authorFlorian Westphal <fw@strlen.de>2018-12-13 16:01:27 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-12-17 23:32:36 +0100
commit912da924a29fc6bd466b98a8791d6f7cf74caf61 (patch)
tree755dea0c481c601888c262c31dcf7d2906581ad8 /net/netfilter
parentnetfilter: remove unused parameters in nf_ct_l4proto_[un]register_sysctl() (diff)
netfilter: remove NF_NAT_RANGE_PROTO_RANDOM support
Historically this was net_random() based, and was then converted to a hash based algorithm (private boot seed + hash of endpoint addresses) due to concerns of leaking net_random() bits. RANDOM_FULLY mode was added later to avoid problems with hash based mode (see commit 34ce324019e76, "netfilter: nf_nat: add full port randomization support" for details). Just make prandom_u32() the default search starting point and get rid of ->secure_port() altogether. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/nf_nat_proto_common.c9
1 files changed, 2 insertions, 7 deletions
diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
index dcb5d11688a1..dabfe9a2c041 100644
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -77,15 +77,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
range_size = max - min + 1;
}
- if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
- off = l3proto->secure_port(tuple, maniptype == NF_NAT_MANIP_SRC
- ? tuple->dst.u.all
- : tuple->src.u.all);
- } else if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) {
+ if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
off = (ntohs(*portptr) - ntohs(range->base_proto.all));
- } else {
+ else
off = prandom_u32();
- }
attempts = range_size;
if (attempts > max_attempts)