MFC r282965:

  Add an ability accept encapsulated packets from different sources by one
  gif(4) interface. Add new option "ignore_source" for gif(4) interface.
  When it is enabled, gif's encapcheck function requires match only for
  packet's destination address.

  Differential Revision:	https://reviews.freebsd.org/D2004
  Sponsored by:	Yandex LLC

1 files changed, 9 insertions, 3 deletions

diff --git a/sys/netinet6/in6_gif.c b/sys/netinet6/in6_gif.c
index 1872f5c..002bf53 100644
--- a/sys/netinet6/in6_gif.c
+++ b/sys/netinet6/in6_gif.c
@@ -180,6 +180,7 @@ static int
 gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc,
     struct ifnet *ifp)
 {
+	int ret;
 
 	GIF_RLOCK_ASSERT(sc);
 	/*
@@ -187,9 +188,14 @@ gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc,
 	 * packet.  We should compare the *source* address in our configuration
 	 * and the *destination* address of the packet, and vice versa.
 	 */
-	if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_src, &ip6->ip6_dst) ||
-	    !IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_dst, &ip6->ip6_src))
+	if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_src, &ip6->ip6_dst))
 		return (0);
+	ret = 128;
+	if (!IN6_ARE_ADDR_EQUAL(&sc->gif_ip6hdr->ip6_dst, &ip6->ip6_src)) {
+		if ((sc->gif_options & GIF_IGNORE_SOURCE) == 0)
+			return (0);
+	} else
+		ret += 128;
 
 	/* martian filters on outer source - done in ip6_input */
 
@@ -214,7 +220,7 @@ gif_validate6(const struct ip6_hdr *ip6, struct gif_softc *sc,
 		RTFREE_LOCKED(rt);
 	}
 
-	return (128 * 2);
+	return (ret);
 }
 
 /*