i dont understand the usefulness of the sysctls to turn etherip,
gre, and mobileip handling on. if you arent going to handle etherip,
gre, or mobileip, just dont create interfaces to handle them.

for now, this dummies up handling of the sysctls by letting userland
read that theyre allowed, but the allow sysctls are readonly.

ok?

Index: if_gre.c
===================================================================
RCS file: /cvs/src/sys/net/if_gre.c,v
retrieving revision 1.100
diff -u -p -r1.100 if_gre.c
--- if_gre.c    12 Feb 2018 03:15:32 -0000      1.100
+++ if_gre.c    14 Feb 2018 08:02:30 -0000
@@ -288,7 +288,6 @@ struct gre_list egre_list = TAILQ_HEAD_I
  * allowed as well.
  *
  */
-int gre_allow = 0;
 int gre_wccp = 0;
 
 void
@@ -495,9 +494,6 @@ gre_input_key(struct mbuf **mp, int *off
        int mcast = 0;
        int ttloff;
 
-       if (!gre_allow)
-               goto decline;
-
        hlen = iphlen + sizeof(*gh);
        if (m->m_pkthdr.len < hlen)
                goto decline;
@@ -555,7 +551,11 @@ gre_input_key(struct mbuf **mp, int *off
        key->t_rtableid = m->m_pkthdr.ph_rtableid;
 
        switch (gh->gre_proto) {
-       case htons(GRE_WCCP):
+       case htons(GRE_WCCP): {
+               struct mbuf *n;
+               int off;
+               uint8_t v;
+
                /* WCCP/GRE:
                 *   So far as I can see (and test) it seems that Cisco's WCCP
                 *   GRE tunnel is precisely a IP-in-GRE tunnel that differs
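Review bot: The `{` opened on `case htons(GRE_WCCP): {` has no matching `}` in any visible hunk of if_gre.c. The next hunk ends at `default:` of the inner switch, and the hunk after that is already in gre_output. Unless the posted diff is incomplete, a `}` is needed after the inner `switch (gre_wccp)` and before the fall-through that the comment describes. The WCCP change is also not mentioned in the description, which only covers the allow sysctls, so it may be better sent as its own diff.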
@@ -569,11 +569,19 @@ gre_input_key(struct mbuf **mp, int *off
                 *   So yes, we're doing a fall-through (unless, of course,
                 *   net.inet.gre.wccp is 0).
                 */
+
+               n = m_getptr(m, hlen, &off);
+               if (n == NULL)
+                       goto decline;
+
+               v = n->m_data[off];
+               if (v >> 4 != IPVERSION)
+                       hlen += sizeof(gre_wccp);
+
                switch (gre_wccp) {
                case 1:
                        break;
                case 2:
-                       hlen += sizeof(gre_wccp);
                        break;
                case 0:
                default:
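Review bot: `v = n->m_data[off]` can read one byte past the valid data when the packet is exactly `hlen` bytes long. The length check visible earlier in gre_input_key only rejects `m_pkthdr.len < hlen`, and m_getptr(), as far as I recall, returns the last mbuf with `off == m_len` rather than NULL when asked for the end-of-chain position. Declining when no byte follows the GRE header closes this, e.g. `if (m->m_pkthdr.len <= hlen) goto decline;` ahead of the m_getptr() call. The header-length bump now depends on the first payload nibble instead of `gre_wccp == 2`, so values 1 and 2 of net.inet.gre.wccp behave the same after this hunk, which deserves a line in the commit message if intended. The code after the inner switch is outside this hunk and should be checked to re-validate `m_pkthdr.len` against the larger `hlen`.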
@@ -811,11 +819,6 @@ gre_output(struct ifnet *ifp, struct mbu
        struct m_tag *mtag;
        int error = 0;
 
-       if (!gre_allow) {
-               error = EACCES;
-               goto drop;
-       }
-
        if (!ISSET(ifp->if_flags, IFF_RUNNING)) {
                error = ENETDOWN;
                goto drop;
@@ -964,9 +967,6 @@ egre_start(struct ifnet *ifp)
        caddr_t if_bpf;
 #endif
 
-       if (!gre_allow)
-               ifq_purge(&ifp->if_snd);
-
        while ((m0 = ifq_dequeue(&ifp->if_snd)) != NULL) {
 #if NBPFILTER > 0
                if_bpf = ifp->if_bpf;
@@ -1691,10 +1691,7 @@ gre_sysctl(int *name, u_int namelen, voi
 
        switch (name[0]) {
        case GRECTL_ALLOW:
-               NET_LOCK();
-               error = sysctl_int(oldp, oldlenp, newp, newlen, &gre_allow);
-               NET_UNLOCK();
-               return (error);
+               return (sysctl_rdint(oldp, oldlenp, newp, 1));
        case GRECTL_WCCP:
                NET_LOCK();
                error = sysctl_int(oldp, oldlenp, newp, newlen, &gre_wccp);
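Review bot: `sysctl_rdint()` rejects any attempt to set the value, so an existing `net.inet.gre.allow=1` line in a sysctl.conf will start failing after this change. The same applies to the etherip and mobileip allow sysctls changed further down. More important for operators, a host that left these at 0 as a kill switch will now report 1, and the `!gre_allow` checks in gre_input_key, gre_output and egre_start are removed above, leaving interface configuration as the only control, per the description. I would add a comment on the case, e.g. `/* always allowed; kept read-only so existing userland can still query it */`, and call out the behaviour change in the commit message and the manual pages that document these sysctls. gre_sysctl starts and ends outside this hunk.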
Index: if_etherip.c
===================================================================
RCS file: /cvs/src/sys/net/if_etherip.c,v
retrieving revision 1.35
diff -u -p -r1.35 if_etherip.c
--- if_etherip.c        12 Feb 2018 01:43:42 -0000      1.35
+++ if_etherip.c        14 Feb 2018 08:02:30 -0000
@@ -88,12 +88,6 @@ struct etherip_softc {
        uint8_t                 sc_ttl;
 };
 
-/*
- * We can control the acceptance of EtherIP packets by altering the sysctl
- * net.inet.etherip.allow value. Zero means drop them, all else is acceptance.
- */
-int etherip_allow = 0;
-
 struct cpumem *etheripcounters;
 
 void etheripattach(int);
@@ -547,11 +541,6 @@ etherip_input(struct etherip_tunnel *key
        struct ifnet *ifp;
        struct etherip_header *eip;
 
-       if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) {
-               etheripstat_inc(etherips_pdrops);
-               goto drop;
-       }
-
        key->t_rtableid = m->m_pkthdr.ph_rtableid;
 
        NET_ASSERT_LOCKED();
@@ -696,10 +685,7 @@ etherip_sysctl(int *name, u_int namelen,
 
        switch (name[0]) {
        case ETHERIPCTL_ALLOW:
-               NET_LOCK();
-               error = sysctl_int(oldp, oldlenp, newp, newlen, &etherip_allow);
-               NET_UNLOCK();
-               return (error);
+               return (sysctl_rdint(oldp, oldlenp, newp, 1);
        case ETHERIPCTL_STATS:
                return (etherip_sysctl_etheripstat(oldp, oldlenp, newp));
        default:
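Review bot: The added line `return (sysctl_rdint(oldp, oldlenp, newp, 1);` is missing a closing parenthesis and will not compile; it should read `return (sysctl_rdint(oldp, oldlenp, newp, 1));` as in the gre and mobileip hunks. If `error` was only used by the removed lines, its declaration (outside this hunk) becomes unused and should be removed too, as the mobileip hunk does. Separately, the check removed from etherip_input above let IPsec-protected packets (`M_AUTH|M_CONF`) through even with allow at 0. Setups that depended on accepting only protected EtherIP lose that filter with this diff, which is worth stating in the commit message.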
Index: if_mobileip.c
===================================================================
RCS file: /cvs/src/sys/net/if_mobileip.c,v
retrieving revision 1.7
diff -u -p -r1.7 if_mobileip.c
--- if_mobileip.c       12 Feb 2018 02:55:40 -0000      1.7
+++ if_mobileip.c       14 Feb 2018 08:02:30 -0000
@@ -100,8 +100,6 @@ static struct mobileip_softc *
  * let's begin
  */
 
-int    mobileip_allow = 0;
-
 void
 mobileipattach(int n)
 {
@@ -215,12 +213,6 @@ mobileip_output(struct ifnet *ifp, struc
        struct m_tag *mtag;
        int error = 0;
 
-       if (!mobileip_allow) {
-               m_freem(m);
-               error = EACCES;
-               goto end;
-       }
-
        if (!ISSET(ifp->if_flags, IFF_RUNNING)) {
                m_freem(m);
                error = ENETDOWN;
@@ -540,9 +532,6 @@ mobileip_input(struct mbuf **mp, int *of
        int iphlen = 0;
        int hlen;
 
-       if (!mobileip_allow)
-               goto drop;
-
        ip = mtod(m, struct ip *);
 
        key.t_rtableid = m->m_pkthdr.ph_rtableid;
@@ -628,24 +617,13 @@ int
 mobileip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
     void *newp, size_t newlen)
 {
-       int allow;
-       int error;
-
        /* All sysctl names at this level are terminal. */
        if (namelen != 1)
                return (ENOTDIR);
 
        switch (name[0]) {
        case MOBILEIPCTL_ALLOW:
-               allow = mobileip_allow;
-
-               error = sysctl_int(oldp, oldlenp, newp, newlen,
-                   &allow);
-               if (error != 0)
-                       return (error);
-
-               mobileip_allow = allow;
-               break;
+               return (sysctl_rdint(oldp, oldlenp, newp, 1));
        default:
                return (ENOPROTOOPT);
        }
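Review bot: With `MOBILEIPCTL_ALLOW` now returning directly, every arm of the switch returns, so whatever followed the old `break` after the closing brace (outside this hunk) is unreachable and can be dropped. A short comment on the case, such as `/* always allowed; read-only for compatibility */`, would explain the constant `1` to the next reader.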
