main/linux-grsec: fix for fragmentation issue on tunnel devices

ref #1782 (cherry picked from commit d0149d1c8a6f773c34c018f6af4c6ba8177e5648)
author: Natanael Copa <ncopa@alpinelinux.org> 2013-05-23 14:00:13 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2013-06-03 13:59:51 +0000
commit: 4d918a907f0cde4ac412b82ba2f9fef910490ef2 (patch)
tree: 17cc42fd147ca39441703a6b9332e813964a1f68
parent: 9c577e498442db707d92db0b6733a4f6bff21cae (diff)
download: alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.tar.bz2
alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.tar.xz
alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.zip
2 files changed, 183 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD
index 215678fa53..c6a209d9df 100644
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
 *.*.*)  _kernver=${pkgver%.*};;
 *.*)    _kernver=${pkgver};;
 esac
-pkgrel=1
+pkgrel=2
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
        v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
        leds-leds-gpio-reserve-gpio-before-using-it.patch
        ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+        RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
        kernelconfig.x86
        kernelconfig.x86_64
@@ -151,6 +152,7 @@ e881cf0db639205660f237ceea58f708  grsecurity-2.9.1-3.9.3-201305201732.patch
 699e92148cc9a55b6fc4d7d81e476717  v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 83db7136608d8101ae130728539dc376  leds-leds-gpio-reserve-gpio-before-using-it.patch
 ac9a50bdbe91ba6e5205e83f7e734ff5  ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+12d3647755bebcd3b114f50de2729455  RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
 fd6fd35309c0e8c1f05cb725df958f22  kernelconfig.x86
 fd61ff58d25155997c0d6f73e7ca7a7d  kernelconfig.x86_64"
 sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541  linux-3.9.tar.xz
@@ -159,6 +161,7 @@ c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c  grsecurity-2.9
 8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3  v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4  leds-leds-gpio-reserve-gpio-before-using-it.patch
 ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23  ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+667babfafe4dc3449cd04853f532712188af557cbac41c461cf8236c4238f5a3  RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
 b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a  kernelconfig.x86
 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79  kernelconfig.x86_64"
 sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790  linux-3.9.tar.xz
@@ -167,5 +170,6 @@ d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec5
 772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b  v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d  leds-leds-gpio-reserve-gpio-before-using-it.patch
 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327  ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
+d35c939967d5696e477e2c5181f96e9cb92e1db88477576615f36209d276e0a2a866111d43e4abe076c455e32b063d6a97d42e5bc9ca04702d78b13826bf3afb  RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
 2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611  kernelconfig.x86
 0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9  kernelconfig.x86_64"
diff --git a/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
new file mode 100644
index 0000000000..2310927e81
--- /dev/null
+++ b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
@@ -0,0 +1,178 @@
+From patchwork Thu May 23 13:15:46 2013
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Subject: [RFC] net/ipv4: Use next hop exceptions also for input routes
+Date: Thu, 23 May 2013 03:15:46 -0000
+From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
+X-Patchwork-Id: 245949
+Message-Id: <1369314946-12692-1-git-send-email-timo.teras@iki.fi>
+To: netdev@vger.kernel.org
+Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Commit d2d68ba9 (ipv4: Cache input routes in fib_info nexthops)
+assmued that "locally destined, and routed packets, never trigger
+PMTU events or redirects that will be processed by us".
+However, it seems that tunnel devices do trigger PMTU events in certain
+cases. At least ip_gre, ip6_gre, sit, and ipip do use the inner flow's
+skb_dst(skb)->ops->update_pmtu to propage mtu information from the
+outer flows. These can cause the inner flow mtu to be decreased. If
+next hop exceptions are not consulted for pmtu, IP fragmentation will
+not be done properly for these routes.
+It also seems that we really need to have the PMTU information always
+for netfilter TCPMSS' clamp-to-pmtu feature to work properly.
+So for the time being, cache separate copies of input routes for
+each next hop exception.
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+---
+I had ideas to make optimizations where pmtu information would not
+be needed. This includes:
+- Target devices with IFF_XMIT_DST_RELEASE set (practically all devices
+  except tunnels). If skb_dst() is early freed the target device cannot
+  generate PMTU events
+- Add flag for input route generation if pmtu info is needed for
+  fragmentation. Basically a flag saying if DF bit was set in ip_hdr.
+However, TCPMSS clamp-to-pmtu prevents both optimizations.
+I'm not yet all familiar with the recent changes in routing caching,
+so there might be caveats that I missed. Basic testing shows this fixes
+the fragmentation issues I'm seeing, and I have not yet found any ill
+side effects either.
+ include/net/ip_fib.h     |  3 ++-
+ net/ipv4/fib_semantics.c |  3 ++-
+ net/ipv4/route.c         | 41 +++++++++++++++++++++++++++++++----------
+ 3 files changed, 35 insertions(+), 12 deletions(-)
+diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
+index e49db91..20529a6 100644
+--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
+@@ -55,7 +55,8 @@ struct fib_nh_exception {
+        u32                             fnhe_pmtu;
+        __be32                          fnhe_gw;
+        unsigned long                   fnhe_expires;
+-       struct rtable __rcu             *fnhe_rth;
+       struct rtable __rcu             *fnhe_rth_input;
+       struct rtable __rcu             *fnhe_rth_output;
+        unsigned long                   fnhe_stamp;
+ };
+ 
+diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
+index 8f6cb7a..d5dbca5 100644
+--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
+@@ -169,7 +169,8 @@ static void free_nh_exceptions(struct fib_nh *nh)
+                        
+                        next = rcu_dereference_protected(fnhe->fnhe_next, 1);
+ 
+-                       rt_fibinfo_free(&fnhe->fnhe_rth);
+                       rt_fibinfo_free(&fnhe->fnhe_rth_input);
+                       rt_fibinfo_free(&fnhe->fnhe_rth_output);
+ 
+                        kfree(fnhe);
+ 
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 550781a..073df96 100644
+--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
+@@ -576,9 +576,14 @@ static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash)
+                if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp))
+                        oldest = fnhe;
+        }
+-       orig = rcu_dereference(oldest->fnhe_rth);
+       orig = rcu_dereference(oldest->fnhe_rth_input);
+        if (orig) {
+-               RCU_INIT_POINTER(oldest->fnhe_rth, NULL);
+               RCU_INIT_POINTER(oldest->fnhe_rth_input, NULL);
+               rt_free(orig);
+       }
+       orig = rcu_dereference(oldest->fnhe_rth_output);
+       if (orig) {
+               RCU_INIT_POINTER(oldest->fnhe_rth_output, NULL);
+                rt_free(orig);
+        }
+        return oldest;
+@@ -1209,7 +1214,15 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
+        spin_lock_bh(&fnhe_lock);
+ 
+        if (daddr == fnhe->fnhe_daddr) {
+-               struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
+               struct rtable __rcu **porig;
+               struct rtable *orig;
+
+               if (rt_is_input_route(rt))
+                       porig = &fnhe->fnhe_rth_input;
+               else
+                       porig = &fnhe->fnhe_rth_output;
+
+               orig = rcu_dereference(*porig);
+                if (orig && rt_is_expired(orig)) {
+                        fnhe->fnhe_gw = 0;
+                        fnhe->fnhe_pmtu = 0;
+@@ -1231,12 +1244,14 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
+                } else if (!rt->rt_gateway)
+                        rt->rt_gateway = daddr;
+ 
+-               rcu_assign_pointer(fnhe->fnhe_rth, rt);
+-               if (orig)
+-                       rt_free(orig);
+               if (!(rt->dst.flags & DST_NOCACHE)) {
+                       rcu_assign_pointer(*porig, rt);
+                       if (orig)
+                               rt_free(orig);
+                       ret = true;
+               }
+ 
+                fnhe->fnhe_stamp = jiffies;
+-               ret = true;
+        }
+        spin_unlock_bh(&fnhe_lock);
+ 
+@@ -1468,6 +1483,7 @@ static int __mkroute_input(struct sk_buff *skb,
+                           struct in_device *in_dev,
+                           __be32 daddr, __be32 saddr, u32 tos)
+ {
+       struct fib_nh_exception *fnhe;
+        struct rtable *rth;
+        int err;
+        struct in_device *out_dev;
+@@ -1514,8 +1530,13 @@ static int __mkroute_input(struct sk_buff *skb,
+                }
+        }
+ 
+       fnhe = find_exception(&FIB_RES_NH(*res), daddr);
+        if (do_cache) {
+-               rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
+               if (fnhe != NULL)
+                       rth = rcu_dereference(fnhe->fnhe_rth_input);
+               else
+                       rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
+
+                if (rt_cache_valid(rth)) {
+                        skb_dst_set_noref(skb, &rth->dst);
+                        goto out;
+@@ -1543,7 +1564,7 @@ static int __mkroute_input(struct sk_buff *skb,
+        rth->dst.input = ip_forward;
+        rth->dst.output = ip_output;
+ 
+-       rt_set_nexthop(rth, daddr, res, NULL, res->fi, res->type, itag);
+       rt_set_nexthop(rth, daddr, res, fnhe, res->fi, res->type, itag);
+        skb_dst_set(skb, &rth->dst);
+ out:
+        err = 0;
+@@ -1858,7 +1879,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
+ 
+                fnhe = find_exception(nh, fl4->daddr);
+                if (fnhe)
+-                       prth = &fnhe->fnhe_rth;
+                       prth = &fnhe->fnhe_rth_output;
+                else {
+                        if (unlikely(fl4->flowi4_flags &
+                                     FLOWI_FLAG_KNOWN_NH &&
author	Natanael Copa <ncopa@alpinelinux.org>	2013-05-23 14:00:13 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2013-06-03 13:59:51 +0000
commit	4d918a907f0cde4ac412b82ba2f9fef910490ef2 (patch)
tree	17cc42fd147ca39441703a6b9332e813964a1f68
parent	9c577e498442db707d92db0b6733a4f6bff21cae (diff)
download	alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.tar.bz2 alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.tar.xz alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.zip

diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 215678fa53..c6a209d9df 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD
@@ -7,7 +7,7 @@ case $pkgver in
7	..) _kernver=${pkgver%.};;	7	..) _kernver=${pkgver%.};;
8	.) _kernver=${pkgver};;	8	.) _kernver=${pkgver};;
9	esac	9	esac
10	pkgrel=1	10	pkgrel=2
11	pkgdesc="Linux kernel with grsecurity"	11	pkgdesc="Linux kernel with grsecurity"
12	url=http://grsecurity.net	12	url=http://grsecurity.net
13	depends="mkinitfs linux-firmware"	13	depends="mkinitfs linux-firmware"
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz
22	v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch	22	v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
23	leds-leds-gpio-reserve-gpio-before-using-it.patch	23	leds-leds-gpio-reserve-gpio-before-using-it.patch
24	ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch	24	ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
		25	RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
25		26
26	kernelconfig.x86	27	kernelconfig.x86
27	kernelconfig.x86_64	28	kernelconfig.x86_64
@@ -151,6 +152,7 @@ e881cf0db639205660f237ceea58f708 grsecurity-2.9.1-3.9.3-201305201732.patch
151	699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch	152	699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
152	83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch	153	83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch
153	ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch	154	ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
		155	12d3647755bebcd3b114f50de2729455 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
154	fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86	156	fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86
155	fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64"	157	fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64"
156	sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz	158	sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz
@@ -159,6 +161,7 @@ c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c grsecurity-2.9
159	8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch	161	8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
160	13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch	162	13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch
161	ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch	163	ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
		164	667babfafe4dc3449cd04853f532712188af557cbac41c461cf8236c4238f5a3 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
162	b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86	165	b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86
163	7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64"	166	7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64"
164	sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz	167	sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz
@@ -167,5 +170,6 @@ d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec5
167	772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch	170	772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch
168	10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch	171	10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch
169	769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch	172	769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch
		173	d35c939967d5696e477e2c5181f96e9cb92e1db88477576615f36209d276e0a2a866111d43e4abe076c455e32b063d6a97d42e5bc9ca04702d78b13826bf3afb RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
170	2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86	174	2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86
171	0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64"	175	0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64"


diff --git a/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch new file mode 100644 index 0000000000..2310927e81 --- /dev/null +++ b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch
@@ -0,0 +1,178 @@
		1	From patchwork Thu May 23 13:15:46 2013
		2	Content-Type: text/plain; charset="utf-8"
		3	MIME-Version: 1.0
		4	Content-Transfer-Encoding: 8bit
		5	Subject: [RFC] net/ipv4: Use next hop exceptions also for input routes
		6	Date: Thu, 23 May 2013 03:15:46 -0000
		7	From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi>
		8	X-Patchwork-Id: 245949
		9	Message-Id: <1369314946-12692-1-git-send-email-timo.teras@iki.fi>
		10	To: netdev@vger.kernel.org
		11	Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
		12
		13	Commit d2d68ba9 (ipv4: Cache input routes in fib_info nexthops)
		14	assmued that "locally destined, and routed packets, never trigger
		15	PMTU events or redirects that will be processed by us".
		16
		17	However, it seems that tunnel devices do trigger PMTU events in certain
		18	cases. At least ip_gre, ip6_gre, sit, and ipip do use the inner flow's
		19	skb_dst(skb)->ops->update_pmtu to propage mtu information from the
		20	outer flows. These can cause the inner flow mtu to be decreased. If
		21	next hop exceptions are not consulted for pmtu, IP fragmentation will
		22	not be done properly for these routes.
		23
		24	It also seems that we really need to have the PMTU information always
		25	for netfilter TCPMSS' clamp-to-pmtu feature to work properly.
		26
		27	So for the time being, cache separate copies of input routes for
		28	each next hop exception.
		29
		30	Signed-off-by: Timo Teräs <timo.teras@iki.fi>
		31
		32	---
		33	I had ideas to make optimizations where pmtu information would not
		34	be needed. This includes:
		35	- Target devices with IFF_XMIT_DST_RELEASE set (practically all devices
		36	except tunnels). If skb_dst() is early freed the target device cannot
		37	generate PMTU events
		38	- Add flag for input route generation if pmtu info is needed for
		39	fragmentation. Basically a flag saying if DF bit was set in ip_hdr.
		40
		41	However, TCPMSS clamp-to-pmtu prevents both optimizations.
		42
		43	I'm not yet all familiar with the recent changes in routing caching,
		44	so there might be caveats that I missed. Basic testing shows this fixes
		45	the fragmentation issues I'm seeing, and I have not yet found any ill
		46	side effects either.
		47
		48	include/net/ip_fib.h \| 3 ++-
		49	net/ipv4/fib_semantics.c \| 3 ++-
		50	net/ipv4/route.c \| 41 +++++++++++++++++++++++++++++++----------
		51	3 files changed, 35 insertions(+), 12 deletions(-)
		52
		53	diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
		54	index e49db91..20529a6 100644
		55	--- a/include/net/ip_fib.h
		56	+++ b/include/net/ip_fib.h
		57	@@ -55,7 +55,8 @@ struct fib_nh_exception {
		58	u32 fnhe_pmtu;
		59	__be32 fnhe_gw;
		60	unsigned long fnhe_expires;
		61	- struct rtable __rcu *fnhe_rth;
		62	+ struct rtable __rcu *fnhe_rth_input;
		63	+ struct rtable __rcu *fnhe_rth_output;
		64	unsigned long fnhe_stamp;
		65	};
		66
		67	diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
		68	index 8f6cb7a..d5dbca5 100644
		69	--- a/net/ipv4/fib_semantics.c
		70	+++ b/net/ipv4/fib_semantics.c
		71	@@ -169,7 +169,8 @@ static void free_nh_exceptions(struct fib_nh *nh)
		72
		73	next = rcu_dereference_protected(fnhe->fnhe_next, 1);
		74
		75	- rt_fibinfo_free(&fnhe->fnhe_rth);
		76	+ rt_fibinfo_free(&fnhe->fnhe_rth_input);
		77	+ rt_fibinfo_free(&fnhe->fnhe_rth_output);
		78
		79	kfree(fnhe);
		80
		81	diff --git a/net/ipv4/route.c b/net/ipv4/route.c
		82	index 550781a..073df96 100644
		83	--- a/net/ipv4/route.c
		84	+++ b/net/ipv4/route.c
		85	@@ -576,9 +576,14 @@ static struct fib_nh_exception fnhe_oldest(struct fnhe_hash_bucket hash)
		86	if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp))
		87	oldest = fnhe;
		88	}
		89	- orig = rcu_dereference(oldest->fnhe_rth);
		90	+ orig = rcu_dereference(oldest->fnhe_rth_input);
		91	if (orig) {
		92	- RCU_INIT_POINTER(oldest->fnhe_rth, NULL);
		93	+ RCU_INIT_POINTER(oldest->fnhe_rth_input, NULL);
		94	+ rt_free(orig);
		95	+ }
		96	+ orig = rcu_dereference(oldest->fnhe_rth_output);
		97	+ if (orig) {
		98	+ RCU_INIT_POINTER(oldest->fnhe_rth_output, NULL);
		99	rt_free(orig);
		100	}
		101	return oldest;
		102	@@ -1209,7 +1214,15 @@ static bool rt_bind_exception(struct rtable rt, struct fib_nh_exception fnhe,
		103	spin_lock_bh(&fnhe_lock);
		104
		105	if (daddr == fnhe->fnhe_daddr) {
		106	- struct rtable *orig = rcu_dereference(fnhe->fnhe_rth);
		107	+ struct rtable __rcu **porig;
		108	+ struct rtable *orig;
		109	+
		110	+ if (rt_is_input_route(rt))
		111	+ porig = &fnhe->fnhe_rth_input;
		112	+ else
		113	+ porig = &fnhe->fnhe_rth_output;
		114	+
		115	+ orig = rcu_dereference(*porig);
		116	if (orig && rt_is_expired(orig)) {
		117	fnhe->fnhe_gw = 0;
		118	fnhe->fnhe_pmtu = 0;
		119	@@ -1231,12 +1244,14 @@ static bool rt_bind_exception(struct rtable rt, struct fib_nh_exception fnhe,
		120	} else if (!rt->rt_gateway)
		121	rt->rt_gateway = daddr;
		122
		123	- rcu_assign_pointer(fnhe->fnhe_rth, rt);
		124	- if (orig)
		125	- rt_free(orig);
		126	+ if (!(rt->dst.flags & DST_NOCACHE)) {
		127	+ rcu_assign_pointer(*porig, rt);
		128	+ if (orig)
		129	+ rt_free(orig);
		130	+ ret = true;
		131	+ }
		132
		133	fnhe->fnhe_stamp = jiffies;
		134	- ret = true;
		135	}
		136	spin_unlock_bh(&fnhe_lock);
		137
		138	@@ -1468,6 +1483,7 @@ static int __mkroute_input(struct sk_buff *skb,
		139	struct in_device *in_dev,
		140	__be32 daddr, __be32 saddr, u32 tos)
		141	{
		142	+ struct fib_nh_exception *fnhe;
		143	struct rtable *rth;
		144	int err;
		145	struct in_device *out_dev;
		146	@@ -1514,8 +1530,13 @@ static int __mkroute_input(struct sk_buff *skb,
		147	}
		148	}
		149
		150	+ fnhe = find_exception(&FIB_RES_NH(*res), daddr);
		151	if (do_cache) {
		152	- rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
		153	+ if (fnhe != NULL)
		154	+ rth = rcu_dereference(fnhe->fnhe_rth_input);
		155	+ else
		156	+ rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input);
		157	+
		158	if (rt_cache_valid(rth)) {
		159	skb_dst_set_noref(skb, &rth->dst);
		160	goto out;
		161	@@ -1543,7 +1564,7 @@ static int __mkroute_input(struct sk_buff *skb,
		162	rth->dst.input = ip_forward;
		163	rth->dst.output = ip_output;
		164
		165	- rt_set_nexthop(rth, daddr, res, NULL, res->fi, res->type, itag);
		166	+ rt_set_nexthop(rth, daddr, res, fnhe, res->fi, res->type, itag);
		167	skb_dst_set(skb, &rth->dst);
		168	out:
		169	err = 0;
		170	@@ -1858,7 +1879,7 @@ static struct rtable __mkroute_output(const struct fib_result res,
		171
		172	fnhe = find_exception(nh, fl4->daddr);
		173	if (fnhe)
		174	- prth = &fnhe->fnhe_rth;
		175	+ prth = &fnhe->fnhe_rth_output;
		176	else {
		177	if (unlikely(fl4->flowi4_flags &
		178	FLOWI_FLAG_KNOWN_NH &&