aboutsummaryrefslogtreecommitdiffstats
path: root/main/linux-grsec
diff options
context:
space:
mode:
authorTimo Teräs <timo.teras@iki.fi>2010-11-18 11:47:40 +0200
committerTimo Teräs <timo.teras@iki.fi>2010-11-18 11:49:08 +0200
commit46d92312741bc36327d010dcf74c16d0dbe69b90 (patch)
tree621c82a708aa90b34821806f72e3ac90831905ba /main/linux-grsec
parenta8a0244c10bd91c9f60a4799507fc57f853f5816 (diff)
downloadaports-46d92312741bc36327d010dcf74c16d0dbe69b90.tar.bz2
aports-46d92312741bc36327d010dcf74c16d0dbe69b90.tar.xz
main/linux-grsec: add xfrm patch to support gre key in SPD
useful for certain gre tunneling scenarios.
Diffstat (limited to 'main/linux-grsec')
-rw-r--r--main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch139
-rw-r--r--main/linux-grsec/APKBUILD4
2 files changed, 142 insertions, 1 deletions
diff --git a/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch b/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
new file mode 100644
index 0000000000..4b260daccf
--- /dev/null
+++ b/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
@@ -0,0 +1,139 @@
+From e4e3789c1d6d9cd30267c4395763577ceedd7015 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Thu, 18 Nov 2010 11:42:16 +0200
+Subject: [PATCH] xfrm: use gre key as flow upper protocol info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The GRE Key field is intended to be used for identifying an individual
+traffic flow within a tunnel. It is useful to be able to have XFRM
+policy selector matches to have different policies for different
+GRE tunnels.
+
+Backported to linux-2.6.35 from the original version at:
+http://git.kernel.org/?p=linux/kernel/git/davem/net-next-2.6.git;
+a=commitdiff_plain;h=cc9ff19da9bf76a2f70bcb80225a1c587c162e52
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+ include/net/flow.h | 2 ++
+ include/net/xfrm.h | 6 ++++++
+ net/ipv4/ip_gre.c | 9 ++++++---
+ net/ipv4/xfrm4_policy.c | 15 +++++++++++++++
+ 4 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/include/net/flow.h b/include/net/flow.h
+index bb08692..240b7f3 100644
+--- a/include/net/flow.h
++++ b/include/net/flow.h
+@@ -66,6 +66,7 @@ struct flowi {
+ } dnports;
+
+ __be32 spi;
++ __be32 gre_key;
+
+ struct {
+ __u8 type;
+@@ -77,6 +78,7 @@ struct flowi {
+ #define fl_icmp_code uli_u.icmpt.code
+ #define fl_ipsec_spi uli_u.spi
+ #define fl_mh_type uli_u.mht.type
++#define fl_gre_key uli_u.gre_key
+ __u32 secid; /* used by xfrm; see secid.txt */
+ } __attribute__((__aligned__(BITS_PER_LONG/8)));
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index fc8f36d..1a57ff9 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -805,6 +805,9 @@ __be16 xfrm_flowi_sport(struct flowi *fl)
+ case IPPROTO_MH:
+ port = htons(fl->fl_mh_type);
+ break;
++ case IPPROTO_GRE:
++ port = htonl(fl->fl_gre_key) >> 16;
++ break;
+ default:
+ port = 0; /*XXX*/
+ }
+@@ -826,6 +829,9 @@ __be16 xfrm_flowi_dport(struct flowi *fl)
+ case IPPROTO_ICMPV6:
+ port = htons(fl->fl_icmp_code);
+ break;
++ case IPPROTO_GRE:
++ port = htonl(fl->fl_gre_key) & 0xffff;
++ break;
+ default:
+ port = 0; /*XXX*/
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 32618e1..d490d67 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -739,7 +739,8 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
+ { .daddr = dst,
+ .saddr = tiph->saddr,
+ .tos = RT_TOS(tos) } },
+- .proto = IPPROTO_GRE };
++ .proto = IPPROTO_GRE,
++ .fl_gre_key = tunnel->parms.o_key };
+ if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
+ stats->tx_carrier_errors++;
+ goto tx_error;
+@@ -912,7 +913,8 @@ static int ipgre_tunnel_bind_dev(struct net_device *dev)
+ { .daddr = iph->daddr,
+ .saddr = iph->saddr,
+ .tos = RT_TOS(iph->tos) } },
+- .proto = IPPROTO_GRE };
++ .proto = IPPROTO_GRE,
++ .fl_gre_key = tunnel->parms.o_key };
+ struct rtable *rt;
+ if (!ip_route_output_key(dev_net(dev), &rt, &fl)) {
+ tdev = rt->u.dst.dev;
+@@ -1170,7 +1172,8 @@ static int ipgre_open(struct net_device *dev)
+ { .daddr = t->parms.iph.daddr,
+ .saddr = t->parms.iph.saddr,
+ .tos = RT_TOS(t->parms.iph.tos) } },
+- .proto = IPPROTO_GRE };
++ .proto = IPPROTO_GRE,
++ .fl_gre_key = t->parms.o_key };
+ struct rtable *rt;
+ if (ip_route_output_key(dev_net(dev), &rt, &fl))
+ return -EADDRNOTAVAIL;
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index 23883a4..ef36364 100644
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -11,6 +11,7 @@
+ #include <linux/err.h>
+ #include <linux/kernel.h>
+ #include <linux/inetdevice.h>
++#include <linux/if_tunnel.h>
+ #include <net/dst.h>
+ #include <net/xfrm.h>
+ #include <net/ip.h>
+@@ -158,6 +159,20 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+ fl->fl_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
+ }
+ break;
++
++ case IPPROTO_GRE:
++ if (pskb_may_pull(skb, xprth + 12 - skb->data)) {
++ __be16 *greflags = (__be16 *)xprth;
++ __be32 *gre_hdr = (__be32 *)xprth;
++
++ if (greflags[0] & GRE_KEY) {
++ if (greflags[0] & GRE_CSUM)
++ gre_hdr++;
++ fl->fl_gre_key = gre_hdr[1];
++ }
++ }
++ break;
++
+ default:
+ fl->fl_ipsec_spi = 0;
+ break;
+--
+1.7.1
+
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index ed87edb3be..96f513bb7d 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
pkgname=linux-${_flavor}
pkgver=2.6.35.8
_kernver=2.6.35
-pkgrel=3
+pkgrel=4
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -15,6 +15,7 @@ install=
source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
grsecurity-2.2.0-2.6.35.8-201011062054.patch
+ 0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
0004-arp-flush-arp-cache-on-device-change.patch
r8169-fix-rx-checksum-offload.patch
r8169-add-gro-support.patch
@@ -142,6 +143,7 @@ firmware() {
md5sums="091abeb4684ce03d1d936851618687b6 linux-2.6.35.tar.bz2
198e4e72ea9cc7f9f25bb5881167aa2e patch-2.6.35.8.bz2
d5832cb57522a666a80227f68b771552 grsecurity-2.2.0-2.6.35.8-201011062054.patch
+eed5bd98c0a3b976891c897763eceff5 0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
776adeeb5272093574f8836c5037dd7d 0004-arp-flush-arp-cache-on-device-change.patch
0ccecafd4123dcad0b0cd7787553d734 r8169-fix-rx-checksum-offload.patch
139b39da44ecb577275be53d7d365949 r8169-add-gro-support.patch