main/linux-grsec: add networking patches again

1472f4ff · Natanael Copa · 4bf64481 · 1472f4ff · 1472f4ff · 1472f4ff
Commit 1472f4ff authored Mar 03, 2011 by Natanael Copa
4 changed files
--- a/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
+++ b/main/linux-grsec/0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
+From cc9ff19da9bf76a2f70bcb80225a1c587c162e52 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Wed, 3 Nov 2010 04:41:38 +0000
+Subject: [PATCH] xfrm: use gre key as flow upper protocol info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The GRE Key field is intended to be used for identifying an individual
+traffic flow within a tunnel. It is useful to be able to have XFRM
+policy selector matches to have different policies for different
+GRE tunnels.
+
+Signed-off-by: Timo Teräs <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/flow.h      |    2 ++
+ include/net/xfrm.h      |    6 ++++++
+ net/ipv4/ip_gre.c       |   12 +++++++-----
+ net/ipv4/xfrm4_policy.c |   15 +++++++++++++++
+ 4 files changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/flow.h b/include/net/flow.h
+index 0ac3fb5..7196e68 100644
+--- a/include/net/flow.h
+++ b/include/net/flow.h
+@@ -67,6 +67,7 @@ struct flowi {
+ 		} dnports;
+ 
+ 		__be32		spi;
+		__be32		gre_key;
+ 
+ 		struct {
+ 			__u8	type;
+@@ -78,6 +79,7 @@ struct flowi {
+ #define fl_icmp_code	uli_u.icmpt.code
+ #define fl_ipsec_spi	uli_u.spi
+ #define fl_mh_type	uli_u.mht.type
+#define fl_gre_key	uli_u.gre_key
+ 	__u32           secid;	/* used by xfrm; see secid.txt */
+ } __attribute__((__aligned__(BITS_PER_LONG/8)));
+ 
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index bcfb6b2..54b2832 100644
+--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
+@@ -805,6 +805,9 @@ __be16 xfrm_flowi_sport(struct flowi *fl)
+ 	case IPPROTO_MH:
+ 		port = htons(fl->fl_mh_type);
+ 		break;
+	case IPPROTO_GRE:
+		port = htonl(fl->fl_gre_key) >> 16;
+		break;
+ 	default:
+ 		port = 0;	/*XXX*/
+ 	}
+@@ -826,6 +829,9 @@ __be16 xfrm_flowi_dport(struct flowi *fl)
+ 	case IPPROTO_ICMPV6:
+ 		port = htons(fl->fl_icmp_code);
+ 		break;
+	case IPPROTO_GRE:
+		port = htonl(fl->fl_gre_key) & 0xffff;
+		break;
+ 	default:
+ 		port = 0;	/*XXX*/
+ 	}
+diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
+index cab2057..aace653 100644
+--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
+@@ -779,9 +779,9 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
+ 					.tos = RT_TOS(tos)
+ 				}
+ 			},
+-			.proto = IPPROTO_GRE
+-		}
+-;
+			.proto = IPPROTO_GRE,
+			.fl_gre_key = tunnel->parms.o_key
+		};
+ 		if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
+ 			dev->stats.tx_carrier_errors++;
+ 			goto tx_error;
+@@ -958,7 +958,8 @@ static int ipgre_tunnel_bind_dev(struct net_device *dev)
+ 					.tos = RT_TOS(iph->tos)
+ 				}
+ 			},
+-			.proto = IPPROTO_GRE
+			.proto = IPPROTO_GRE,
+			.fl_gre_key = tunnel->parms.o_key
+ 		};
+ 		struct rtable *rt;
+ 
+@@ -1223,7 +1224,8 @@ static int ipgre_open(struct net_device *dev)
+ 					.tos = RT_TOS(t->parms.iph.tos)
+ 				}
+ 			},
+-			.proto = IPPROTO_GRE
+			.proto = IPPROTO_GRE,
+			.fl_gre_key = t->parms.o_key
+ 		};
+ 		struct rtable *rt;
+ 
+diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
+index dd1fd8c..4a8c533 100644
+--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
+@@ -11,6 +11,7 @@
+ #include <linux/err.h>
+ #include <linux/kernel.h>
+ #include <linux/inetdevice.h>
+#include <linux/if_tunnel.h>
+ #include <net/dst.h>
+ #include <net/xfrm.h>
+ #include <net/ip.h>
+@@ -154,6 +155,20 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
+ 				fl->fl_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
+ 			}
+ 			break;
+
+		case IPPROTO_GRE:
+			if (pskb_may_pull(skb, xprth + 12 - skb->data)) {
+				__be16 *greflags = (__be16 *)xprth;
+				__be32 *gre_hdr = (__be32 *)xprth;
+
+				if (greflags[0] & GRE_KEY) {
+					if (greflags[0] & GRE_CSUM)
+						gre_hdr++;
+					fl->fl_gre_key = gre_hdr[1];
+				}
+			}
+			break;
+
+ 		default:
+ 			fl->fl_ipsec_spi = 0;
+ 			break;
+-- 
+1.7.4.1
+
--- a/main/linux-grsec/0004-arp-flush-arp-cache-on-device-change.patch
+++ b/main/linux-grsec/0004-arp-flush-arp-cache-on-device-change.patch
+From 8a0e3ea4924059a7268446177d6869e3399adbb2 Mon Sep 17 00:00:00 2001
+From: Timo Teras <timo.teras@iki.fi>
+Date: Mon, 12 Apr 2010 13:46:45 +0000
+Subject: [PATCH 04/18] arp: flush arp cache on device change
+
+If IFF_NOARP is changed, we must flush the arp cache.
+
+Signed-off-by: Timo Teras <timo.teras@iki.fi>
+---
+ net/ipv4/arp.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
+index 4e80f33..580bfc3 100644
+--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
+@@ -1200,6 +1200,9 @@ static int arp_netdev_event(struct notifier_block *this, unsigned long event, vo
+ 		neigh_changeaddr(&arp_tbl, dev);
+ 		rt_cache_flush(dev_net(dev), 0);
+ 		break;
+	case NETDEV_CHANGE:
+		neigh_changeaddr(&arp_tbl, dev);
+		break;
+ 	default:
+ 		break;
+ 	}
+-- 
+1.7.0.2
+
--- a/main/linux-grsec/APKBUILD
+++ b/main/linux-grsec/APKBUILD
@@ -4,7 +4,7 @@ _flavor=grsec
 pkgname=linux-${_flavor}
 pkgver=2.6.37.2
 _kernver=2.6.37
-pkgrel=0
+pkgrel=1
 pkgdesc="Linux kernel with grsecurity"
 url=http://grsecurity.net
 depends="mkinitfs linux-firmware"
@@ -15,6 +15,10 @@ install=
 source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
 	ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
 	grsecurity-2.2.1-2.6.37.2-201103021740.patch
+	
+	0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
+	xfrm-fix-gre-key-endianess.patch
+	0004-arp-flush-arp-cache-on-device-change.patch

 	kernelconfig.x86
 	kernelconfig.x86_64
@@ -141,5 +145,8 @@ firmware() {
 md5sums="c8ee37b4fdccdb651e0603d35350b434  linux-2.6.37.tar.bz2
 bb5798f2a2a5af13219d1a250c4dad11  patch-2.6.37.2.bz2
 023faa02aded5827539e7ed7653dc133  grsecurity-2.2.1-2.6.37.2-201103021740.patch
+3152851c31bfa8c54660dbb84d75b38d  0001-xfrm-use-gre-key-as-flow-upper-protocol-info.patch
+ea7a7eb2775b71ae5ef24d029a4905bd  xfrm-fix-gre-key-endianess.patch
+776adeeb5272093574f8836c5037dd7d  0004-arp-flush-arp-cache-on-device-change.patch
 7825fa82fecc817d6e2dfd3bb0c52f37  kernelconfig.x86
 b72e1345ceddbe2d0d9de35e342b336d  kernelconfig.x86_64"
--- a/main/linux-grsec/xfrm-fix-gre-key-endianess.patch
+++ b/main/linux-grsec/xfrm-fix-gre-key-endianess.patch
+From aa285b1740f5b13e5a2606a927f3129954583d78 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Timo=20Ter=C3=A4s?= <timo.teras@iki.fi>
+Date: Tue, 23 Nov 2010 04:03:45 +0000
+Subject: [PATCH] xfrm: fix gre key endianess
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+fl->fl_gre_key is network byte order contrary to fl->fl_icmp_*.
+Make xfrm_flowi_{s|d}port return network byte order values for gre
+key too.
+
+Signed-off-by: Timo TerÃ¤s <timo.teras@iki.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ include/net/xfrm.h |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/xfrm.h b/include/net/xfrm.h
+index 54b2832..7fa5b00 100644
+--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
+@@ -806,7 +806,7 @@ __be16 xfrm_flowi_sport(struct flowi *fl)
+ 		port = htons(fl->fl_mh_type);
+ 		break;
+ 	case IPPROTO_GRE:
+-		port = htonl(fl->fl_gre_key) >> 16;
+		port = htons(ntohl(fl->fl_gre_key) >> 16);
+ 		break;
+ 	default:
+ 		port = 0;	/*XXX*/
+@@ -830,7 +830,7 @@ __be16 xfrm_flowi_dport(struct flowi *fl)
+ 		port = htons(fl->fl_icmp_code);
+ 		break;
+ 	case IPPROTO_GRE:
+-		port = htonl(fl->fl_gre_key) & 0xffff;
+		port = htons(ntohl(fl->fl_gre_key) & 0xffff);
+ 		break;
+ 	default:
+ 		port = 0;	/*XXX*/
+-- 
+1.7.3.2
+