nf_nat: use secure_ipv4_port_ephemeral() for NAT port randomization
authorStephen Hemminger <shemminger@vyatta.com>
Tue, 19 Aug 2008 04:32:32 +0000 (21:32 -0700)
committerDavid S. Miller <davem@davemloft.net>
Tue, 19 Aug 2008 04:32:32 +0000 (21:32 -0700)
Use incoming network tuple as seed for NAT port randomization.
This avoids concerns of leaking net_random() bits, and also gives better
port distribution. Don't have NAT server, compile tested only.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
[ added missing EXPORT_SYMBOL_GPL ]

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/char/random.c
net/ipv4/netfilter/nf_nat_proto_common.c

index e0d0e371909cd2f1c00d4e2f63fe8c8ae2c81bcc..1838aa3d24feac6a09b9516acbb1ffd623e7f2db 100644 (file)
@@ -1571,6 +1571,7 @@ u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport)
 
        return half_md4_transform(hash, keyptr->secret);
 }
+EXPORT_SYMBOL_GPL(secure_ipv4_port_ephemeral);
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
index 91537f11273f42b1298c88b990c8a2446da99d39..6c4f11f514461a5a244ba1d70180f42ad82940b4 100644 (file)
@@ -73,9 +73,13 @@ bool nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
                range_size = ntohs(range->max.all) - min + 1;
        }
 
-       off = *rover;
        if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
-               off = net_random();
+               off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip,
+                                                maniptype == IP_NAT_MANIP_SRC
+                                                ? tuple->dst.u.all
+                                                : tuple->src.u.all);
+       else
+               off = *rover;
 
        for (i = 0; i < range_size; i++, off++) {
                *portptr = htons(min + off % range_size);