From: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>,
netfilter-devel@vger.kernel.org
Subject: Re: SNAT --random & fully is not actually random for ips
Date: Mon, 28 Nov 2016 13:35:33 +0200 [thread overview]
Message-ID: <b4333f580bdb9ca2ede6269a9de3135c@nuclearcat.com> (raw)
In-Reply-To: <20161128112955.GA1691@salvia>
On 2016-11-28 13:29, Pablo Neira Ayuso wrote:
> On Mon, Nov 28, 2016 at 01:12:07PM +0200, Denys Fedoryshchenko wrote:
>> On 2016-11-28 13:06, Pablo Neira Ayuso wrote:
>> >Why does your patch reverts NF_NAT_RANGE_PROTO_RANDOM_FULLY?
>>
>> Ops, sorry i just did mistake with files, actually it is in reverse (
>> did
>> this patch, and it worked properly with it, with random source ip).
>
> Oh, I see 8)
>
>> --- nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000
>> +++ nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000
>> @@ -282,9 +282,13 @@
>> * client coming from the same IP (some Internet Banking sites
>> * like this), even across reboots.
>> */
>> - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) /
>> sizeof(u32),
>> + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
>> + j = prandom_u32();
>> + } else {
>> + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) /
>> sizeof(u32),
>> range->flags & NF_NAT_RANGE_PERSISTENT ?
>> 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id);
>> + }
>>
>> full_range = false;
>> for (i = 0; i <= max; i++) {
>>
>> This is current situation, RANDOM_FULLY actually does prandom_u32 for
>> source
>> port only, but not for IP.
>> IP kept as persistent and kind of predictable, because hash function
>> based
>> on source ip.
>>
>> Sure i did tried to specify any combination of flags, but looking to
>> "find_best_ips_proto" function, it wont have any effect.
>
> IIRC the original intention on random-fully was to cover only ports.
> Did you interpret from git history otherwise? Otherwise, safe
> procedure is to add a new flag.
No, seems i didnt read man page well, sorry.
I will check it, maybe will try to add new option and submit a patch,
still studying impact on "balancing" with this change, seems it works
great.
But not really sure such thing needed for someone else, actually some
might have privacy concerns as well, and can use such option for
privacy.
prev parent reply other threads:[~2016-11-28 11:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-28 10:45 SNAT --random & fully is not actually random for ips Denys Fedoryshchenko
2016-11-28 11:06 ` Pablo Neira Ayuso
2016-11-28 11:12 ` Denys Fedoryshchenko
2016-11-28 11:29 ` Pablo Neira Ayuso
2016-11-28 11:35 ` Denys Fedoryshchenko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4333f580bdb9ca2ede6269a9de3135c@nuclearcat.com \
--to=nuclearcat@nuclearcat.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).