authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2011-07-08 18:30:18 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2011-07-08 18:30:18 +0000
commit10fcba53ef6983f49604f8f0da1619428df97c97 (patch)
treecfcb48c33f5803859f0a19286ecac3e7e8f14b24
parent48142241ec73b235e102c03fa64123d49a404e71 (diff)
Include PIPEX in kernel by default. And add new sysctl variable
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled and it will not process packets from the wire. Update man pages and update HOWTO_PIPEX_NPPPD.txt for testers. discussed with dlg@, ok deraadt@ mcbride@ claudio@
-rw-r--r--lib/libc/gen/sysctl.318
-rw-r--r--sbin/sysctl/sysctl.85
-rw-r--r--sbin/sysctl/sysctl.c29
-rw-r--r--share/man/man4/options.47
-rw-r--r--sys/kern/uipc_domain.c7
-rw-r--r--sys/net/if_ethersubr.c14
-rw-r--r--sys/net/pipex.c22
-rw-r--r--sys/net/pipex.h20
-rw-r--r--sys/netinet/ip_gre.c14
-rw-r--r--sys/netinet/udp_usrreq.c4
-rw-r--r--usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt31
11 files changed, 129 insertions, 42 deletions
diff --git a/lib/libc/gen/sysctl.3 b/lib/libc/gen/sysctl.3
index e38835aa08b..4071be1a5a4 100644
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.3,v 1.205 2011/07/07 13:23:46 jmc Exp $
+.\" $OpenBSD: sysctl.3,v 1.206 2011/07/08 18:30:17 yasuoka Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 7 2011 $
+.Dd $Mdocdate: July 8 2011 $
.Dt SYSCTL 3
.Os
.Sh NAME
@@ -1124,6 +1124,7 @@ privileges may change the value.
.It Dv PF_INET No " IPv4 values yes"
.It Dv PF_INET6 No " IPv6 values yes"
.It Dv PF_KEY No " key management no"
+.It Dv PF_PIPEX No " PIPEX values yes"
.El
.Bl -tag -width "123456"
.It Dv PF_ROUTE
@@ -1914,6 +1915,17 @@ Security Association database (SADB).
.It Dv NET_KEY_SPD_DUMP
IPsec flow database (SPD).
.El
+.It Dv PF_PIPEX
+Get or set global information about PIPEX.
+.Pp
+The currently defined variable names are:
+.Bl -column "Third level nameXXXXXX" "struct loadavgXXX" -offset indent
+.It Sy Third level name Type Changeable
+.It Dv PIPEXCTL_ENABLE integer yes
+.El
+.Bl -tag -width "123456"
+.It Dv PIPEXCTL_ENABLE
+If set to 1, enable the PIPEX processing. The default is 0.
.El
.Ss CTL_USER
The string and integer information available for the
@@ -2207,6 +2219,8 @@ definitions for third level virtual file system identifiers
definitions for second level virtual memory identifiers
.It Aq Pa uvm/uvm_swap_encrypt.h
definitions for third level virtual memory identifiers
+.It Aq Pa net/pipex.h
+definitions for third level PIPEX identifiers
.It Aq Pa netinet/in.h
definitions for third level IPv4/v6 identifiers and
fourth level
diff --git a/sbin/sysctl/sysctl.8 b/sbin/sysctl/sysctl.8
index 6bb7064dba1..d1311f0b6a1 100644
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sysctl.8,v 1.160 2011/07/06 23:44:20 sthen Exp $
+.\" $OpenBSD: sysctl.8,v 1.161 2011/07/08 18:30:17 yasuoka Exp $
.\" $NetBSD: sysctl.8,v 1.4 1995/09/30 07:12:49 thorpej Exp $
.\"
.\" Copyright (c) 1993
@@ -30,7 +30,7 @@
.\"
.\" @(#)sysctl.8 8.2 (Berkeley) 5/9/95
.\"
-.Dd $Mdocdate: July 6 2011 $
+.Dd $Mdocdate: July 8 2011 $
.Dt SYSCTL 8
.Os
.Sh NAME
@@ -317,6 +317,7 @@ and a few require a kernel compiled with non-standard
.It net.inet6.icmp6.mtudisc_hiwat integer yes
.It net.inet6.icmp6.mtudisc_lowat integer yes
.It net.inet6.icmp6.nd6_debug integer yes
+.It net.pipex.enable integer yes
.It debug.syncprt integer yes
.It debug.busyprt integer yes
.It debug.doclusterread integer yes
diff --git a/sbin/sysctl/sysctl.c b/sbin/sysctl/sysctl.c
index c9476e84666..fe26c1f0107 100644
--- a/sbin/sysctl/sysctl.c
+++ b/sbin/sysctl/sysctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sysctl.c,v 1.176 2011/05/23 01:33:20 djm Exp $ */
+/* $OpenBSD: sysctl.c,v 1.177 2011/07/08 18:30:17 yasuoka Exp $ */
/* $NetBSD: sysctl.c,v 1.9 1995/09/30 07:12:50 thorpej Exp $ */
/*
@@ -72,6 +72,7 @@
#include <net/pfvar.h>
#include <net/if_pfsync.h>
+#include <net/pipex.h>
#ifdef INET6
#include <netinet/ip6.h>
@@ -591,6 +592,12 @@ parse(char *string, int flags)
return;
break;
}
+ if (mib[1] == PF_PIPEX) {
+ len = sysctl_pipex(string, &bufp, mib, flags, &type);
+ if (len < 0)
+ return;
+ break;
+ }
if (flags == 0)
return;
warnx("use netstat to view %s information", string);
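Review bot: The new `PF_PIPEX` branch calls `sysctl_pipex`, which is defined further down the file in a later hunk, and none of the visible hunks adds a prototype for it; if the file's forward-declaration list (outside this view) was not updated, the call compiles against an implicit declaration. A declaration next to the other `sysctl_*` prototypes, `int sysctl_pipex(char *, char **, int *, int, int *);`, would make that explicit. parse()'s body begins and ends outside this hunk.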
@@ -1346,6 +1353,7 @@ struct ctlname pfsyncname[] = PFSYNCCTL_NAMES;
struct ctlname divertname[] = DIVERTCTL_NAMES;
struct ctlname bpfname[] = CTL_NET_BPF_NAMES;
struct ctlname ifqname[] = CTL_IFQ_NAMES;
+struct ctlname pipexname[] = PIPEXCTL_NAMES;
struct list inetlist = { inetname, IPPROTO_MAXID };
struct list inetvars[] = {
{ ipname, IPCTL_MAXID }, /* ip */
@@ -1610,6 +1618,7 @@ struct list inetvars[] = {
};
struct list bpflist = { bpfname, NET_BPF_MAXID };
struct list ifqlist = { ifqname, IFQCTL_MAXID };
+struct list pipexlist = { pipexname, PIPEXCTL_MAXID };
struct list kernmalloclist = { kernmallocname, KERN_MALLOC_MAXID };
struct list forkstatlist = { forkstatname, KERN_FORKSTAT_MAXID };
@@ -2171,6 +2180,24 @@ sysctl_mpls(char *string, char **bufpp, int mib[], int flags, int *typep)
return (3);
}
+/* handle PIPEX requests */
+int
+sysctl_pipex(char *string, char **bufpp, int mib[], int flags, int *typep)
+{
+ struct list *lp;
+ int indx;
+
+ if (*bufpp == NULL) {
+ listall(string, &pipexlist);
+ return (-1);
+ }
+ if ((indx = findname(string, "third", bufpp, &pipexlist)) == -1)
+ return (-1);
+ mib[2] = indx;
+ *typep = pipexlist.list[indx].ctl_type;
+ return (3);
+}
+
/*
* Handle SysV semaphore info requests
*/
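Review bot: The header comment on the new function, `/* handle PIPEX requests */`, is a one-liner where the neighbouring handlers (the SysV semaphore handler directly below it) use the file's multi-line block form; writing it as `/*` / ` * Handle PIPEX requests` / ` */` keeps the section uniform. The body mirrors sysctl_mpls above it: with no third-level component it lists every name in `pipexlist` and returns -1, otherwise it resolves the name with findname, stores the index in `mib[2]` and returns a mib depth of 3, so a caller can rely on the same contract as the other handlers.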
diff --git a/share/man/man4/options.4 b/share/man/man4/options.4
index 4828c477810..feaf6f03ed7 100644
--- a/share/man/man4/options.4
+++ b/share/man/man4/options.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: options.4,v 1.219 2011/07/05 15:36:13 jmc Exp $
+.\" $OpenBSD: options.4,v 1.220 2011/07/08 18:30:17 yasuoka Exp $
.\" $NetBSD: options.4,v 1.21 1997/06/25 03:13:00 thorpej Exp $
.\"
.\" Copyright (c) 1998 Theo de Raadt
@@ -34,7 +34,7 @@
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\"
-.Dd $Mdocdate: July 5 2011 $
+.Dd $Mdocdate: July 8 2011 $
.Dt OPTIONS 4
.Os
.Sh NAME
@@ -580,6 +580,9 @@ Include kernel support for the AppleTalk family of protocols.
This suite of supporting code is sometimes called
.Em netatalk
support.
+.It Cd option PIPEX
+Includes PIPEX in-kernel acceleration for PPPoE, L2TP or PPTP.
+This is used by npppd(8).
.It Cd option PPP_BSDCOMP
Enables BSD compressor for PPP connections.
.It Cd option PPP_DEFLATE
diff --git a/sys/kern/uipc_domain.c b/sys/kern/uipc_domain.c
index 0098c12af3f..a30d326b5be 100644
--- a/sys/kern/uipc_domain.c
+++ b/sys/kern/uipc_domain.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_domain.c,v 1.30 2010/07/02 15:02:38 blambert Exp $ */
+/* $OpenBSD: uipc_domain.c,v 1.31 2011/07/08 18:30:16 yasuoka Exp $ */
/* $NetBSD: uipc_domain.c,v 1.14 1996/02/09 19:00:44 christos Exp $ */
/*
@@ -208,6 +208,11 @@ net_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
return (pflow_sysctl(name + 1, namelen - 1, oldp, oldlenp,
newp, newlen));
#endif
+#ifdef PIPEX
+ if (family == PF_PIPEX)
+ return (pipex_sysctl(name + 1, namelen - 1, oldp, oldlenp,
+ newp, newlen));
+#endif
dp = pffinddomain(family);
if (dp == NULL)
return (ENOPROTOOPT);
diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c
index d5b77eb20aa..0321a33726f 100644
--- a/sys/net/if_ethersubr.c
+++ b/sys/net/if_ethersubr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_ethersubr.c,v 1.149 2011/07/04 23:58:26 claudio Exp $ */
+/* $OpenBSD: if_ethersubr.c,v 1.150 2011/07/08 18:30:16 yasuoka Exp $ */
/* $NetBSD: if_ethersubr.c,v 1.19 1996/05/07 02:40:30 thorpej Exp $ */
/*
@@ -750,14 +750,14 @@ decapsulate:
eh_tmp = mtod(m, struct ether_header *);
bcopy(eh, eh_tmp, sizeof(struct ether_header));
#ifdef PIPEX
- {
- struct pipex_session *session;
+ if (pipex_enable) {
+ struct pipex_session *session;
- if ((session = pipex_pppoe_lookup_session(m)) != NULL) {
- pipex_pppoe_input(m, session);
- goto done;
+ if ((session = pipex_pppoe_lookup_session(m)) != NULL) {
+ pipex_pppoe_input(m, session);
+ goto done;
+ }
}
- }
#endif
if (etype == ETHERTYPE_PPPOEDISC)
inq = &pppoediscinq;
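Review bot: The new `if (pipex_enable)` guard changes where an established PPPoE session's frames go once the sysctl is turned back off: the session lookup is skipped and the frame continues to the `inq` selection below instead of the PIPEX input path, and nothing in this hunk tears down or drains the kernel session. A short comment on the guard, `/* net.pipex.enable=0 bypasses PIPEX; frames fall through to the normal pppoe queues */`, would make that fallback explicit for the next reader. The same applies to the `pipex_enable` guards added in sys/netinet/ip_gre.c and sys/netinet/udp_usrreq.c. The enclosing function's body starts and ends outside this hunk.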
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index 6ee41c1e46c..f5db7bf21e2 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.18 2011/07/07 22:32:51 mcbride Exp $ */
+/* $OpenBSD: pipex.c,v 1.19 2011/07/08 18:30:17 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -36,6 +36,7 @@
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/select.h>
+#include <sys/sysctl.h>
#include <sys/syslog.h>
#include <sys/conf.h>
#include <sys/time.h>
@@ -84,6 +85,7 @@
/*
* static/global variables
*/
+int pipex_enable = 0;
struct pipex_hash_head
pipex_session_list, /* master session list */
pipex_close_wait_list, /* expired session list */
@@ -2978,3 +2980,21 @@ pipex_sockaddr_compar_addr(struct sockaddr *a, struct sockaddr *b)
panic("pipex_sockaddr_compar_addr: unknown address family");
return -1;
}
+
+int
+pipex_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
+ size_t newlen)
+{
+ /* All sysctl names at this level are terminal. */
+ if (namelen != 1)
+ return (ENOTDIR);
+
+ switch (name[0]) {
+ case PIPEXCTL_ENABLE:
+ return (sysctl_int(oldp, oldlenp, newp, newlen,
+ &pipex_enable));
+ default:
+ return (ENOPROTOOPT);
+ }
+ /* NOTREACHED */
+}
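Review bot: `sysctl_int` stores whatever integer the caller supplies into `pipex_enable`, so values other than 0 and 1 are accepted and every `if (pipex_enable)` guard treats them as enabled, while the sysctl.3 text in this commit documents only 0 and 1. Either constrain the accepted values or state the contract in a header comment on the function, e.g. `/* net.pipex sysctl handler; pipex_enable is a boolean, any non-zero value enables PIPEX */`. The `/* NOTREACHED */` after the switch is accurate, since both the case and the default return.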
diff --git a/sys/net/pipex.h b/sys/net/pipex.h
index 063ea59e596..391e69ea54d 100644
--- a/sys/net/pipex.h
+++ b/sys/net/pipex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.h,v 1.8 2011/04/02 11:52:44 dlg Exp $ */
+/* $OpenBSD: pipex.h,v 1.9 2011/07/08 18:30:17 yasuoka Exp $ */
/*
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -29,6 +29,23 @@
#ifndef NET_PIPEX_H
#define NET_PIPEX_H 1
+/*
+ * Names for pipex sysctl objects
+ */
+#define PIPEXCTL_ENABLE 1
+#define PIPEXCTL_MAXID 2
+
+#define PIPEXCTL_NAMES { \
+ { 0, 0 }, \
+ { "enable", CTLTYPE_INT }, \
+}
+
+#define PIPEXCTL_VARS { \
+ NULL, \
+ &pipex_enable \
+ NULL \
+}
+
#define PIPEX_ENABLE 1
#define PIPEX_DISABLE 0
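Review bot: `PIPEXCTL_VARS` is malformed: the line `&pipex_enable \` has no trailing comma before `NULL \`, so any expansion of the macro is a syntax error, and it lists three initializers although `PIPEXCTL_MAXID` is 2 and the matching `PIPEXCTL_NAMES` has two entries. None of the visible hunks expands the macro (pipex_sysctl dispatches with a switch), which is why it compiles today; the definition should become `#define PIPEXCTL_VARS { NULL, &pipex_enable }` or be dropped until something uses it. `PIPEXCTL_NAMES` and `PIPEXCTL_MAXID` look consistent with each other.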
@@ -163,6 +180,7 @@ struct pipex_session_descr_req {
#define PIPEXSIFDESCR _IOW ('p', 8, struct pipex_session_descr_req)
#ifdef _KERNEL
+extern int pipex_enable;
struct pipex_session;
diff --git a/sys/netinet/ip_gre.c b/sys/netinet/ip_gre.c
index 11d1ee761ea..7edc239d8dc 100644
--- a/sys/netinet/ip_gre.c
+++ b/sys/netinet/ip_gre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_gre.c,v 1.42 2011/07/05 21:40:38 dhill Exp $ */
+/* $OpenBSD: ip_gre.c,v 1.43 2011/07/08 18:30:17 yasuoka Exp $ */
/* $NetBSD: ip_gre.c,v 1.9 1999/10/25 19:18:11 drochner Exp $ */
/*
@@ -249,14 +249,14 @@ gre_input(struct mbuf *m, ...)
}
#ifdef PIPEX
- {
- struct pipex_session *session;
+ if (pipex_enable) {
+ struct pipex_session *session;
- if ((session = pipex_pptp_lookup_session(m)) != NULL) {
- if (pipex_pptp_input(m, session) == NULL)
- return;
+ if ((session = pipex_pptp_lookup_session(m)) != NULL) {
+ if (pipex_pptp_input(m, session) == NULL)
+ return;
+ }
}
- }
#endif
ret = gre_input2(m, hlen, IPPROTO_GRE);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index d2479425074..b3fd28f017e 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.144 2011/05/13 14:31:17 oga Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.145 2011/07/08 18:30:17 yasuoka Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -692,7 +692,7 @@ udp_input(struct mbuf *m, ...)
IP_RECVDSTPORT, IPPROTO_IP);
}
#ifdef PIPEX
- if (inp->inp_pipex) {
+ if (pipex_enable && inp->inp_pipex) {
struct pipex_session *session;
int off = iphlen + sizeof(struct udphdr);
if ((session = pipex_l2tp_lookup_session(m, off)) != NULL) {
diff --git a/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt b/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt
index 58ab59329a1..c2ca9d358ae 100644
--- a/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt
+++ b/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt
@@ -1,4 +1,4 @@
-$Id: HOWTO_PIPEX_NPPPD.txt,v 1.4 2011/07/06 20:52:28 yasuoka Exp $
+$Id: HOWTO_PIPEX_NPPPD.txt,v 1.5 2011/07/08 18:30:17 yasuoka Exp $
How to test npppd and pipex
---------------------------
@@ -10,36 +10,33 @@ on server
1. update your source tree
- 2. enable PIPEX on your kernel and reboot with the kernel
- Add bellow line to your kernel configuration file
+ 2. build and update kernel
- option PIPEX # Pppac IP EXtension, for npppd
-
- 3. build and update kernel
-
- 4. build npppd
+ 3. build npppd
% cd /usr/src/usr.sbin/npppd
% make
% sudo make install
- 5. install npppd.conf and npppd-users.csv to /etc/npppd/
-
+ 4. install npppd.conf and npppd-users.csv to /etc/npppd/
sample npppd.conf and npppd-user.csv attached below on this file.
% sudo mkdir 0755 /etc/npppd
% sudo cp npppd.conf /etc/npppd/
% sudo cp npppd-users.csv /etc/npppd/
- 6. create user '_npppd'
+ 5. create user '_npppd'
- % sudo groupadd _npppd
- % sudo useradd -d /var/empty -s /sbin/nologin -g _npppd _npppd
+ % sudo groupadd _npppd
+ % sudo useradd -d /var/empty -s /sbin/nologin -g _npppd _npppd
- 6. set net.inet.gre.allow=1
- % sudo sysctl net.inet.gre.allow=1
+ 6. enable PIPEX and GRE by sysctl
+
+ % sudo sysctl net.inet.gre.allow=1 (for PPTP)
+ % sudo sysctl net.pipex.enable=1 (for PIPEX)
7. run npppd
+
% sudo /usr/sbin/npppd -d
on client
@@ -88,7 +85,7 @@ How to test L2TP/IPsec
#
# Simplest npppd.conf sample
#
-# $Id: HOWTO_PIPEX_NPPPD.txt,v 1.4 2011/07/06 20:52:28 yasuoka Exp $
+# $Id: HOWTO_PIPEX_NPPPD.txt,v 1.5 2011/07/08 18:30:17 yasuoka Exp $
interface_list: tun0
interface.tun0.ip4addr: 10.0.0.1
@@ -134,6 +131,8 @@ l2tpd.require_ipsec: false
# PPPoE daemon
#pppoed.enabled: true
#pppoed.interface: PPPoE vic0
+
+#pipex.enabled: false
-------------------------------------------------------------------------------
[npppd-users.csv]