author | Natanael Copa <ncopa@alpinelinux.org> | 2009-02-16 18:55:25 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2009-02-16 18:55:25 +0000 |
commit | e0bb26315a4ac2199c791e310c1fdace1929e556 (patch) | |
tree | dee163f88ab3614550d3c928e56063cf53ddb576 /core/linux-grsec-sources | |
parent | 89a4e424fd4a1abec4e65a08d4f7cd48dd1acaef (diff) | |
core/linux-grsec-sources: upgrade to 2.6.28.5
Diffstat (limited to 'core/linux-grsec-sources')
3 files changed, 361 insertions, 10 deletions
diff --git a/core/linux-grsec-sources/0001-linux-2.6.28.5-ipgre-strict-binding.patch b/core/linux-grsec-sources/0001-linux-2.6.28.5-ipgre-strict-binding.patch new file mode 100644 index 0000000000..fd0cfeb2a2 --- /dev/null +++ b/core/linux-grsec-sources/0001-linux-2.6.28.5-ipgre-strict-binding.patch 
@@ -0,0 +1,207 @@ +From: Timo Teras <timo.teras@iki.fi> +Date: Tue, 20 Jan 2009 01:22:12 +0000 (-0800) +Subject: gre: strict physical device binding +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-next-2.6.git;a=commitdiff_plain;h=749c10f931923451a4c59b4435d182aa9ae27a4f;hp=57a574993d94671b495cdbe8aeb78b745abfe14f + +gre: strict physical device binding + +Check the device on receive path and allow otherwise identical devices +as long as the physical device differs. + +This is useful for NBMA tunnels, where you want to use different gre IP +for each public IP available via different physical devices. + +Signed-off-by: Timo Teras <timo.teras@iki.fi> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 0101521..4a43739 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -164,67 +164,113 @@ static DEFINE_RWLOCK(ipgre_lock); + + /* Given src, dst and key, find appropriate for input tunnel. */ + +-static struct ip_tunnel * ipgre_tunnel_lookup(struct net *net, ++static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev, + __be32 remote, __be32 local, + __be32 key, __be16 gre_proto) + { ++ struct net *net = dev_net(dev); ++ int link = dev->ifindex; + unsigned h0 = HASH(remote); + unsigned h1 = HASH(key); +- struct ip_tunnel *t; +- struct ip_tunnel *t2 = NULL; ++ struct ip_tunnel *t, *sel[4] = { NULL, NULL, NULL, NULL }; + struct ipgre_net *ign = net_generic(net, ipgre_net_id); + int dev_type = (gre_proto == htons(ETH_P_TEB)) ? 
+ ARPHRD_ETHER : ARPHRD_IPGRE; ++ int idx; + + for (t = ign->tunnels_r_l[h0^h1]; t; t = t->next) { +- if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr) { +- if (t->parms.i_key == key && t->dev->flags & IFF_UP) { +- if (t->dev->type == dev_type) +- return t; +- if (t->dev->type == ARPHRD_IPGRE && !t2) +- t2 = t; +- } +- } ++ if (local != t->parms.iph.saddr || ++ remote != t->parms.iph.daddr || ++ key != t->parms.i_key || ++ !(t->dev->flags & IFF_UP)) ++ continue; ++ ++ if (t->dev->type != ARPHRD_IPGRE && ++ t->dev->type != dev_type) ++ continue; ++ ++ idx = 0; ++ if (t->parms.link != link) ++ idx |= 1; ++ if (t->dev->type != dev_type) ++ idx |= 2; ++ if (idx == 0) ++ return t; ++ if (sel[idx] == NULL) ++ sel[idx] = t; + } + + for (t = ign->tunnels_r[h0^h1]; t; t = t->next) { +- if (remote == t->parms.iph.daddr) { +- if (t->parms.i_key == key && t->dev->flags & IFF_UP) { +- if (t->dev->type == dev_type) +- return t; +- if (t->dev->type == ARPHRD_IPGRE && !t2) +- t2 = t; +- } +- } ++ if (remote != t->parms.iph.daddr || ++ key != t->parms.i_key || ++ !(t->dev->flags & IFF_UP)) ++ continue; ++ ++ if (t->dev->type != ARPHRD_IPGRE && ++ t->dev->type != dev_type) ++ continue; ++ ++ idx = 0; ++ if (t->parms.link != link) ++ idx |= 1; ++ if (t->dev->type != dev_type) ++ idx |= 2; ++ if (idx == 0) ++ return t; ++ if (sel[idx] == NULL) ++ sel[idx] = t; + } + + for (t = ign->tunnels_l[h1]; t; t = t->next) { +- if (local == t->parms.iph.saddr || +- (local == t->parms.iph.daddr && +- ipv4_is_multicast(local))) { +- if (t->parms.i_key == key && t->dev->flags & IFF_UP) { +- if (t->dev->type == dev_type) +- return t; +- if (t->dev->type == ARPHRD_IPGRE && !t2) +- t2 = t; +- } +- } ++ if ((local != t->parms.iph.saddr && ++ (local != t->parms.iph.daddr || ++ !ipv4_is_multicast(local))) || ++ key != t->parms.i_key || ++ !(t->dev->flags & IFF_UP)) ++ continue; ++ ++ if (t->dev->type != ARPHRD_IPGRE && ++ t->dev->type != dev_type) ++ continue; ++ ++ idx = 0; ++ if 
(t->parms.link != link) ++ idx |= 1; ++ if (t->dev->type != dev_type) ++ idx |= 2; ++ if (idx == 0) ++ return t; ++ if (sel[idx] == NULL) ++ sel[idx] = t; + } + + for (t = ign->tunnels_wc[h1]; t; t = t->next) { +- if (t->parms.i_key == key && t->dev->flags & IFF_UP) { +- if (t->dev->type == dev_type) +- return t; +- if (t->dev->type == ARPHRD_IPGRE && !t2) +- t2 = t; +- } ++ if (t->parms.i_key != key || ++ !(t->dev->flags & IFF_UP)) ++ continue; ++ ++ if (t->dev->type != ARPHRD_IPGRE && ++ t->dev->type != dev_type) ++ continue; ++ ++ idx = 0; ++ if (t->parms.link != link) ++ idx |= 1; ++ if (t->dev->type != dev_type) ++ idx |= 2; ++ if (idx == 0) ++ return t; ++ if (sel[idx] == NULL) ++ sel[idx] = t; + } + +- if (t2) +- return t2; ++ for (idx = 1; idx < ARRAY_SIZE(sel); idx++) ++ if (sel[idx] != NULL) ++ return sel[idx]; + +- if (ign->fb_tunnel_dev->flags&IFF_UP) ++ if (ign->fb_tunnel_dev->flags & IFF_UP) + return netdev_priv(ign->fb_tunnel_dev); ++ + return NULL; + } + +@@ -284,6 +330,7 @@ static struct ip_tunnel *ipgre_tunnel_find(struct net *net, + __be32 remote = parms->iph.daddr; + __be32 local = parms->iph.saddr; + __be32 key = parms->i_key; ++ int link = parms->link; + struct ip_tunnel *t, **tp; + struct ipgre_net *ign = net_generic(net, ipgre_net_id); + +@@ -291,6 +338,7 @@ static struct ip_tunnel *ipgre_tunnel_find(struct net *net, + if (local == t->parms.iph.saddr && + remote == t->parms.iph.daddr && + key == t->parms.i_key && ++ link == t->parms.link && + type == t->dev->type) + break; + +@@ -421,7 +469,7 @@ static void ipgre_err(struct sk_buff *skb, u32 info) + } + + read_lock(&ipgre_lock); +- t = ipgre_tunnel_lookup(dev_net(skb->dev), iph->daddr, iph->saddr, ++ t = ipgre_tunnel_lookup(skb->dev, iph->daddr, iph->saddr, + flags & GRE_KEY ? 
+ *(((__be32 *)p) + (grehlen / 4) - 1) : 0, + p[1]); +@@ -518,7 +566,7 @@ static int ipgre_rcv(struct sk_buff *skb) + gre_proto = *(__be16 *)(h + 2); + + read_lock(&ipgre_lock); +- if ((tunnel = ipgre_tunnel_lookup(dev_net(skb->dev), ++ if ((tunnel = ipgre_tunnel_lookup(skb->dev, + iph->saddr, iph->daddr, key, + gre_proto))) { + struct net_device_stats *stats = &tunnel->dev->stats; diff --git a/core/linux-grsec-sources/0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch b/core/linux-grsec-sources/0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch new file mode 100644 index 0000000000..fbfef33b9b --- /dev/null +++ b/core/linux-grsec-sources/0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch 
@@ -0,0 +1,140 @@ +From: Timo Teras <timo.teras@iki.fi> +Date: Tue, 27 Jan 2009 04:56:10 +0000 (-0800) +Subject: gre: optimize hash lookup +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-next-2.6.git;a=commitdiff_plain;h=afcf12422ec8236dc8b9238fef7a475876eea8da;hp=3eacdf58c2c0b9507afedfc19108e98b992c31e4 + +gre: optimize hash lookup + +Instead of keeping candidate tunnel device from all categories, +keep only one candidate with best score. This optimizes stack +usage and speeds up exit code. + +Signed-off-by: Timo Teras <timo.teras@iki.fi> +Signed-off-by: David S. Miller <davem@davemloft.net> +--- + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 4a43739..07a188a 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -172,11 +172,11 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev, + int link = dev->ifindex; + unsigned h0 = HASH(remote); + unsigned h1 = HASH(key); +- struct ip_tunnel *t, *sel[4] = { NULL, NULL, NULL, NULL }; ++ struct ip_tunnel *t, *cand = NULL; + struct ipgre_net *ign = net_generic(net, ipgre_net_id); + int dev_type = (gre_proto == htons(ETH_P_TEB)) ? 
+ ARPHRD_ETHER : ARPHRD_IPGRE; +- int idx; ++ int score, cand_score = 4; + + for (t = ign->tunnels_r_l[h0^h1]; t; t = t->next) { + if (local != t->parms.iph.saddr || +@@ -189,15 +189,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev, + t->dev->type != dev_type) + continue; + +- idx = 0; ++ score = 0; + if (t->parms.link != link) +- idx |= 1; ++ score |= 1; + if (t->dev->type != dev_type) +- idx |= 2; +- if (idx == 0) ++ score |= 2; ++ if (score == 0) + return t; +- if (sel[idx] == NULL) +- sel[idx] = t; ++ ++ if (score < cand_score) { ++ cand = t; ++ cand_score = score; ++ } + } + + for (t = ign->tunnels_r[h0^h1]; t; t = t->next) { +@@ -210,15 +213,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev, + t->dev->type != dev_type) + continue; + +- idx = 0; ++ score = 0; + if (t->parms.link != link) +- idx |= 1; ++ score |= 1; + if (t->dev->type != dev_type) +- idx |= 2; +- if (idx == 0) ++ score |= 2; ++ if (score == 0) + return t; +- if (sel[idx] == NULL) +- sel[idx] = t; ++ ++ if (score < cand_score) { ++ cand = t; ++ cand_score = score; ++ } + } + + for (t = ign->tunnels_l[h1]; t; t = t->next) { +@@ -233,15 +239,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev, + t->dev->type != dev_type) + continue; + +- idx = 0; ++ score = 0; + if (t->parms.link != link) +- idx |= 1; ++ score |= 1; + if (t->dev->type != dev_type) +- idx |= 2; +- if (idx == 0) ++ score |= 2; ++ if (score == 0) + return t; +- if (sel[idx] == NULL) +- sel[idx] = t; ++ ++ if (score < cand_score) { ++ cand = t; ++ cand_score = score; ++ } + } + + for (t = ign->tunnels_wc[h1]; t; t = t->next) { +@@ -253,20 +262,22 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev, + t->dev->type != dev_type) + continue; + +- idx = 0; ++ score = 0; + if (t->parms.link != link) +- idx |= 1; ++ score |= 1; + if (t->dev->type != dev_type) +- idx |= 2; +- if (idx == 0) ++ score |= 2; ++ if (score == 0) + return t; +- if (sel[idx] 
== NULL) +- sel[idx] = t; ++ ++ if (score < cand_score) { ++ cand = t; ++ cand_score = score; ++ } + } + +- for (idx = 1; idx < ARRAY_SIZE(sel); idx++) +- if (sel[idx] != NULL) +- return sel[idx]; ++ if (cand != NULL) ++ return cand; + + if (ign->fb_tunnel_dev->flags & IFF_UP) + return netdev_priv(ign->fb_tunnel_dev); diff --git a/core/linux-grsec-sources/APKBUILD b/core/linux-grsec-sources/APKBUILD index 761407cee6..b91bbf8e1b 100644 --- a/core/linux-grsec-sources/APKBUILD +++ b/core/linux-grsec-sources/APKBUILD @@ -1,10 +1,10 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> _suff=grsec pkgname=linux-$_suff-sources -pkgver=2.6.26.8 +pkgver=2.6.28.5 pkgdesc="Linux kernel sources with grsecurity patch" -_kernver=2.6.26 -_grsecver=2.1.12-2.6.26.6-200810131006 +_kernver=2.6.28 +_grsecver=2.1.12-$_kernver.5-200902121552 pkgrel=2 options="!strip" license=GPL-2 @@ -12,7 +12,8 @@ url=http://kernel.org source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2 ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2 http://www.grsecurity.net/test/grsecurity-$_grsecver.patch - linux-2.6.26.8-ipgre-strict-binding.diff + 0001-linux-2.6.28.5-ipgre-strict-binding.patch + 0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch " build() { 
@@ -21,15 +22,18 @@ build() { bunzip2 -c < ../patch-$pkgver.bz2 | patch -p1 || return 1 fi - patch -p1 < ../grsecurity-$_grsecver.patch || return 1 - patch -p1 < ../linux-2.6.26.8-ipgre-strict-binding.diff || return 1 + for i in ../*.patch; do + msg "Applying $i..." + patch -p1 < $i || return 1 + done mkdir -p "$pkgdir/usr/src" cd "$srcdir" mv "linux-$_kernver" "$pkgdir/usr/src/linux-$pkgver-$_suff" } -md5sums="5169d01c405bc3f866c59338e217968c linux-2.6.26.tar.bz2 -e27c07bb82e02532e874758980141281 patch-2.6.26.8.bz2 -5398417243c0abbcd8d94f5e52eff4bc grsecurity-2.1.12-2.6.26.6-200810131006.patch -b83b352e8718c5c60accfb562482727f linux-2.6.26.8-ipgre-strict-binding.diff" +md5sums="d351e44709c9810b85e29b877f50968a linux-2.6.28.tar.bz2 +7a062fcdec46cec78c3fedbf558e334b patch-2.6.28.5.bz2 +0ff9cf5f9c43797d30a0c90feea94e1e grsecurity-2.1.12-2.6.28.5-200902121552.patch +7673b4521283ad41434a18ca18b16ad8 0001-linux-2.6.28.5-ipgre-strict-binding.patch +8f405c738b150c532c46eaad5390cca2 0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch" |
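Review bot: The `for i in ../*.patch` loop in build() replaces an explicit, ordered patch list with whatever the glob matches, so the apply order is now the shell's sort order (`0001-…`, `0002-…`, then `grsecurity-…`), which inverts the previous grsecurity-first order, and any extra `*.patch` left in the source directory is applied without notice; build()'s opening lines are outside the hunk. If the grsecurity patch also touches `net/ipv4/ip_gre.c`, the ipgre hunks may now apply with fuzz or fail, so listing the patches explicitly keeps the order deliberate: `for i in ../grsecurity-$_grsecver.patch ../0001-*.patch ../0002-*.patch; do`, with `patch -p1 < "$i"` quoted. `_grsecver=2.1.12-$_kernver.5-200902121552` re-encodes the `.5` that `pkgver=2.6.28.5` already carries; `_grsecver=2.1.12-$pkgver-200902121552` keeps the two from drifting on the next bump. The `md5sums` block is the only integrity check on the downloaded kernel tarball, stable patch and grsecurity patch, and MD5 is collision-prone, so a stronger digest is worth adopting if the build tooling supports one.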