Diffstat (limited to 'main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch')
-rw-r--r-- | main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch | 139 |
1 files changed, 139 insertions, 0 deletions
diff --git a/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch b/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
new file mode 100644
index 0000000000..b34c640f2d
--- /dev/null
+++ b/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
@@ -0,0 +1,139 @@
+From cc9ff19da9bf76a2f70bcb80225a1c587c162e52 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Wed, 3 Nov 2010 04:41:38 +0000
+Subject: [PATCH] xfrm: use gre key as flow upper protocol info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The GRE Key field is intended to be used for identifying an individual
+traffic flow within a tunnel. It is useful to be able to have XFRM
+policy selector matches to have different policies for different
+GRE tunnels.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/flow.h | 2 ++
+ include/net/xfrm.h | 6 ++++++
+ net/ipv4/ip_gre.c | 12 +++++++-----
+ net/ipv4/xfrm4_policy.c | 15 +++++++++++++++
+ 4 files changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/flow.h b/include/net/flow.h
+index 0ac3fb5..7196e68 100644
+--- a/include/net/flow.h
++++ b/include/net/flow.h
+@@ -67,6 +67,7 @@ struct flowi {
+ } dnports;
+
+ __be32 spi;
++ __be32 gre_key;
+
+ struct {
+ __u8 type;
+@@ -78,6 +79,7 @@ struct flowi {
+ #define fl_icmp_code uli_u.icmpt.code
+ #define fl_ipsec_spi uli_u.spi
+ #define fl_mh_type uli_u.mht.type
++#define fl_gre_key uli_u.gre_key
+ __u32 secid; /* used by xfrm; see secid.txt */
+ } __attribute__((__aligned__(BITS_PER_LONG/8)));
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index bcfb6b2..54b2832 100644
+--- a/include/net/xfrm.h
++++ b/include/net/xfrm.h
+@@ -805,6 +805,9 @@ __be16 xfrm_flowi_sport(struct flowi *fl)
+ case IPPROTO_MH:
+ port = htons(fl->fl_mh_type);
+ break;
++ case IPPROTO_GRE:
++ port = htonl(fl->fl_gre_key) >> 16;
++ break;
+ default:
+ port = 0; /*XXX*/
+ }
+@@ -826,6 +829,9 @@ __be16 xfrm_flowi_dport(struct flowi *fl)
+ case IPPROTO_ICMPV6:
+ port = htons(fl->fl_icmp_code);
+ break;
++ case IPPROTO_GRE:
++ port = htonl(fl->fl_gre_key) & 0xffff;
++ break;
+ default:
+ port = 0; /*XXX*/
+ }
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index cab2057..aace653 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -779,9 +779,9 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
+ .tos = RT_TOS(tos)
+ }
+ },
+- .proto = IPPROTO_GRE
+- }
+-;
++ .proto = IPPROTO_GRE,
++ .fl_gre_key = tunnel->parms.o_key
++ };
+ if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
+ dev->stats.tx_carrier_errors++;
+ goto tx_error;
+@@ -958,7 +958,8 @@ static int ipgre_tunnel_bind_dev(struct net_device *dev)
+ .tos = RT_TOS(iph->tos)
+ }
+ },
+- .proto = IPPROTO_GRE
++ .proto = IPPROTO_GRE,
++ .fl_gre_key = tunnel->parms.o_key
+ };
+ struct rtable *rt;
+
+@@ -1223,7 +1224,8 @@ static int ipgre_open(struct net_device *dev)
+ .tos = RT_TOS(t->parms.iph.tos)
+ }
+ },
+- .proto = IPPROTO_GRE
++ .proto = IPPROTO_GRE,
++ .fl_gre_key = t->parms.o_key
+ };
+ struct rtable *rt;
+
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index dd1fd8c..4a8c533 100644
+--- a/net/ipv4/xfrm4_policy.c
++++ b/net/ipv4/xfrm4_policy.c
+@@ -11,6 +11,7 @@
+ #include <linux/err.h>
+ #include <linux/kernel.h>
+ #include <linux/inetdevice.h>
++#include <linux/if_tunnel.h>
+ #include <net/dst.h>
+ #include <net/xfrm.h>
+ #include <net/ip.h>
+@@ -154,6 +155,20 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+ fl->fl_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
+ }
+ break;
++
++ case IPPROTO_GRE:
++ if (pskb_may_pull(skb, xprth + 12 - skb->data)) {
++ __be16 *greflags = (__be16 *)xprth;
++ __be32 *gre_hdr = (__be32 *)xprth;
++
++ if (greflags[0] & GRE_KEY) {
++ if (greflags[0] & GRE_CSUM)
++ gre_hdr++;
++ fl->fl_gre_key = gre_hdr[1];
++ }
++ }
++ break;
++
+ default:
+ fl->fl_ipsec_spi = 0;
+ break;
+--
+1.7.4.1
+
|
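Review bot: The two `IPPROTO_GRE` cases that the carried patch adds to `xfrm_flowi_sport()` and `xfrm_flowi_dport()` leave a host-order value in the `__be16` port: `fl_gre_key` is `__be32`, so it should go through `ntohl()` and each 16-bit half be put back in network order, `port = htons(ntohl(fl->fl_gre_key) >> 16);` and `port = htons(ntohl(fl->fl_gre_key) & 0xffff);`. As written, a selector that carries the key halves in network byte order, as the neighbouring `htons()` cases do for their fields, would presumably not match on little-endian hosts, so a per-tunnel IPsec policy could fail to apply without any error. In the `_decode_session4()` case the key offset is adjusted only for `GRE_CSUM`; a header with `GRE_ROUTING` set or a non-zero version can lay out or interpret that word differently, so it is worth testing `greflags[0] & (GRE_VERSION | GRE_ROUTING)` before trusting `gre_hdr[1]` as a key. `xprth` is assigned outside the visible lines; if that happens before `pskb_may_pull()`, the pointer may need reloading after the pull, since the pull can reallocate the header.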