Index: if_gre.c
===================================================================
RCS file: /cvs/src/sys/net/if_gre.c,v
retrieving revision 1.100
diff -u -p -r1.100 if_gre.c
--- if_gre.c 12 Feb 2018 03:15:32 -0000 1.100
+++ if_gre.c 14 Feb 2018 08:02:30 -0000
@@ -288,7 +288,6 @@ struct gre_list egre_list = TAILQ_HEAD_I
 * allowed as well.
 *
 */
-int gre_allow = 0;
 int gre_wccp = 0;

 void
@@ -495,9 +494,6 @@ gre_input_key(struct mbuf **mp, int *off
 int mcast = 0;
 int ttloff;

- if (!gre_allow)
- goto decline;
-
 hlen = iphlen + sizeof(*gh);
 if (m->m_pkthdr.len < hlen)
 goto decline;
@@ -555,7 +551,11 @@ gre_input_key(struct mbuf **mp, int *off
 key->t_rtableid = m->m_pkthdr.ph_rtableid;

 switch (gh->gre_proto) {
- case htons(GRE_WCCP):
+ case htons(GRE_WCCP): {
+ struct mbuf *n;
+ int off;
+ uint8_t v;
+
 /* WCCP/GRE:
 * So far as I can see (and test) it seems that Cisco's WCCP
 * GRE tunnel is precisely a IP-in-GRE tunnel that differs
@@ -569,11 +569,19 @@ gre_input_key(struct mbuf **mp, int *off
 * So yes, we're doing a fall-through (unless, of course,
 * net.inet.gre.wccp is 0).
 */
+
+ n = m_getptr(m, hlen, &off);
+ if (n == NULL)
+ goto decline;
+
+ v = n->m_data[off];
+ if (v >> 4 != IPVERSION)
+ hlen += sizeof(gre_wccp);
+
 switch (gre_wccp) {
 case 1:
 break;
 case 2:
- hlen += sizeof(gre_wccp);
 break;
 case 0:
 default:
@@ -811,11 +819,6 @@ gre_output(struct ifnet *ifp, struct mbu
 struct m_tag *mtag;
 int error = 0;

- if (!gre_allow) {
- error = EACCES;
- goto drop;
- }
-
 if (!ISSET(ifp->if_flags, IFF_RUNNING)) {
 error = ENETDOWN;
 goto drop;
@@ -964,9 +967,6 @@ egre_start(struct ifnet *ifp)
 caddr_t if_bpf;
 #endif

- if (!gre_allow)
- ifq_purge(&ifp->if_snd);
-
 while ((m0 = ifq_dequeue(&ifp->if_snd)) != NULL) {
 #if NBPFILTER > 0
 if_bpf = ifp->if_bpf;
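Review bot: After `hlen += sizeof(gre_wccp);` the only length check visible is `if (m->m_pkthdr.len < hlen)` in the -495 hunk, which ran before the increment, so unless code past the inner switch re-validates hlen before the encapsulated header is read, a packet that ends inside the redirect header gets parsed past its end; confirm the later pullup covers the larger hlen or add `if (m->m_pkthdr.len < hlen) goto decline;` right after the increment. The nibble test is a heuristic — a redirect header whose first byte has a high nibble of 4 is taken for an IPv4 header — and the comment block above should say so, since `net.inet.gre.wccp=2` no longer changes the parse: with its `hlen +=` line gone, `case 2:` now does exactly what `case 1:` does and the two labels could share one `break;`. `sizeof(gre_wccp)` is the size of the sysctl int standing in for the redirect-header length; a named constant would read better. The block opened at `case htons(GRE_WCCP): {` in the previous hunk is closed outside this one, as is the rest of gre_input_key.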
@@ -1691,10 +1691,7 @@ gre_sysctl(int *name, u_int namelen, voi

 switch (name[0]) {
 case GRECTL_ALLOW:
- NET_LOCK();
- error = sysctl_int(oldp, oldlenp, newp, newlen, &gre_allow);
- NET_UNLOCK();
- return (error);
+ return (sysctl_rdint(oldp, oldlenp, newp, 1));
 case GRECTL_WCCP:
 NET_LOCK();
 error = sysctl_int(oldp, oldlenp, newp, newlen, &gre_wccp);
Index: if_etherip.c
===================================================================
RCS file: /cvs/src/sys/net/if_etherip.c,v
retrieving revision 1.35
diff -u -p -r1.35 if_etherip.c
--- if_etherip.c 12 Feb 2018 01:43:42 -0000 1.35
+++ if_etherip.c 14 Feb 2018 08:02:30 -0000
@@ -88,12 +88,6 @@ struct etherip_softc {
 uint8_t sc_ttl;
 };

-/*
- * We can control the acceptance of EtherIP packets by altering the sysctl
- * net.inet.etherip.allow value. Zero means drop them, all else is acceptance.
- */
-int etherip_allow = 0;
-
 struct cpumem *etheripcounters;

 void etheripattach(int);
@@ -547,11 +541,6 @@ etherip_input(struct etherip_tunnel *key
 struct ifnet *ifp;
 struct etherip_header *eip;

- if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) {
- etheripstat_inc(etherips_pdrops);
- goto drop;
- }
-
 key->t_rtableid = m->m_pkthdr.ph_rtableid;

 NET_ASSERT_LOCKED();
@@ -696,10 +685,7 @@ etherip_sysctl(int *name, u_int namelen,

 switch (name[0]) {
 case ETHERIPCTL_ALLOW:
- NET_LOCK();
- error = sysctl_int(oldp, oldlenp, newp, newlen, ðerip_allow);
- NET_UNLOCK();
- return (error);
+ return (sysctl_rdint(oldp, oldlenp, newp, 1);
 case ETHERIPCTL_STATS:
 return (etherip_sysctl_etheripstat(oldp, oldlenp, newp));
 default:
Index: if_mobileip.c
===================================================================
RCS file: /cvs/src/sys/net/if_mobileip.c,v
retrieving revision 1.7
diff -u -p -r1.7 if_mobileip.c
--- if_mobileip.c 12 Feb 2018 02:55:40 -0000 1.7
+++ if_mobileip.c 14 Feb 2018 08:02:30 -0000
@@ -100,8 +100,6 @@ static struct mobileip_softc *
 * let's begin
 */

-int mobileip_allow = 0;
-
 void
 mobileipattach(int n)
 {
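Review bot: GRECTL_ALLOW now answers a constant 1 through sysctl_rdint, which as far as I recall also refuses writes with EPERM, so a `net.inet.gre.allow=1` line in sysctl.conf will start failing at boot; that user-visible change belongs in the commit message and in gre(4)/sysctl(3). The comment above `int gre_wccp = 0;` in the -288 hunk, of which only ` * allowed as well.` is visible, appears to describe the removed allow knob too; its earlier lines are outside that hunk, so check it no longer documents a setting that cannot be changed anymore. gre_sysctl continues past the hunk.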
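Review bot: The added `return (sysctl_rdint(oldp, oldlenp, newp, 1);` is missing its closing parenthesis and will not compile; it should read `return (sysctl_rdint(oldp, oldlenp, newp, 1));`, as the equivalent lines in if_gre.c and if_mobileip.c do. With the ETHERIPCTL_ALLOW case no longer using `error`, check whether that local is still referenced elsewhere in etherip_sysctl, which continues outside the hunk, or it will draw an unused-variable warning.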
@@ -215,12 +213,6 @@ mobileip_output(struct ifnet *ifp, struc
 struct m_tag *mtag;
 int error = 0;

- if (!mobileip_allow) {
- m_freem(m);
- error = EACCES;
- goto end;
- }
-
 if (!ISSET(ifp->if_flags, IFF_RUNNING)) {
 m_freem(m);
 error = ENETDOWN;
@@ -540,9 +532,6 @@ mobileip_input(struct mbuf **mp, int *of
 int iphlen = 0;
 int hlen;

- if (!mobileip_allow)
- goto drop;
-
 ip = mtod(m, struct ip *);
 key.t_rtableid = m->m_pkthdr.ph_rtableid;
@@ -628,24 +617,13 @@ int
 mobileip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
 void *newp, size_t newlen)
 {
- int allow;
- int error;
-
 /* All sysctl names at this level are terminal. */
 if (namelen != 1)
 return (ENOTDIR);

 switch (name[0]) {
 case MOBILEIPCTL_ALLOW:
- allow = mobileip_allow;
-
- error = sysctl_int(oldp, oldlenp, newp, newlen,
- &allow);
- if (error != 0)
- return (error);
-
- mobileip_allow = allow;
- break;
+ return (sysctl_rdint(oldp, oldlenp, newp, 1));
 default:
 return (ENOPROTOOPT);
 }
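Review bot: With `case MOBILEIPCTL_ALLOW:` now returning directly and `default:` returning ENOPROTOOPT, every path leaves mobileip_sysctl inside the switch, so whatever follows the closing `}` — the return the removed `break;` used to reach — is now unreachable; the end of the function is outside the hunk, so either drop that tail or keep `break;` here and let the common return stand. The removed `int error;` is not referenced by any remaining line in the hunk, so dropping it is consistent with the visible code.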