authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2015-03-18 01:12:17 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2015-03-18 01:12:17 +0000
commit6f93c5fdc905b5e8bc7b7c5be8ceaa80f69412f0 (patch)
tree8935ebab4e619be2abfd1f0eae65cd3e44a11cfe
parentcdcf991dbf18aacc702c737468963ba3dee459de (diff)
"handle" wccp2 packets if net.inet.gre.wccp is set to 2 by truncating
(skipping) the wccp 2 header. Tested with Cisco ASA. "looks correct" claudio ok yasuoka
-rw-r--r--share/man/man4/gre.418
-rw-r--r--sys/netinet/ip_gre.c12
2 files changed, 20 insertions, 10 deletions
diff --git a/share/man/man4/gre.4 b/share/man/man4/gre.4
index 950c86405c0..9041c684852 100644
--- a/share/man/man4/gre.4
+++ b/share/man/man4/gre.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: gre.4,v 1.39 2013/10/19 16:53:15 schwarze Exp $
+.\" $OpenBSD: gre.4,v 1.40 2015/03/18 01:12:16 mcbride Exp $
.\" $NetBSD: gre.4,v 1.10 1999/12/22 14:55:49 kleink Exp $
.\"
.\" Copyright 1998 (c) The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: October 19 2013 $
+.Dd $Mdocdate: March 18 2015 $
.Dt GRE 4
.Os
.Sh NAME
@@ -54,7 +54,10 @@ variables respectively in
.It Va net.inet.gre.allow
Allow GRE packets in and out of the system.
.It Va net.inet.gre.wccp
-Allow WCCPv1-style GRE packets into the system (depends on the above).
+Set to 1 to allow WCCPv1-style GRE packets into the system,
+set to 2 to handle the the packets as WCCPv2-style GRE, truncating
+the redirect header.
+This variable depends on the above.
.It Va net.inet.mobileip.allow
Allow MobileIP packets in and out of the system.
.El
@@ -235,8 +238,8 @@ The kernel must be set to forward datagrams by issuing the appropriate
option to
.Xr sysctl 8 .
.Pp
-The GRE interface will accept WCCPv1-style GRE encapsulated packets
-from a Cisco router.
+The GRE interface will accept WCCPv1-style or WWCPv2-style GRE
+encapsulated packets from a Cisco router.
Some magic with the packet filter configuration
and a caching proxy like squid are needed to do anything useful with
these packets.
@@ -292,6 +295,5 @@ these packets.
.Sh BUGS
GRE RFC not yet fully implemented (no GRE options).
.Pp
-For the WCCP GRE encapsulated packets we can only reliably accept
-WCCPv1 format; WCCPv2 formatted packets add another header which will
-skew the decode, and results are not defined (i.e. don't do WCCPv2).
+For WCCPv2 GRE encapsulated packets we don't handle the redirect
+header, but simply skip it.
diff --git a/sys/netinet/ip_gre.c b/sys/netinet/ip_gre.c
index 6d713b6d388..10d4b6c90a0 100644
--- a/sys/netinet/ip_gre.c
+++ b/sys/netinet/ip_gre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_gre.c,v 1.52 2014/12/19 17:14:40 tedu Exp $ */
+/* $OpenBSD: ip_gre.c,v 1.53 2015/03/18 01:12:16 mcbride Exp $ */
/* $NetBSD: ip_gre.c,v 1.9 1999/10/25 19:18:11 drochner Exp $ */
/*
@@ -145,14 +145,22 @@ gre_input2(struct mbuf *m, int hlen, u_char proto)
* GRE tunnel is precisely a IP-in-GRE tunnel that differs
* only in its protocol number. At least, it works for me.
*
- * The Internet Draft can be found if you look for
+ * The Internet Drafts can be found if you look for
+ * the following:
* draft-forster-wrec-wccp-v1-00.txt
+ * draft-wilson-wrec-wccp-v2-01.txt
*
* So yes, we're doing a fall-through (unless, of course,
* net.inet.gre.wccp is 0).
*/
if (!gre_wccp)
return (0);
+ /*
+ * For WCCPv2, additionally skip the 4 byte
+ * redirect header.
+ */
+ if (gre_wccp == 2)
+ hlen += 4;
case ETHERTYPE_IP: /* shouldn't need a schednetisr(), as */
ifq = &ipintrq; /* we are in ip_input */
af = AF_INET;
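Review bot: The added `hlen += 4` on the `gre_wccp == 2` path grows the header length from a sysctl setting alone, and nothing in this hunk checks that the received packet actually carries those four extra bytes. gre_input2 starts and continues outside the hunk, so confirm that the code after the switch compares `hlen` with `m->m_pkthdr.len` before the header is stripped, so that a short WCCP-typed GRE packet is dropped rather than trimmed past its end. The test is also an exact match, so any other non-zero value of net.inet.gre.wccp would silently behave as WCCPv1 unless the sysctl handler bounds it, which is not visible here. A `/* FALLTHROUGH */` marker before `case ETHERTYPE_IP:` and a named constant for the 4-byte redirect header would make the intent easier to audit.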