authorsam <sam@FreeBSD.org>2003-02-23 00:47:06 +0000
committersam <sam@FreeBSD.org>2003-02-23 00:47:06 +0000
commit87582b9c57b44ade7cb2f19751545fb813262b93 (patch)
tree824e8df7239aadec937312f500ce5b1b196ed895 /sys/conf
parente34fd150f8cb9c6bcadb708854383f53b1092d05 (diff)
downloadFreeBSD-src-87582b9c57b44ade7cb2f19751545fb813262b93.zip
FreeBSD-src-87582b9c57b44ade7cb2f19751545fb813262b93.tar.gz
Add a new config option IPSEC_FILTERGIF to control whether or not
packets coming out of a GIF tunnel are re-processed by ipfw, et al. By default they are not reprocessed. With the option they are. This reverts 1.214. Prior to that change packets were not re-processed. After it, they were, which caused problems because packets do not have distinguishing characteristics (like a special network interface) that allow them to be filtered specially. This is really a stopgap measure designed for immediate MFC so that 4.8 has consistent handling to what was in 4.7. PR: 48159 Reviewed by: Guido van Rooij <guido@gvr.org> MFC after: 1 day
Diffstat (limited to 'sys/conf')
-rw-r--r--sys/conf/NOTES11
-rw-r--r--sys/conf/options1
2 files changed, 12 insertions, 0 deletions
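--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -364,6 +364,17 @@ options INET6 #IPv6 communications protocols
 options IPSEC #IP security
 options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
 options IPSEC_DEBUG #debug for IP security
+#
+# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
+# to be processed by any configured packet filtering (ipfw, ipf).
+# The default is that packets coming from a tunnel are _not_ processed;
+# they are assumed trusted.
+#
+# Note that enabling this can be problematic as there are no mechanisms
+# in place for distinguishing packets coming out of a tunnel (e.g. no
+# encX devices as found on openbsd).
+#
+#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
 #options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)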
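Review bot: The new NOTES text says decapsulated tunnel packets "are assumed trusted" but does not state the consequence of the default, which is the security-relevant point an administrator reading this entry needs: with IPSEC_FILTERGIF unset, ipfw/ipf rules never see the inner packets, so whatever the remote tunnel peer injects is admitted without passing the host's filter rules. I would add, after "they are assumed trusted.", the lines `# With the default, filter rules only ever see the outer (encapsulated) packets; any policy for traffic arriving through the tunnel must be applied there or enforced by the peer.` The entry also describes a "gif tunnel" while the option is named IPSEC_FILTERGIF and sits among the IPSEC options; if the option affects gif tunnels that carry no IPsec at all (I cannot tell from this hunk), the comment should say so explicitly so readers do not assume it is limited to IPsec-protected traffic.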
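--- a/sys/conf/options
+++ b/sys/conf/options
@@ -327,6 +327,7 @@ INET6 opt_inet6.h
 IPSEC opt_ipsec.h
 IPSEC_ESP opt_ipsec.h
 IPSEC_DEBUG opt_ipsec.h
+IPSEC_FILTERGIF opt_ipsec.h
 FAST_IPSEC opt_ipsec.h
 IPDIVERT
 DUMMYNET opt_ipdn.h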