_mask: 0
 net.enc.out.ipsec_bpf_mask: 0
 # tcpdump -n -i enc0 host 10.10.3.1
 14:07:09.516262 (authentic,confidential): SPI 0xced105ce: IP
 10.10.3.1.58822 > 188.225.33.52.80: Flags [S], seq 317580935, win 13600,
 options [mss 1360,sackOK,TS val 3559730 ecr 0,nop,wscale 6], length 0
 , but the ipfw rule:
 ipfw add 10 nat 1 ip from 10.0.150.3/32 to any in
 does not match
 

From: George Amanakis <g_amanakis@yahoo.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
  "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Thu, 30 Jan 2014 03:45:07 -0800 (PST)

 Case confirmed. 
 
 See also:
 http://forums.freebsd.org/viewtopic.php?f=44&t=44414
 http://forums.freebsd.org/viewtopic.php?f=39&t=26755&start=100#p248323
 

From: Nicolas DEFFAYET <nicolas@deffayet.com>
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Mon, 03 Feb 2014 23:39:07 +0100

 Hello,
 
 Same issue with pf. It's not specific to ipfw.
 
 
 -- 
 Nicolas DEFFAYET
 
Responsible-Changed-From-To: freebsd-bugs->melifaro 
Responsible-Changed-By: melifaro 
Responsible-Changed-When: Fri Feb 7 05:53:58 UTC 2014 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=185876 

From: Nicolas DEFFAYET <nicolas@deffayet.com>
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com, andre@freebsd.org
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Sun, 23 Feb 2014 14:33:19 +0100

 After very long testing, I have discovered the root cause.
 
 Revision 254519 breaks the firewall with IPsec.
 http://svnweb.freebsd.org/base?view=revision&revision=254519
 
 "Move the global M_SKIP_FIREWALL mbuf flags to a protocol layer specific
 flag instead.  The flag is only used within the IP and IPv6 layer 3
 protocols.
 
 Because some firewall packages treat IPv4 and IPv6 packets the same the
 flag should have the same value for both."
 
 It seems that some code has not been updated to allow the firewall to
 work with IPsec.
 
 -- 
 Nicolas DEFFAYET
 

From: George Amanakis <g_amanakis@yahoo.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
  "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>,
  "andre@freebsd.org" <andre@freebsd.org>,
  "melifaro@FreeBSD.org" <melifaro@FreeBSD.org>
Cc:  
Subject: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Sun, 23 Feb 2014 09:35:21 -0800 (PST)

 Case confirmed. Reversing revision 254519 on 10-STABLE resolves the problem. Because there is a conflict on "sys/sys/mbuf.h" with svn when applying "svn merge -c -254519" I used the following patch:
 
 --- sys/sys/mbuf.h      (revision 262373)
 +++ sys/sys/mbuf.h      (working copy)
 @@ -221,6 +221,7 @@
  #define        M_MCAST         0x00000020 /* send/received as link-level multicast */
  #define        M_PROMISC       0x00000040 /* packet was not for us */
  #define        M_VLANTAG       0x00000080 /* ether_vtag is valid */
 +#define        M_SKIP_FIREWALL 0x00000090
  #define        M_FLOWID        0x00000100 /* deprecated: flowid is valid */
  #define        M_NOFREE        0x00000200 /* do not free mbuf, embedded in cluster */
  
 @@ -248,7 +249,7 @@
   * Flags preserved when copying m_pkthdr.
   */
  #define M_COPYFLAGS \
 -    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
 +    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
       M_PROTOFLAGS)
  
  /*
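Review bot: the added define in the first hunk, `+#define M_SKIP_FIREWALL 0x00000090`, is not a single bit: 0x90 is 0x80|0x10, and 0x80 is already M_VLANTAG in the context line directly above it. Every `m_flags & M_SKIP_FIREWALL` test would then also fire on any VLAN-tagged mbuf and pass those packets around the firewall, and the `|M_SKIP_FIREWALL` added to M_COPYFLAGS in the second hunk is partly redundant with the M_VLANTAG already listed there. Pick one unused bit (the correction later in this thread uses 0x01000000) and give it a trailing comment like the neighbouring defines.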

From: George Amanakis <g_amanakis@yahoo.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
  "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>,
  "andre@freebsd.org" <andre@freebsd.org>,
  "melifaro@FreeBSD.org" <melifaro@FreeBSD.org>
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Sun, 23 Feb 2014 15:18:08 -0800 (PST)

 Correction of the patch for "sys/sys/mbuf.h":
 
 --- sys/sys/mbuf.h      (revision 262373)
 +++ sys/sys/mbuf.h      (working copy)
 @@ -221,6 +221,7 @@
  #define        M_MCAST         0x00000020 /* send/received as link-level multicast */
  #define        M_PROMISC       0x00000040 /* packet was not for us */
  #define        M_VLANTAG       0x00000080 /* ether_vtag is valid */
 +#define        M_SKIP_FIREWALL 0x01000000
  #define        M_FLOWID        0x00000100 /* deprecated: flowid is valid */
  #define        M_NOFREE        0x00000200 /* do not free mbuf, embedded in cluster */
  
 @@ -248,7 +249,7 @@
   * Flags preserved when copying m_pkthdr.
   */
  #define M_COPYFLAGS \
 -    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
 +    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
       M_PROTOFLAGS)
  
  /*
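Review bot: `+#define M_SKIP_FIREWALL 0x01000000` in the first hunk is the only define in the block without a comment, and M_FLAG_BITS (the printf(9) %b description, touched in the fuller patch later in this thread) is not extended for it, so the bit shows up unnamed in mbuf debug output. Add a `/* skip firewall processing */` comment and a `"\31M_SKIP_FIREWALL"` entry (1<<24 is bit 25, octal 31, the slot after `\30M_PROTO12`).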

From: George Amanakis <g_amanakis@yahoo.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
  "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>,
  "andre@freebsd.org" <andre@freebsd.org>,
  "melifaro@FreeBSD.org" <melifaro@FreeBSD.org>,
  "freebsd-bugs@freebsd.org" <freebsd-bugs@freebsd.org>
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Mon, 24 Feb 2014 13:30:50 -0800 (PST)

 The problem seems to be that M_SKIP_FIREWALL (macro of M_PROTO3) is cleared through m_clrprotoflags(), i.e. not transferred between the layers.
 
 This is a reversion of the 254519 on 10.0-STABLE:
 
 Index: netinet/ip_var.h
 ===================================================================
 --- netinet/ip_var.h    (revision 262459)
 +++ netinet/ip_var.h    (working copy)
 @@ -163,12 +163,10 @@
  #define IP_ALLOWBROADCAST    SO_BROADCAST    /* 0x20 can send broadcast packets */
  
  /*
 - * IPv4 protocol layer specific mbuf flags.
 + * mbuf flag used by ip_fastfwd
   */
  #define    M_FASTFWD_OURS        M_PROTO1    /* changed dst to local */
  #define    M_IP_NEXTHOP          M_PROTO2    /* explicit ip nexthop */
 -#define    M_SKIP_FIREWALL       M_PROTO3    /* skip firewall processing,
 -                                              keep in sync with IP6 */
  #define    M_IP_FRAG             M_PROTO4    /* fragment reassembly */
  
  #ifdef __NO_STRICT_ALIGNMENT
 Index: netinet6/ip6_var.h
 ===================================================================
 --- netinet6/ip6_var.h    (revision 262459)
 +++ netinet6/ip6_var.h    (working copy)
 @@ -293,12 +293,7 @@
  #define    IPV6_FORWARDING       0x02    /* most of IPv6 header exists */
  #define    IPV6_MINMTU           0x04    /* use minimum MTU (IPV6_USE_MIN_MTU) */
  
 -/*
 - * IPv6 protocol layer specific mbuf flags.
 - */
 -#define    M_IP6_NEXTHOP         M_PROTO2    /* explicit ip nexthop */
 -#define    M_SKIP_FIREWALL       M_PROTO3    /* skip firewall processing,
 -                                              keep in sync with IPv4 */
 +#define    M_IP6_NEXTHOP         M_PROTO7    /* explicit ip nexthop */
  
  #ifdef __NO_STRICT_ALIGNMENT
  #define IP6_HDR_ALIGNED_P(ip)    1
 Index: sys/mbuf.h
 ===================================================================
 --- sys/mbuf.h    (revision 262459)
 +++ sys/mbuf.h    (working copy)
 @@ -235,7 +235,7 @@
  #define    M_PROTO9     0x00100000 /* protocol-specific */
  #define    M_PROTO10    0x00200000 /* protocol-specific */
  #define    M_PROTO11    0x00400000 /* protocol-specific */
 -#define    M_PROTO12    0x00800000 /* protocol-specific */
 +#define    M_SKIP_FIREWALL    0x00800000
  
  /*
   * Flags to purge when crossing layers.
 @@ -242,13 +242,13 @@
   */
  #define    M_PROTOFLAGS \
      (M_PROTO1|M_PROTO2|M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|M_PROTO7|M_PROTO8|\
 -     M_PROTO9|M_PROTO10|M_PROTO11|M_PROTO12)
 +     M_PROTO9|M_PROTO10|M_PROTO11)
  
  /*
   * Flags preserved when copying m_pkthdr.
   */
  #define M_COPYFLAGS \
 -    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
 +    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
       M_PROTOFLAGS)
  
  /*
 @@ -255,12 +255,12 @@
   * Mbuf flag description for use with printf(9) %b identifier.
   */
  #define    M_FLAG_BITS \
 -    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_BCAST\6M_MCAST" \
 -    "\7M_PROMISC\10M_VLANTAG\11M_FLOWID"
 +    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_SKIP_FIREWALL\6M_BCAST\7M_MCAST" \
 +    "\8M_PROMISC\10M_VLANTAG\11M_FLOWID"
  #define    M_FLAG_PROTOBITS \
      "\15M_PROTO1\16M_PROTO2\17M_PROTO3\20M_PROTO4\21M_PROTO5" \
      "\22M_PROTO6\23M_PROTO7\24M_PROTO8\25M_PROTO9\26M_PROTO10" \
 -    "\27M_PROTO11\30M_PROTO12"
 +    "\27M_PROTO11"
  #define    M_FLAG_PRINTF (M_FLAG_BITS M_FLAG_PROTOBITS)
  
  /*
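Review bot: in the netinet/ip_var.h hunk the replacement comment `+ * mbuf flag used by ip_fastfwd` no longer describes the block: M_FASTFWD_OURS, M_IP_NEXTHOP and M_IP_FRAG all remain below it. Keep the original `IPv4 protocol layer specific mbuf flags.` header and remove only the two M_SKIP_FIREWALL lines.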
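Review bot: the netinet6/ip6_var.h hunk changes more than M_SKIP_FIREWALL: M_IP6_NEXTHOP moves from M_PROTO2 to M_PROTO7, and the `IPv6 protocol layer specific mbuf flags.` comment block is deleted although a define stays. If the M_PROTO7 value is part of restoring the pre-r254519 state, say so in the commit message so it is not read as an unrelated renumbering, and keep the comment header above the remaining define.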
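Review bot: in the first sys/mbuf.h hunk, `+#define M_SKIP_FIREWALL 0x00800000` drops the trailing comment that every neighbouring `M_PROTOn ... /* protocol-specific */` line carries, and it removes M_PROTO12 outright; grep the tree for remaining M_PROTO12 users before committing, since any left behind will stop compiling. A comment such as `/* skip firewall processing; not a proto flag, survives m_clrprotoflags() */` would record why this bit is treated differently from the ones around it.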
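Review bot: the last sys/mbuf.h hunk mislabels the %b description. `\5M_SKIP_FIREWALL` claims bit 5, but the flag is 0x00800000, i.e. bit 24, exactly the `\30` slot freed by deleting `\30M_PROTO12` from M_FLAG_PROTOBITS. Shifting M_BCAST, M_MCAST and M_PROMISC to `\6`, `\7`, `\8` mislabels them as well since their values did not change, and `\8` is not a valid octal escape. Leave the two original M_FLAG_BITS strings alone and append `"\30M_SKIP_FIREWALL"`.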

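The flag-word mechanics argued over in the messages above, as an added example that is not code from the FreeBSD tree or from anyone in this thread. It models the mbuf flag word with the values quoted in the patches (sys/mbuf.h r262459), m_clrprotoflags() as `m_flags &= ~M_PROTOFLAGS`, the flag handling of m_dup_pkthdr(), and the check in ipfw_check_hook() and pf_test() that passes an mbuf carrying M_SKIP_FIREWALL without consulting the ruleset. It compares the 10.0 layout (M_SKIP_FIREWALL == M_PROTO3) with the standalone-bit layout from the reversion patch, and adds the review check that would have rejected the 0x00000090 value from the first patch. The "another layer sets M_PROTO3" scenario is a constructed illustration of what a shared protocol-specific bit permits, not a claim about which code in the tree does so here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Generic mbuf flags, sys/mbuf.h as quoted in this PR (FreeBSD 10). */
#define M_EXT       0x00000001
#define M_PKTHDR    0x00000002
#define M_EOR       0x00000004
#define M_RDONLY    0x00000008
#define M_BCAST     0x00000010
#define M_MCAST     0x00000020
#define M_PROMISC   0x00000040
#define M_VLANTAG   0x00000080
#define M_FLOWID    0x00000100
#define M_NOFREE    0x00000200
/* Protocol-specific bits; each layer assigns its own meaning to them. */
#define M_PROTO1    0x00001000
#define M_PROTO2    0x00002000
#define M_PROTO3    0x00004000
#define M_PROTO4    0x00008000
#define M_PROTO5    0x00010000
#define M_PROTO6    0x00020000
#define M_PROTO7    0x00040000
#define M_PROTO8    0x00080000
#define M_PROTO9    0x00100000
#define M_PROTO10   0x00200000
#define M_PROTO11   0x00400000
#define M_PROTO12   0x00800000

#define M_GENERIC_FLAGS (M_EXT|M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST| \
                         M_PROMISC|M_VLANTAG|M_FLOWID|M_NOFREE)
#define M_PROTO_ALL     (M_PROTO1|M_PROTO2|M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6| \
                         M_PROTO7|M_PROTO8|M_PROTO9|M_PROTO10|M_PROTO11|M_PROTO12)
#define M_COPY_BASE     (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC)

/* A flag layout: where the bypass marker lives, which bits m_clrprotoflags()
 * purges when an mbuf crosses layers, which bits m_dup_pkthdr() copies. */
struct flag_layout {
	const char *name;
	uint32_t skip_firewall;
	uint32_t protoflags;
	uint32_t copyflags;
};

/* 10.0-RELEASE after r254519: M_SKIP_FIREWALL is M_PROTO3 (ip_var.h, ip6_var.h). */
static const struct flag_layout layout_r254519 = {
	"r254519: M_SKIP_FIREWALL == M_PROTO3",
	M_PROTO3, M_PROTO_ALL, M_COPY_BASE | M_PROTO_ALL
};
/* The reversion patch in this PR: M_PROTO12's bit becomes a standalone
 * M_SKIP_FIREWALL, leaves M_PROTOFLAGS and joins M_COPYFLAGS. */
static const struct flag_layout layout_patch = {
	"PR patch: standalone M_SKIP_FIREWALL 0x00800000",
	0x00800000, M_PROTO_ALL & ~M_PROTO12,
	M_COPY_BASE | 0x00800000 | (M_PROTO_ALL & ~M_PROTO12)
};

/* m_clrprotoflags(9): m->m_flags &= ~M_PROTOFLAGS. */
static uint32_t m_clrprotoflags(uint32_t flags, const struct flag_layout *l)
{
	return flags & ~l->protoflags;
}
/* m_dup_pkthdr(9): to->m_flags = (from->m_flags & M_COPYFLAGS) | (to->m_flags & M_EXT). */
static uint32_t m_dup_pkthdr(uint32_t from, uint32_t to, const struct flag_layout *l)
{
	return (from & l->copyflags) | (to & M_EXT);
}
/* ipfw_check_hook() and pf_test() pass an mbuf carrying M_SKIP_FIREWALL unfiltered. */
static int firewall_inspects(uint32_t flags, const struct flag_layout *l)
{
	return (flags & l->skip_firewall) == 0;
}

/* 1 if a skip-marked packet is still skipped after crossing a layer. */
int skip_survives_layer_crossing(const struct flag_layout *l)
{
	return !firewall_inspects(m_clrprotoflags(M_PKTHDR | l->skip_firewall, l), l);
}
/* 1 if the mark survives m_dup_pkthdr() into a fresh cluster mbuf. */
int skip_survives_pkthdr_copy(const struct flag_layout *l)
{
	return !firewall_inspects(m_dup_pkthdr(M_PKTHDR | l->skip_firewall, M_EXT, l), l);
}
/* Mirror-image hazard of a shared bit: a hypothetical other layer sets the same
 * M_PROTOn for its own reason and the packet bypasses the firewall. */
int foreign_bit_bypasses_firewall(const struct flag_layout *l, uint32_t other_bit)
{
	return !firewall_inspects(M_PKTHDR | other_bit, l);
}
/* Review check for a candidate flag value: exactly one bit, not already in use. */
int flag_value_is_sane(uint32_t candidate, uint32_t in_use)
{
	int single_bit = candidate != 0 && (candidate & (candidate - 1)) == 0;
	return single_bit && (candidate & in_use) == 0;
}

int main(void)
{
	const struct flag_layout *ls[] = { &layout_r254519, &layout_patch };
	for (size_t i = 0; i < sizeof(ls) / sizeof(ls[0]); i++)
		printf("%s\n  survives m_clrprotoflags: %d\n  survives m_dup_pkthdr: %d\n"
		    "  M_PROTO3 set by another layer bypasses firewall: %d\n", ls[i]->name,
		    skip_survives_layer_crossing(ls[i]), skip_survives_pkthdr_copy(ls[i]),
		    foreign_bit_bypasses_firewall(ls[i], M_PROTO3));
	printf("0x00000090 sane: %d, 0x01000000 sane: %d\n",
	    flag_value_is_sane(0x00000090, M_GENERIC_FLAGS | M_PROTO_ALL),
	    flag_value_is_sane(0x01000000, M_GENERIC_FLAGS | M_PROTO_ALL));
	return 0;
}
```

Two things fall out of running it. With the 10.0 layout the marker is kept by m_dup_pkthdr() (M_COPYFLAGS already includes M_PROTOFLAGS) but dropped by m_clrprotoflags(), and any other use of M_PROTO3 is indistinguishable from a deliberate bypass, so a shared bit can fail in both directions: filtering packets that were meant to be skipped, or skipping packets that were meant to be filtered. A standalone bit outside the M_PROTOn range, as in the patch, has neither problem, provided it is a single unused bit, which is what flag_value_is_sane() checks.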
  M_FLAG_BITS \<br clear=3D"none">-&nbsp;&nbsp;&nbsp; "\20\1M_EXT\2M_PKTHDR\=
 3M_EOR\4M_RDONLY\5M_BCAST\6M_MCAST" \<br clear=3D"none">-&nbsp;&nbsp;&nbsp;=
  "\7M_PROMISC\10M_VLANTAG\11M_FLOWID"<br clear=3D"none">+&nbsp;&nbsp;&nbsp;=
  "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_SKIP_FIREWALL\6M_BCAST\7M_MCAST"=
  \<br clear=3D"none">+&nbsp;&nbsp;&nbsp; "\8M_PROMISC\10M_VLANTAG\11M_FLOWI=
 D"<br clear=3D"none">&nbsp;#define&nbsp;&nbsp;&nbsp; M_FLAG_PROTOBITS \<br =
 clear=3D"none">&nbsp;&nbsp;&nbsp;&nbsp; "\15M_PROTO1\16M_PROTO2\17M_PROTO3\=
 20M_PROTO4\21M_PROTO5" \<br clear=3D"none">&nbsp;&nbsp;&nbsp;&nbsp;
  "\22M_PROTO6\23M_PROTO7\24M_PROTO8\25M_PROTO9\26M_PROTO10" \<br clear=3D"n=
 one">-&nbsp;&nbsp;&nbsp; "\27M_PROTO11\30M_PROTO12"<br clear=3D"none">+&nbs=
 p;&nbsp;&nbsp; "\27M_PROTO11"<br clear=3D"none">&nbsp;#define&nbsp;&nbsp;&n=
 bsp; M_FLAG_PRINTF (M_FLAG_BITS M_FLAG_PROTOBITS)<br clear=3D"none">&nbsp;<=
 br clear=3D"none">&nbsp;/*<br clear=3D"none"></div><span></span><div></div>=
 </div></div></div></div></div></body></html>
 ---2027350018-1634682983-1393278693=:34428--

From: George Amanakis <g_amanakis@yahoo.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
  "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>,
  "andre@freebsd.org" <andre@freebsd.org>,
  "melifaro@FreeBSD.org" <melifaro@FreeBSD.org>,
  "freebsd-bugs@freebsd.org" <freebsd-bugs@freebsd.org>
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Tue, 25 Feb 2014 02:19:50 -0800 (PST)

 It is not related to m_clrprotoflags().
 

From: George Amanakis <g_amanakis@yahoo.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
  "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>,
  "andre@freebsd.org" <andre@freebsd.org>,
  "melifaro@FreeBSD.org" <melifaro@FreeBSD.org>,
  "freebsd-bugs@freebsd.org" <freebsd-bugs@freebsd.org>
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Tue, 25 Feb 2014 02:17:23 -0800 (PST)

 Another series of testing. In r254519, when the "#define M_SKIP_FIREWALL M_PROTO3" is replaced with "#define M_SKIP_FIREWALL M_PROTO12" the problem disappears. It seems to be a bug related to the definition of M_PROTO3.

From: George Amanakis <g_amanakis@yahoo.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
  "a.v.volobuev@gmail.com" <a.v.volobuev@gmail.com>,
  "andre@freebsd.org" <andre@freebsd.org>,
  "melifaro@FreeBSD.org" <melifaro@FreeBSD.org>,
  "freebsd-bugs@freebsd.org" <freebsd-bugs@freebsd.org>,
  "nicolas@deffayet.com" <nicolas@deffayet.com>
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec
Date: Tue, 25 Feb 2014 06:34:59 -0800 (PST)

 The culprit is the "#define M_DECRYPTED M_PROTO3" in "netinet6/in6.h" (that is regardless of whether or not INET6 has been set). It gets mixed up (netipsec includes in.h, in.h includes in6.h) and so when the M_DECRYPTED flag is set, M_SKIP_FIREWALL flag is also set.

From: Georgios Amanakis <gamanakis@gmail.com>
To: bug-followup@FreeBSD.org, a.v.volobuev@gmail.com, andre@freebsd.org, 
	melifaro@FreeBSD.org, freebsd-bugs@freebsd.org, nicolas@deffayet.com
Cc:  
Subject: kern/185876: ipfw not matching incoming packets decapsulating ipsec.
 example l2tp/ipsec
Date: Tue, 25 Feb 2014 22:01:50 +0100

 The following patch resolves it (it has to be tested thoroughly).
 
 Index: netipsec/xform_ipip.c
 ===================================================================
 --- netipsec/xform_ipip.c       (revision 262492)
 +++ netipsec/xform_ipip.c       (working copy)
 @@ -181,6 +181,7 @@
         IPIPSTAT_INC(ipips_ipackets);
 
         m_copydata(m, 0, 1, &v);
 +       m_clrprotoflags(m);
 
         switch (v >> 4) {
  #ifdef INET
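 Review bot: calling m_clrprotoflags(m) right after m_copydata() in the IP-in-IP input path only reaches packets that came through the tunnel-mode transform, so transport-mode IPsec traffic never has its flags cleared, and it also wipes M_DECRYPTED together with the stray M_SKIP_FIREWALL, since both live in M_PROTOFLAGS. The later test result in this thread ("not all ipsec packets are captured") is consistent with the first point; the fix belongs where the two names are handed the same M_PROTO3 bit, not in the decapsulation path.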
 

From: Georgios Amanakis <gamanakis@gmail.com>
To: bug-followup@freebsd.org, 
	=?KOI8-U?B?4czFy9PBzsTSIPfPzM/C1cXX?= <a.v.volobuev@gmail.com>, 
	andre@freebsd.org, melifaro@freebsd.org, freebsd-bugs@freebsd.org, 
	Nicolas DEFFAYET <nicolas@deffayet.com>
Cc:  
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Tue, 25 Feb 2014 23:24:09 +0100

 > Index: netipsec/xform_ipip.c
 > ===================================================================
 > --- netipsec/xform_ipip.c       (revision 262492)
 > +++ netipsec/xform_ipip.c       (working copy)
 > @@ -181,6 +181,7 @@
 >         IPIPSTAT_INC(ipips_ipackets);
 >
 >         m_copydata(m, 0, 1, &v);
 > +       m_clrprotoflags(m);
 >
 >         switch (v >> 4) {
 >  #ifdef INET
 
 That one does not resolve it correctly, i.e. not all ipsec packets are
 captured. Furthermore, the captured packets have both directions, in and
 out (as captured by: allow ip from any to any in, allow ip from any to any
 out)
 

From: Nicolas DEFFAYET <nicolas@deffayet.com>
To: Georgios Amanakis <gamanakis@gmail.com>
Cc: bug-followup@freebsd.org, 
	=?UTF-8?Q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80_?=
	=?UTF-8?Q?=D0=92=D0=BE=D0=BB=D0=BE=D0=B1=D1=83=D0=B5=D0=B2?=
	 <a.v.volobuev@gmail.com>, andre@freebsd.org, melifaro@freebsd.org, 
	freebsd-bugs@freebsd.org
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Tue, 25 Feb 2014 23:57:24 +0100

 On Tue, 2014-02-25 at 23:24 +0100, Georgios Amanakis wrote: 
 > > Index: netipsec/xform_ipip.c
 > > ===================================================================
 > > --- netipsec/xform_ipip.c       (revision 262492)
 > > +++ netipsec/xform_ipip.c       (working copy)
 > > @@ -181,6 +181,7 @@
 > >         IPIPSTAT_INC(ipips_ipackets);
 > >  
 > >         m_copydata(m, 0, 1, &v);
 > > +       m_clrprotoflags(m);
 > >  
 > >         switch (v >> 4) {
 > >  #ifdef INET
 > 
 > 
 > That one does not resolve it correctly, i.e. not all ipsec packets are
 > captured. Furthermore, the captured packets have both directions, in
 > and out (as captured by: allow ip from any to any in, allow ip from
 > any to any out)
 
 Did you test with IPsec as transport mode or as tunnel mode?
 -- 
 Nicolas DEFFAYET
 

From: Nicolas DEFFAYET <nicolas@deffayet.com>
To: Georgios Amanakis <gamanakis@gmail.com>
Cc: bug-followup@freebsd.org, 
	=?UTF-8?Q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=80_?=
	=?UTF-8?Q?=D0=92=D0=BE=D0=BB=D0=BE=D0=B1=D1=83=D0=B5=D0=B2?=
	 <a.v.volobuev@gmail.com>, andre@freebsd.org, melifaro@freebsd.org, 
	freebsd-bugs@freebsd.org
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Fri, 28 Feb 2014 23:36:44 +0100

 The following patch seems to be the only working workaround for IPsec
 transport mode and tunnel mode. Please note the use of M_PROTO7 instead
 of M_PROTO5 as that is not used in netinet & netinet6. M_PROTO5 is used
 for another purpose and so using it may create a conflict like M_PROTO3.
 
 ---
 Index: netinet/ip_var.h
 ===================================================================
 --- netinet/ip_var.h    (revision 262470)
 +++ netinet/ip_var.h    (working copy)
 @@ -167,7 +167,7 @@
   */
 #define        M_FASTFWD_OURS          M_PROTO1        /* changed dst to
 local */
 #define        M_IP_NEXTHOP            M_PROTO2        /* explicit ip
 nexthop */
 -#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
 processing,
 +#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
 processing,
                                                    keep in sync with IP6
 */
 #define        M_IP_FRAG               M_PROTO4        /* fragment
 reassembly */
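 Review bot: the hunk as pasted has been line-wrapped by the mail client (the M_FASTFWD_OURS comment is split across "changed dst to" and "local */", and the other three defines likewise), so the line counts no longer match the "@@ -167,7 +167,7 @@" header and patch(1) will reject it; please attach the diff as a file or resend it unwrapped. On substance, moving M_SKIP_FIREWALL to M_PROTO7 picks a bit that is free today only because nothing in netinet6/in6.h happens to use it; without one shared table the same clash can recur the next time either header gains a flag.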
 
 Index: netinet6/ip6_var.h
 ===================================================================
 --- netinet6/ip6_var.h  (revision 262470)
 +++ netinet6/ip6_var.h  (working copy)
 @@ -297,7 +297,7 @@
   * IPv6 protocol layer specific mbuf flags.
   */
 #define        M_IP6_NEXTHOP           M_PROTO2        /* explicit ip
 nexthop */
 -#define        M_SKIP_FIREWALL         M_PROTO3        /* skip firewall
 processing,
 +#define        M_SKIP_FIREWALL         M_PROTO7        /* skip firewall
 processing,
                                                    keep in sync with
 IPv4 */
 
 #ifdef __NO_STRICT_ALIGNMENT
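 Review bot: this hunk repeats the renumbering in the IPv6 header, and the "keep in sync with IPv4" comment is the only thing tying the two copies of M_SKIP_FIREWALL together. Since the clash found earlier in the thread is with M_DECRYPTED in netinet6/in6.h, the durable fix is to define the flag once in a header both stacks include, rather than keeping two definitions that must agree by convention.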
 ---
 
 
 -- 
 Nicolas DEFFAYET
 

From: Robert Sevat <robert.sevat@live.nl>
To: Nicolas DEFFAYET <nicolas@deffayet.com>, Georgios Amanakis
	<gamanakis@gmail.com>
Cc: "andre@freebsd.org" <andre@freebsd.org>, "melifaro@freebsd.org"
	<melifaro@freebsd.org>, =?koi8-r?B?4czFy9PBzsTSIPfPzM/C1cXX?=
	<a.v.volobuev@gmail.com>, "freebsd-bugs@freebsd.org"
	<freebsd-bugs@freebsd.org>, "bug-followup@freebsd.org"
	<bug-followup@freebsd.org>
Subject: RE: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Tue, 11 Mar 2014 19:57:35 +0100

 Hey,
 
 First of all, thanks for the patch, should we wait for FreeBSD 10.1, use 10.0/stable or patch it ourselves?
 
 Or is this going to be issued as Errata patch for FreeBSD 10.0-Release? (which I think it should be)
 
 Kind Regards,
 Robert Sevat
 
 

From: Georgios Amanakis <gamanakis@gmail.com>
To: Robert Sevat <robert.sevat@live.nl>
Cc: Nicolas DEFFAYET <nicolas@deffayet.com>, "andre@freebsd.org" <andre@freebsd.org>, 
	"melifaro@freebsd.org" <melifaro@freebsd.org>, 
	=?KOI8-U?B?4czFy9PBzsTSIPfPzM/C1cXX?= <a.v.volobuev@gmail.com>, 
	"freebsd-bugs@freebsd.org" <freebsd-bugs@freebsd.org>, 
	"bug-followup@freebsd.org" <bug-followup@freebsd.org>
Subject: Re: kern/185876: ipfw not matching incoming packets decapsulating
 ipsec. example l2tp/ipsec
Date: Tue, 11 Mar 2014 22:14:34 +0100

 Glebius is working on a patch. I hope it will be committed soon to stable.
 
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/185876: commit references a PR
Date: Wed, 12 Mar 2014 14:29:23 +0000 (UTC)

 Author: glebius
 Date: Wed Mar 12 14:29:08 2014
 New Revision: 263091
 URL: http://svnweb.freebsd.org/changeset/base/263091
 
 Log:
   Since both netinet/ and netinet6/ call into netipsec/ and netpfil/,
   the protocol specific mbuf flags are shared between them.
   
   - Move all M_FOO definitions into a single place: netinet/in6.h, to
     avoid future  clashes.
   - Resolve clash between M_DECRYPTED and M_SKIP_FIREWALL which resulted
     in a failure of operation of IPSEC and packet filters.
   
   Thanks to Nicolas and Georgios for all the hard work on bisecting,
   testing and finally finding the root of the problem.
   
   PR:			kern/186755
   PR:			kern/185876
   In collaboration with:	Georgios Amanakis <gamanakis gmail.com>
   In collaboration with:	Nicolas DEFFAYET <nicolas-ml deffayet.com>
   Sponsored by:		Nginx, Inc.
 
 Modified:
   head/sys/netinet/ip_input.c
   head/sys/netinet/ip_var.h
   head/sys/netinet6/in6.h
   head/sys/netinet6/ip6_var.h
 
 Modified: head/sys/netinet/ip_input.c
 ==============================================================================
 --- head/sys/netinet/ip_input.c	Wed Mar 12 12:27:13 2014	(r263090)
 +++ head/sys/netinet/ip_input.c	Wed Mar 12 14:29:08 2014	(r263091)
 @@ -702,6 +702,7 @@ ours:
  	 * ip_reass() will return a different mbuf.
  	 */
  	if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) {
 +		/* XXXGL: shouldn't we save & set m_flags? */
  		m = ip_reass(m);
  		if (m == NULL)
  			return;
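 Review bot: the added "XXXGL: shouldn't we save & set m_flags?" comment leaves an open question in committed code about whether protocol flags survive ip_reass(), which is the same class of flag loss this commit is fixing for IPsec; either resolve it here or point the comment at a follow-up PR so it does not linger indefinitely.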
 @@ -794,6 +795,8 @@ SYSCTL_PROC(_net_inet_ip, OID_AUTO, maxf
      NULL, 0, sysctl_maxnipq, "I",
      "Maximum number of IPv4 fragment reassembly queue entries");
  
 +#define	M_IP_FRAG	M_PROTO9
 +
  /*
   * Take incoming datagram fragment and try to reassemble it into
   * whole datagram.  If the argument is the first fragment or one
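 Review bot: M_IP_FRAG is moved out of the shared header into a file-private #define on M_PROTO9, which undercuts the "single place" goal stated in the log: anyone auditing the flag space for clashes now has to read both netinet6/in6.h and ip_input.c. Consider listing it in the in6.h table (or adding a comment there reserving M_PROTO9) so the reservation is visible next to the others.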
 
 Modified: head/sys/netinet/ip_var.h
 ==============================================================================
 --- head/sys/netinet/ip_var.h	Wed Mar 12 12:27:13 2014	(r263090)
 +++ head/sys/netinet/ip_var.h	Wed Mar 12 14:29:08 2014	(r263091)
 @@ -162,15 +162,6 @@ void	kmod_ipstat_dec(int statnum);
  #define IP_ROUTETOIF		SO_DONTROUTE	/* 0x10 bypass routing tables */
  #define IP_ALLOWBROADCAST	SO_BROADCAST	/* 0x20 can send broadcast packets */
  
 -/*
 - * IPv4 protocol layer specific mbuf flags.
 - */
 -#define	M_FASTFWD_OURS		M_PROTO1	/* changed dst to local */
 -#define	M_IP_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 -#define	M_SKIP_FIREWALL		M_PROTO3	/* skip firewall processing,
 -						   keep in sync with IP6 */
 -#define	M_IP_FRAG		M_PROTO4	/* fragment reassembly */
 -
  #ifdef __NO_STRICT_ALIGNMENT
  #define IP_HDR_ALIGNED_P(ip)	1
  #else
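 Review bot: with the IPv4 definitions removed, every consumer of M_SKIP_FIREWALL, M_FASTFWD_OURS and M_IP_NEXTHOP that includes netinet/ip_var.h now relies on netinet6/in6.h being pulled in indirectly (via netinet/in.h, as noted earlier in this thread); a direct include or a comment in ip_var.h pointing to the new location would make that dependency explicit.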
 
 Modified: head/sys/netinet6/in6.h
 ==============================================================================
 --- head/sys/netinet6/in6.h	Wed Mar 12 12:27:13 2014	(r263090)
 +++ head/sys/netinet6/in6.h	Wed Mar 12 14:29:08 2014	(r263091)
 @@ -622,13 +622,18 @@ struct ip6_mtuinfo {
  #endif /* __BSD_VISIBLE */
  
  /*
 - * Redefinition of mbuf flags
 + * Since both netinet/ and netinet6/ call into netipsec/ and netpfil/,
 + * the protocol specific mbuf flags are shared between them.
   */
 -#define	M_AUTHIPHDR	M_PROTO2
 -#define	M_DECRYPTED	M_PROTO3
 -#define	M_LOOP		M_PROTO4
 -#define	M_AUTHIPDGM	M_PROTO5
 -#define	M_RTALERT_MLD	M_PROTO6
 +#define	M_FASTFWD_OURS		M_PROTO1	/* changed dst to local */
 +#define	M_IP6_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 +#define	M_IP_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 +#define	M_SKIP_FIREWALL		M_PROTO3	/* skip firewall processing */
 +#define	M_AUTHIPHDR		M_PROTO4
 +#define	M_DECRYPTED		M_PROTO5
 +#define	M_LOOP			M_PROTO6
 +#define	M_AUTHIPDGM		M_PROTO7
 +#define	M_RTALERT_MLD		M_PROTO8
  
  #ifdef _KERNEL
  struct cmsghdr;
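Review bot: this is the hunk that actually fixes the reported problem and it deserves a comment saying so. Before it, netinet's M_SKIP_FIREWALL and netinet6's M_DECRYPTED both mapped to M_PROTO3, M_IP_NEXTHOP/M_IP6_NEXTHOP collided with M_AUTHIPHDR on M_PROTO2, and M_IP_FRAG collided with M_LOOP on M_PROTO4; the first of these means a packet IPsec had marked decrypted looked to the packet filter like one told to skip the firewall, which is the ipfw mismatch in this PR. Two smaller points: M_IP6_NEXTHOP and M_IP_NEXTHOP share M_PROTO2 with identical comments, so state explicitly that the alias is intentional; and M_AUTHIPHDR, M_DECRYPTED, M_LOOP, M_AUTHIPDGM and M_RTALERT_MLD are the only entries in the consolidated block without a trailing comment.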
 
 Modified: head/sys/netinet6/ip6_var.h
 ==============================================================================
 --- head/sys/netinet6/ip6_var.h	Wed Mar 12 12:27:13 2014	(r263090)
 +++ head/sys/netinet6/ip6_var.h	Wed Mar 12 14:29:08 2014	(r263091)
 @@ -293,13 +293,6 @@ struct ip6aux {
  #define	IPV6_FORWARDING		0x02	/* most of IPv6 header exists */
  #define	IPV6_MINMTU		0x04	/* use minimum MTU (IPV6_USE_MIN_MTU) */
  
 -/*
 - * IPv6 protocol layer specific mbuf flags.
 - */
 -#define	M_IP6_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 -#define	M_SKIP_FIREWALL		M_PROTO3	/* skip firewall processing,
 -						   keep in sync with IPv4 */
 -
  #ifdef __NO_STRICT_ALIGNMENT
  #define IP6_HDR_ALIGNED_P(ip)	1
  #else
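Review bot: removing the IPv6 flag block leaves ip6_var.h users of M_IP6_NEXTHOP and M_SKIP_FIREWALL relying on in6.h for the definitions, and the "keep in sync with IPv4" reminder disappears with it. That reminder is obsolete now that a single header holds both families' flags, which is the point of the change, but a short comment here saying the flags now live in in6.h would make that explicit.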
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Wed Mar 12 14:30:07 UTC 2014 
State-Changed-Why:  
Fixed in head/. 


Responsible-Changed-From-To: melifaro->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Wed Mar 12 14:30:07 UTC 2014 
Responsible-Changed-Why:  
Fixed in head/. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=185876 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Tue Mar 18 16:56:31 UTC 2014 
State-Changed-Why:  
Merged to stable/10. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=185876 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/185876: commit references a PR
Date: Tue, 18 Mar 2014 16:56:15 +0000 (UTC)

 Author: glebius
 Date: Tue Mar 18 16:56:05 2014
 New Revision: 263307
 URL: http://svnweb.freebsd.org/changeset/base/263307
 
 Log:
   Merge r263091: fix mbuf flags clash that led to failure of operation
   of IPSEC and packet filters.
   
   PR:		kern/185876
   PR:		kern/186755
 
 Modified:
   stable/10/sys/netinet/ip_input.c
   stable/10/sys/netinet/ip_var.h
   stable/10/sys/netinet6/in6.h
   stable/10/sys/netinet6/ip6_var.h
 Directory Properties:
   stable/10/   (props changed)
 
 Modified: stable/10/sys/netinet/ip_input.c
 ==============================================================================
 --- stable/10/sys/netinet/ip_input.c	Tue Mar 18 16:41:32 2014	(r263306)
 +++ stable/10/sys/netinet/ip_input.c	Tue Mar 18 16:56:05 2014	(r263307)
 @@ -707,6 +707,7 @@ ours:
  	 * ip_reass() will return a different mbuf.
  	 */
  	if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) {
 +		/* XXXGL: shouldn't we save & set m_flags? */
  		m = ip_reass(m);
  		if (m == NULL)
  			return;
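Review bot: the stable/10 merge reproduces r263091 line for line; the only visible difference is the hunk offset (@@ -707 here against @@ -702 in head), so the XXXGL question about preserving m_flags across ip_reass() is carried into the release branch still unanswered. Merging an XXX comment is acceptable, but the log entry citing kern/185876 would be the place to record whether the reassembly case was judged harmless for the IPsec packets this PR is about.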
 @@ -799,6 +800,8 @@ SYSCTL_PROC(_net_inet_ip, OID_AUTO, maxf
      NULL, 0, sysctl_maxnipq, "I",
      "Maximum number of IPv4 fragment reassembly queue entries");
  
 +#define	M_IP_FRAG	M_PROTO9
 +
  /*
   * Take incoming datagram fragment and try to reassemble it into
   * whole datagram.  If the argument is the first fragment or one
 
 Modified: stable/10/sys/netinet/ip_var.h
 ==============================================================================
 --- stable/10/sys/netinet/ip_var.h	Tue Mar 18 16:41:32 2014	(r263306)
 +++ stable/10/sys/netinet/ip_var.h	Tue Mar 18 16:56:05 2014	(r263307)
 @@ -162,15 +162,6 @@ void	kmod_ipstat_dec(int statnum);
  #define IP_ROUTETOIF		SO_DONTROUTE	/* 0x10 bypass routing tables */
  #define IP_ALLOWBROADCAST	SO_BROADCAST	/* 0x20 can send broadcast packets */
  
 -/*
 - * IPv4 protocol layer specific mbuf flags.
 - */
 -#define	M_FASTFWD_OURS		M_PROTO1	/* changed dst to local */
 -#define	M_IP_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 -#define	M_SKIP_FIREWALL		M_PROTO3	/* skip firewall processing,
 -						   keep in sync with IP6 */
 -#define	M_IP_FRAG		M_PROTO4	/* fragment reassembly */
 -
  #ifdef __NO_STRICT_ALIGNMENT
  #define IP_HDR_ALIGNED_P(ip)	1
  #else
 
 Modified: stable/10/sys/netinet6/in6.h
 ==============================================================================
 --- stable/10/sys/netinet6/in6.h	Tue Mar 18 16:41:32 2014	(r263306)
 +++ stable/10/sys/netinet6/in6.h	Tue Mar 18 16:56:05 2014	(r263307)
 @@ -622,13 +622,18 @@ struct ip6_mtuinfo {
  #endif /* __BSD_VISIBLE */
  
  /*
 - * Redefinition of mbuf flags
 + * Since both netinet/ and netinet6/ call into netipsec/ and netpfil/,
 + * the protocol specific mbuf flags are shared between them.
   */
 -#define	M_AUTHIPHDR	M_PROTO2
 -#define	M_DECRYPTED	M_PROTO3
 -#define	M_LOOP		M_PROTO4
 -#define	M_AUTHIPDGM	M_PROTO5
 -#define	M_RTALERT_MLD	M_PROTO6
 +#define	M_FASTFWD_OURS		M_PROTO1	/* changed dst to local */
 +#define	M_IP6_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 +#define	M_IP_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 +#define	M_SKIP_FIREWALL		M_PROTO3	/* skip firewall processing */
 +#define	M_AUTHIPHDR		M_PROTO4
 +#define	M_DECRYPTED		M_PROTO5
 +#define	M_LOOP			M_PROTO6
 +#define	M_AUTHIPDGM		M_PROTO7
 +#define	M_RTALERT_MLD		M_PROTO8
  
  #ifdef _KERNEL
  struct cmsghdr;
 
 Modified: stable/10/sys/netinet6/ip6_var.h
 ==============================================================================
 --- stable/10/sys/netinet6/ip6_var.h	Tue Mar 18 16:41:32 2014	(r263306)
 +++ stable/10/sys/netinet6/ip6_var.h	Tue Mar 18 16:56:05 2014	(r263307)
 @@ -293,13 +293,6 @@ struct ip6aux {
  #define	IPV6_FORWARDING		0x02	/* most of IPv6 header exists */
  #define	IPV6_MINMTU		0x04	/* use minimum MTU (IPV6_USE_MIN_MTU) */
  
 -/*
 - * IPv6 protocol layer specific mbuf flags.
 - */
 -#define	M_IP6_NEXTHOP		M_PROTO2	/* explicit ip nexthop */
 -#define	M_SKIP_FIREWALL		M_PROTO3	/* skip firewall processing,
 -						   keep in sync with IPv4 */
 -
  #ifdef __NO_STRICT_ALIGNMENT
  #define IP6_HDR_ALIGNED_P(ip)	1
  #else
 
>Unformatted:
