Handle IP over IP (IPPROTO_IPV4) properly.

We now unwrap IP/IP and apply filter rules to both the outer
  layer (with ``set filter blah x.x.x.x y.y.y.y ipip'') and to
  the payload (reinterpreted by the filter rules).

  ``set log tcp/ip'' will now show both the outer wrapper and
  the (reinterpreted) payload contents.

usr.sbin/ppp/filter.c

@@ -153,6 +153,9 @@ ParsePort(const char *service, int proto)
   int port;
 
   switch (proto) {
+  case P_IPIP:
+    protocol_name = "ipip";
+    break;
   case P_UDP:
     protocol_name = "udp";
     break;
@@ -483,6 +486,9 @@ Parse(struct ipcp *ipcp, int argc, char const *const *argv,
   case P_UDP:
     val = ParseUdpOrTcp(argc, argv, P_UDP, &filterdata);
     break;
+  case P_IPIP:
+    val = ParseUdpOrTcp(argc, argv, P_IPIP, &filterdata);
+    break;
   case P_ICMP:
     val = ParseIcmp(argc, argv, &filterdata);
     break;
@@ -641,7 +647,7 @@ filter_Show(struct cmdargs const *arg)
 }
 
 static const char * const protoname[] = {
-  "none", "tcp", "udp", "icmp", "ospf", "igmp", "gre"
+  "none", "tcp", "udp", "icmp", "ospf", "igmp", "gre", "ipip"
 };
 
 const char *

usr.sbin/ppp/filter.h

@@ -30,10 +30,11 @@
 #endif
 #define	P_IGMP	5
 #ifdef IPPROTO_GRE
-#define P_GRE   6
+#define P_GRE	6
 #endif
-#define P_ESP   7
-#define P_AH    8
+#define P_ESP	7
+#define P_AH	8
+#define P_IPIP	9
 
 /* Operations - f_srcop, f_dstop */
 #define	OP_NONE	0

usr.sbin/ppp/ip.c

@@ -279,11 +279,16 @@ FilterCheck(const struct ip *pip, const struct filter *filter, unsigned *psecs)
             estab = syn = finrst = -1;
             sport = ntohs(0);
             break;
-          case IPPROTO_UDP:
           case IPPROTO_IPIP:
+            cproto = P_IPIP;
+            sport = dport = 0;
+            estab = syn = finrst = -1;
+            break;
+          case IPPROTO_UDP:
             cproto = P_UDP;
             if (datalen < 8) {	/* UDP header is 8 octets */
-              log_Printf(LogFILTER, " error: UDP must be at least 8 octets\n");
+              log_Printf(LogFILTER, " error: UDP/IPIP"
+                         " must be at least 8 octets\n");
               return 1;
             }
 
@@ -635,14 +640,20 @@ PacketCheck(struct bundle *bundle, unsigned char *cp, int nb,
 
   case IPPROTO_IPIP:
     if (logit && loglen < sizeof logbuf) {
-      uh = (struct udphdr *) ptop;
       snprintf(logbuf + loglen, sizeof logbuf - loglen,
-               "IPIP: %s:%d ---> ", inet_ntoa(pip->ip_src),
-               ntohs(uh->uh_sport));
+               "IPIP: %s ---> ", inet_ntoa(pip->ip_src));
       loglen += strlen(logbuf + loglen);
       snprintf(logbuf + loglen, sizeof logbuf - loglen,
-               "%s:%d", inet_ntoa(pip->ip_dst), ntohs(uh->uh_dport));
+               "%s", inet_ntoa(pip->ip_dst));
       loglen += strlen(logbuf + loglen);
+
+      if (((struct ip *)ptop)->ip_v == 4) {
+        snprintf(logbuf + loglen, sizeof logbuf - loglen, " contains ");
+        result = PacketCheck(bundle, ptop, nb - (ptop - cp), filter,
+                             logbuf, psecs);
+        if (result != -2)
+          return result;
+      }
     }
     break;
 

usr.sbin/ppp/ppp.8

@@ -1702,6 +1702,7 @@ command below.
 must be one of
 .Sq icmp ,
 .Sq igmp ,
+.Sq ipip ,
 .Sq ospf ,
 .Sq udp
 or
@@ -4587,7 +4588,7 @@ as they travel across the link.
 .Oo Op host
 .Ar src_addr Ns Op / Ns Ar width
 .Op Ar dst_addr Ns Op / Ns Ar width
-.Oc [ tcp|udp|ospf|igmp|icmp Op src lt|eq|gt Ar port
+.Oc [ tcp|udp|ospf|ipip|igmp|icmp Op src lt|eq|gt Ar port
 .Op dst lt|eq|gt Ar port
 .Op estab
 .Op syn

usr.sbin/ppp/ppp.8.m4

@@ -1702,6 +1702,7 @@ command below.
 must be one of
 .Sq icmp ,
 .Sq igmp ,
+.Sq ipip ,
 .Sq ospf ,
 .Sq udp
 or
@@ -4587,7 +4588,7 @@ as they travel across the link.
 .Oo Op host
 .Ar src_addr Ns Op / Ns Ar width
 .Op Ar dst_addr Ns Op / Ns Ar width
-.Oc [ tcp|udp|ospf|igmp|icmp Op src lt|eq|gt Ar port
+.Oc [ tcp|udp|ospf|ipip|igmp|icmp Op src lt|eq|gt Ar port
 .Op dst lt|eq|gt Ar port
 .Op estab
 .Op syn