From patchwork Mon Nov 28 11:12:07 2016
X-Patchwork-Submitter: Denys Fedoryshchenko
X-Patchwork-Id: 699934
X-Patchwork-Delegate: davem@davemloft.net
Date: Mon, 28 Nov 2016 13:12:07 +0200
From: Denys Fedoryshchenko
To: Pablo Neira Ayuso
Cc: Linux Kernel Network Developers, netfilter-devel@vger.kernel.org
Subject: Re: SNAT --random & fully is not actually random for ips
In-Reply-To: <20161128110651.GA1024@salvia>
References: <97a6a1c557f0f1e6d55d8d09b326f8b1@nuclearcat.com> <20161128110651.GA1024@salvia>
X-Mailing-List: netdev@vger.kernel.org

On 2016-11-28 13:06, Pablo Neira Ayuso wrote:
> On Mon, Nov 28, 2016 at 12:45:59PM +0200, Denys Fedoryshchenko wrote:
>> Hello,
>>
>> I noticed that if I specify -j SNAT with options --random --random-fully
>> still it keeps persistence for source IP.
>
> So you specify both?
>
>> Actually truly random src ip required in some scenarios like links balanced
>> by IPs, but seems since 2012 at least it is not possible.
>>
>> But actually if I do something like:
>> --- nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000
>> +++ nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000
>> @@ -282,13 +282,9 @@ >> * client coming from the same IP (some Internet Banking sites >> * like this), even across reboots. >> */ >> - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { >> - j = prandom_u32(); >> - } else { >> - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / >> sizeof(u32), >> + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / >> sizeof(u32), >> range->flags & NF_NAT_RANGE_PERSISTENT ? >> 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id); >> - } >> >> full_range = false; >> for (i = 0; i <= max; i++) { >> >> It works as intended. But i guess to not break compatibility it is >> better >> should be introduced as new option? >> Or maybe there is no really need for such option? > > Why does your patch reverts NF_NAT_RANGE_PROTO_RANDOM_FULLY? Ops, sorry i just did mistake with files, actually it is in reverse ( did this patch, and it worked properly with it, with random source ip). for (i = 0; i <= max; i++) { This is current situation, RANDOM_FULLY actually does prandom_u32 for source port only, but not for IP. IP kept as persistent and kind of predictable, because hash function based on source ip. Sure i did tried to specify any combination of flags, but looking to "find_best_ips_proto" function, it wont have any effect. --- nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000 +++ nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000 @@ -282,9 +282,13 @@ * client coming from the same IP (some Internet Banking sites * like this), even across reboots. */ - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), + if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { + j = prandom_u32(); + } else { + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), range->flags & NF_NAT_RANGE_PERSISTENT ? 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id); + } full_range = false;
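Review bot: the `---`/`+++` headers of the quoted diff are swapped (the `---` side is nf_nat_core.c.new and the `+++` side is the original file), so the hunk reads as removing the NF_NAT_RANGE_PROTO_RANDOM_FULLY branch instead of adding it, which is exactly what Pablo's question picks up on; the reply confirms the later diff is the intended direction. The quoted copy is also not applicable as pasted, because the mail client wrapped the `j = jhash2(...)` lines and left `sizeof(u32),` on a line of its own.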
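Review bot: in the new branch `j = prandom_u32();` discards NF_NAT_RANGE_PERSISTENT, so a rule that sets both --persistent and --random-fully silently loses persistence; either reject that flag combination when the range is validated or keep the hash path whenever PERSISTENT is set. The comment directly above the hunk (a client from the same IP keeps the same mapping, "even across reboots") is no longer true in the RANDOM_FULLY case and should be updated in the same patch. NF_NAT_RANGE_PROTO_RANDOM_FULLY is an existing user-visible flag whose current effect is port randomisation only, so making it randomise the source address as well changes the behaviour of rules already deployed with that flag; that argues for the separate option the author asks about. A per-connection random source address also removes the operator's ability to tie an egress address back to a client in logs, which is another reason it should stay opt-in rather than being folded into an existing flag.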
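As an added illustration, not code from the thread or from the kernel, the following Python model shows the two selector behaviours Denys describes: the unpatched path derives the selector `j` from a hash of the client address (seeded with 0 under PERSISTENT, otherwise with `dst ^ zone`), so the same client keeps landing on the same pool address, while the patched RANDOM_FULLY path draws `j` fresh for every new connection. `zlib.crc32` stands in for the kernel's `jhash2()` (an assumption made for self-containment; the real hash differs), `(j * dist) >> 32` reproduces the kernel's `reciprocal_scale()` mapping, and all addresses are constructed sample values.

```python
import ipaddress
import random
import zlib

# Added model of the SNAT source-address choice discussed in the thread.
# Not kernel code: zlib.crc32 stands in for the kernel's jhash2() (assumption),
# and the pool / client / destination addresses used below are constructed.


def _ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _hash32(key_bytes, initval):
    """Stand-in for jhash2(key, len, initval): fold initval into a CRC32."""
    return zlib.crc32(key_bytes + initval.to_bytes(4, "big")) & 0xFFFFFFFF


def pick_snat_source(pool_start, pool_end, client_ip, dst_ip, zone_id=0,
                     persistent=False, random_fully=False, rng=random):
    """Return the pool address chosen for one new connection.

    random_fully mirrors the patched branch (selector j is a fresh random
    number); otherwise j is a hash of the client address seeded with 0 under
    persistent or with dst ^ zone by default, as in the unpatched code.
    """
    lo, hi = _ip_int(pool_start), _ip_int(pool_end)
    dist = hi - lo + 1
    if random_fully:
        j = rng.getrandbits(32)
    else:
        initval = 0 if persistent else (_ip_int(dst_ip) ^ zone_id) & 0xFFFFFFFF
        j = _hash32(_ip_int(client_ip).to_bytes(4, "big"), initval)
    # reciprocal_scale(j, dist): map a 32-bit selector onto [0, dist)
    return str(ipaddress.IPv4Address(lo + ((j * dist) >> 32)))


def addresses_seen(n, **kwargs):
    """Simulate n new connections with identical parameters; return the set of addresses chosen."""
    return {pick_snat_source(**kwargs) for _ in range(n)}


if __name__ == "__main__":
    flow = dict(pool_start="203.0.113.10", pool_end="203.0.113.13",
                client_ip="192.0.2.7", dst_ip="198.51.100.1")
    # Hash-based selection: one client, one destination, always the same address.
    print("hash-based   :", addresses_seen(200, **flow))
    # Patched --random-fully: the same client spreads across the pool.
    print("random-fully :", addresses_seen(200, random_fully=True,
                                           rng=random.Random(0), **flow))
```

Running it prints a single address for the hash-based case and several pool addresses for the random-fully case, which is the "kept as persistent and kind of predictable" versus "random source ip" contrast in the thread; the `persistent` flag additionally makes the choice independent of the destination, because the hash seed is then 0.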