kern/185876: ipfw not matching incoming packets decapsulating ipsec. example l2tp/ipsec

Mon Feb 24 21:30:53 UTC 2014

The problem seems to be that M_SKIP_FIREWALL (macro of M_PROTO3) is cleared through m_clrprotoflags(), i.e. not transferred between the layers.

This is a reversion of the 254519 on 10.0-STABLE:

Index: netinet/ip_var.h
===================================================================

--- netinet/ip_var.h    (revision 262459)
+++ netinet/ip_var.h    (working copy)
@@ -163,12 +163,10 @@
 #define IP_ALLOWBROADCAST    SO_BROADCAST    /* 0x20 can send broadcast packets */
 
 /*
- * IPv4 protocol layer specific mbuf flags.
+ * mbuf flag used by ip_fastfwd
  */
 #define    M_FASTFWD_OURS        M_PROTO1    /* changed dst to local */
 #define    M_IP_NEXTHOP        M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL        M_PROTO3    /* skip firewall processing,
-                           keep in sync with IP6 */
 #define    M_IP_FRAG        M_PROTO4    /* fragment reassembly */
 
 #ifdef __NO_STRICT_ALIGNMENT
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h    (revision 262459)
+++ netinet6/ip6_var.h    (working copy)
@@ -293,12 +293,7 @@
 #define    IPV6_FORWARDING        0x02    /* most of IPv6 header exists */
 #define    IPV6_MINMTU        0x04    /* use minimum MTU (IPV6_USE_MIN_MTU) */
 
-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define    M_IP6_NEXTHOP        M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL        M_PROTO3    /* skip firewall processing,
-                           keep in sync with IPv4 */
+#define    M_IP6_NEXTHOP        M_PROTO7    /* explicit ip nexthop */
 
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip)    1
Index: sys/mbuf.h
===================================================================
--- sys/mbuf.h    (revision 262459)
+++ sys/mbuf.h    (working copy)
@@ -235,7 +235,7 @@
 #define    M_PROTO9    0x00100000 /* protocol-specific */
 #define    M_PROTO10    0x00200000 /* protocol-specific */
 #define    M_PROTO11    0x00400000 /* protocol-specific */
-#define    M_PROTO12    0x00800000 /* protocol-specific */
+#define    M_SKIP_FIREWALL    0x00800000
 
 /*
  * Flags to purge when crossing layers.
@@ -242,13 +242,13 @@
  */
 #define    M_PROTOFLAGS \
     (M_PROTO1|M_PROTO2|M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|M_PROTO7|M_PROTO8|\
-     M_PROTO9|M_PROTO10|M_PROTO11|M_PROTO12)
+     M_PROTO9|M_PROTO10|M_PROTO11)
 
 /*
  * Flags preserved when copying m_pkthdr.
  */
 #define M_COPYFLAGS \
-    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
+    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
      M_PROTOFLAGS)
 
 /*
@@ -255,12 +255,12 @@
  * Mbuf flag description for use with printf(9) %b identifier.
  */
 #define    M_FLAG_BITS \
-    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_BCAST\6M_MCAST" \
-    "\7M_PROMISC\10M_VLANTAG\11M_FLOWID"
+    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_SKIP_FIREWALL\6M_BCAST\7M_MCAST" \
+    "\8M_PROMISC\10M_VLANTAG\11M_FLOWID"
 #define    M_FLAG_PROTOBITS \
     "\15M_PROTO1\16M_PROTO2\17M_PROTO3\20M_PROTO4\21M_PROTO5" \
     "\22M_PROTO6\23M_PROTO7\24M_PROTO8\25M_PROTO9\26M_PROTO10" \
-    "\27M_PROTO11\30M_PROTO12"
+    "\27M_PROTO11"
 #define    M_FLAG_PRINTF (M_FLAG_BITS M_FLAG_PROTOBITS)
 
 /*

