
Commit 9f593653 authored by Stephen Hemminger's avatar Stephen Hemminger Committed by David S. Miller

nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization



Use incoming network tuple as seed for NAT port randomization.
This avoids concerns of leaking net_random() bits, and also gives better
port distribution. I don't have a NAT server available, so this is compile-tested only.

Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>

[ added missing EXPORT_SYMBOL_GPL ]

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fab00c5d
+1 −0
@@ -1571,6 +1571,7 @@ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)

	return half_md4_transform(hash, keyptr->secret);
}
EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);

#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
+6 −2
@@ -73,9 +73,13 @@ bool nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
		range_size = ntohs(range->max.all) - min + 1;
	}

	off = *rover;
	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
		off = net_random();
		off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip,
						 maniptype == IP_NAT_MANIP_SRC
						 ? tuple->dst.u.all
						 : tuple->src.u.all);
	else
		off = *rover;

	for (i = 0; i < range_size; i++, off++) {
		*portptr = htons(min + off % range_size);