lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <fb3151804cc3b2c57e69d1059b3417ee@nuclearcat.com>
Date:   Mon, 28 Nov 2016 13:12:07 +0200
From:   Denys Fedoryshchenko <nuclearcat@...learcat.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>
Cc:     Linux Kernel Network Developers <netdev@...r.kernel.org>,
        netfilter-devel@...r.kernel.org
Subject: Re: SNAT --random & fully is not actually random for ips

On 2016-11-28 13:06, Pablo Neira Ayuso wrote:
> On Mon, Nov 28, 2016 at 12:45:59PM +0200, Denys Fedoryshchenko wrote:
>> Hello,
>> 
>> I noticed that if i specify -j SNAT with options --random 
>> --random-fully
>> still it keeps persistence for source IP.
> 
> So you specify both?
> 
>> Actually truly random src ip required in some scenarios like links 
>> balanced
>> by IPs, but seems since 2012 at least it is not possible.
>> 
>> But actually if i do something like:
>> --- nf_nat_core.c.new	2016-11-28 09:55:54.000000000 +0000
>> +++ nf_nat_core.c	2016-11-21 09:11:59.000000000 +0000
>> @@ -282,13 +282,9 @@
>>  	 * client coming from the same IP (some Internet Banking sites
>>  	 * like this), even across reboots.
>>  	 */
>> -	if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
>> -	    j = prandom_u32();
>> -	} else {
>> -	    j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / 
>> sizeof(u32),
>> +	j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / 
>> sizeof(u32),
>>  		   range->flags & NF_NAT_RANGE_PERSISTENT ?
>>  			0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id);
>> -	}
>> 
>>  	full_range = false;
>>  	for (i = 0; i <= max; i++) {
>> 
>> It works as intended. But i guess to not break compatibility it is 
>> better
>> should be introduced as new option?
>> Or maybe there is no really need for such option?
> 
> Why does your patch reverts NF_NAT_RANGE_PROTO_RANDOM_FULLY?
Ops, sorry i just did mistake with files, actually it is in reverse ( 
did this patch, and it worked properly with it, with random source ip).
--- nf_nat_core.c	2016-11-21 09:11:59.000000000 +0000
+++ nf_nat_core.c.new	2016-11-28 09:55:54.000000000 +0000
@@ -282,9 +282,13 @@
  	 * client coming from the same IP (some Internet Banking sites
  	 * like this), even across reboots.
  	 */
-	j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
+	if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
+	    j = prandom_u32();
+	} else {
+	    j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / 
sizeof(u32),
  		   range->flags & NF_NAT_RANGE_PERSISTENT ?
  			0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id);
+	}

  	full_range = false;
  	for (i = 0; i <= max; i++) {

This is current situation, RANDOM_FULLY actually does prandom_u32 for 
source port only, but not for IP.
IP kept as persistent and kind of predictable, because hash function 
based on source ip.

Sure i did tried to specify any combination of flags, but looking to 
"find_best_ips_proto" function, it wont have any effect.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ