kern/58013: tun(4) with TUNSLMODE enabled is hard-coded to be IPv4-only

[campbell+netbsd%mumble.net@localhost]

>Number:         58013
>Category:       kern
>Synopsis:       tun(4) with TUNSLMODE enabled is hard-coded to be IPv4-only
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 09 06:40:00 +0000 2024
>Originator:     Taylor R Campbell
>Release:        current, 10, 9, 8, ...
>Organization:
The NetBSD Foundatun
>Environment:
>Description:
When a tun(4) instance is configured with ioctl(TUNSLMODE), every packet put out by the kernel and read by the process backing the tun(4) instance has the destination socket address prepended, length-delimited by the .sa_len member.

However, it is hard-coded to be IPv4-only, i.e., to handle only destination socket addresses with .sa_family = AF_INET.

This happens because:

1. ioctl(TUNSLMODE) sets the TUN_PREPADDR flag internally, which is exclusive with the TUN_IFHEAD flag set by ioctl(TUNSIFHEAD).
2. When TUN_IFHEAD is _not_ set, tun_output explicitly restricts dst->sa_family to be AF_INET:

    590 	switch(dst->sa_family) {
    591 #ifdef INET6
    592 	case AF_INET6:
    593 #endif
    594 #ifdef INET
    595 	case AF_INET:
    596 #endif
    597 #if defined(INET) || defined(INET6)
    598 		if (tp->tun_flags & TUN_PREPADDR) {
...
    607 		}
    608 
    609 		if (tp->tun_flags & TUN_IFHEAD) {
...
    619 		} else {
    620 #ifdef INET
    621 			if (dst->sa_family != AF_INET)
    622 #endif
    623 			{
    624 				error = EAFNOSUPPORT;
    625 				goto out;
    626 			}
    627 		}
...
    641 	default:
    642 		error = EAFNOSUPPORT;
    643 		goto out;

https://nxr.netbsd.org/xref/src/sys/net/if_tun.c?r=1.174#590
>How-To-Repeat:
set up wg-userspace with IPv6
>Fix:
Lines 607-609 quoted above should maybe be `} else if ...' instead of `} if ...'.