authorNatanael Copa <ncopa@alpinelinux.org>2010-04-14 08:44:44 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2010-04-14 08:58:15 +0000
commitb1b9aa2787e3f40f38fbf6a258fcbd2b0a19478a (patch)
treeefa0776b35b7162bc46edd6f2ddc7b1de9903789 /main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch
parent83243e0df7783ac6c6a43488abac52db5d8f4371 (diff)
main/linux-grsec: ipsec improvement patches
backport of net-next to improve ipsec send performance
Diffstat (limited to 'main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch')
-rw-r--r--main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch b/main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch
new file mode 100644
index 00000000..36a0ae44
--- /dev/null
+++ b/main/linux-grsec/0002-gre-fix-hard-header-destination-address-checking.patch
@@ -0,0 +1,44 @@
+From 9082391046940c410eac3bad065c8701998b5cab Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Wed, 3 Mar 2010 04:01:13 +0000
+Subject: [PATCH 02/18] gre: fix hard header destination address checking
+
+ipgre_header() can be called with zero daddr when the gre device is
+configured as multipoint tunnel and still has the NOARP flag set (which is
+typically cleared by the userspace arp daemon). If the NOARP packets are
+not dropped, ipgre_tunnel_xmit() will take rt->rt_gateway (= NBMA IP) and
+use that for route look up (and may lead to bogus xfrm acquires).
+
+The multicast address check is removed as sending to multicast group should
+be ok. In fact, if gre device has a multicast address as destination
+ipgre_header is always called with multicast address.
+
+Signed-off-by: Timo Teras <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+(cherry picked from commit 6d55cb91a0020ac0d78edcad61efd6c8cf5785a3)
+---
+ net/ipv4/ip_gre.c | 7 ++-----
+ 1 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index 1433338..ac88ce5 100644
+--- a/net/ipv4/ip_gre.c
++++ b/net/ipv4/ip_gre.c
+@@ -1137,12 +1137,9 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
+
+ if (saddr)
+ memcpy(&iph->saddr, saddr, 4);
+-
+- if (daddr) {
++ if (daddr)
+ memcpy(&iph->daddr, daddr, 4);
+- return t->hlen;
+- }
+- if (iph->daddr && !ipv4_is_multicast(iph->daddr))
++ if (iph->daddr)
+ return t->hlen;
+
+ return -t->hlen;
+--
+1.7.0.2
+
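Review bot: The new `if (iph->daddr)` test in ipgre_header() carries the whole fix, but the code does not say why a zero destination must yield `-t->hlen`; the reason exists only in the patch description. A comment above the test would keep that next to the code, for example `/* zero daddr (NOARP multipoint): report header incomplete so the packet is not routed via rt_gateway */`. The two `memcpy(..., 4)` calls would read more safely as `sizeof(iph->daddr)` and `sizeof(iph->saddr)` rather than a literal length. With the `ipv4_is_multicast()` test removed, a multicast `iph->daddr` now returns `t->hlen`; the description says this is intended, but it is presumably worth confirming on a multipoint tunnel with IPsec policy that group destinations do not cause unwanted xfrm acquires. The body of ipgre_header() starts and ends outside the hunk.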