Commit e0bb2631 authored by Natanael Copa's avatar Natanael Copa

core/linux-grsec-sources: upgrade to 2.6.28.5

parent 89a4e424
From: Timo Teras <timo.teras@iki.fi>
Date: Tue, 20 Jan 2009 01:22:12 +0000 (-0800)
Subject: gre: strict physical device binding
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-next-2.6.git;a=commitdiff_plain;h=749c10f931923451a4c59b4435d182aa9ae27a4f;hp=57a574993d94671b495cdbe8aeb78b745abfe14f
gre: strict physical device binding
Check the device on receive path and allow otherwise identical devices
as long as the physical device differs.
This is useful for NBMA tunnels, where you want to use different gre IP
for each public IP available via different physical devices.
Signed-off-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 0101521..4a43739 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -164,67 +164,113 @@ static DEFINE_RWLOCK(ipgre_lock);
/* Given src, dst and key, find appropriate for input tunnel. */
-static struct ip_tunnel * ipgre_tunnel_lookup(struct net *net,
+static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
__be32 remote, __be32 local,
__be32 key, __be16 gre_proto)
{
+ struct net *net = dev_net(dev);
+ int link = dev->ifindex;
unsigned h0 = HASH(remote);
unsigned h1 = HASH(key);
- struct ip_tunnel *t;
- struct ip_tunnel *t2 = NULL;
+ struct ip_tunnel *t, *sel[4] = { NULL, NULL, NULL, NULL };
struct ipgre_net *ign = net_generic(net, ipgre_net_id);
int dev_type = (gre_proto == htons(ETH_P_TEB)) ?
ARPHRD_ETHER : ARPHRD_IPGRE;
+ int idx;
for (t = ign->tunnels_r_l[h0^h1]; t; t = t->next) {
- if (local == t->parms.iph.saddr && remote == t->parms.iph.daddr) {
- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
- if (t->dev->type == dev_type)
- return t;
- if (t->dev->type == ARPHRD_IPGRE && !t2)
- t2 = t;
- }
- }
+ if (local != t->parms.iph.saddr ||
+ remote != t->parms.iph.daddr ||
+ key != t->parms.i_key ||
+ !(t->dev->flags & IFF_UP))
+ continue;
+
+ if (t->dev->type != ARPHRD_IPGRE &&
+ t->dev->type != dev_type)
+ continue;
+
+ idx = 0;
+ if (t->parms.link != link)
+ idx |= 1;
+ if (t->dev->type != dev_type)
+ idx |= 2;
+ if (idx == 0)
+ return t;
+ if (sel[idx] == NULL)
+ sel[idx] = t;
}
for (t = ign->tunnels_r[h0^h1]; t; t = t->next) {
- if (remote == t->parms.iph.daddr) {
- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
- if (t->dev->type == dev_type)
- return t;
- if (t->dev->type == ARPHRD_IPGRE && !t2)
- t2 = t;
- }
- }
+ if (remote != t->parms.iph.daddr ||
+ key != t->parms.i_key ||
+ !(t->dev->flags & IFF_UP))
+ continue;
+
+ if (t->dev->type != ARPHRD_IPGRE &&
+ t->dev->type != dev_type)
+ continue;
+
+ idx = 0;
+ if (t->parms.link != link)
+ idx |= 1;
+ if (t->dev->type != dev_type)
+ idx |= 2;
+ if (idx == 0)
+ return t;
+ if (sel[idx] == NULL)
+ sel[idx] = t;
}
for (t = ign->tunnels_l[h1]; t; t = t->next) {
- if (local == t->parms.iph.saddr ||
- (local == t->parms.iph.daddr &&
- ipv4_is_multicast(local))) {
- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
- if (t->dev->type == dev_type)
- return t;
- if (t->dev->type == ARPHRD_IPGRE && !t2)
- t2 = t;
- }
- }
+ if ((local != t->parms.iph.saddr &&
+ (local != t->parms.iph.daddr ||
+ !ipv4_is_multicast(local))) ||
+ key != t->parms.i_key ||
+ !(t->dev->flags & IFF_UP))
+ continue;
+
+ if (t->dev->type != ARPHRD_IPGRE &&
+ t->dev->type != dev_type)
+ continue;
+
+ idx = 0;
+ if (t->parms.link != link)
+ idx |= 1;
+ if (t->dev->type != dev_type)
+ idx |= 2;
+ if (idx == 0)
+ return t;
+ if (sel[idx] == NULL)
+ sel[idx] = t;
}
for (t = ign->tunnels_wc[h1]; t; t = t->next) {
- if (t->parms.i_key == key && t->dev->flags & IFF_UP) {
- if (t->dev->type == dev_type)
- return t;
- if (t->dev->type == ARPHRD_IPGRE && !t2)
- t2 = t;
- }
+ if (t->parms.i_key != key ||
+ !(t->dev->flags & IFF_UP))
+ continue;
+
+ if (t->dev->type != ARPHRD_IPGRE &&
+ t->dev->type != dev_type)
+ continue;
+
+ idx = 0;
+ if (t->parms.link != link)
+ idx |= 1;
+ if (t->dev->type != dev_type)
+ idx |= 2;
+ if (idx == 0)
+ return t;
+ if (sel[idx] == NULL)
+ sel[idx] = t;
}
- if (t2)
- return t2;
+ for (idx = 1; idx < ARRAY_SIZE(sel); idx++)
+ if (sel[idx] != NULL)
+ return sel[idx];
- if (ign->fb_tunnel_dev->flags&IFF_UP)
+ if (ign->fb_tunnel_dev->flags & IFF_UP)
return netdev_priv(ign->fb_tunnel_dev);
+
return NULL;
}
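Review bot: Despite the "strict" in the subject, a mismatch between `t->parms.link` and the receiving `dev->ifindex` only sets bit 0 of `idx`, and the final `for (idx = 1; idx < ARRAY_SIZE(sel); idx++)` loop still returns that tunnel when no exact match exists. A tunnel bound to one physical device can therefore still accept GRE packets that arrived on another, so the binding is a preference and should not be relied on as an ingress filter. A tunnel with no binding appears to be scored exactly like one bound to a different device (assuming unbound means `parms.link == 0`, which this hunk does not show). I would document this above the function, for example `/* link and type mismatches only lower priority; the best remaining candidate is still returned */`.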
@@ -284,6 +330,7 @@ static struct ip_tunnel *ipgre_tunnel_find(struct net *net,
__be32 remote = parms->iph.daddr;
__be32 local = parms->iph.saddr;
__be32 key = parms->i_key;
+ int link = parms->link;
struct ip_tunnel *t, **tp;
struct ipgre_net *ign = net_generic(net, ipgre_net_id);
@@ -291,6 +338,7 @@ static struct ip_tunnel *ipgre_tunnel_find(struct net *net,
if (local == t->parms.iph.saddr &&
remote == t->parms.iph.daddr &&
key == t->parms.i_key &&
+ link == t->parms.link &&
type == t->dev->type)
break;
@@ -421,7 +469,7 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
}
read_lock(&ipgre_lock);
- t = ipgre_tunnel_lookup(dev_net(skb->dev), iph->daddr, iph->saddr,
+ t = ipgre_tunnel_lookup(skb->dev, iph->daddr, iph->saddr,
flags & GRE_KEY ?
*(((__be32 *)p) + (grehlen / 4) - 1) : 0,
p[1]);
@@ -518,7 +566,7 @@ static int ipgre_rcv(struct sk_buff *skb)
gre_proto = *(__be16 *)(h + 2);
read_lock(&ipgre_lock);
- if ((tunnel = ipgre_tunnel_lookup(dev_net(skb->dev),
+ if ((tunnel = ipgre_tunnel_lookup(skb->dev,
iph->saddr, iph->daddr, key,
gre_proto))) {
struct net_device_stats *stats = &tunnel->dev->stats;
From: Timo Teras <timo.teras@iki.fi>
Date: Tue, 27 Jan 2009 04:56:10 +0000 (-0800)
Subject: gre: optimize hash lookup
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-next-2.6.git;a=commitdiff_plain;h=afcf12422ec8236dc8b9238fef7a475876eea8da;hp=3eacdf58c2c0b9507afedfc19108e98b992c31e4
gre: optimize hash lookup
Instead of keeping candidate tunnel device from all categories,
keep only one candidate with best score. This optimizes stack
usage and speeds up exit code.
Signed-off-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 4a43739..07a188a 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -172,11 +172,11 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
int link = dev->ifindex;
unsigned h0 = HASH(remote);
unsigned h1 = HASH(key);
- struct ip_tunnel *t, *sel[4] = { NULL, NULL, NULL, NULL };
+ struct ip_tunnel *t, *cand = NULL;
struct ipgre_net *ign = net_generic(net, ipgre_net_id);
int dev_type = (gre_proto == htons(ETH_P_TEB)) ?
ARPHRD_ETHER : ARPHRD_IPGRE;
- int idx;
+ int score, cand_score = 4;
for (t = ign->tunnels_r_l[h0^h1]; t; t = t->next) {
if (local != t->parms.iph.saddr ||
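Review bot: `cand_score = 4` is an unexplained sentinel; it works only because the two mismatch bits set later in the function give scores 0..3, so 4 means "no candidate yet". If a third criterion is ever added to the score, this initialiser silently stops admitting the worst candidates. I would add a comment on the declaration, for example `/* score: bit 0 = link mismatch, bit 1 = type mismatch; 4 = no candidate yet */`. The function body continues outside this hunk.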
@@ -189,15 +189,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
t->dev->type != dev_type)
continue;
- idx = 0;
+ score = 0;
if (t->parms.link != link)
- idx |= 1;
+ score |= 1;
if (t->dev->type != dev_type)
- idx |= 2;
- if (idx == 0)
+ score |= 2;
+ if (score == 0)
return t;
- if (sel[idx] == NULL)
- sel[idx] = t;
+
+ if (score < cand_score) {
+ cand = t;
+ cand_score = score;
+ }
}
for (t = ign->tunnels_r[h0^h1]; t; t = t->next) {
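Review bot: The scoring block in this hunk is repeated verbatim in the hunks for `tunnels_r`, `tunnels_l` and `tunnels_wc`, so any later change to the matching policy has to be made identically in four places. A small static helper that computes the score would keep the link and type policy in one spot, leaving each loop with only its address filter and the candidate update. The enclosing function starts and ends outside this hunk; if the patch is meant to track upstream unchanged, this is better raised there than carried as a local delta.

```c
/* 0 = exact match; bit 0: tunnel bound to another link; bit 1: device type differs */
static inline int ipgre_match_score(const struct ip_tunnel *t, int link,
				    int dev_type)
{
	int score = 0;

	if (t->parms.link != link)
		score |= 1;
	if (t->dev->type != dev_type)
		score |= 2;
	return score;
}

/* … unchanged: address, key and IFF_UP filtering at the top of each loop … */
		score = ipgre_match_score(t, link, dev_type);
		if (score == 0)
			return t;
/* … unchanged: cand / cand_score update … */
```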
@@ -210,15 +213,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
t->dev->type != dev_type)
continue;
- idx = 0;
+ score = 0;
if (t->parms.link != link)
- idx |= 1;
+ score |= 1;
if (t->dev->type != dev_type)
- idx |= 2;
- if (idx == 0)
+ score |= 2;
+ if (score == 0)
return t;
- if (sel[idx] == NULL)
- sel[idx] = t;
+
+ if (score < cand_score) {
+ cand = t;
+ cand_score = score;
+ }
}
for (t = ign->tunnels_l[h1]; t; t = t->next) {
@@ -233,15 +239,18 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
t->dev->type != dev_type)
continue;
- idx = 0;
+ score = 0;
if (t->parms.link != link)
- idx |= 1;
+ score |= 1;
if (t->dev->type != dev_type)
- idx |= 2;
- if (idx == 0)
+ score |= 2;
+ if (score == 0)
return t;
- if (sel[idx] == NULL)
- sel[idx] = t;
+
+ if (score < cand_score) {
+ cand = t;
+ cand_score = score;
+ }
}
for (t = ign->tunnels_wc[h1]; t; t = t->next) {
@@ -253,20 +262,22 @@ static struct ip_tunnel * ipgre_tunnel_lookup(struct net_device *dev,
t->dev->type != dev_type)
continue;
- idx = 0;
+ score = 0;
if (t->parms.link != link)
- idx |= 1;
+ score |= 1;
if (t->dev->type != dev_type)
- idx |= 2;
- if (idx == 0)
+ score |= 2;
+ if (score == 0)
return t;
- if (sel[idx] == NULL)
- sel[idx] = t;
+
+ if (score < cand_score) {
+ cand = t;
+ cand_score = score;
+ }
}
- for (idx = 1; idx < ARRAY_SIZE(sel); idx++)
- if (sel[idx] != NULL)
- return sel[idx];
+ if (cand != NULL)
+ return cand;
if (ign->fb_tunnel_dev->flags & IFF_UP)
return netdev_priv(ign->fb_tunnel_dev);
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
_suff=grsec
pkgname=linux-$_suff-sources
pkgver=2.6.26.8
pkgver=2.6.28.5
pkgdesc="Linux kernel sources with grsecurity patch"
_kernver=2.6.26
_grsecver=2.1.12-2.6.26.6-200810131006
_kernver=2.6.28
_grsecver=2.1.12-$_kernver.5-200902121552
pkgrel=2
options="!strip"
license=GPL-2
......@@ -12,7 +12,8 @@ url=http://kernel.org
source="ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-$_kernver.tar.bz2
ftp://ftp.kernel.org/pub/linux/kernel/v2.6/patch-$pkgver.bz2
http://www.grsecurity.net/test/grsecurity-$_grsecver.patch
linux-2.6.26.8-ipgre-strict-binding.diff
0001-linux-2.6.28.5-ipgre-strict-binding.patch
0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch
"
build() {
......@@ -21,15 +22,18 @@ build() {
bunzip2 -c < ../patch-$pkgver.bz2 | patch -p1 || return 1
fi
patch -p1 < ../grsecurity-$_grsecver.patch || return 1
patch -p1 < ../linux-2.6.26.8-ipgre-strict-binding.diff || return 1
for i in ../*.patch; do
msg "Applying $i..."
patch -p1 < $i || return 1
done
mkdir -p "$pkgdir/usr/src"
cd "$srcdir"
mv "linux-$_kernver" "$pkgdir/usr/src/linux-$pkgver-$_suff"
}
md5sums="5169d01c405bc3f866c59338e217968c linux-2.6.26.tar.bz2
e27c07bb82e02532e874758980141281 patch-2.6.26.8.bz2
5398417243c0abbcd8d94f5e52eff4bc grsecurity-2.1.12-2.6.26.6-200810131006.patch
b83b352e8718c5c60accfb562482727f linux-2.6.26.8-ipgre-strict-binding.diff"
md5sums="d351e44709c9810b85e29b877f50968a linux-2.6.28.tar.bz2
7a062fcdec46cec78c3fedbf558e334b patch-2.6.28.5.bz2
0ff9cf5f9c43797d30a0c90feea94e1e grsecurity-2.1.12-2.6.28.5-200902121552.patch
7673b4521283ad41434a18ca18b16ad8 0001-linux-2.6.28.5-ipgre-strict-binding.patch
8f405c738b150c532c46eaad5390cca2 0002-linux-2.6.28.5-ipgre-optimize-hash-lookup.patch"
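Review bot: The new loop `for i in ../*.patch` applies every file matching the glob rather than the two patches named in `source`. `../grsecurity-$_grsecver.patch`, already applied on the line above the loop, matches the glob too, so it would be applied a second time and `|| return 1` would likely abort the build. The glob also means any stray `.patch` file in that directory, not covered by `md5sums`, gets applied to the kernel tree. Narrowing the loop to the numbered series and quoting the variable avoids both: `for i in ../[0-9]*-linux-$pkgver-*.patch; do` with `patch -p1 < "$i" || return 1`. Separately, the sources are fetched over plain FTP/HTTP and the only integrity check visible here is MD5, which is weak against a deliberately substituted file.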