From 7bfc98af12d6155e2efca171cffe6c441ca6b6e1 Mon Sep 17 00:00:00 2001
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Date: Thu, 28 May 2020 07:26:18 +0000
Subject: [PATCH] Switch gif(4) path verification to fib[46]_check_urfp().

fibX_lookup_nh_ represents pre-epoch generation of fib api,
providing less guarantees over pointer validness and requiring
on-stack data copying.
Use specialized fib[46]_check_urpf() from newer KPI instead,
to allow removal of older KPI.

Reviewed by:	ae
Differential Revision:	https://reviews.freebsd.org/D24978
---
 sys/netinet/in_gif.c   |  9 ++-------
 sys/netinet6/in6_gif.c | 10 +++-------
 2 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index b1167054cb0..46752534626 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -379,13 +379,8 @@ done:
 		return (0);
 	/* ingress filters on outer source */
 	if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0) {
-		struct nhop4_basic nh4;
-		struct in_addr dst;
-
-		dst = ip->ip_src;
-		if (fib4_lookup_nh_basic(sc->gif_fibnum, dst, 0, 0, &nh4) != 0)
-			return (0);
-		if (nh4.nh_ifp != m->m_pkthdr.rcvif)
+		if (fib4_check_urpf(sc->gif_fibnum, ip->ip_src, 0, NHR_NONE,
+					m->m_pkthdr.rcvif) == 0)
 			return (0);
 	}
 	*arg = sc;
diff --git a/sys/netinet6/in6_gif.c b/sys/netinet6/in6_gif.c
index 4bd2dc9d594..33cc06d065b 100644
--- a/sys/netinet6/in6_gif.c
+++ b/sys/netinet6/in6_gif.c
@@ -402,13 +402,9 @@ done:
 		return (0);
 	/* ingress filters on outer source */
 	if ((GIF2IFP(sc)->if_flags & IFF_LINK2) == 0) {
-		struct nhop6_basic nh6;
-
-		if (fib6_lookup_nh_basic(sc->gif_fibnum, &ip6->ip6_src,
-		    ntohs(in6_getscope(&ip6->ip6_src)), 0, 0, &nh6) != 0)
-			return (0);
-
-		if (nh6.nh_ifp != m->m_pkthdr.rcvif)
+		if (fib6_check_urpf(sc->gif_fibnum, &ip6->ip6_src,
+		    ntohs(in6_getscope(&ip6->ip6_src)), NHR_NONE,
+		    m->m_pkthdr.rcvif) == 0)
 			return (0);
 	}
 	*arg = sc;