Add an ability accept encapsulated packets from different sources by one

gif(4) interface. Add new option "ignore_source" for gif(4) interface. When it is enabled, gif's encapcheck function requires match only for packet's destination address. Differential Revision: https://reviews.freebsd.org/D2004 Obtained from: Yandex LLC MFC after: 2 weeks Sponsored by: Yandex LLC
svn path=/head/; revision=282965
2025-01-02 12:20:51 +00:00 · 2015-05-15 12:19:45 +00:00 · 2015-05-15 12:19:45 +00:00 · c1b4f79dfa · 2020-12-20 02:59:44 +00:00
commit c1b4f79dfa
parent 9be6046a47
5 changed files with 33 additions and 9 deletions
--- a/sbin/ifconfig/ifconfig.8
+++ b/sbin/ifconfig/ifconfig.8
@ -28,7 +28,7 @@
 .\"     From: @(#)ifconfig.8	8.3 (Berkeley) 1/5/94
 .\" $FreeBSD$
 .\"
-.Dd May 12, 2015
+.Dd May 15, 2015
 .Dt IFCONFIG 8
 .Os
 .Sh NAME
@ -2428,6 +2428,14 @@ This is for backward compatibility with
 .It Cm -accept_rev_ethip_ver
 Clear a flag
 .Cm accept_rev_ethip_ver .
+.It Cm ignore_source
+Set a flag to accept encapsulated packets destined to this host
+independently from source address.
+This may be useful for hosts, that receive encapsulated packets
+from the load balancers.
+.It Cm -ignore_source
+Clear a flag
+.Cm ignore_source .
 .It Cm send_rev_ethip_ver
 Set a flag to send EtherIP packets with reversed version
 field intentionally.
--- a/sbin/ifconfig/ifgif.c
+++ b/sbin/ifconfig/ifgif.c
@ -51,7 +51,7 @@ static const char rcsid[] =

 #include "ifconfig.h"

-#define	GIFBITS	"\020\1ACCEPT_REV_ETHIP_VER\5SEND_REV_ETHIP_VER"
+#define	GIFBITS	"\020\1ACCEPT_REV_ETHIP_VER\2IGNORE_SOURCE\5SEND_REV_ETHIP_VER"

 static void	gif_status(int);

@ -95,6 +95,8 @@ setgifopts(const char *val,
 static struct cmd gif_cmds[] = {
 	DEF_CMD("accept_rev_ethip_ver",	GIF_ACCEPT_REVETHIP,	setgifopts),
 	DEF_CMD("-accept_rev_ethip_ver",-GIF_ACCEPT_REVETHIP,	setgifopts),
+	DEF_CMD("ignore_source",	GIF_IGNORE_SOURCE,	setgifopts),
+	DEF_CMD("-ignore_source",	-GIF_IGNORE_SOURCE,	setgifopts),
 	DEF_CMD("send_rev_ethip_ver",	GIF_SEND_REVETHIP,	setgifopts),
 	DEF_CMD("-send_rev_ethip_ver",	-GIF_SEND_REVETHIP,	setgifopts),
 };
--- a/sys/net/if_gif.h
+++ b/sys/net/if_gif.h
@ -127,7 +127,9 @@ int in6_gif_attach(struct gif_softc *);
 #define GIFSOPTS	_IOW('i', 151, struct ifreq)

 #define	GIF_ACCEPT_REVETHIP	0x0001
+#define	GIF_IGNORE_SOURCE	0x0002
 #define	GIF_SEND_REVETHIP	0x0010
-#define	GIF_OPTMASK		(GIF_ACCEPT_REVETHIP|GIF_SEND_REVETHIP)
+#define	GIF_OPTMASK		(GIF_ACCEPT_REVETHIP|GIF_SEND_REVETHIP| \
+    GIF_IGNORE_SOURCE)

 #endif /* _NET_IF_GIF_H_ */
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@ -168,13 +168,19 @@ in_gif_input(struct mbuf **mp, int *offp, int proto)
 static int
 gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
 {
+	int ret;

 	GIF_RLOCK_ASSERT(sc);

 	/* check for address match */
-	if (sc->gif_iphdr->ip_src.s_addr != ip->ip_dst.s_addr ||
-	    sc->gif_iphdr->ip_dst.s_addr != ip->ip_src.s_addr)
+	if (sc->gif_iphdr->ip_src.s_addr != ip->ip_dst.s_addr)
 		return (0);
+	ret = 32;
+	if (sc->gif_iphdr->ip_dst.s_addr != ip->ip_src.s_addr) {
+		if ((sc->gif_options & GIF_IGNORE_SOURCE) == 0)
+			return (0);
+	} else
+		ret += 32;

 	/* martian filters on outer source - NOT done in ip_input! */
 	if (IN_MULTICAST(ntohl(ip->ip_src.s_addr)))
@ -205,7 +211,7 @@ gif_validate4(const struct ip *ip, struct gif_softc *sc, struct ifnet *ifp)
 		}
 		RTFREE_LOCKED(rt);
 	}
-	return (32 * 2);
+	return (ret);
 }

 /*
--- a/sys/netinet6/in6_gif.c
+++ b/sys/netinet6/in6_gif.c
@ -180,6 +180,7 @@ static int
 gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc,
    struct ifnet *ifp)
 {
+	int ret;

 	GIF_RLOCK_ASSERT(sc);
 	/*
@ -187,9 +188,14 @@ gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc,
 	 * packet.  We should compare the *source* address in our configuration
 	 * and the *destination* address of the packet, and vice versa.
 	 */
-	if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_src, &ip6->ip6_dst) ||
-	    !IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_dst, &ip6->ip6_src))
+	if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_src, &ip6->ip6_dst))
 		return (0);
+	ret = 128;
+	if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_dst, &ip6->ip6_src)) {
+		if ((sc->gif_options & GIF_IGNORE_SOURCE) == 0)
+			return (0);
+	} else
+		ret += 128;

 	/* martian filters on outer source - done in ip6_input */

@ -214,7 +220,7 @@ gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc,
 		RTFREE_LOCKED(rt);
 	}

-	return (128 * 2);
+	return (ret);
 }

 /*