rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Actually fix ipsec encapsulation problems (rhbz 1458222 1458499)

This commit is contained in:
Laura Abbott 2017-06-05 08:51:55 -07:00
parent c4db36809d
commit abd2ac6003
2 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
actual_udpencap_fix.patch Normal file
View File

@ -0,0 +1,45 @@
From: Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH] esp4: Fix udpencap for local TCP packets.
Locally generated TCP packets are usually cloned, so we
do skb_cow_data() on this packets. After that we need to
reload the pointer to the esp header. On udpencap this
header has an offset to skb_transport_header, so take this
offset into account.
Fixes: commit cac2661c53f ("esp4: Avoid skb_cow_data whenever possible")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv4/esp4.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index b1e2444..ab71fbb 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -223,6 +223,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
int extralen;
int tailen;
__be64 seqno;
+ int esp_offset = 0;
__u8 proto = *skb_mac_header(skb);
/* skb is pure payload to encrypt */
@@ -288,6 +289,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
break;
}
+ esp_offset = (unsigned char *)esph - (unsigned char *)uh;
+
*skb_mac_header(skb) = IPPROTO_UDP;
}
@@ -397,7 +400,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
goto error;
nfrags = err;
tail = skb_tail_pointer(trailer);
- esph = ip_esp_hdr(skb);
+ esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);
skip_cow:
esp_output_fill_trailer(tail, tfclen, plen, proto);

7
kernel.spec
View File

@ -642,6 +642,10 @@ Patch676: 2-2-nvme-Quirk-APST-on-Intel-600P-P3100-devices.patch
# Networking fix reported on bodhi
Patch678: net-v2-ip6_tunnel-ip6_gre-fix-setting-of-DSCP-on-encapsulated-packets.patch
# rhbz 1458222 1458499
# As linked from http://marc.info/?l=linux-netdev&m=149336766030175&w=2
Patch679: actual_udpencap_fix.patch
# END OF PATCH DEFINITIONS
%endif
@ -2206,6 +2210,9 @@ fi
#
#
%changelog
* Mon Jun 05 2017 Laura Abbott <labbott@fedoraproject.org>
- Actually fix ipsec encapsulation problems (rhbz 1458222 1458499)
* Fri Jun 02 2017 Laura Abbott <labbott@fedoraproject.org>
- Turn CONFIG_GPIO_SYSFS back on