authorNatanael Copa <ncopa@alpinelinux.org>2013-05-23 14:00:13 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-23 14:11:32 +0000
commitd0149d1c8a6f773c34c018f6af4c6ba8177e5648 (patch)
tree4dd850a8b0bf7a84b6195d62cb2e5f94491e2d45
parent3d1a1e68fdce015d921e87cbc4f409b46b6e89f7 (diff)
main/linux-grsec: fix for fragmentation issue on tunnel devices
ref #1782
-rw-r--r--main/linux-grsec/APKBUILD6
-rw-r--r--main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch178
2 files changed, 183 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 215678fa5..c6a209d9d 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
*.*.*) _kernver=${pkgver%.*};;
*.*) _kernver=${pkgver};;
esac
-pkgrel=1
+pkgrel=2
pkgdesc="Linux kernel with grsecurity"
url=http://grsecurity.net
depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
leds-leds-gpio-reserve-gpio-before-using-it.patch
ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+ RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
kernelconfig.x86
kernelconfig.x86_64
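Review bot: The new source entry `RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch` pulls in a patch whose own subject line marks it as an unmerged RFC, and nothing in the APKBUILD records that status or when it can go away; a comment above the entry, `# RFC, not upstream yet; drop or replace with the merged version on the next kernel bump (ref #1782)`, would tell the next maintainer what to do with it. The md5, sha256 and sha512 entries for the new file are added consistently in the three checksum hunks that follow.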
@@ -151,6 +152,7 @@ e881cf0db639205660f237ceea58f708 grsecurity-2.9.1-3.9.3-201305201732.patch
699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch
ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+12d3647755bebcd3b114f50de2729455 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86
fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64"
sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
@@ -159,6 +161,7 @@ c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c grsecurity-2.9
8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch
ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+667babfafe4dc3449cd04853f532712188af557cbac41c461cf8236c4238f5a3 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86
7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64"
sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
@@ -167,5 +170,6 @@ d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec5
772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch
769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+d35c939967d5696e477e2c5181f96e9cb92e1db88477576615f36209d276e0a2a866111d43e4abe076c455e32b063d6a97d42e5bc9ca04702d78b13826bf3afb RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86
0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64"
diff --git a/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
new file mode 100644
index 000000000..2310927e8
--- /dev/null
+++ b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
@@ -0,0 +1,178 @@
+From patchwork Thu May 23 13:15:46 2013
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [RFC] net/ipv4: Use next hop exceptions also for input routes
+Date: Thu, 23 May 2013 03:15:46 -0000
+From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
+X-Patchwork-Id: 245949
+Message-Id: <1369314946-12692-1-git-send-email-timo.teras@iki.fi>
+To: netdev@vger.kernel.org
+Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+
+Commit d2d68ba9 (ipv4: Cache input routes in fib_info nexthops)
+assmued that "locally destined, and routed packets, never trigger
+PMTU events or redirects that will be processed by us".
+
+However, it seems that tunnel devices do trigger PMTU events in certain
+cases. At least ip_gre, ip6_gre, sit, and ipip do use the inner flow's
+skb_dst(skb)->ops->update_pmtu to propage mtu information from the
+outer flows. These can cause the inner flow mtu to be decreased. If
+next hop exceptions are not consulted for pmtu, IP fragmentation will
+not be done properly for these routes.
+
+It also seems that we really need to have the PMTU information always
+for netfilter TCPMSS' clamp-to-pmtu feature to work properly.
+
+So for the time being, cache separate copies of input routes for
+each next hop exception.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+
+---
+I had ideas to make optimizations where pmtu information would not
+be needed. This includes:
+- Target devices with IFF_XMIT_DST_RELEASE set (practically all devices
+ except tunnels). If skb_dst() is early freed the target device cannot
+ generate PMTU events
+- Add flag for input route generation if pmtu info is needed for
+ fragmentation. Basically a flag saying if DF bit was set in ip_hdr.
+
+However, TCPMSS clamp-to-pmtu prevents both optimizations.
+
+I'm not yet all familiar with the recent changes in routing caching,
+so there might be caveats that I missed. Basic testing shows this fixes
+the fragmentation issues I'm seeing, and I have not yet found any ill
+side effects either.
+
+ include/net/ip_fib.h | 3 ++-
+ net/ipv4/fib_semantics.c | 3 ++-
+ net/ipv4/route.c | 41 +++++++++++++++++++++++++++++++----------
+ 3 files changed, 35 insertions(+), 12 deletions(-)
+
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index e49db91..20529a6 100644
+--- a/include/net/ip_fib.h
++++ b/include/net/ip_fib.h
+@@ -55,7 +55,8 @@ struct fib_nh_exception {
+ u32 fnhe_pmtu;
+ __be32 fnhe_gw;
+ unsigned long fnhe_expires;
+- struct rtable __rcu *fnhe_rth;
++ struct rtable __rcu *fnhe_rth_input;
++ struct rtable __rcu *fnhe_rth_output;
+ unsigned long fnhe_stamp;
+ };
+
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 8f6cb7a..d5dbca5 100644
+--- a/net/ipv4/fib_semantics.c
++++ b/net/ipv4/fib_semantics.c
+@@ -169,7 +169,8 @@ static void free_nh_exceptions(struct fib_nh *nh)
+
+ next = rcu_dereference_protected(fnhe->fnhe_next, 1);
+
+- rt_fibinfo_free(&fnhe->fnhe_rth);
++ rt_fibinfo_free(&fnhe->fnhe_rth_input);
++ rt_fibinfo_free(&fnhe->fnhe_rth_output);
+
+ kfree(fnhe);
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 550781a..073df96 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -576,9 +576,14 @@ static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash)
+ if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp))
+ oldest = fnhe;
+ }
+- orig = rcu_dereference(oldest->fnhe_rth);
++ orig = rcu_dereference(oldest->fnhe_rth_input);
+ if (orig) {
+- RCU_INIT_POINTER(oldest->fnhe_rth, NULL);
++ RCU_INIT_POINTER(oldest->fnhe_rth_input, NULL);
++ rt_free(orig);
++ }
++ orig = rcu_dereference(oldest->fnhe_rth_output);
++ if (orig) {
++ RCU_INIT_POINTER(oldest->fnhe_rth_output, NULL);
+ rt_free(orig);
+ }
+ return oldest;
+@@ -1209,7 +1214,15 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
+ spin_lock_bh(&fnhe_lock);
+
+ if (daddr == fnhe->fnhe_daddr) {
+- struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
++ struct rtable __rcu **porig;
++ struct rtable *orig;
++
++ if (rt_is_input_route(rt))
++ porig = &fnhe->fnhe_rth_input;
++ else
++ porig = &fnhe->fnhe_rth_output;
++
++ orig = rcu_dereference(*porig);
+ if (orig && rt_is_expired(orig)) {
+ fnhe->fnhe_gw = 0;
+ fnhe->fnhe_pmtu = 0;
+@@ -1231,12 +1244,14 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
+ } else if (!rt->rt_gateway)
+ rt->rt_gateway = daddr;
+
+- rcu_assign_pointer(fnhe->fnhe_rth, rt);
+- if (orig)
+- rt_free(orig);
++ if (!(rt->dst.flags & DST_NOCACHE)) {
++ rcu_assign_pointer(*porig, rt);
++ if (orig)
++ rt_free(orig);
++ ret = true;
++ }
+
+ fnhe->fnhe_stamp = jiffies;
+- ret = true;
+ }
+ spin_unlock_bh(&fnhe_lock);
+
+@@ -1468,6 +1483,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ struct in_device *in_dev,
+ __be32 daddr, __be32 saddr, u32 tos)
+ {
++ struct fib_nh_exception *fnhe;
+ struct rtable *rth;
+ int err;
+ struct in_device *out_dev;
+@@ -1514,8 +1530,13 @@ static int __mkroute_input(struct sk_buff *skb,
+ }
+ }
+
++ fnhe = find_exception(&FIB_RES_NH(*res), daddr);
+ if (do_cache) {
+- rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
++ if (fnhe != NULL)
++ rth = rcu_dereference(fnhe->fnhe_rth_input);
++ else
++ rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
++
+ if (rt_cache_valid(rth)) {
+ skb_dst_set_noref(skb, &rth->dst);
+ goto out;
+@@ -1543,7 +1564,7 @@ static int __mkroute_input(struct sk_buff *skb,
+ rth->dst.input = ip_forward;
+ rth->dst.output = ip_output;
+
+- rt_set_nexthop(rth, daddr, res, NULL, res->fi, res->type, itag);
++ rt_set_nexthop(rth, daddr, res, fnhe, res->fi, res->type, itag);
+ skb_dst_set(skb, &rth->dst);
+ out:
+ err = 0;
+@@ -1858,7 +1879,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
+
+ fnhe = find_exception(nh, fl4->daddr);
+ if (fnhe)
+- prth = &fnhe->fnhe_rth;
++ prth = &fnhe->fnhe_rth_output;
+ else {
+ if (unlikely(fl4->flowi4_flags &
+ FLOWI_FLAG_KNOWN_NH &&
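Review bot: In the `rt_bind_exception` part of the embedded patch, `ret = true` is moved inside the new `if (!(rt->dst.flags & DST_NOCACHE))` block, so a route carrying DST_NOCACHE now makes the function return false where it previously returned true; the patch description does not mention this, and the caller that consumes the return value lies outside the hunk, so it should be confirmed that a false return is handled as "not cached" rather than as a binding failure. The `__mkroute_input` change reads `fnhe->fnhe_rth_input` and hands the result straight to `rt_cache_valid(rth)` with no NULL check, which is only safe if `rt_cache_valid()` tolerates a NULL route, as the pre-existing `nh_rth_input` path presumably already relies on. The expiry check `if (orig && rt_is_expired(orig))` now only looks at whichever of the two cached routes the current binding selects via `porig`, so the other cached copy is not examined when `fnhe_gw`/`fnhe_pmtu` are reset; whether that can leave a stale sibling in place cannot be decided from the hunk. All of the embedded functions (`fnhe_oldest`, `rt_bind_exception`, `__mkroute_input`, `__mkroute_output`) start and end outside their respective hunks.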