provide ip_tos_patch() for setting ip_tos and patching the ipv4 cksum.

previously the gif code would patch the tos field and not recalc
the cksum, which would cause ip input code to drop the packet due
to a cksum failure. the ipip code patched ip_tos and unconditionally
recalculated the cksum, making it correct, but also wiping out any
errors that may have been present before the recalculation. updating
the cksum rather than replacing it lets cksum failures still fire.

ip_tos_patch() is provided in the ecn code since it's because of ecn
propagation that we need to update the tos field. internally it
works like pf_patch_8 and pf_cksum_fixup, but since pf is optional
it rolls its own code. procter may fix that in the future...

ok claudio@

1 files changed, 3 insertions, 2 deletions

diff --git a/sys/net/if_gif.c b/sys/net/if_gif.c
index 093c4a95153..abec736b180 100644
--- a/sys/net/if_gif.c
+++ b/sys/net/if_gif.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_gif.c,v 1.123 2018/11/14 03:20:03 dlg Exp $	*/
+/*	$OpenBSD: if_gif.c,v 1.124 2018/11/14 23:55:04 dlg Exp $	*/
 /*	$KAME: if_gif.c,v 1.43 2001/02/20 08:51:07 itojun Exp $	*/
 
 /*
@@ -809,7 +809,8 @@ gif_input(struct gif_tunnel *key, struct mbuf **mp, int *offp, int proto,
 		if (ip_ecn_egress(ECN_ALLOWED, &otos, &itos) == 0)
 			goto drop;
 
-		ip->ip_tos = itos;
+		if (itos != ip->ip_tos)
+			ip_tos_patch(ip, itos);
 
 		m->m_pkthdr.ph_family = AF_INET;
 		input = ipv4_input;