diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-23 14:00:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-03 13:59:51 +0000 |
commit | 4d918a907f0cde4ac412b82ba2f9fef910490ef2 (patch) | |
tree | 17cc42fd147ca39441703a6b9332e813964a1f68 | |
parent | 9c577e498442db707d92db0b6733a4f6bff21cae (diff) | |
download | alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.tar.bz2 alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.tar.xz alpine_aports-4d918a907f0cde4ac412b82ba2f9fef910490ef2.zip |
main/linux-grsec: fix for fragmentation issue on tunnel devices
ref #1782
(cherry picked from commit d0149d1c8a6f773c34c018f6af4c6ba8177e5648)
-rw-r--r-- | main/linux-grsec/APKBUILD | 6 | ||||
-rw-r--r-- | main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | 178 |
2 files changed, 183 insertions, 1 deletions
diff --git a/main/linux-grsec/APKBUILD b/main/linux-grsec/APKBUILD index 215678fa53..c6a209d9df 100644 --- a/main/linux-grsec/APKBUILD +++ b/main/linux-grsec/APKBUILD | |||
@@ -7,7 +7,7 @@ case $pkgver in | |||
7 | *.*.*) _kernver=${pkgver%.*};; | 7 | *.*.*) _kernver=${pkgver%.*};; |
8 | *.*) _kernver=${pkgver};; | 8 | *.*) _kernver=${pkgver};; |
9 | esac | 9 | esac |
10 | pkgrel=1 | 10 | pkgrel=2 |
11 | pkgdesc="Linux kernel with grsecurity" | 11 | pkgdesc="Linux kernel with grsecurity" |
12 | url=http://grsecurity.net | 12 | url=http://grsecurity.net |
13 | depends="mkinitfs linux-firmware" | 13 | depends="mkinitfs linux-firmware" |
@@ -22,6 +22,7 @@ source="http://ftp.kernel.org/pub/linux/kernel/v3.x/linux-$_kernver.tar.xz | |||
22 | v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 22 | v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
23 | leds-leds-gpio-reserve-gpio-before-using-it.patch | 23 | leds-leds-gpio-reserve-gpio-before-using-it.patch |
24 | ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | 24 | ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch |
25 | RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | ||
25 | 26 | ||
26 | kernelconfig.x86 | 27 | kernelconfig.x86 |
27 | kernelconfig.x86_64 | 28 | kernelconfig.x86_64 |
@@ -151,6 +152,7 @@ e881cf0db639205660f237ceea58f708 grsecurity-2.9.1-3.9.3-201305201732.patch | |||
151 | 699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 152 | 699e92148cc9a55b6fc4d7d81e476717 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
152 | 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch | 153 | 83db7136608d8101ae130728539dc376 leds-leds-gpio-reserve-gpio-before-using-it.patch |
153 | ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | 154 | ac9a50bdbe91ba6e5205e83f7e734ff5 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch |
155 | 12d3647755bebcd3b114f50de2729455 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | ||
154 | fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86 | 156 | fd6fd35309c0e8c1f05cb725df958f22 kernelconfig.x86 |
155 | fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64" | 157 | fd61ff58d25155997c0d6f73e7ca7a7d kernelconfig.x86_64" |
156 | sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz | 158 | sha256sums="60bc3e64ee5dc778de2cd7cd7640abf518a4c9d4f31b8ed624e16fad53f54541 linux-3.9.tar.xz |
@@ -159,6 +161,7 @@ c1b4310085ff07200131dc841a0a22f84a7f166c3b25464e27dd2694584bc72c grsecurity-2.9 | |||
159 | 8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 161 | 8e2f41605937eecd47cefe62daefd372dbf1e63cf956ab3ced3213ac2b508ee3 v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
160 | 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch | 162 | 13676bc5610a8d03e788ac76734babd1338b023bb39559452ee54652b046e6f4 leds-leds-gpio-reserve-gpio-before-using-it.patch |
161 | ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | 163 | ab0dcb52342990ad05af5ce21acd1e95fb65cc7e76ec98e45c7ece7433bc9f23 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch |
164 | 667babfafe4dc3449cd04853f532712188af557cbac41c461cf8236c4238f5a3 RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | ||
162 | b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86 | 165 | b44c6671b344ddae1da94e6c051a0e708af8609c1f2ff40d962301ed5023c83a kernelconfig.x86 |
163 | 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64" | 166 | 7a6700a6db89f8c2c7f8cce7d77f4ddb3fcad889d72c709c2833af795ef1bc79 kernelconfig.x86_64" |
164 | sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz | 167 | sha512sums="77fa521f42380409f8ab400c26f7b00e225cb075ef40834bb263325cfdcc3e65aef8511ec2fc2b50bbf4f50e226fb5ab07d7a479aaf09162adbbf318325d0790 linux-3.9.tar.xz |
@@ -167,5 +170,6 @@ d6aa751d1fac8c4d758f9479bc6b08f70d8725c6c74b63446def044f42260a8beb1f540ae4473ec5 | |||
167 | 772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch | 170 | 772c847cd74b12ed22266042c0902d8a3cf09c897b6e1c01148dfcd2f01aed331f292e82c34bb718090dc0898e1ef364196272bff885a32378f7fbc8bfc06a9b v2-net-next-arp-flush-arp-cache-on-IFF_NOARP-change.patch |
168 | 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch | 171 | 10d2cf4fb308d1bc8cb5b9df3f9a6d7b9cef453244673bcbe66bd9b64af410a498e203d4dfa51f53461362ad981736eadc46537616b2c0514f57f4d8864c830d leds-leds-gpio-reserve-gpio-before-using-it.patch |
169 | 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch | 172 | 769291e92f2f5ae5375d98b80bf8790b089c87437f1660cf8d5e9d45d7221280b6824bcb1d2564cbe12310a88df48443c56ecc9ce5468858829088221aa80327 ipsec-xfrm-properly-handle-invalid-states-as-an-error.patch |
173 | d35c939967d5696e477e2c5181f96e9cb92e1db88477576615f36209d276e0a2a866111d43e4abe076c455e32b063d6a97d42e5bc9ca04702d78b13826bf3afb RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | ||
170 | 2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86 | 174 | 2516c47145f53cfa5624a9a8839b3590fd16a980aa4c8c48af4db025960d33abe855a5c698ee701a0d3704a96a9a3f93cd6c3cc8c9b8fdf73f230c15ad2f7611 kernelconfig.x86 |
171 | 0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64" | 175 | 0a3739e5e1fe29fcce8c686d8ac223316467a2efaaa18cb3d1abf6c7a66dc86be12c26755dff1aef6d0f5a028ce4f6dfc5664ab42b484046949f401f3b9198f9 kernelconfig.x86_64" |
diff --git a/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch new file mode 100644 index 0000000000..2310927e81 --- /dev/null +++ b/main/linux-grsec/RFC-net-ipv4-Use-next-hop-exceptions-also-for-input-routes.patch | |||
@@ -0,0 +1,178 @@ | |||
1 | From patchwork Thu May 23 13:15:46 2013 | ||
2 | Content-Type: text/plain; charset="utf-8" | ||
3 | MIME-Version: 1.0 | ||
4 | Content-Transfer-Encoding: 8bit | ||
5 | Subject: [RFC] net/ipv4: Use next hop exceptions also for input routes | ||
6 | Date: Thu, 23 May 2013 03:15:46 -0000 | ||
7 | From: =?utf-8?q?Timo_Ter=C3=A4s?= <timo.teras@iki.fi> | ||
8 | X-Patchwork-Id: 245949 | ||
9 | Message-Id: <1369314946-12692-1-git-send-email-timo.teras@iki.fi> | ||
10 | To: netdev@vger.kernel.org | ||
11 | Cc: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi> | ||
12 | |||
13 | Commit d2d68ba9 (ipv4: Cache input routes in fib_info nexthops) | ||
14 | assmued that "locally destined, and routed packets, never trigger | ||
15 | PMTU events or redirects that will be processed by us". | ||
16 | |||
17 | However, it seems that tunnel devices do trigger PMTU events in certain | ||
18 | cases. At least ip_gre, ip6_gre, sit, and ipip do use the inner flow's | ||
19 | skb_dst(skb)->ops->update_pmtu to propage mtu information from the | ||
20 | outer flows. These can cause the inner flow mtu to be decreased. If | ||
21 | next hop exceptions are not consulted for pmtu, IP fragmentation will | ||
22 | not be done properly for these routes. | ||
23 | |||
24 | It also seems that we really need to have the PMTU information always | ||
25 | for netfilter TCPMSS' clamp-to-pmtu feature to work properly. | ||
26 | |||
27 | So for the time being, cache separate copies of input routes for | ||
28 | each next hop exception. | ||
29 | |||
30 | Signed-off-by: Timo Teräs <timo.teras@iki.fi> | ||
31 | |||
32 | --- | ||
33 | I had ideas to make optimizations where pmtu information would not | ||
34 | be needed. This includes: | ||
35 | - Target devices with IFF_XMIT_DST_RELEASE set (practically all devices | ||
36 | except tunnels). If skb_dst() is early freed the target device cannot | ||
37 | generate PMTU events | ||
38 | - Add flag for input route generation if pmtu info is needed for | ||
39 | fragmentation. Basically a flag saying if DF bit was set in ip_hdr. | ||
40 | |||
41 | However, TCPMSS clamp-to-pmtu prevents both optimizations. | ||
42 | |||
43 | I'm not yet all familiar with the recent changes in routing caching, | ||
44 | so there might be caveats that I missed. Basic testing shows this fixes | ||
45 | the fragmentation issues I'm seeing, and I have not yet found any ill | ||
46 | side effects either. | ||
47 | |||
48 | include/net/ip_fib.h | 3 ++- | ||
49 | net/ipv4/fib_semantics.c | 3 ++- | ||
50 | net/ipv4/route.c | 41 +++++++++++++++++++++++++++++++---------- | ||
51 | 3 files changed, 35 insertions(+), 12 deletions(-) | ||
52 | |||
53 | diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h | ||
54 | index e49db91..20529a6 100644 | ||
55 | --- a/include/net/ip_fib.h | ||
56 | +++ b/include/net/ip_fib.h | ||
57 | @@ -55,7 +55,8 @@ struct fib_nh_exception { | ||
58 | u32 fnhe_pmtu; | ||
59 | __be32 fnhe_gw; | ||
60 | unsigned long fnhe_expires; | ||
61 | - struct rtable __rcu *fnhe_rth; | ||
62 | + struct rtable __rcu *fnhe_rth_input; | ||
63 | + struct rtable __rcu *fnhe_rth_output; | ||
64 | unsigned long fnhe_stamp; | ||
65 | }; | ||
66 | |||
67 | diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c | ||
68 | index 8f6cb7a..d5dbca5 100644 | ||
69 | --- a/net/ipv4/fib_semantics.c | ||
70 | +++ b/net/ipv4/fib_semantics.c | ||
71 | @@ -169,7 +169,8 @@ static void free_nh_exceptions(struct fib_nh *nh) | ||
72 | |||
73 | next = rcu_dereference_protected(fnhe->fnhe_next, 1); | ||
74 | |||
75 | - rt_fibinfo_free(&fnhe->fnhe_rth); | ||
76 | + rt_fibinfo_free(&fnhe->fnhe_rth_input); | ||
77 | + rt_fibinfo_free(&fnhe->fnhe_rth_output); | ||
78 | |||
79 | kfree(fnhe); | ||
80 | |||
81 | diff --git a/net/ipv4/route.c b/net/ipv4/route.c | ||
82 | index 550781a..073df96 100644 | ||
83 | --- a/net/ipv4/route.c | ||
84 | +++ b/net/ipv4/route.c | ||
85 | @@ -576,9 +576,14 @@ static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash) | ||
86 | if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) | ||
87 | oldest = fnhe; | ||
88 | } | ||
89 | - orig = rcu_dereference(oldest->fnhe_rth); | ||
90 | + orig = rcu_dereference(oldest->fnhe_rth_input); | ||
91 | if (orig) { | ||
92 | - RCU_INIT_POINTER(oldest->fnhe_rth, NULL); | ||
93 | + RCU_INIT_POINTER(oldest->fnhe_rth_input, NULL); | ||
94 | + rt_free(orig); | ||
95 | + } | ||
96 | + orig = rcu_dereference(oldest->fnhe_rth_output); | ||
97 | + if (orig) { | ||
98 | + RCU_INIT_POINTER(oldest->fnhe_rth_output, NULL); | ||
99 | rt_free(orig); | ||
100 | } | ||
101 | return oldest; | ||
102 | @@ -1209,7 +1214,15 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe, | ||
103 | spin_lock_bh(&fnhe_lock); | ||
104 | |||
105 | if (daddr == fnhe->fnhe_daddr) { | ||
106 | - struct rtable *orig = rcu_dereference(fnhe->fnhe_rth); | ||
107 | + struct rtable __rcu **porig; | ||
108 | + struct rtable *orig; | ||
109 | + | ||
110 | + if (rt_is_input_route(rt)) | ||
111 | + porig = &fnhe->fnhe_rth_input; | ||
112 | + else | ||
113 | + porig = &fnhe->fnhe_rth_output; | ||
114 | + | ||
115 | + orig = rcu_dereference(*porig); | ||
116 | if (orig && rt_is_expired(orig)) { | ||
117 | fnhe->fnhe_gw = 0; | ||
118 | fnhe->fnhe_pmtu = 0; | ||
119 | @@ -1231,12 +1244,14 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe, | ||
120 | } else if (!rt->rt_gateway) | ||
121 | rt->rt_gateway = daddr; | ||
122 | |||
123 | - rcu_assign_pointer(fnhe->fnhe_rth, rt); | ||
124 | - if (orig) | ||
125 | - rt_free(orig); | ||
126 | + if (!(rt->dst.flags & DST_NOCACHE)) { | ||
127 | + rcu_assign_pointer(*porig, rt); | ||
128 | + if (orig) | ||
129 | + rt_free(orig); | ||
130 | + ret = true; | ||
131 | + } | ||
132 | |||
133 | fnhe->fnhe_stamp = jiffies; | ||
134 | - ret = true; | ||
135 | } | ||
136 | spin_unlock_bh(&fnhe_lock); | ||
137 | |||
138 | @@ -1468,6 +1483,7 @@ static int __mkroute_input(struct sk_buff *skb, | ||
139 | struct in_device *in_dev, | ||
140 | __be32 daddr, __be32 saddr, u32 tos) | ||
141 | { | ||
142 | + struct fib_nh_exception *fnhe; | ||
143 | struct rtable *rth; | ||
144 | int err; | ||
145 | struct in_device *out_dev; | ||
146 | @@ -1514,8 +1530,13 @@ static int __mkroute_input(struct sk_buff *skb, | ||
147 | } | ||
148 | } | ||
149 | |||
150 | + fnhe = find_exception(&FIB_RES_NH(*res), daddr); | ||
151 | if (do_cache) { | ||
152 | - rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); | ||
153 | + if (fnhe != NULL) | ||
154 | + rth = rcu_dereference(fnhe->fnhe_rth_input); | ||
155 | + else | ||
156 | + rth = rcu_dereference(FIB_RES_NH(*res).nh_rth_input); | ||
157 | + | ||
158 | if (rt_cache_valid(rth)) { | ||
159 | skb_dst_set_noref(skb, &rth->dst); | ||
160 | goto out; | ||
161 | @@ -1543,7 +1564,7 @@ static int __mkroute_input(struct sk_buff *skb, | ||
162 | rth->dst.input = ip_forward; | ||
163 | rth->dst.output = ip_output; | ||
164 | |||
165 | - rt_set_nexthop(rth, daddr, res, NULL, res->fi, res->type, itag); | ||
166 | + rt_set_nexthop(rth, daddr, res, fnhe, res->fi, res->type, itag); | ||
167 | skb_dst_set(skb, &rth->dst); | ||
168 | out: | ||
169 | err = 0; | ||
170 | @@ -1858,7 +1879,7 @@ static struct rtable *__mkroute_output(const struct fib_result *res, | ||
171 | |||
172 | fnhe = find_exception(nh, fl4->daddr); | ||
173 | if (fnhe) | ||
174 | - prth = &fnhe->fnhe_rth; | ||
175 | + prth = &fnhe->fnhe_rth_output; | ||
176 | else { | ||
177 | if (unlikely(fl4->flowi4_flags & | ||
178 | FLOWI_FLAG_KNOWN_NH && | ||