Subject: Patch for Fast-IPsec over loopback
To: None <tech-net@netbsd.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 08/15/2003 13:19:40
I found the patch below necessary to get Fast-IPsec to work
correctly over the local-loopback interface (using static-keyed SAs).
That configuration is pointless for real use, but very useful for
development (I test fast-IPsec with just my laptop). The patch
deletes packet-tags as a packet ricochets off the loopback interface,
and before reflecting an inbound ICMP echo-request back as an echo-response.

From reading the packet-tag code, needing the patch indicates a bug
somewhere in the packet-tag code (the tags for IPsec input and output
are distinct?).  I'd like to commit the patch below, at least until
the questionable behaviour is resolved. Any objections to that?


Index: sys/net/if_loop.c
===================================================================
RCS file: /cvsroot/src/sys/net/if_loop.c,v
retrieving revision 1.48
diff -u -r1.48 if_loop.c
--- sys/net/if_loop.c	2003/08/15 19:22:08	1.48
+++ sys/net/if_loop.c	2003/08/15 20:12:29
@@ -259,6 +259,11 @@
 	}
 #endif /* ALTQ */
 
+	/*
+	 * Delete any packet tags, so ipsec over loopback will work
+	 */
+	m_tag_delete_chain(m, NULL);
+
 	switch (dst->sa_family) {
 
 #ifdef INET
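Review bot: the comment says the goal is to make IPsec over loopback work, but `m_tag_delete_chain(m, NULL)` with a NULL starting tag unlinks and frees every tag on the mbuf, not only the IPsec ones, so any unrelated per-packet metadata attached before the packet reaches `looutput()` is silently lost at this point too. Consider deleting only the IPsec tag types (walking the chain with the specific tag ids and `m_tag_delete()`), or, if clearing the whole chain really is intended, expanding the comment to say that all tags are discarded on loopback and why that is safe. Since the cover mail itself says this works around a suspected bug in how input and output IPsec tags are told apart, a `/* XXX */` marker pointing at that would help whoever later removes the workaround.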
Index: sys/netinet/ip_icmp.c
===================================================================
RCS file: /cvsroot/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.76
diff -u -r1.76 ip_icmp.c
--- sys/netinet/ip_icmp.c	2003/08/15 03:42:02	1.76
+++ sys/netinet/ip_icmp.c	2003/08/15 20:12:29
@@ -842,6 +842,11 @@
 	 */
 	m->m_pkthdr.csum_flags = 0;
 
+	/*
+	 * Clear any in-bound IPsec tags before sending back out.
+	 */
+	m_tag_delete_chain(m, NULL);
+
 	icmp_send(m, opts);
 done:
 	if (opts)
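Review bot: the comment on the new block says "Clear any in-bound IPsec tags", but `m_tag_delete_chain(m, NULL)` clears the entire tag chain of the reflected mbuf, just as in the `if_loop.c` hunk; the comment should match what the call does, or the call should be narrowed to the IPsec tag ids so that the reflected echo-reply keeps any non-IPsec tags it carried. It would also be worth a short note on why this is placed right before `icmp_send()` rather than where the reply mbuf is built, so the relationship to the `csum_flags = 0` reset just above it (both are "strip inbound state before re-transmitting") is clear to the next reader.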