diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-23 14:00:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-23 14:11:32 +0000 |
commit | d0149d1c8a6f773c34c018f6af4c6ba8177e5648 (patch) | |
tree | 4dd850a8b0bf7a84b6195d62cb2e5f94491e2d45 | |
parent | 3d1a1e68fdce015d921e87cbc4f409b46b6e89f7 (diff) | |
download | aports-d0149d1c8a6f773c34c018f6af4c6ba8177e5648.tar.bz2 aports-d0149d1c8a6f773c34c018f6af4c6ba8177e5648.tar.xz |
main/linux-grsec: fix for fragmentation issue on tunnel devices
ref #1782
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | 178 |
2 files changed, 183 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 215678fa5..c6a209d9d 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD @@ -7,7 +7,7 @@ case $pkgver in *.*.*) _kernver=${pkgver%.*};; *.*) _kernver=${pkgver};; esac -pkgrel=1 +pkgrel=2 pkgdesc="Linux kernel with grsecurity" url=http://grsecurity.net depends="mkinitfs linux-firmware" @@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch leds-leds-gpio-reserve-gpio-before-using-it.patch ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch + RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch kernelconfig.x86 kernelconfig.x86_64 @@ -151,6 +152,7 @@ e881cf0db639205660f237ceea58f708 grsecurity-2.9.1-3.9.3-201305201732.patch 699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch +12d3647755bebcd3b114f50de2729455 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86 fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64" sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz @@ -159,6 +161,7 @@ c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c grsecurity-2.9 8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch +667babfafe4dc3449cd04853f532712188af557cbac41c461cf8236c4238f5a3 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64" sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz @@ -167,5 +170,6 @@ d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec5 772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch +d35c939967d5696e477e2c5181f96e9cb92e1db88477576615f36209d276e0a2a866111d43e4abe076c455e32b063d6a97d42e5bc9ca04702d78b13826bf3afb RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch 2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86 0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64" diff --git a/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch new file mode 100644 index 000000000..2310927e8 --- /dev/null +++ b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch @@ -0,0 +1,178 @@ +From patchwork Thu May 23 13:15:46 2013 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Subject: [RFC] net/ipv4: Use next hop exceptions also for input routes +Date: Thu, 23 May 2013 03:15:46 -0000 +From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi> +X-Patchwork-Id: 245949 +Message-Id: <1369314946-12692-1-git-send-email-timo.teras@iki.fi> +To: netdev@vger.kernel.org +Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> + +Commit d2d68ba9 (ipv4: Cache input routes in fib_info nexthops) +assmued that "locally destined, and routed packets, never trigger +PMTU events or redirects that will be processed by us". + +However, it seems that tunnel devices do trigger PMTU events in certain +cases. At least ip_gre, ip6_gre, sit, and ipip do use the inner flow's +skb_dst(skb)->ops->update_pmtu to propage mtu information from the +outer flows. These can cause the inner flow mtu to be decreased. If +next hop exceptions are not consulted for pmtu, IP fragmentation will +not be done properly for these routes. + +It also seems that we really need to have the PMTU information always +for netfilter TCPMSS' clamp-to-pmtu feature to work properly. + +So for the time being, cache separate copies of input routes for +each next hop exception. + +Signed-off-by: Timo Teräs <timo.teras@iki.fi> + +--- +I had ideas to make optimizations where pmtu information would not +be needed. This includes: +- Target devices with IFF_XMIT_DST_RELEASE set (practically all devices + except tunnels). If skb_dst() is early freed the target device cannot + generate PMTU events +- Add flag for input route generation if pmtu info is needed for + fragmentation. Basically a flag saying if DF bit was set in ip_hdr. + +However, TCPMSS clamp-to-pmtu prevents both optimizations. + +I'm not yet all familiar with the recent changes in routing caching, +so there might be caveats that I missed. Basic testing shows this fixes +the fragmentation issues I'm seeing, and I have not yet found any ill +side effects either. + + include/net/ip_fib.h | 3 ++- + net/ipv4/fib_semantics.c | 3 ++- + net/ipv4/route.c | 41 +++++++++++++++++++++++++++++++---------- + 3 files changed, 35 insertions(+), 12 deletions(-) + +diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h +index e49db91..20529a6 100644 +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -55,7 +55,8 @@ struct fib_nh_exception { + u32 fnhe_pmtu; + __be32 fnhe_gw; + unsigned long fnhe_expires; +- struct rtable __rcu *fnhe_rth; ++ struct rtable __rcu *fnhe_rth_input; ++ struct rtable __rcu *fnhe_rth_output; + unsigned long fnhe_stamp; + }; + +diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c +index 8f6cb7a..d5dbca5 100644 +--- a/net/ipv4/fib_semantics.c ++++ b/net/ipv4/fib_semantics.c +@@ -169,7 +169,8 @@ static void free_nh_exceptions(struct fib_nh *nh) + + next = rcu_dereference_protected(fnhe->fnhe_next, 1); + +- rt_fibinfo_free(&fnhe->fnhe_rth); ++ rt_fibinfo_free(&fnhe->fnhe_rth_input); ++ rt_fibinfo_free(&fnhe->fnhe_rth_output); + + kfree(fnhe); + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 550781a..073df96 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -576,9 +576,14 @@ static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash) + if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) + oldest = fnhe; + } +- orig = rcu_dereference(oldest->fnhe_rth); ++ orig = rcu_dereference(oldest->fnhe_rth_input); + if (orig) { +- RCU_INIT_POINTER(oldest->fnhe_rth, NULL); ++ RCU_INIT_POINTER(oldest->fnhe_rth_input, NULL); ++ rt_free(orig); ++ } ++ orig = rcu_dereference(oldest->fnhe_rth_output); ++ if (orig) { ++ RCU_INIT_POINTER(oldest->fnhe_rth_output, NULL); + rt_free(orig); + } + return oldest; +@@ -1209,7 +1214,15 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe, + spin_lock_bh(&fnhe_lock); + + if (daddr == fnhe->fnhe_daddr) { +- struct rtable *orig = rcu_dereference(fnhe->fnhe_rth); ++ struct rtable __rcu **porig; ++ struct rtable *orig; ++ ++ if (rt_is_input_route(rt)) ++ porig = &fnhe->fnhe_rth_input; ++ else ++ porig = &fnhe->fnhe_rth_output; ++ ++ orig = rcu_dereference(*porig); + if (orig && rt_is_expired(orig)) { + fnhe->fnhe_gw = 0; + fnhe->fnhe_pmtu = 0; +@@ -1231,12 +1244,14 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe, + } else if (!rt->rt_gateway) + rt->rt_gateway = daddr; + +- rcu_assign_pointer(fnhe->fnhe_rth, rt); +- if (orig) +- rt_free(orig); ++ if (!(rt->dst.flags & DST_NOCACHE)) { ++ rcu_assign_pointer(*porig, rt); ++ if (orig) ++ rt_free(orig); ++ ret = true; ++ } + + fnhe->fnhe_stamp = jiffies; +- ret = true; + } + spin_unlock_bh(&fnhe_lock); + +@@ -1468,6 +1483,7 @@ static int __mkroute_input(struct sk_buff *skb, + struct in_device *in_dev, + __be32 daddr, __be32 saddr, u32 tos) + { ++ struct fib_nh_exception *fnhe; + struct rtable *rth; + int err; + struct in_device *out_dev; +@@ -1514,8 +1530,13 @@ static int __mkroute_input(struct sk_buff *skb, + } + } + ++ fnhe = find_exception(&FIB_RES_NH(*res), daddr); + if (do_cache) { +- rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); ++ if (fnhe != NULL) ++ rth = rcu_dereference(fnhe->fnhe_rth_input); ++ else ++ rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); ++ + if (rt_cache_valid(rth)) { + skb_dst_set_noref(skb, &rth->dst); + goto out; +@@ -1543,7 +1564,7 @@ static int __mkroute_input(struct sk_buff *skb, + rth->dst.input = ip_forward; + rth->dst.output = ip_output; + +- rt_set_nexthop(rth, daddr, res, NULL, res->fi, res->type, itag); ++ rt_set_nexthop(rth, daddr, res, fnhe, res->fi, res->type, itag); + skb_dst_set(skb, &rth->dst); + out: + err = 0; +@@ -1858,7 +1879,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res, + + fnhe = find_exception(nh, fl4->daddr); + if (fnhe) +- prth = &fnhe->fnhe_rth; ++ prth = &fnhe->fnhe_rth_output; + else { + if (unlikely(fl4->flowi4_flags & + FLOWI_FLAG_KNOWN_NH && |