Make gif(4) nesting level and parallel tunnel support tunable at runtime

via sysctl's.  The old #defines, MAX_GIF_NEST and XBONEHACK are
currently supported for backwards compatability, but will probably be
removed at some point in the future.

share/man/man4/gif.4

@@ -153,6 +153,24 @@ Ingress filter can be turned off by
 .Dv IFF_LINK2
 bit.
 .\"
+.Pp
+.Ss Miscellaneous
+By default
+.Nm
+tunnels may not be nested.
+This behavior may be modified at runtime by setting the
+.Xr sysctl 8
+variable
+.Va net.link.gif.max_nesting
+to the desired level of nesting.
+Additionally,
+.Nm
+tunnels are restricted to one per pair of end points.
+Parallel tunnels may be enabled by setting the
+.Xr sysctl 8
+variable
+.Va net.link.gif.parallel_tunnels
+to 1.
 .Sh SEE ALSO
 .Xr inet 4 ,
 .Xr inet6 4 ,

sys/net/if_gif.c

@@ -42,6 +42,7 @@
 #include <sys/sockio.h>
 #include <sys/errno.h>
 #include <sys/time.h>
+#include <sys/sysctl.h>
 #include <sys/syslog.h>
 #include <sys/protosw.h>
 #include <sys/conf.h>
@@ -123,9 +124,12 @@ struct ip6protosw in6_gif_protosw =
 };
 #endif
 
+SYSCTL_DECL(_net_link);
+SYSCTL_NODE(_net_link, IFT_GIF, gif, CTLFLAG_RW, 0,
+    "Generic Tunnel Interface");
 #ifndef MAX_GIF_NEST
 /*
- * This macro controls the upper limitation on nesting of gif tunnels.
+ * This macro controls the default upper limitation on nesting of gif tunnels.
  * Since, setting a large value to this macro with a careless configuration
  * may introduce system crash, we don't allow any nestings by default.
  * If you need to configure nested gif tunnels, you can define this macro
@@ -135,6 +139,21 @@ struct ip6protosw in6_gif_protosw =
 #define MAX_GIF_NEST 1
 #endif
 static int max_gif_nesting = MAX_GIF_NEST;
+SYSCTL_INT(_net_link_gif, OID_AUTO, max_nesting, CTLFLAG_RW,
+    &max_gif_nesting, 0, "Max nested tunnels");
+
+/*
+ * By default, we disallow creation of multiple tunnels between the same
+ * pair of addresses.  Some applications require this functionality so
+ * we allow control over this check here.
+ */
+#ifdef XBONEHACK
+static int parallel_tunnels = 1;
+#else
+static int parallel_tunnels = 0;
+#endif
+SYSCTL_INT(_net_link_gif, OID_AUTO, parallel_tunnels, CTLFLAG_RW,
+    &parallel_tunnels, 0, "Allow parallel tunnels?");
 
 int
 gif_clone_create(ifc, unit)
@@ -659,14 +678,17 @@ gif_ioctl(ifp, cmd, data)
 			    sc2->gif_psrc->sa_family != src->sa_family ||
 			    sc2->gif_psrc->sa_len != src->sa_len)
 				continue;
-#ifndef XBONEHACK
-			/* can't configure same pair of address onto two gifs */
-			if (bcmp(sc2->gif_pdst, dst, dst->sa_len) == 0 &&
+
+			/*
+			 * Disallow parallel tunnels unless instructed
+			 * otherwise.
+			 */
+			if (!parallel_tunnels &&
+			    bcmp(sc2->gif_pdst, dst, dst->sa_len) == 0 &&
 			    bcmp(sc2->gif_psrc, src, src->sa_len) == 0) {
 				error = EADDRNOTAVAIL;
 				goto bad;
 			}
-#endif
 
 			/* can't configure multiple multi-dest interfaces */
 #define multidest(x) \