Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related traffic through
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 02/28/2005 21:47:01
The following reply was made to PR kern/29560; it has been noted by GNATS.

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related traffic through
Date: Mon, 28 Feb 2005 16:46:50 -0500

 On Feb 28,  8:04pm, arto@selonen.org (arto@selonen.org) wrote:
 -- Subject: kern/29560: latest ipfilter does not allow certain IPSEC related 
 
 Does this fix the problem?
 
 christos
 
 Index: fil.c
 ===================================================================
 RCS file: /cvsroot/src/sys/dist/ipf/netinet/fil.c,v
 retrieving revision 1.9
 diff -u -u -r1.9 fil.c
 --- fil.c	19 Feb 2005 21:30:25 -0000	1.9
 +++ fil.c	28 Feb 2005 21:42:19 -0000
 @@ -2090,11 +2090,20 @@
  		if (fr_addstate(fin, NULL, 0) != NULL) {
  			ATOMIC_INCL(frstats[out].fr_ads);
  		} else {
 +#ifdef notdef
 +			/*
 +			 * This blocks ICMP ECHOREPLY. fr_addstate returning
 +			 * NULL is not necessary a bad thing because there
 +			 * is no state to be added on some packets, eg.
 +			 * icmp reply packets. XXX: but for others this
 +			 * is wrong.
 +			 */
  			ATOMIC_INCL(frstats[out].fr_bads);
  			if (FR_ISPASS(pass)) {
  				pass &= ~FR_CMDMASK;
  				pass |= FR_BLOCK;
  			}
 +#endif
  		}
  	}
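Review bot: Wrapping the whole else-branch in `#ifdef notdef` turns this into a compile-time removal of both the `ATOMIC_INCL(frstats[out].fr_bads)` accounting and the pass-to-block demotion, so a NULL return from `fr_addstate()` is now silently treated as success for every packet, not just the ICMP echo replies the comment describes, and the `fr_bads` statistic stops being maintained. The comment's own `XXX: but for others this is wrong` says as much. Suggest keeping the `ATOMIC_INCL(frstats[out].fr_bads);` line outside the disabled region so the counter still reflects state-add failures, and narrowing the change to the case that actually needs it (a packet for which no state entry is expected, such as the ICMP reply case named in the comment) rather than disabling the `FR_BLOCK` demotion for all packets; as written, a keep-state rule that fails to add state now passes the packet unconditionally.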