From 48bb658413077ba7785377ef6a8ca437cfef7a21 Mon Sep 17 00:00:00 2001
From: philip <philip@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Tue, 1 Aug 2017 13:40:37 +0000
Subject: [PATCH] MFC r320941: Fix GRE over IPv6 tunnels with IPFW

Previously, GRE packets in IPv6 tunnels would be dropped by IPFW (unless
net.inet6.ip6.fw.deny_unknown_exthdrs was unset).

PR:		220640
Submitted by:	Kun Xie <kxie@xiplink.com>


git-svn-id: svn://svn.freebsd.org/base/stable/9@321874 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 sys/netpfil/ipfw/ip_fw2.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index 4642f690b..2eb42af25 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -86,6 +86,8 @@ __FBSDID("$FreeBSD$");
 #include <netinet6/ip6_var.h>
 #endif
 
+#include <net/if_gre.h> /* for struct gre_h */
+
 #include <netpfil/ipfw/ip_fw_private.h>
 
 #include <machine/in_cksum.h>	/* XXX for in_cksum */
@@ -1144,6 +1146,11 @@ do {								\
 				PULLUP_TO(hlen, ulp, struct pim);
 				break;
 
+			case IPPROTO_GRE:	/* RFC 1701 */
+				/* XXX GRE header check? */
+				PULLUP_TO(hlen, ulp, struct gre_h);
+				break;
+
 			case IPPROTO_CARP:
 				PULLUP_TO(hlen, ulp, struct carp_header);
 				if (((struct carp_header *)ulp)->carp_version !=
-- 
2.42.0