On Mon, May 08, 2017 at 20:22 +0200, Alexander Bluhm wrote:
> Hi,
>
> IPv6 IPsec transport mode does not work if pf is enabled. The
> problem is that the decrypted packets in the input path are not
> checked with pf(4). So if you have stateful filtering on enc0 (the
> default), direction-aware protocols like ping or TCP do not pass.
> Only the output packets are matched with the states.
>
> Adding an explicit pf_test() in ipsec_common_input_cb() fixes this.
> In the IPv4 case the decrypted packet is enqueued again, so it hits
> pf_test() in IPv4_input(). In IPv6 the ip6_local() shortcut is
> taken. I like to keep the shortcut as it corresponds to the idea
> of IPv6 header chains.
>
> ok?
>
> bluhm
Looks good to me. Can you please put a comment in there saying that
this is done for IPv6 only due to the ip6_local shortcut?

With that, OK mikeb
