Add a new config option IPSEC_FILTERGIF to control whether or not

packets coming out of a GIF tunnel are re-processed by ipfw, et. al.
By default they are not reprocessed.  With the option they are.

This reverts 1.214.  Prior to that change packets were not re-processed.
After they were which caused problems because packets do not have
distinguishing characteristics (like a special network if) that allows
them to be filtered specially.

This is really a stopgap measure designed for immediate MFC so that
4.8 has consistent handling to what was in 4.7.

PR:		48159
Reviewed by:	Guido van Rooij <guido@gvr.org>
MFC after:	1 day

sys/conf/NOTES

@@ -364,6 +364,17 @@ options 	INET6			#IPv6 communications protocols
 options 	IPSEC			#IP security
 options 	IPSEC_ESP		#IP security (crypto; define w/ IPSEC)
 options 	IPSEC_DEBUG		#debug for IP security
+#
+# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
+# to be processed by any configured packet filtering (ipfw, ipf).
+# The default is that packets coming from a tunnel are _not_ processed;
+# they are assumed trusted.
+#
+# Note that enabling this can be problematic as there are no mechanisms
+# in place for distinguishing packets coming out of a tunnel (e.g. no
+# encX devices as found on openbsd).
+#
+#options 	IPSEC_FILTERGIF		#filter ipsec packets from a tunnel
 
 #options 	FAST_IPSEC		#new IPsec (cannot define w/ IPSEC)
 

sys/conf/options

@@ -327,6 +327,7 @@ INET6			opt_inet6.h
 IPSEC			opt_ipsec.h
 IPSEC_ESP		opt_ipsec.h
 IPSEC_DEBUG		opt_ipsec.h
+IPSEC_FILTERGIF		opt_ipsec.h
 FAST_IPSEC		opt_ipsec.h
 IPDIVERT
 DUMMYNET		opt_ipdn.h

sys/netinet/ip_input.c

@@ -427,6 +427,13 @@ tooshort:
 		} else
 			m_adj(m, ip->ip_len - m->m_pkthdr.len);
 	}
+#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
+	/*
+	 * Bypass packet filtering for packets from a tunnel (gif).
+	 */
+	if (ipsec_gethist(m, NULL))
+		goto pass;
+#endif
 
 	/*
 	 * IpHack's section.