The culprit is the "#define M_DECRYPTED M_PROTO3" in "netinet6/in6.h" (that is regardless of whether or not INET6 has been set). It gets mixed up (netipsec includes in.h, in.h includes in6.h) and so when the M_DECRYPTED flag is set, M_SKIP_FIREWALL flag is also set.