From: Eric Leblond
Subject: Resend [Patch 1/2] Avoid direct connections between NATed hosts
Date: Sat, 13 Jan 2007 22:00:49 +0100
Message-ID: <1168722049.5737.4.camel@localhost>
References: <1168621167.28615.14.camel@localhost.localdomain>
To: Jan Engelhardt
Cc: netfilter-devel@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Hi,

On Friday 12 January 2007 at 23:53 +0100, Jan Engelhardt wrote:
> >This patches against kernel and iptables add the capability to randomize
> >the source port used when doing SNAT.
>
> Drop the extra { } - various places.

Done

> Do we want get_random_bytes(), or would net_random() suffice?

It seems that net_random() will be hard enough to predict. Thanks for the idea.

BR,
--
Eric Leblond
INL

[Attachment: 0001-Add-randomness-to-port-selection-in-SNAT.txt]