Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related traffic through
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-bugs
Date: 03/01/2005 13:45:02
The following reply was made to PR kern/29560; it has been noted by GNATS.

From: christos@zoulas.com (Christos Zoulas)
To: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
	gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: 
Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related traffic through
Date: Tue, 1 Mar 2005 08:44:49 -0500

 On Mar 1,  9:06am, arto@selonen.org (Arto Selonen) wrote:
 -- Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC rela
 
 |  Yes, it does. Testing the connection with HTTP traffic prior to patching 
 |  showed that larger responses never reached the client. For typical web 
 |  pages the server returned MTU sized (1500 bytes for the connection 
 |  between problem box and web server) packets, that got stuck in the problem 
 |  box, as it needed to fragment them to squeeze them into the IPSEC pipe.
 |  DF was set, no need-to-fragment was sent, packets dropped (?, did not
 |  check counters, though), no traffic flow.
 |  
 |  After patching, the patched box responds to those larger packets (in 
 |  my case 1280 bytes was the largest that would fit into the IPSEC pipe) 
 |  with unreachable-need-to-frag ICMP message, and the server seems to adapt.
 |  Traffic flows, problem solved.
 |  
 |  My PR was far from reasonable, yet you have responded very quickly, and 
 |  with a seemingly complete fix. I apologize for my lack of self control,
 |  as I should have been able to communicate my frustration in a more
 |  constructive manner. And thank you for the quick fix!
 
 Sorry for the trouble. Importing a new IPF seems to be constantly frustrating
 because of the silly bugs. Now that the diffs between versions are
 not that big, it is usually easy to fix in a few days. Of course we have the
 ipfs issue that we have not been able to get working reliably yet... But that
 is another story. For the most part now ipf imports fix things and have more
 fixes than regressions, so they are worth doing.
 
 christos
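The path-MTU behaviour Arto describes above (DF set, 1500-byte packets silently dropped at the IPsec hop before the fix, ICMP need-to-fragment returned after it), as an added model written for this page; it is not ipfilter or NetBSD code, and the 1280/1500 values are taken from the thread.

```python
# Constructed model of the forwarding decision described in the PR thread:
# a box with a 1280-byte IPsec tunnel MTU sits between a web server sending
# 1500-byte DF packets and a client. Not ipfilter/NetBSD code.
from dataclasses import dataclass

ICMP_UNREACH = 3          # ICMP type: destination unreachable
ICMP_NEEDFRAG = 4         # code: fragmentation needed and DF set (RFC 1191)
TUNNEL_MTU = 1280         # largest packet that fit the IPsec pipe in the PR
SERVER_MTU = 1500         # MTU of the server's own link

@dataclass
class Packet:
    length: int
    df: bool              # Don't Fragment bit

def hop_decision(pkt, link_mtu, sends_needfrag):
    """What the intermediate box does with one packet.

    sends_needfrag=False models the pre-patch behaviour (silent drop);
    True models the fix (ICMP type 3 code 4 carrying the next-hop MTU).
    """
    if pkt.length <= link_mtu:
        return "forward", None
    if not pkt.df:
        return "fragment", None
    if sends_needfrag:
        return "icmp", (ICMP_UNREACH, ICMP_NEEDFRAG, link_mtu)
    return "drop", None

def simulate_transfer(sends_needfrag, max_attempts=3):
    """Server sends one DF packet per attempt, adapting its path MTU only
    when it receives need-to-frag. Returns (delivered, path_mtu, attempts)."""
    path_mtu = SERVER_MTU
    for attempt in range(1, max_attempts + 1):
        action, info = hop_decision(Packet(path_mtu, df=True), TUNNEL_MTU, sends_needfrag)
        if action == "forward":
            return True, path_mtu, attempt
        if action == "icmp":
            _type, _code, next_hop_mtu = info
            path_mtu = next_hop_mtu   # RFC 1191: adopt the advertised next-hop MTU
        # "drop": no feedback reaches the server, so it retransmits the same size
    return False, path_mtu, max_attempts

if __name__ == "__main__":
    print("before fix:", simulate_transfer(sends_needfrag=False))
    print("after fix: ", simulate_transfer(sends_needfrag=True))
```

Without the ICMP message the sender never learns the tunnel MTU and the transfer stalls, which is the "no traffic flow" symptom in the report; with it the sender drops to 1280 on the second attempt.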