From: "Andrey V. Elsukov" Date: Sun, 31 May 2015 22:58:42 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r283852 - in stable/10: sbin/ifconfig sys/net sys/netinet sys/netinet6 X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 31 May 2015 22:58:44 -0000 Author: ae Date: Sun May 31 22:58:41 2015 New Revision: 283852 URL: https://svnweb.freebsd.org/changeset/base/283852 Log: MFC r282965: Add an ability accept encapsulated packets from different sources by one gif(4) interface. Add new option "ignore_source" for gif(4) interface. When it is enabled, gif's encapcheck function requires match only for packet's destination address. Differential Revision: https://reviews.freebsd.org/D2004 Sponsored by: Yandex LLC Modified: stable/10/sbin/ifconfig/ifconfig.8 stable/10/sbin/ifconfig/ifgif.c stable/10/sys/net/if_gif.h stable/10/sys/netinet/in_gif.c stable/10/sys/netinet6/in6_gif.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sbin/ifconfig/ifconfig.8 ============================================================================== --- stable/10/sbin/ifconfig/ifconfig.8 Sun May 31 22:56:03 2015 (r283851) +++ stable/10/sbin/ifconfig/ifconfig.8 Sun May 31 22:58:41 2015 (r283852) @@ -28,7 +28,7 @@ .\" From: @(#)ifconfig.8 8.3 (Berkeley) 1/5/94 .\" $FreeBSD$ .\" -.Dd March 6, 2015 +.Dd May 15, 2015 .Dt IFCONFIG 8 .Os .Sh NAME 
@@ -2444,6 +2444,14 @@ This is for backward compatibility with .It Cm -accept_rev_ethip_ver Clear a flag .Cm accept_rev_ethip_ver . +.It Cm ignore_source +Set a flag to accept encapsulated packets destined to this host +independently from source address. +This may be useful for hosts, that receive encapsulated packets +from the load balancers. +.It Cm -ignore_source +Clear a flag +.Cm ignore_source . .It Cm send_rev_ethip_ver Set a flag to send EtherIP packets with reversed version field intentionally. Modified: stable/10/sbin/ifconfig/ifgif.c ============================================================================== --- stable/10/sbin/ifconfig/ifgif.c Sun May 31 22:56:03 2015 (r283851) +++ stable/10/sbin/ifconfig/ifgif.c Sun May 31 22:58:41 2015 (r283852) @@ -51,7 +51,7 @@ static const char rcsid[] = #include "ifconfig.h" -#define GIFBITS "\020\1ACCEPT_REV_ETHIP_VER\5SEND_REV_ETHIP_VER" +#define GIFBITS "\020\1ACCEPT_REV_ETHIP_VER\2IGNORE_SOURCE\5SEND_REV_ETHIP_VER" static void gif_status(int); @@ -95,6 +95,8 @@ setgifopts(const char *val, static struct cmd gif_cmds[] = { DEF_CMD("accept_rev_ethip_ver", GIF_ACCEPT_REVETHIP, setgifopts), DEF_CMD("-accept_rev_ethip_ver",-GIF_ACCEPT_REVETHIP, setgifopts), + DEF_CMD("ignore_source", GIF_IGNORE_SOURCE, setgifopts), + DEF_CMD("-ignore_source", -GIF_IGNORE_SOURCE, setgifopts), DEF_CMD("send_rev_ethip_ver", GIF_SEND_REVETHIP, setgifopts), DEF_CMD("-send_rev_ethip_ver", -GIF_SEND_REVETHIP, setgifopts), }; Modified: stable/10/sys/net/if_gif.h ============================================================================== --- stable/10/sys/net/if_gif.h Sun May 31 22:56:03 2015 (r283851) +++ stable/10/sys/net/if_gif.h Sun May 31 22:58:41 2015 (r283852) 
@@ -117,7 +117,9 @@ int gif_encapcheck(const struct mbuf *, #define GIFSOPTS _IOW('i', 151, struct ifreq) #define GIF_ACCEPT_REVETHIP 0x0001 +#define GIF_IGNORE_SOURCE 0x0002 #define GIF_SEND_REVETHIP 0x0010 -#define GIF_OPTMASK (GIF_ACCEPT_REVETHIP|GIF_SEND_REVETHIP) +#define GIF_OPTMASK (GIF_ACCEPT_REVETHIP|GIF_SEND_REVETHIP| \ + GIF_IGNORE_SOURCE) #endif /* _NET_IF_GIF_H_ */ Modified: stable/10/sys/netinet/in_gif.c ============================================================================== --- stable/10/sys/netinet/in_gif.c Sun May 31 22:56:03 2015 (r283851) +++ stable/10/sys/netinet/in_gif.c Sun May 31 22:58:41 2015 (r283852) @@ -177,13 +177,19 @@ in_gif_input(struct mbuf **mp, int *offp static int gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp) { + int ret; GIF_RLOCK_ASSERT(sc); /* check for address match */ - if (sc->gif_iphdr->ip_src.s_addr != ip->ip_dst.s_addr || - sc->gif_iphdr->ip_dst.s_addr != ip->ip_src.s_addr) + if (sc->gif_iphdr->ip_src.s_addr != ip->ip_dst.s_addr) return (0); + ret = 32; + if (sc->gif_iphdr->ip_dst.s_addr != ip->ip_src.s_addr) { + if ((sc->gif_options & GIF_IGNORE_SOURCE) == 0) + return (0); + } else + ret += 32; /* martian filters on outer source - NOT done in ip_input! */ if (IN_MULTICAST(ntohl(ip->ip_src.s_addr))) @@ -214,7 +220,7 @@ gif_validate4(const struct ip *ip, struc } RTFREE_LOCKED(rt); } - return (32 * 2); + return (ret); } /* Modified: stable/10/sys/netinet6/in6_gif.c ============================================================================== --- stable/10/sys/netinet6/in6_gif.c Sun May 31 22:56:03 2015 (r283851) +++ stable/10/sys/netinet6/in6_gif.c Sun May 31 22:58:41 2015 (r283852) @@ -180,6 +180,7 @@ static int gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc, struct ifnet *ifp) { + int ret; GIF_RLOCK_ASSERT(sc); /* 
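Review bot: The new GIF_IGNORE_SOURCE branch in the gif_validate4 hunk (`@@ -177,13 +177,19 @@`) carries no comment saying what it relaxes or why the result drops from 64 to 32. With the flag set, the outer source is no longer compared with the configured peer, so only the checks further down the function constrain who can deliver inner packets to this interface; the martian filters are visible as context, the rest lies outside the hunk. I would add above the branch something like `/* GIF_IGNORE_SOURCE: any outer source is accepted; return only the destination match length (32), presumably so an exact src+dst match on another tunnel still ranks higher (64). */`. The ifconfig.8 entry added in this commit describes the load-balancer use case but not this trade-off, and a sentence recommending packet filtering or IPsec on the endpoint when the option is enabled would help operators. The same comment, with 128 and 256, applies to the gif_validate6 hunk in in6_gif.c.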
@@ -187,9 +188,14 @@ gif_validate6(const struct ip6_hdr *ip6, * packet. We should compare the *source* address in our configuration * and the *destination* address of the packet, and vice versa. */ - if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_src, &ip6->ip6_dst) || - !IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_dst, &ip6->ip6_src)) + if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_src, &ip6->ip6_dst)) return (0); + ret = 128; + if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_dst, &ip6->ip6_src)) { + if ((sc->gif_options & GIF_IGNORE_SOURCE) == 0) + return (0); + } else + ret += 128; /* martian filters on outer source - done in ip6_input */ @@ -214,7 +220,7 @@ gif_validate6(const struct ip6_hdr *ip6, RTFREE_LOCKED(rt); } - return (128 * 2); + return (ret); } /*
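Review bot: The context comment directly above the changed test in gif_validate6 still says the configured source is compared with the packet's destination "and vice versa", which no longer holds once GIF_IGNORE_SOURCE is set. The comment opens in the previous hunk, so only its tail is visible here. I would extend it with a sentence such as `With GIF_IGNORE_SOURCE set only the destination is compared; any outer source is accepted and the match length stays at 128.` A maintainer reading the comment alone would otherwise assume the peer address is always enforced on input.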