From nobody@FreeBSD.org  Tue Sep 18 13:56:53 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 9EC6C37B403
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 18 Sep 2001 13:56:53 -0700 (PDT)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f8IKurl34105;
	Tue, 18 Sep 2001 13:56:53 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200109182056.f8IKurl34105@freefall.freebsd.org>
Date: Tue, 18 Sep 2001 13:56:53 -0700 (PDT)
From: Lars Eggert <larse@isi.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: KAME option MAX_GIF_NEST missing from /usr/src/sys/conf/options
X-Send-Pr-Version: www-1.0

>Number:         30653
>Category:       kern
>Synopsis:       KAME option MAX_GIF_NEST missing from /usr/src/sys/conf/options
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    brooks
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 18 14:00:00 PDT 2001
>Closed-Date:    Mon Mar 25 02:55:51 PST 2002
>Last-Modified:  Mon Mar 25 02:55:51 PST 2002
>Originator:     Lars Eggert
>Release:        4.2-RELEASE
>Organization:
USC/ISI
>Environment:
FreeBSD dee.isi.edu 4.2-RELEASE FreeBSD 4.2-RELEASE #0: Thu May 24 16:51:34 PDT 2001     larse@dee.isi.edu:/usr/src/sys/compile/KERNEL-1.20  i386

>Description:
The KAME kernel option MAX_GIF_NEST limits the number of recursive gif tunnels that the system allows (tunnels in tunnels).

This option has never been merged into the FreeBSD options file. The code that goes with it *does* exist in the FreeBSD tree, the problem is that the option isn't included in /usr/src/sys/conf/options, and thus that code cannot be enabled.

The code enabled by MAX_GIF_NEST is critical to the correct operation of the X-Bone port in net/xbone. Could this be added, please?

PS: Even though I'm running 4.2, this is still missing from 4.4-RC and -CURRENT.
>How-To-Repeat:

>Fix:
--- /usr/src/sys/conf/options   Thu Nov 16 09:28:30 2000
+++ /usr/src/sys/conf/options.new       Tue Mar  6 13:44:12 2001
@@ -448,3 +448,4 @@
 FDC_DEBUG              opt_fdc.h
 PCFCLOCK_VERBOSE       opt_pcfclock.h
 PCFCLOCK_MAX_RETRIES   opt_pcfclock.h
+MAX_GIF_NEST           opt_inet.h
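Review bot: the added MAX_GIF_NEST line is appended after the unrelated PCFCLOCK_* entries (the hunk has no trailing context, so apparently at the end of the file) and the patch carries no documentation for it. Suggest placing it with the other network options and adding a LINT entry that states what the value bounds (the nesting depth of gif tunnels) and its default. Please also confirm that the source file reading MAX_GIF_NEST includes opt_inet.h, since otherwise config will accept the option but it will have no effect, and regenerate the diff against the target branch, because the headers show a file dated Nov 2000.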

>Release-Note:
>Audit-Trail:

From: Brooks Davis <brooks@one-eyed-alien.net>
To: Lars Eggert <larse@isi.edu>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: kern/30653: KAME option MAX_GIF_NEST missing from /usr/src/sys/conf/options
Date: Tue, 25 Sep 2001 16:10:54 -0700

 On Tue, Sep 18, 2001 at 01:56:53PM -0700, Lars Eggert wrote:
 > The KAME kernel option MAX_GIF_NEST limits the number of recursive gif
 > tunnels that the system allows (tunnels in tunnels).
 > 
 > This option has never been merged into the FreeBSD options file. The
 > code that goes with it *does* exist in the FreeBSD tree, the problem
 > is that the option isn't included in /usr/src/sys/conf/options, and
 > thus that code cannot be enabled.
 > 
 > The code enabled by MAX_GIF_NEST is critical to the correct operation
 > of the X-Bone port in net/xbone. Could this be added, please?
 
 I think this is the wrong solution to this problem.  Instead, a sysctl
 under the currently nonexistent net.link.gif branch should be used to
 control the value of max_gif_nesting at runtime.  IMO, XBONEHACK should
 probably be controlled similarly so you don't need to recompile gif to
 use xbone.  I've added this to my todo list, but the funding I was using
 to hack gif dried up a month or so ago so I don't know when I'll get to
 it.
 
 FWIW, you can set this option in -current (and probably -stable) by
 adding a line like this to your kernel config:
 
 makeoptions	CONF_CFLAGS="-DMAX_GIF_NEST=32"
 
 -- Brooks

From: Lars Eggert <larse@ISI.EDU>
To: Brooks Davis <brooks@one-eyed-alien.net>
Cc: freebsd-gnats-submit@FreeBSD.ORG, xbone@ISI.EDU
Subject: Re: kern/30653: KAME option MAX_GIF_NEST missing from /usr/src/sys/conf/options
Date: Tue, 25 Sep 2001 16:37:51 -0700

 Brooks Davis wrote:
 
 > On Tue, Sep 18, 2001 at 01:56:53PM -0700, Lars Eggert wrote:
 > 
 >>The KAME kernel option MAX_GIF_NEST limits the number of recursive gif
 >>tunnels that the system allows (tunnels in tunnels).
 >>
 >>This option has never been merged into the FreeBSD options file. The
 >>code that goes with it *does* exist in the FreeBSD tree, the problem
 >>is that the option isn't included in /usr/src/sys/conf/options, and
 >>thus that code cannot be enabled.
 >>
 >>The code enabled by MAX_GIF_NEST is critical to the correct operation
 >>of the X-Bone port in net/xbone. Could this be added, please?
 >>
 > 
 > I think this is the wrong solution to this problem.  Instead, a sysctl
 > under the currently nonexistent net.link.gif branch should be used to
 > control the value of max_gif_nesting at runtime.  IMO, XBONEHACK should
 > probably be controlled similarly so you don't need to recompile gif to
 > use xbone.  I've added this to my todo list, but the funding I was using
 > to hack gif dried up a month or so ago so I don't know when I'll get to
 > it.
 
 
 Brooks,
 
 thanks for looking into this!
 
 The MAX_GIF_NEST option is unrelated to the XBONEHACK option.
 
 XBONEHACK was necessary, because one could not configure two parallel 
 gif tunnels between the same two physical endpoints with KAME. We have 
 since worked around the problem by using aliases on the first tunnel 
 instead of pulling up a second one in parallel. I still think KAME 
 should not prohibit parallel tunnels, but it's of secondary importance 
 since we switched to aliases. XBONEHACK could even be removed, if it 
 matters.
 
 MAX_GIF_NEST is not an X-Bone patch, it's standard KAME code that we 
 just happen to rely upon. Unlike XBONEHACK, there is no work-around: If 
 MAX_GIF_NEST isn't available it defaults to 1 (or 0, no recursion in any 
 case), which breaks ports/net/xbone.
 
 
 > FWIW, you can set this option in -current (and probably -stable) by
 > adding a line like this to your kernel config:
 > 
 > makeoptions	CONF_CFLAGS="-DMAX_GIF_NEST=32"
 
 If that works with 4.4-RELEASE, that'd be a good workaround! The reason 
 I submitted the PR originally was that people got a lot more nervous 
 when we asked them to patch their kernels (even though it's only a 
 config file) compared to simply setting a kernel option. CONF_FLAGS may 
 help with that.
 
 Lars
 -- 
 Lars Eggert <larse@isi.edu>               Information Sciences Institute
 http://www.isi.edu/larse/              University of Southern California
 
Responsible-Changed-From-To: freebsd-bugs->brooks 
Responsible-Changed-By: brooks 
Responsible-Changed-When: Tue Sep 25 17:27:28 PDT 2001 
Responsible-Changed-Why:  
I'll take this one. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30653 

From: Brooks Davis <brooks@one-eyed-alien.net>
To: Lars Eggert <larse@ISI.EDU>
Cc: freebsd-gnats-submit@FreeBSD.ORG, xbone@ISI.EDU
Subject: Re: kern/30653: KAME option MAX_GIF_NEST missing from /usr/src/sys/conf/options
Date: Tue, 25 Sep 2001 17:28:43 -0700

 On Tue, Sep 25, 2001 at 04:37:51PM -0700, Lars Eggert wrote:
 > XBONEHACK was necessary, because one could not configure two parallel 
 > gif tunnels between the same two physical endpoints with KAME. We have 
 > since worked around the problem by using aliases on the first tunnel 
 > instead of pulling up a second one in parallel. I still think KAME 
 > should not prohibit parallel tunnels, but it's of secondary importance 
 > since we switched to aliases. XBONEHACK could even be removed, if it 
 > matters.
 
 I agree parallel tunnels should be allowed.  I ran into a non X-Bone need
 for this so my feeling is that we should allow it to be controlled at
 runtime.  That way, people who think parallel tunnels shouldn't work
 can "protect" themselves and the rest of us can have them without
 a recompile.
 
 > MAX_GIF_NEST is not an X-Bone patch, it's standard KAME code that we 
 > just happen to rely upon. Unlike XBONEHACK, there is no work-around: If 
 > MAX_GIF_NEST isn't available it defaults to 1 (or 0, no recursion in any 
 > case), which breaks ports/net/xbone.
 
 It looks like KAME meant to make this dynamic but never got around to it.
 I'd guess that's why there isn't a tweakable option.
 
 -- Brooks

From: Lars Eggert <larse@ISI.EDU>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/30653: KAME option MAX_GIF_NEST missing from /usr/src/sys/conf/options
Date: Mon, 04 Feb 2002 16:31:24 -0800

 This is a cryptographically signed message in MIME format.
 
 --------------ms010601060102010607040900
 Content-Type: text/plain; charset=us-ascii; format=flowed
 Content-Transfer-Encoding: 7bit
 
 This can be closed, the work-around Brooks suggested (using CONF_FLAGS) 
 works fine.
 -- 
 Lars Eggert <larse@isi.edu>               Information Sciences Institute
 http://www.isi.edu/larse/              University of Southern California
 
 --------------ms010601060102010607040900
 Content-Type: application/x-pkcs7-signature; name="smime.p7s"
 Content-Transfer-Encoding: base64
 Content-Disposition: attachment; filename="smime.p7s"
 Content-Description: S/MIME Cryptographic Signature
 
 --------------ms010601060102010607040900--
 
State-Changed-From-To: open->closed 
State-Changed-By: brooks 
State-Changed-When: Mon Mar 25 02:52:53 PST 2002 
State-Changed-Why:  
Support for a new sysctl, net.link.gif.max_nesting, which allows 
runtime tuning of the value previously set by MAX_GIF_NEST has been 
committed.  MAX_GIF_NEST will continue to work for the duration of 
the 4.x release cycle, but is deprecated. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=30653 
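
A userspace model of the nesting cap discussed in this PR, added here as an illustration and not taken from the FreeBSD or KAME sources: `struct tunnel` and `encap_depth` are hypothetical names, and the default of 1 follows the description given in the thread. It shows the compile-time default rejecting a tunnel in a tunnel, and a limit raised at runtime still terminating on a looped configuration.

```c
#include <stdio.h>
#include <stddef.h>

/* Compile-time default; override with -DMAX_GIF_NEST=32 as in the thread. */
#ifndef MAX_GIF_NEST
#define MAX_GIF_NEST 1
#endif

/* Runtime knob, modelling the value net.link.gif.max_nesting exposes. */
static int max_gif_nesting = MAX_GIF_NEST;

/* Hypothetical model of a tunnel interface, not the kernel's structure. */
struct tunnel {
    const char *name;
    const struct tunnel *outer; /* carrier of the encapsulated packet; NULL = physical link */
};

/* Count encapsulation layers from t outward.
 * Returns the depth on success, or -1 as soon as the limit is exceeded,
 * which also ends the walk when the configuration forms a loop. */
int encap_depth(const struct tunnel *t)
{
    int depth = 0;
    for (; t != NULL; t = t->outer)
        if (++depth > max_gif_nesting)
            return -1;
    return depth;
}

int main(void)
{
    struct tunnel gif0 = { "gif0", NULL };
    struct tunnel gif1 = { "gif1", &gif0 };  /* tunnel in tunnel */
    struct tunnel loop = { "gif2", NULL };
    loop.outer = &loop;                       /* constructed misconfiguration */

    printf("limit=%d gif0=%d gif1=%d\n", max_gif_nesting,
           encap_depth(&gif0), encap_depth(&gif1));
    max_gif_nesting = 32;                     /* runtime change, no rebuild */
    printf("limit=%d gif1=%d loop=%d\n", max_gif_nesting,
           encap_depth(&gif1), encap_depth(&loop));
    return 0;
}
```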
>Unformatted:
