From fd855fa2283d640768a2d4d7d17dc12e1663f3c1 Mon Sep 17 00:00:00 2001
From: Zhenlei Huang <zlei@FreeBSD.org>
Date: Tue, 16 Sep 2025 23:58:24 +0800
Subject: [PATCH] ipfw: Teach ipfw that EtherIP is an upper layer protocol

so that we do not discard EtherIP packets ( over IPv6 network ) when
net.inet6.ip6.fw.deny_unknown_exthdrs is set to 1 ( which is the default
value ).

PR:		227450
Reviewed by:	ae, #network
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D52566

(cherry picked from commit 0418e6690e91aa6c38dd9af9da43c4c5a9dc1cd2)
(cherry picked from commit b1c96e54b906d0cdea0b5a9c74cc295803dfe50e)
---
 sys/netpfil/ipfw/ip_fw2.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index 0e0ecd3c6b2..928ccefe480 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -67,6 +67,7 @@
 #include <net/route/nhop.h>
 #include <net/pfil.h>
 #include <net/vnet.h>
+#include <net/if_gif.h>
 #include <net/if_pfsync.h>
 
 #include <netpfil/pf/pf_mtag.h>
@@ -1717,6 +1718,12 @@ do {								\
 				PULLUP_TO(hlen, ulp, struct ip);
 				break;
 
+			case IPPROTO_ETHERIP:	/* RFC 3378 */
+				PULLUP_LEN(hlen, ulp,
+				    sizeof(struct etherip_header) +
+				    sizeof(struct ether_header));
+				break;
+
 			case IPPROTO_PFSYNC:
 				PULLUP_TO(hlen, ulp, struct pfsync_header);
 				break;