ipsec is glued into the stack in a very weird way, violating all kinds

of expected semantics. thus, for return packets coming out of an ipsec
tunnel, we need to clear the pf state key pointer in the mbuf header
to prevent a state for encapsulated traffic to be linked to the
decapsulated traffic one.
problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some
time to understand what the hell was going on. ok ryan

diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index e64b7a7..93ab99f 100644 (file)
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ipsec_input.c,v 1.87 2008/06/14 23:18:20 todd Exp $   */
+/*     $OpenBSD: ipsec_input.c,v 1.88 2008/07/24 10:55:44 henning Exp $        */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -563,6 +563,9 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
        /* Add pf tag if requested. */
        if (pf_tag_packet(m, tdbp->tdb_tag, -1))
                DPRINTF(("failed to tag ipsec packet\n"));
+
+       /* clear state key ptr to prevent incorrect linking */
+       m->m_pkthdr.pf.statekey = NULL;
 #endif
 
        if (tdbp->tdb_flags & TDBF_TUNNELING)