From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org
Subject: nf_nat 06/06: use secure_ipv4_port_ephemeral() for NAT port randomization
Date: Mon, 18 Aug 2008 18:51:56 +0200 (MEST)
Message-ID: <20080818165155.18978.32057.sendpatchset@localhost.localdomain>
In-Reply-To: <20080818165147.18978.92208.sendpatchset@localhost.localdomain>

nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization

Use incoming network tuple as seed for NAT port randomization.
This avoids concerns of leaking net_random() bits, and also gives better
port distribution. Don't have NAT server, compile tested only.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

[ added missing EXPORT_SYMBOL_GPL ]

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 288787c6d3d50245d718537142800762d7ff1181
tree da622065f39a1adeb8323ab2549f8638adaffbd6
parent be6e3721aa813e40f20d84d7925f9cf5cd8eef2d
author Stephen Hemminger <shemminger@vyatta.com> Mon, 18 Aug 2008 18:35:09 +0200
committer Patrick McHardy <kaber@trash.net> Mon, 18 Aug 2008 18:35:09 +0200

 drivers/char/random.c                    |    1 +
 net/ipv4/netfilter/nf_nat_proto_common.c |    8 ++++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/char/random.c b/drivers/char/random.c
index e0d0e37..1838aa3 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1571,6 +1571,7 @@ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
 
 	return half_md4_transform(hash, keyptr->secret);
 }
+EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
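Review bot: the export is the right minimal change here, since nf_nat_proto_common.c below now calls secure_ipv4_port_ephemeral() and nf_nat can be built as a module, and EXPORT_SYMBOL_GPL rather than EXPORT_SYMBOL is appropriate for a helper whose output is keyed by keyptr->secret. Only the IPv4 helper is exported in this hunk; if secure_ipv6_port_ephemeral() just below is likewise unexported, a future IPv6 NAT caller will need the same line. The bracketed "[ added missing EXPORT_SYMBOL_GPL ]" in the changelog covers the IPv4 side.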
diff --git a/net/ipv4/netfilter/nf_nat_proto_common.c b/net/ipv4/netfilter/nf_nat_proto_common.c
index 91537f1..6c4f11f 100644
--- a/net/ipv4/netfilter/nf_nat_proto_common.c
+++ b/net/ipv4/netfilter/nf_nat_proto_common.c
@@ -73,9 +73,13 @@ bool nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 		range_size = ntohs(range->max.all) - min + 1;
 	}
 
-	off = *rover;
 	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
-		off = net_random();
+		off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip,
+						 maniptype == IP_NAT_MANIP_SRC
+						 ? tuple->dst.u.all
+						 : tuple->src.u.all);
+	else
+		off = *rover;
 
 	for (i = 0; i < range_size; i++, off++) {
 		*portptr = htons(min + off % range_size);
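Review bot: in the IP_NAT_RANGE_PROTO_RANDOM branch the third hash argument is tuple->dst.u.all for IP_NAT_MANIP_SRC and tuple->src.u.all for IP_NAT_MANIP_DST, so the port that actually varies between connections of one host pair (the original source port, for SNAT) is never mixed in. Two connections from the same client to the same server:port therefore start from the same off, and the unchanged probe in `for (i = 0; i < range_size; i++, off++)` hands the second one the next port up, so once an observer learns one mapped port the following ones from that client are sequential. If per-connection unpredictability is the goal, feed both tuple->src.u.all and tuple->dst.u.all into the hash, or at least state in the changelog that the randomization is per address pair rather than per connection. The restructured `else off = *rover;` keeps the existing non-random behaviour, so no concern there.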

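The selection loop as it reads after this patch, as an added user-space model (not kernel code and not part of this series): it keeps the hashed start offset, the linear `off++` probe and the SNAT/DNAT argument choice from the hunk, but substitutes a simple keyed FNV hash (model_port_hash) for secure_ipv4_port_ephemeral() and a flat array for the conntrack table. All addresses, ports and the secret are constructed. It shows the consequence of hashing only one of the two original ports: two flows from one client to one server:port land on consecutive NAT ports, and it exercises the range-exhausted path that returns 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added user-space model of the patched nf_nat_proto_unique_tuple() port
 * selection; not kernel code. model_port_hash() stands in for
 * secure_ipv4_port_ephemeral(), a flat array for the conntrack table, and
 * every address, port and secret below is constructed. */

enum manip { MANIP_SRC, MANIP_DST };            /* IP_NAT_MANIP_SRC / _DST */
struct tuple { uint32_t sip, dip; uint16_t sport, dport; };

/* Stand-in keyed hash: 64-bit FNV-1a over secret||saddr||daddr||dport.
 * Assumption: any keyed PRF shows the same structural behaviour. */
static uint32_t model_port_hash(uint32_t secret, uint32_t saddr,
                                uint32_t daddr, uint16_t dport)
{
    uint8_t buf[14];
    uint64_t h = 1469598103934665603ULL;
    memcpy(buf, &secret, 4);      memcpy(buf + 4, &saddr, 4);
    memcpy(buf + 8, &daddr, 4);   memcpy(buf + 12, &dport, 2);
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return (uint32_t)(h ^ (h >> 32));
}

/* Ports already handed out; the kernel asks nf_nat_used_tuple() instead. */
#define MAX_USED 64
struct used_table { uint16_t port[MAX_USED]; size_t n; };

static bool port_in_use(const struct used_table *t, uint16_t port)
{
    for (size_t i = 0; i < t->n; i++)
        if (t->port[i] == port) return true;
    return false;
}

/* The loop as it reads after the patch: hashed start offset when 'randomize'
 * (IP_NAT_RANGE_PROTO_RANDOM) is set, the rover otherwise, then a linear
 * probe (off++) until a free port turns up. Returns 0 if [min, max] is full. */
static uint16_t pick_port(const struct tuple *tp, enum manip mt, bool randomize,
                          uint32_t secret, uint16_t min, uint16_t max,
                          unsigned int *rover, struct used_table *used)
{
    unsigned int range_size = (unsigned int)max - min + 1;
    unsigned int off;
    if (randomize)
        /* Same argument choice as the hunk: original dport for SNAT,
         * original sport for DNAT. The other port is never mixed in. */
        off = model_port_hash(secret, tp->sip, tp->dip,
                              mt == MANIP_SRC ? tp->dport : tp->sport);
    else
        off = *rover;
    for (unsigned int i = 0; i < range_size; i++, off++) {
        uint16_t port = (uint16_t)(min + off % range_size);
        if (port_in_use(used, port))
            continue;
        if (used->n < MAX_USED) used->port[used->n++] = port;
        *rover = off;
        return port;
    }
    return 0;
}

/* Two SNAT'd flows from one client to one server:443 differing only in
 * original source port. Returns the modular distance between their mapped
 * ports in 1024..65535: 1, as both hash to the same start offset. */
int snat_port_distance(void)
{
    struct used_table used = { .n = 0 };
    unsigned int rover = 0;
    const int range = 65535 - 1024 + 1;
    struct tuple a = { 0x0a000001, 0xc0a80001, 40000, 443 };   /* constructed */
    struct tuple b = { 0x0a000001, 0xc0a80001, 40001, 443 };   /* constructed */
    uint16_t pa = pick_port(&a, MANIP_SRC, true, 0xdeadbeef, 1024, 65535, &rover, &used);
    uint16_t pb = pick_port(&b, MANIP_SRC, true, 0xdeadbeef, 1024, 65535, &rover, &used);
    return ((int)pb - (int)pa + range) % range;
}

/* Drain a four-port range; counts successful picks before 0 comes back. */
int picks_before_exhaustion(void)
{
    struct used_table used = { .n = 0 };
    unsigned int rover = 0;
    struct tuple t = { 0x0a000002, 0xc0a80001, 5555, 53 };     /* constructed */
    int n = 0;
    while (pick_port(&t, MANIP_SRC, true, 0x1234, 1024, 1027, &rover, &used))
        n++;
    return n;
}

int main(void)
{
    printf("SNAT distance %d, picks before exhaustion %d\n", snat_port_distance(), picks_before_exhaustion());
    return 0;
}
```

The distance of 1 does not depend on which hash is plugged in: any deterministic function of (saddr, daddr, dport) gives both flows the same starting offset, so the only thing separating them is the probe step. Folding the original source port into the hash input is what would make the second flow's start offset independent of the first.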
Thread overview: 15+ messages
2008-08-18 16:51 netfilter 00/06: netfilter fixes Patrick McHardy
2008-08-18 16:51 ` netfilter 01/06: Move linux/in.h and linux/in6.h inclusions outside of Patrick McHardy
2008-08-18 16:57   ` Jan Engelhardt
2008-08-18 17:01     ` Patrick McHardy
2008-08-19  4:21       ` David Miller
2008-08-18 16:51 ` netfilter 02/06: ipt_addrtype: fix matching of inverted destination address type Patrick McHardy
2008-08-19  4:30   ` David Miller
2008-08-18 16:51 ` netfilter 03/06: ctnetlink: fix double helper assignation for NAT'ed conntracks Patrick McHardy
2008-08-19  4:31   ` David Miller
2008-08-18 16:51 ` netfilter 04/06: ctnetlink: fix sleep in read-side lock section Patrick McHardy
2008-08-19  4:31   ` David Miller
2008-08-18 16:51 ` netfilter 05/06: ctnetlink: sleepable allocation with spin lock bh Patrick McHardy
2008-08-19  4:31   ` David Miller
2008-08-18 16:51 ` Patrick McHardy [this message]
2008-08-19  4:32   ` nf_nat 06/06: use secure_ipv4_port_ephemeral() for NAT port randomization David Miller
