IPSEC/PF (particularly NAT) problem? RC5,4,3
Gleb Smirnoff
glebius at FreeBSD.org
Wed Jan 15 10:36:11 UTC 2014
Nat,
On Tue, Jan 14, 2014 at 06:54:09PM -0500, Nat Howard wrote:
N> I'm encountering a problem in updating to 10.0, and wonder if
N> anything has changed with respect to the way in which you tell (the
N> new!) PF code to process stuff coming in via IPSEC -- if, for
N> example, there's a knob somewhere that says "yes, really, really,
N> do the NATing on incoming packets that came in on IPSEC and
N> are going out (decrypted) in the clear." that wasn't required
N> in previous versions (up to 9.1) of FreeBSD.
AFAIR, nothing has changed in pf in regards to its ipsec handling.
The new part is only finer locking. Well, I could have broken
ipsec. But more probable is that the problem lives somewhere out of
pf.
Can you please provide a minimal reproduction case, that does work
on 9.1, and doesn't work on 10.0? You can file it in GNATS as PR.
That would help.
--
Totus tuus, Glebius.