* [PATCH] cleanup for random seed initialization ip_conntrack_hash_rnd
From: Pablo Neira @ 2004-04-12 22:56 UTC (permalink / raw)
To: netfilter-devel, Harald Welte
[-- Attachment #1: Type: text/plain, Size: 348 bytes --]
Hi Harald and list,
Attached a clean up for the initialization of the random seed used in
ip_conntrack. With this patch the random seed is initialized once when
ip_conntrack is loaded instead of checking every time a conntrack is
created whether it was already initialized or not. If I'm missing
something, please let me know.
regards,
Pablo
[-- Attachment #2: ip_conntrack_hash_rnd-cleanup.diff --]
[-- Type: text/plain, Size: 1157 bytes --]
diff -Nru --exclude .depend --exclude '*.o' --exclude '*.ko' --exclude '*.ver' --exclude '.*.flags' --exclude '*.orig' --exclude '*.rej' --exclude '*.cmd' --exclude '*.mod.c' --exclude '*~' linux-2.6.3-old/net/ipv4/netfilter/ip_conntrack_core.c linux-2.6.3-patched/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.6.3-old/net/ipv4/netfilter/ip_conntrack_core.c 2004-02-18 04:57:11.000000000 +0100
+++ linux-2.6.3-patched/net/ipv4/netfilter/ip_conntrack_core.c 2004-04-13 00:46:17.000000000 +0200
@@ -109,7 +109,6 @@
nf_conntrack_put(&ct->infos[0]);
}
-static int ip_conntrack_hash_rnd_initted;
static unsigned int ip_conntrack_hash_rnd;
static u_int32_t
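Review bot: with ip_conntrack_hash_rnd_initted removed here, the remaining `static unsigned int ip_conntrack_hash_rnd;` is a zero-initialized static with nothing recording whether it has been seeded, so any hash computed before the seed is drawn silently uses 0. If the flag goes, add a comment on the declaration saying where the seed is set and that this must happen before the first hash_conntrack() call.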
@@ -628,11 +627,6 @@
int i;
static unsigned int drop_next;
- if (!ip_conntrack_hash_rnd_initted) {
- get_random_bytes(&ip_conntrack_hash_rnd, 4);
- ip_conntrack_hash_rnd_initted = 1;
- }
-
hash = hash_conntrack(tuple);
if (ip_conntrack_max &&
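Review bot: the removed `if (!ip_conntrack_hash_rnd_initted)` block ahead of `hash = hash_conntrack(tuple);` is what guaranteed the seed was drawn before its first use, and it deferred the draw until a conntrack was actually created. The saving is one branch on an int flag per call, so the commit message should state why drawing the seed earlier is equally safe; otherwise keep the block and add a comment explaining why the initialization is lazy, so the same cleanup is not proposed again.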
@@ -1369,6 +1363,8 @@
{
unsigned int i;
int ret;
+
+ get_random_bytes(&ip_conntrack_hash_rnd, 4);
/* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB
* machine has 256 buckets. >= 1GB machines have 8192 buckets. */
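Review bot: the added `get_random_bytes(&ip_conntrack_hash_rnd, 4);` at the top of the init path draws the hash seed when ip_conntrack is loaded, which for a statically linked ip_conntrack means early in boot, when there may not be sufficient entropy yet (the objection raised in the reply). Keep the draw deferred to first use instead of moving it here. If a call stays in either place, pass sizeof(ip_conntrack_hash_rnd) rather than the literal 4 so the length follows the variable's type.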
* Re: [PATCH] cleanup for random seed initialization ip_conntrack_hash_rnd
From: Harald Welte @ 2004-04-12 23:30 UTC (permalink / raw)
To: Pablo Neira; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 983 bytes --]
On Tue, Apr 13, 2004 at 12:56:17AM +0200, Pablo Neira wrote:
> Hi Harald and list,
>
> Attached a clean up for the initialization of the random seed used in
> ip_conntrack. With this patch the random seed is initialized once when
> ip_conntrack is loaded instead of checking every time a conntrack is
> created whether it was already initialized or not. If I'm missing
> something, please let me know.
yes, you are missing that there might not be sufficient entropy yet at
the time ip_conntrack is loaded (or, for that matter, consider a
statically linked ip_conntrack).
> regards,
> Pablo
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: [PATCH] cleanup for random seed initialization ip_conntrack_hash_rnd
From: Pablo Neira @ 2004-04-13 8:19 UTC (permalink / raw)
To: Harald Welte, netfilter-devel
Hi Harald,
Harald Welte wrote:
>On Tue, Apr 13, 2004 at 12:56:17AM +0200, Pablo Neira wrote:
>
>
>>Hi Harald and list,
>>
>>Attached a clean up for the initialization of the random seed used in
>>ip_conntrack. With this patch the random seed is initialized once when
>>ip_conntrack is loaded instead of checking every time a conntrack is
>>created whether it was already initialized or not. If I'm missing
>>something, please let me know.
>>
>>
>
>yes, you are missing that there might not be sufficient entropy yet at
>the time ip_conntrack is loaded (or, for that matter, consider a
>statically linked ip_conntrack).
>
>
ok, that makes me understand the reason why the initialization is done
that way.
thanks,
Pablo