authorNatanael Copa <ncopa@alpinelinux.org>2009-02-16 18:55:25 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2009-02-16 18:55:25 +0000
commite0bb26315a4ac2199c791e310c1fdace1929e556 (patch)
treedee163f88ab3614550d3c928e56063cf53ddb576 /core/linux-grsec-sources
parent89a4e424fd4a1abec4e65a08d4f7cd48dd1acaef (diff)
core/linux-grsec-sources: upgrade to 2.6.28.5
Diffstat (limited to 'core/linux-grsec-sources')
-rw-r--r--core/linux-grsec-sources/0001-linux-2.6.28.5-ipgre-strict-binding.patch207
-rw-r--r--core/linux-grsec-sources/0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch140
-rw-r--r--core/linux-grsec-sources/APKBUILD24
3 files changed, 361 insertions, 10 deletions
diff --git a/core/linux-grsec-sources/0001-linux-2.6.28.5-ipgre-strict-binding.patch b/core/linux-grsec-sources/0001-linux-2.6.28.5-ipgre-strict-binding.patch
new file mode 100644
index 0000000000..fd0cfeb2a2
--- /dev/null
+++ b/core/linux-grsec-sources/0001-linux-2.6.28.5-ipgre-strict-binding.patch
@@ -0,0 +1,207 @@
+From: Timo Teras <timo.teras@iki.fi>
+Date: Tue, 20 Jan 2009 01:22:12 +0000 (-0800)
+Subject: gre: strict physical device binding
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-next-2.6.git;a=commitdiff_plain;h=749c10f931923451a4c59b4435d182aa9ae27a4f;hp=57a574993d94671b495cdbe8aeb78b745abfe14f
+
+gre: strict physical device binding
+
+Check the device on receive path and allow otherwise identical devices
+as long as the physical device differs.
+
+This is useful for NBMA tunnels, where you want to use different gre IP
+for each public IP available via different physical devices.
+
+Signed-off-by: Timo Teras <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 0101521..4a43739 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -164,67 +164,113 @@ static DEFINE_RWLOCK(ipgre_lock);
+
+ /* Given src, dst and key, find appropriate for input tunnel. */
+
+-static struct ip_tunnel * ipgre_tunnel_lookup(struct net *net,
++static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
+ __be32 remote, __be32 local,
+ __be32 key, __be16 gre_proto)
+ {
++ struct net *net = dev_net(dev);
++ int link = dev->ifindex;
+ unsigned h0 = HASH(remote);
+ unsigned h1 = HASH(key);
+- struct ip_tunnel *t;
+- struct ip_tunnel *t2 = NULL;
++ struct ip_tunnel *t, *sel[4] = { NULL, NULL, NULL, NULL };
+ struct ipgre_net *ign = net_generic(net, ipgre_net_id);
+ int dev_type = (gre_proto == htons(ETH_P_TEB)) ?
+ ARPHRD_ETHER : ARPHRD_IPGRE;
++ int idx;
+
+ for (t = ign->tunnels_r_l[h0^h1]; t; t = t->next) {
+- if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr) {
+- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
+- if (t->dev->type == dev_type)
+- return t;
+- if (t->dev->type == ARPHRD_IPGRE && !t2)
+- t2 = t;
+- }
+- }
++ if (local != t->parms.iph.saddr ||
++ remote != t->parms.iph.daddr ||
++ key != t->parms.i_key ||
++ !(t->dev->flags & IFF_UP))
++ continue;
++
++ if (t->dev->type != ARPHRD_IPGRE &&
++ t->dev->type != dev_type)
++ continue;
++
++ idx = 0;
++ if (t->parms.link != link)
++ idx |= 1;
++ if (t->dev->type != dev_type)
++ idx |= 2;
++ if (idx == 0)
++ return t;
++ if (sel[idx] == NULL)
++ sel[idx] = t;
+ }
+
+ for (t = ign->tunnels_r[h0^h1]; t; t = t->next) {
+- if (remote == t->parms.iph.daddr) {
+- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
+- if (t->dev->type == dev_type)
+- return t;
+- if (t->dev->type == ARPHRD_IPGRE && !t2)
+- t2 = t;
+- }
+- }
++ if (remote != t->parms.iph.daddr ||
++ key != t->parms.i_key ||
++ !(t->dev->flags & IFF_UP))
++ continue;
++
++ if (t->dev->type != ARPHRD_IPGRE &&
++ t->dev->type != dev_type)
++ continue;
++
++ idx = 0;
++ if (t->parms.link != link)
++ idx |= 1;
++ if (t->dev->type != dev_type)
++ idx |= 2;
++ if (idx == 0)
++ return t;
++ if (sel[idx] == NULL)
++ sel[idx] = t;
+ }
+
+ for (t = ign->tunnels_l[h1]; t; t = t->next) {
+- if (local == t->parms.iph.saddr ||
+- (local == t->parms.iph.daddr &&
+- ipv4_is_multicast(local))) {
+- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
+- if (t->dev->type == dev_type)
+- return t;
+- if (t->dev->type == ARPHRD_IPGRE && !t2)
+- t2 = t;
+- }
+- }
++ if ((local != t->parms.iph.saddr &&
++ (local != t->parms.iph.daddr ||
++ !ipv4_is_multicast(local))) ||
++ key != t->parms.i_key ||
++ !(t->dev->flags & IFF_UP))
++ continue;
++
++ if (t->dev->type != ARPHRD_IPGRE &&
++ t->dev->type != dev_type)
++ continue;
++
++ idx = 0;
++ if (t->parms.link != link)
++ idx |= 1;
++ if (t->dev->type != dev_type)
++ idx |= 2;
++ if (idx == 0)
++ return t;
++ if (sel[idx] == NULL)
++ sel[idx] = t;
+ }
+
+ for (t = ign->tunnels_wc[h1]; t; t = t->next) {
+- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
+- if (t->dev->type == dev_type)
+- return t;
+- if (t->dev->type == ARPHRD_IPGRE && !t2)
+- t2 = t;
+- }
++ if (t->parms.i_key != key ||
++ !(t->dev->flags & IFF_UP))
++ continue;
++
++ if (t->dev->type != ARPHRD_IPGRE &&
++ t->dev->type != dev_type)
++ continue;
++
++ idx = 0;
++ if (t->parms.link != link)
++ idx |= 1;
++ if (t->dev->type != dev_type)
++ idx |= 2;
++ if (idx == 0)
++ return t;
++ if (sel[idx] == NULL)
++ sel[idx] = t;
+ }
+
+- if (t2)
+- return t2;
++ for (idx = 1; idx < ARRAY_SIZE(sel); idx++)
++ if (sel[idx] != NULL)
++ return sel[idx];
+
+- if (ign->fb_tunnel_dev->flags&IFF_UP)
++ if (ign->fb_tunnel_dev->flags & IFF_UP)
+ return netdev_priv(ign->fb_tunnel_dev);
++
+ return NULL;
+ }
+
+@@ -284,6 +330,7 @@ static struct ip_tunnel *ipgre_tunnel_find(struct net *net,
+ __be32 remote = parms->iph.daddr;
+ __be32 local = parms->iph.saddr;
+ __be32 key = parms->i_key;
++ int link = parms->link;
+ struct ip_tunnel *t, **tp;
+ struct ipgre_net *ign = net_generic(net, ipgre_net_id);
+
+@@ -291,6 +338,7 @@ static struct ip_tunnel *ipgre_tunnel_find(struct net *net,
+ if (local == t->parms.iph.saddr &&
+ remote == t->parms.iph.daddr &&
+ key == t->parms.i_key &&
++ link == t->parms.link &&
+ type == t->dev->type)
+ break;
+
+@@ -421,7 +469,7 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
+ }
+
+ read_lock(&ipgre_lock);
+- t = ipgre_tunnel_lookup(dev_net(skb->dev), iph->daddr, iph->saddr,
++ t = ipgre_tunnel_lookup(skb->dev, iph->daddr, iph->saddr,
+ flags & GRE_KEY ?
+ *(((__be32 *)p) + (grehlen / 4) - 1) : 0,
+ p[1]);
+@@ -518,7 +566,7 @@ static int ipgre_rcv(struct sk_buff *skb)
+ gre_proto = *(__be16 *)(h + 2);
+
+ read_lock(&ipgre_lock);
+- if ((tunnel = ipgre_tunnel_lookup(dev_net(skb->dev),
++ if ((tunnel = ipgre_tunnel_lookup(skb->dev,
+ iph->saddr, iph->daddr, key,
+ gre_proto))) {
+ struct net_device_stats *stats = &tunnel->dev->stats;
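Review bot: The lookup in the first hunk of this backported patch still returns a tunnel whose `parms.link` differs from the receiving device when no exact match exists: a link mismatch only sets `idx |= 1` and parks the tunnel in `sel[idx]`, and the trailing `for (idx = 1; ...)` loop hands it back as a fallback. So a tunnel bound to one physical device can still receive packets that arrive on another device, and the "strict" in the subject holds only relative to a better candidate. Since this is an upstream commit carried verbatim, the place to record that is the APKBUILD or a short line in the patch header, e.g. `# link binding is a preference, not a filter: unbound/other-link tunnels remain fallbacks`. Note also that `idx < ARRAY_SIZE(sel)` compares a signed `int` with a `size_t`; that is harmless here and is removed again by 0002, so it needs no action beyond keeping both patches together.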
diff --git a/core/linux-grsec-sources/0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch b/core/linux-grsec-sources/0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch
new file mode 100644
index 0000000000..fbfef33b9b
--- /dev/null
+++ b/core/linux-grsec-sources/0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch
@@ -0,0 +1,140 @@
+From: Timo Teras <timo.teras@iki.fi>
+Date: Tue, 27 Jan 2009 04:56:10 +0000 (-0800)
+Subject: gre: optimize hash lookup
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-next-2.6.git;a=commitdiff_plain;h=afcf12422ec8236dc8b9238fef7a475876eea8da;hp=3eacdf58c2c0b9507afedfc19108e98b992c31e4
+
+gre: optimize hash lookup
+
+Instead of keeping candidate tunnel device from all categories,
+keep only one candidate with best score. This optimizes stack
+usage and speeds up exit code.
+
+Signed-off-by: Timo Teras <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 4a43739..07a188a 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -172,11 +172,11 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
+ int link = dev->ifindex;
+ unsigned h0 = HASH(remote);
+ unsigned h1 = HASH(key);
+- struct ip_tunnel *t, *sel[4] = { NULL, NULL, NULL, NULL };
++ struct ip_tunnel *t, *cand = NULL;
+ struct ipgre_net *ign = net_generic(net, ipgre_net_id);
+ int dev_type = (gre_proto == htons(ETH_P_TEB)) ?
+ ARPHRD_ETHER : ARPHRD_IPGRE;
+- int idx;
++ int score, cand_score = 4;
+
+ for (t = ign->tunnels_r_l[h0^h1]; t; t = t->next) {
+ if (local != t->parms.iph.saddr ||
+@@ -189,15 +189,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
+ t->dev->type != dev_type)
+ continue;
+
+- idx = 0;
++ score = 0;
+ if (t->parms.link != link)
+- idx |= 1;
++ score |= 1;
+ if (t->dev->type != dev_type)
+- idx |= 2;
+- if (idx == 0)
++ score |= 2;
++ if (score == 0)
+ return t;
+- if (sel[idx] == NULL)
+- sel[idx] = t;
++
++ if (score < cand_score) {
++ cand = t;
++ cand_score = score;
++ }
+ }
+
+ for (t = ign->tunnels_r[h0^h1]; t; t = t->next) {
+@@ -210,15 +213,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
+ t->dev->type != dev_type)
+ continue;
+
+- idx = 0;
++ score = 0;
+ if (t->parms.link != link)
+- idx |= 1;
++ score |= 1;
+ if (t->dev->type != dev_type)
+- idx |= 2;
+- if (idx == 0)
++ score |= 2;
++ if (score == 0)
+ return t;
+- if (sel[idx] == NULL)
+- sel[idx] = t;
++
++ if (score < cand_score) {
++ cand = t;
++ cand_score = score;
++ }
+ }
+
+ for (t = ign->tunnels_l[h1]; t; t = t->next) {
+@@ -233,15 +239,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
+ t->dev->type != dev_type)
+ continue;
+
+- idx = 0;
++ score = 0;
+ if (t->parms.link != link)
+- idx |= 1;
++ score |= 1;
+ if (t->dev->type != dev_type)
+- idx |= 2;
+- if (idx == 0)
++ score |= 2;
++ if (score == 0)
+ return t;
+- if (sel[idx] == NULL)
+- sel[idx] = t;
++
++ if (score < cand_score) {
++ cand = t;
++ cand_score = score;
++ }
+ }
+
+ for (t = ign->tunnels_wc[h1]; t; t = t->next) {
+@@ -253,20 +262,22 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
+ t->dev->type != dev_type)
+ continue;
+
+- idx = 0;
++ score = 0;
+ if (t->parms.link != link)
+- idx |= 1;
++ score |= 1;
+ if (t->dev->type != dev_type)
+- idx |= 2;
+- if (idx == 0)
++ score |= 2;
++ if (score == 0)
+ return t;
+- if (sel[idx] == NULL)
+- sel[idx] = t;
++
++ if (score < cand_score) {
++ cand = t;
++ cand_score = score;
++ }
+ }
+
+- for (idx = 1; idx < ARRAY_SIZE(sel); idx++)
+- if (sel[idx] != NULL)
+- return sel[idx];
++ if (cand != NULL)
++ return cand;
+
+ if (ign->fb_tunnel_dev->flags & IFF_UP)
+ return netdev_priv(ign->fb_tunnel_dev);
diff --git a/core/linux-grsec-sources/APKBUILD b/core/linux-grsec-sources/APKBUILD
index 761407cee6..b91bbf8e1b 100644
--- a/core/linux-grsec-sources/APKBUILD
+++ b/core/linux-grsec-sources/APKBUILD
@@ -1,10 +1,10 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
_suff=grsec
pkgname=linux-$_suff-sources
-pkgver=2.6.26.8
+pkgver=2.6.28.5
pkgdesc="Linux kernel sources with grsecurity patch"
-_kernver=2.6.26
-_grsecver=2.1.12-2.6.26.6-200810131006
+_kernver=2.6.28
+_grsecver=2.1.12-$_kernver.5-200902121552
pkgrel=2
options="!strip"
license=GPL-2
@@ -12,7 +12,8 @@ url=http://kernel.org
source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
http://www.grsecurity.net/test/grsecurity-$_grsecver.patch
- linux-2.6.26.8-ipgre-strict-binding.diff
+ 0001-linux-2.6.28.5-ipgre-strict-binding.patch
+ 0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch
"
build() {
@@ -21,15 +22,18 @@ build() {
bunzip2 -c < ../patch-$pkgver.bz2 | patch -p1 || return 1
fi
- patch -p1 < ../grsecurity-$_grsecver.patch || return 1
- patch -p1 < ../linux-2.6.26.8-ipgre-strict-binding.diff || return 1
+ for i in ../*.patch; do
+ msg "Applying $i..."
+ patch -p1 < $i || return 1
+ done
mkdir -p "$pkgdir/usr/src"
cd "$srcdir"
mv "linux-$_kernver" "$pkgdir/usr/src/linux-$pkgver-$_suff"
}
-md5sums="5169d01c405bc3f866c59338e217968c linux-2.6.26.tar.bz2
-e27c07bb82e02532e874758980141281 patch-2.6.26.8.bz2
-5398417243c0abbcd8d94f5e52eff4bc grsecurity-2.1.12-2.6.26.6-200810131006.patch
-b83b352e8718c5c60accfb562482727f linux-2.6.26.8-ipgre-strict-binding.diff"
+md5sums="d351e44709c9810b85e29b877f50968a linux-2.6.28.tar.bz2
+7a062fcdec46cec78c3fedbf558e334b patch-2.6.28.5.bz2
+0ff9cf5f9c43797d30a0c90feea94e1e grsecurity-2.1.12-2.6.28.5-200902121552.patch
+7673b4521283ad41434a18ca18b16ad8 0001-linux-2.6.28.5-ipgre-strict-binding.patch
+8f405c738b150c532c46eaad5390cca2 0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch"
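Review bot: Replacing the two explicit `patch` lines with `for i in ../*.patch` changes the application order: the glob also matches `grsecurity-$_grsecver.patch`, and since `0001-`/`0002-` sort before `grsecurity-`, the ipgre patches are now applied before grsecurity whereas the old sequence applied grsecurity first. If the grsecurity patch touches `net/ipv4/ip_gre.c` this can turn into a rejected hunk; if it does not, the order is presumably fine, but that dependence is invisible from the APKBUILD. Keeping the order explicit avoids the question, e.g. `for i in ../grsecurity-$_grsecver.patch ../0001-*.patch ../0002-*.patch; do`, and the redirect should quote the variable: `patch -p1 < "$i" || return 1`. The glob also silently picks up any other `*.patch` left in `$srcdir`, which is one more reason to name the inputs.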