From 4d2455bbfbd536dd04535b592b5008bd1680184c Mon Sep 17 00:00:00 2001 From: Giorgos Keramidas Date: Mon, 26 Jun 2006 13:06:22 +0000 Subject: [PATCH] When IPSEC is configured according to the Handbook[1], pf fails to track connection state properly, because it does not see packets coming from the tunneled interface to gif(4). Rebuilding with IPSEC_FILTERGIF fixes the problem. According to mlaier@ we cannot change GENERIC for this, but it's ok to document the requirement for IPSEC_FILTERGIF. Add a note to this effect. [1] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html PR: kern/97057 Submitted by: Dmitry Andrianov Suggested by: mlaier Reviewed by: remko --- en_US.ISO8859-1/books/handbook/security/chapter.sgml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index 1c9373f03d..c28bc1878c 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -3116,7 +3116,17 @@ options FAST_IPSEC # new IPsec (cannot define w/ IPSEC) Fast IPsec subsystem in lieu of the KAME implementation of IPsec. Consult the &man.fast.ipsec.4; manual page for more information. + + + To let firewalls properly track state for &man.gif.4; + tunnels too, you have to enable the + in your kernel + configuration: + + +options IPSEC_FILTERGIF #filter ipsec packets from a tunnel +
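Review bot: the added sentence in the security chapter reads "you have to enable the in your kernel configuration" with nothing between "the" and "in", so as written the paragraph never names what the reader must enable; spell the option out in the prose rather than relying on the options line alone, e.g. `enable the IPSEC_FILTERGIF option in your kernel configuration`. Since the commit message describes the state-tracking failure as a pf problem with packets decapsulated by gif(4), it would also help to mention &man.pf.4; explicitly instead of the generic "firewalls", so readers hitting the reported symptom can match it to this note.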