control gif/stf ingress filter by using IFF_LINK2. NetBSD PR 11163.

Note that ingress filter is now *off* by default.
not sure which makes more sense.  i may want to revert the default value.

kame/kame/man/man4/gif.4

@@ -1,4 +1,4 @@
-.\"	$KAME: gif.4,v 1.17 2000/06/30 18:31:27 itojun Exp $
+.\"	$KAME: gif.4,v 1.18 2000/11/06 06:46:30 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -206,6 +206,9 @@ performs martian filter and ingress filter against outer source address,
 on egress.
 Note that martian/ingress filters are no way complete.
 You may want to secure your node by using packet filters.
+Ingress filter is not turned on by default; you can enable it by
+.Dv IFF_LINK2
+bit.
 .Pp
 As mentioned above, multi-destination mode
 .Pq Dv IFF_LINK0

kame/kame/man/man4/stf.4

@@ -1,4 +1,4 @@
-.\"     $KAME: stf.4,v 1.24 2000/06/07 23:35:18 itojun Exp $
+.\"     $KAME: stf.4,v 1.25 2000/11/06 06:46:31 itojun Exp $
 .\"
 .\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 .\" All rights reserved.
@@ -140,6 +140,9 @@ all of the directly connected subnets.
 .It
 Packets that does not pass ingress filtering.
 Outer IPv4 source address must meet the IPv4 topology on the routing table.
+Ingress filter is not turned on by default; you can enable it by
+.Dv IFF_LINK2
+bit.
 .It
 The same set of rules are appplied against the IPv4 address embedded into
 inner IPv6 address, if the IPv6 address matches 6to4 prefix.

kame/sys/net/if_stf.c

@@ -1,4 +1,4 @@
-/*	$KAME: if_stf.c,v 1.42 2000/08/15 07:24:23 itojun Exp $	*/
+/*	$KAME: if_stf.c,v 1.43 2000/11/06 06:46:29 itojun Exp $	*/
 
 /*
  * Copyright (C) 2000 WIDE Project.
@@ -183,8 +183,10 @@ static int stf_encapcheck __P((const struct mbuf *, int, int, void *));
 static struct in6_ifaddr *stf_getsrcifa6 __P((struct ifnet *));
 static int stf_output __P((struct ifnet *, struct mbuf *, struct sockaddr *,
 	struct rtentry *));
-static int stf_checkaddr4 __P((struct in_addr *, struct ifnet *));
-static int stf_checkaddr6 __P((struct in6_addr *, struct ifnet *));
+static int stf_checkaddr4 __P((struct stf_softc *, struct in_addr *,
+	struct ifnet *));
+static int stf_checkaddr6 __P((struct stf_softc *, struct in6_addr *,
+	struct ifnet *));
 #if defined(__bsdi__) && _BSDI_VERSION >= 199802
 static void stf_rtrequest __P((int, struct rtentry *, struct rt_addrinfo *));
 #else
@@ -538,9 +540,10 @@ stf_output(ifp, m, dst, rt)
 }
 
 static int
-stf_checkaddr4(in, ifp)
+stf_checkaddr4(sc, in, inifp)
+	struct stf_softc *sc;
 	struct in_addr *in;
-	struct ifnet *ifp;	/* incoming interface */
+	struct ifnet *inifp;	/* incoming interface */
 {
 	struct in_ifaddr *ia4;
 
@@ -581,7 +584,7 @@ stf_checkaddr4(in, ifp)
 	/*
 	 * perform ingress filter
 	 */
-	if (ifp) {
+	if (sc && (sc->sc_if.if_flags & IFF_LINK2) != 0 && inifp) {
 		struct sockaddr_in sin;
 		struct rtentry *rt;
 
@@ -596,7 +599,7 @@ stf_checkaddr4(in, ifp)
 #endif
 		if (!rt)
 			return -1;
-		if (rt->rt_ifp != ifp) {
+		if (rt->rt_ifp != inifp) {
 			rtfree(rt);
 			return -1;
 		}
@@ -607,15 +610,16 @@ stf_checkaddr4(in, ifp)
 }
 
 static int
-stf_checkaddr6(in6, ifp)
+stf_checkaddr6(sc, in6, inifp)
+	struct stf_softc *sc;
 	struct in6_addr *in6;
-	struct ifnet *ifp;	/* incoming interface */
+	struct ifnet *inifp;	/* incoming interface */
 {
 	/*
 	 * check 6to4 addresses
 	 */
 	if (IN6_IS_ADDR_6TO4(in6))
-		return stf_checkaddr4(GET_V4(in6), ifp);
+		return stf_checkaddr4(sc, GET_V4(in6), inifp);
 
 	/*
 	 * reject anything that look suspicious.  the test is implemented
@@ -672,8 +676,8 @@ in_stf_input(m, va_alist)
 	 * perform sanity check against outer src/dst.
 	 * for source, perform ingress filter as well.
 	 */
-	if (stf_checkaddr4(&ip->ip_dst, NULL) < 0 ||
-	    stf_checkaddr4(&ip->ip_src, m->m_pkthdr.rcvif) < 0) {
+	if (stf_checkaddr4(sc, &ip->ip_dst, NULL) < 0 ||
+	    stf_checkaddr4(sc, &ip->ip_src, m->m_pkthdr.rcvif) < 0) {
 		m_freem(m);
 		return;
 	}
@@ -692,8 +696,8 @@ in_stf_input(m, va_alist)
 	 * perform sanity check against inner src/dst.
 	 * for source, perform ingress filter as well.
 	 */
-	if (stf_checkaddr6(&ip6->ip6_dst, NULL) < 0 ||
-	    stf_checkaddr6(&ip6->ip6_src, m->m_pkthdr.rcvif) < 0) {
+	if (stf_checkaddr6(sc, &ip6->ip6_dst, NULL) < 0 ||
+	    stf_checkaddr6(sc, &ip6->ip6_src, m->m_pkthdr.rcvif) < 0) {
 		m_freem(m);
 		return;
 	}

kame/sys/netinet/in_gif.c

@@ -1,4 +1,4 @@
-/*	$KAME: in_gif.c,v 1.44 2000/08/15 07:24:24 itojun Exp $	*/
+/*	$KAME: in_gif.c,v 1.45 2000/11/06 06:46:30 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -487,7 +487,8 @@ gif_encapcheck4(m, off, proto, arg)
 	}
 
 	/* ingress filters on outer source */
-	if ((m->m_flags & M_PKTHDR) != 0 && m->m_pkthdr.rcvif) {
+	if ((sc->gif_if.if_flags & IFF_LINK2) != 0 &&
+	    (m->m_flags & M_PKTHDR) != 0 && m->m_pkthdr.rcvif) {
 		struct sockaddr_in sin;
 		struct rtentry *rt;
 

kame/sys/netinet6/in6_gif.c

@@ -1,4 +1,4 @@
-/*	$KAME: in6_gif.c,v 1.38 2000/07/24 13:27:22 itojun Exp $	*/
+/*	$KAME: in6_gif.c,v 1.39 2000/11/06 06:46:30 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -457,7 +457,8 @@ gif_encapcheck6(m, off, proto, arg)
 	/* martian filters on outer source - done in ip6_input */
 
 	/* ingress filters on outer source */
-	if ((m->m_flags & M_PKTHDR) != 0 && m->m_pkthdr.rcvif) {
+	if ((sc->gif_if.if_flags & IFF_LINK2) != 0 &&
+	    (m->m_flags & M_PKTHDR) != 0 && m->m_pkthdr.rcvif) {
 		struct sockaddr_in6 sin6;
 		struct rtentry *rt;