Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Arto Selonen <arto@selonen.org>
List: netbsd-bugs
Date: 03/01/2005 09:06:01
The following reply was made to PR kern/29560; it has been noted by GNATS.

From: Arto Selonen <arto@selonen.org>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
	gnats-admin@netbsd.org
Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related
	traffic through
Date: Tue, 1 Mar 2005 11:04:58 +0200 (EET)

 Hi!
 
 On Mon, 28 Feb 2005, Christos Zoulas wrote:
 
 > On Feb 28,  8:04pm, arto@selonen.org (arto@selonen.org) wrote:
 > -- Subject: kern/29560: latest ipfilter does not allow certain IPSEC related
 >
 > Does this fix the problem?
 
 [patch omitted]
 
 Yes, it does. Testing the connection with HTTP traffic prior to patching 
 showed that larger responses never reached the client. For typical web 
 pages the server returned MTU-sized (1500 bytes for the connection 
 between the problem box and the web server) packets that got stuck in the problem 
 box, as it needed to fragment them to squeeze them into the IPSEC pipe.
 DF was set, no need-to-fragment was sent, packets dropped (?, did not
 check counters, though), no traffic flow.
 
 After patching, the patched box responds to those larger packets (in 
 my case 1280 bytes was the largest that would fit into the IPSEC pipe) 
 with an unreachable-need-to-frag ICMP message, and the server seems to adapt.
 Traffic flows, problem solved.
 
 My PR was far from reasonable, yet you have responded very quickly, and 
 with a seemingly complete fix. I apologize for my lack of self control,
 as I should have been able to communicate my frustration in a more
 constructive manner. And thank you for the quick fix!
 
 
 Artsi
 -- 
 #######======------  http://www.selonen.org/arto/  --------========########
 Everstinkuja 5 B 35                               Don't mind doing it.
 FIN-02600 Espoo        arto@selonen.org         Don't mind not doing it.
 Finland              tel +358 50 560 4826     Don't know anything about it.
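The path-MTU exchange described in the reply above, as an added example that is not part of this PR or of the ipfilter patch: a simulated box in front of an IPsec tunnel that forwards packets which fit, fragments oversized ones without DF, and answers oversized DF packets with the RFC 1191 "fragmentation needed" ICMP carrying the next-hop MTU. The 1500-byte packet size and 1280-byte tunnel MTU are taken from the report; the addresses and the packet contents are constructed samples.

```python
import struct

# Assumed from the report: 1500-byte packets arriving, 1280 bytes the largest
# that fits the IPsec tunnel. Addresses used below are constructed samples.
TUNNEL_MTU = 1280

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def make_packet(total_len: int, df: bool, src: bytes, dst: bytes) -> bytes:
    """Constructed IPv4 packet: 20-byte header (no options) plus zero payload."""
    flags = 0x4000 if df else 0  # bit 14 of flags/fragment field is DF
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags, 64, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + b"\x00" * (total_len - 20)

def forward(packet: bytes, mtu: int = TUNNEL_MTU):
    """Decide what the box in front of the tunnel does with one packet.

    Returns ("forward", None) if it fits, ("fragment", None) if it is too big
    but DF is clear, or ("icmp", msg) with an ICMP Destination Unreachable /
    Fragmentation Needed message (type 3, code 4) that tells the sender the
    next-hop MTU. Without that message (pre-patch behaviour) the flow stalls.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    df = bool(packet[6] & 0x40)
    if total_len <= mtu:
        return "forward", None
    if not df:
        return "fragment", None
    # type 3, code 4, checksum placeholder, unused, next-hop MTU, followed by
    # the offending IP header plus the first 8 bytes of its payload
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + packet[:ihl + 8]
    return "icmp", body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def needfrag_mtu(icmp: bytes) -> int:
    """Next-hop MTU advertised in a type 3 / code 4 ICMP message."""
    return struct.unpack("!H", icmp[6:8])[0]
```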