Diffstat (limited to 'main/linux-grsec/5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch')
-rw-r--r-- | main/linux-grsec/5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/main/linux-grsec/5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch b/main/linux-grsec/5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch
new file mode 100644
index 0000000000..4d75cf36ad
--- /dev/null
+++ b/main/linux-grsec/5-5-xfrm4-Invalidate-all-ipv4-routes-on-IPsec-pmtu-events.patch
@@ -0,0 +1,84 @@
+From patchwork Tue Jan 22 09:06:36 2013
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [5/5] xfrm4: Invalidate all ipv4 routes on IPsec pmtu events
+Date: Mon, 21 Jan 2013 23:06:36 -0000
+From: Steffen Klassert <steffen.klassert@secunet.com>
+X-Patchwork-Id: 214475
+Message-Id: <1358845596-2066-6-git-send-email-steffen.klassert@secunet.com>
+To: David Miller <davem@davemloft.net>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>,
+ Steffen Klassert <steffen.klassert@secunet.com>, netdev@vger.kernel.org
+
+On IPsec pmtu events we can't access the transport headers of
+the original packet, so we can't find the socket that sent
+the packet. The only chance to notify the socket about the
+pmtu change is to force a relookup for all routes. This
+patch implenents this for the IPsec protocols.
+
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+
+---
+net/ipv4/ah4.c | 7 +++++--
+ net/ipv4/esp4.c | 7 +++++--
+ net/ipv4/ipcomp.c | 7 +++++--
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
+index a154d0a..a69b4e4 100644
+--- a/net/ipv4/ah4.c
++++ b/net/ipv4/ah4.c
+@@ -420,9 +420,12 @@ static void ah4_err(struct sk_buff *skb, u32 info)
+ if (!x)
+ return;
+
+- if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
++ if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
++ atomic_inc(&flow_cache_genid);
++ rt_genid_bump(net);
++
+ ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_AH, 0);
+- else
++ } else
+ ipv4_redirect(skb, net, 0, 0, IPPROTO_AH, 0);
+ xfrm_state_put(x);
+ }
+diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
+index fd26ff4..3b4f0cd 100644
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -502,9 +502,12 @@ static void esp4_err(struct sk_buff *skb, u32 info)
+ if (!x)
+ return;
+
+- if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
++ if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
++ atomic_inc(&flow_cache_genid);
++ rt_genid_bump(net);
++
+ ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_ESP, 0);
+- else
++ } else
+ ipv4_redirect(skb, net, 0, 0, IPPROTO_ESP, 0);
+ xfrm_state_put(x);
+ }
+diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
+index d3ab47e..9a46dae 100644
+--- a/net/ipv4/ipcomp.c
++++ b/net/ipv4/ipcomp.c
+@@ -47,9 +47,12 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
+ if (!x)
+ return;
+
+- if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
++ if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
++ atomic_inc(&flow_cache_genid);
++ rt_genid_bump(net);
++
+ ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_COMP, 0);
+- else
++ } else
+ ipv4_redirect(skb, net, 0, 0, IPPROTO_COMP, 0);
+ xfrm_state_put(x);
+ } |
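Review bot: In the `ah4_err` hunk (and identically in `esp4_err` and `ipcomp4_err`), the new `atomic_inc(&flow_cache_genid); rt_genid_bump(net);` runs on every ICMP_DEST_UNREACH that reaches this branch, so an unauthenticated ICMP error now invalidates all cached IPv4 routes and flows rather than one destination's. The only gate visible in the hunk is `if (!x) return;`; each function starts outside the hunk, so whether the ICMP code is already restricted to fragmentation-needed cannot be confirmed from here and should be checked. The branch would benefit from a comment carrying the rationale from the commit message, e.g. `/* no transport header on IPsec pmtu events, so force a relookup of all routes */`, plus a note on how often this path may fire when the ICMP errors are forged. As a style point, `} else` leaves the else arm unbraced while the if arm is braced; kernel style wants braces on both arms.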