lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20161128112955.GA1691@salvia>
Date:   Mon, 28 Nov 2016 12:29:55 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Denys Fedoryshchenko <nuclearcat@...learcat.com>
Cc:     Linux Kernel Network Developers <netdev@...r.kernel.org>,
        netfilter-devel@...r.kernel.org
Subject: Re: SNAT --random & fully is not actually random for ips

On Mon, Nov 28, 2016 at 01:12:07PM +0200, Denys Fedoryshchenko wrote:
> On 2016-11-28 13:06, Pablo Neira Ayuso wrote:
> >Why does your patch reverts NF_NAT_RANGE_PROTO_RANDOM_FULLY?
>
> Ops, sorry i just did mistake with files, actually it is in reverse ( did
> this patch, and it worked properly with it, with random source ip).

Oh, I see 8)

> --- nf_nat_core.c	2016-11-21 09:11:59.000000000 +0000
> +++ nf_nat_core.c.new	2016-11-28 09:55:54.000000000 +0000
> @@ -282,9 +282,13 @@
>  	 * client coming from the same IP (some Internet Banking sites
>  	 * like this), even across reboots.
>  	 */
> -	j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
> +	if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
> +	    j = prandom_u32();
> +	} else {
> +	    j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32),
>  		   range->flags & NF_NAT_RANGE_PERSISTENT ?
>  			0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id);
> +	}
> 
>  	full_range = false;
>  	for (i = 0; i <= max; i++) {
> 
> This is current situation, RANDOM_FULLY actually does prandom_u32 for source
> port only, but not for IP.
> IP kept as persistent and kind of predictable, because hash function based
> on source ip.
> 
> Sure i did tried to specify any combination of flags, but looking to
> "find_best_ips_proto" function, it wont have any effect.

IIRC the original intention on random-fully was to cover only ports.
Did you interpret from git history otherwise? Otherwise, safe
procedure is to add a new flag.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ