Subject: kern/28921: ipf not matching packets correctly
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <kim@tac.nyc.ny.us>
List: netbsd-bugs
Date: 01/09/2005 17:42:00
>Number:         28921
>Category:       kern
>Synopsis:       ipf not matching packets correctly
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 09 17:42:00 +0000 2005
>Originator:     Kimmo Suominen
>Release:        NetBSD 2.99.11 from between 2004-12-15 and 2005-01-01
>Organization:
Kimmo Suominen
>Environment:
System: NetBSD beowulf.gw.com 2.99.11 NetBSD 2.99.11 (GW-GENERIC) #85: Sat Jan 1 11:30:14 EST 2005 kim@hrothgar.gw.com:/usr/src/sys/arch/i386/compile/GW-GENERIC i386
Architecture: i386
Machine: i386
>Description:
Looking at "ipfstat -o -h" output:

    0 pass out quick proto udp from 216.46.73.198/32 port = isakmp to 212.83.96.190/32
    0 pass out quick proto ah from 216.46.73.198/32 to 212.83.96.190/32
    0 pass out quick proto esp from 216.46.73.198/32 to 212.83.96.190/32

As you can see, no packets have matched.  On the other hand:

    32031 pass out quick all keep state

Lots of packets match there...

Looking at /var/log/ipmon I can see this:

    Jan  9 12:20:18 dit ipmon[536]: 12:20:18.020064 STATE:NEW 216.46.73.198,500 -> 212.83.96.190,500 PR udp

That should clearly have matched the first of the rules shown in the
ipfstat output above.  Yet it seems to have gone all the way to the
last out rule matching all packets, and a state was created.
>How-To-Repeat:
Add similar rules and run racoon to negotiate ISAKMP states.
>Fix:
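The mismatch described in this PR is the kind of thing a small cross-check can surface automatically: take the rule list with hit counters from "ipfstat -o -h", take the STATE:NEW events from the ipmon log, work out which rule ipf should have applied to each new state under its normal semantics (rules are tried in order, a matching "quick" rule ends the search, otherwise the last matching rule wins), and flag any rule that should have been hit but still shows zero. The script below is an added example, not code from this PR or from IPFilter. It assumes the catch-all rule comes after the three specific rules (as the report implies), treats STATE:NEW flows as outbound, covers only the rule syntax quoted in the report, and uses a constructed service map in place of /etc/services; the sample input is constructed from the lines quoted above.

```python
"""Cross-check ipf rule hit counters against ipmon STATE:NEW events.

Constructed example; not code from PR kern/28921 or from IPFilter.
Only the rule syntax quoted in the report is parsed.
"""
import ipaddress
import re

# Assumption: a tiny service map stands in for /etc/services.
SERVICES = {"isakmp": 500}

RULE_RE = re.compile(
    r"^(?P<hits>\d+)\s+(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?:(?P<all>all)"
    r"|from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\S+))?)"
)

STATE_RE = re.compile(
    r"STATE:NEW\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)


def _port(token):
    """Numeric port or a name from the constructed service map; None = any."""
    if token is None:
        return None
    return int(token) if token.isdigit() else SERVICES[token]


def parse_rules(ipfstat_output):
    """Parse 'ipfstat -o -h' lines into rule dicts, preserving rule order."""
    rules = []
    for line in ipfstat_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines or syntax this toy parser does not cover
        g = m.groupdict()
        net = lambda t: None if t is None else ipaddress.ip_network(t, strict=False)
        rules.append({
            "text": line.strip(), "hits": int(g["hits"]), "dir": g["dir"],
            "quick": g["quick"] is not None,
            "proto": g["proto"],  # None means any protocol
            "src": net(g["src"]), "sport": _port(g["sport"]),
            "dst": net(g["dst"]), "dport": _port(g["dport"]),
        })
    return rules


def parse_states(ipmon_output):
    """Extract STATE:NEW flows from ipmon log text."""
    flows = []
    for m in STATE_RE.finditer(ipmon_output):
        g = m.groupdict()
        flows.append({
            "src": ipaddress.ip_address(g["src"]), "sport": int(g["sport"]),
            "dst": ipaddress.ip_address(g["dst"]), "dport": int(g["dport"]),
            "proto": g["proto"], "text": m.group(0),
        })
    return flows


def rule_matches(rule, flow):
    """Does the rule's selector cover the flow?  None fields are wildcards."""
    checks = (
        (rule["proto"], flow["proto"], lambda a, b: a == b),
        (rule["src"], flow["src"], lambda net, ip: ip in net),
        (rule["sport"], flow["sport"], lambda a, b: a == b),
        (rule["dst"], flow["dst"], lambda net, ip: ip in net),
        (rule["dport"], flow["dport"], lambda a, b: a == b),
    )
    return all(want is None or ok(want, got) for want, got, ok in checks)


def expected_rule(rules, flow, direction):
    """Index of the rule ipf should apply: first matching quick rule, else last match."""
    last = None
    for i, rule in enumerate(rules):
        if rule["dir"] != direction or not rule_matches(rule, flow):
            continue
        if rule["quick"]:
            return i
        last = i
    return last


def find_discrepancies(rules, flows, direction="out"):
    """(flow text, rule text) pairs where the expected rule still has zero hits."""
    found = []
    for flow in flows:
        i = expected_rule(rules, flow, direction)
        if i is not None and rules[i]["hits"] == 0:
            found.append((flow["text"], rules[i]["text"]))
    return found


# Constructed sample input modelled on the report; the catch-all rule is
# assumed to come after the three specific rules.
IPFSTAT_SAMPLE = """\
0 pass out quick proto udp from 216.46.73.198/32 port = isakmp to 212.83.96.190/32
0 pass out quick proto ah from 216.46.73.198/32 to 212.83.96.190/32
0 pass out quick proto esp from 216.46.73.198/32 to 212.83.96.190/32
32031 pass out quick all keep state
"""
IPMON_SAMPLE = ("Jan  9 12:20:18 dit ipmon[536]: 12:20:18.020064 "
                "STATE:NEW 216.46.73.198,500 -> 212.83.96.190,500 PR udp\n")

if __name__ == "__main__":
    rules = parse_rules(IPFSTAT_SAMPLE)
    for flow_text, rule_text in find_discrepancies(rules, parse_states(IPMON_SAMPLE)):
        print(f"{flow_text}\n  should have hit: {rule_text}")
```

Run against the quoted output, it reports the ISAKMP state as one that should have hit the first "proto udp" rule rather than the catch-all, which is exactly the discrepancy the PR describes. On a real system feed it the actual "ipfstat -o -h" and ipmon output; any rule syntax beyond what is quoted here (ranges, flags, groups) would need the parser extended.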