Improve the entropy of the source port randomization for network address
translation. It turns out this is useful for applications which require source port randomization for security (e.g. DNS servers). Discussed with: secteam Requested by: mlaier MFC after: 2 weeks
This commit is contained in:
parent
896b354188
commit
8751c5bac8
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=182488
|
@ -606,7 +606,7 @@ GetNewPort(struct libalias *la, struct alias_link *lnk, int alias_port_param)
|
|||
port_sys = ntohs(port_net);
|
||||
} else {
|
||||
/* First trial and all subsequent are random. */
|
||||
port_sys = random() & ALIAS_PORT_MASK;
|
||||
port_sys = arc4random() & ALIAS_PORT_MASK;
|
||||
port_sys += ALIAS_PORT_BASE;
|
||||
port_net = htons(port_sys);
|
||||
}
|
||||
|
@ -657,7 +657,7 @@ GetNewPort(struct libalias *la, struct alias_link *lnk, int alias_port_param)
|
|||
}
|
||||
#endif
|
||||
}
|
||||
port_sys = random() & ALIAS_PORT_MASK;
|
||||
port_sys = arc4random() & ALIAS_PORT_MASK;
|
||||
port_sys += ALIAS_PORT_BASE;
|
||||
port_net = htons(port_sys);
|
||||
}
|
||||
|
@ -772,9 +772,9 @@ FindNewPortGroup(struct libalias *la,
|
|||
|
||||
/* First trial and all subsequent are random. */
|
||||
if (align == FIND_EVEN_ALIAS_BASE)
|
||||
port_sys = random() & ALIAS_PORT_MASK_EVEN;
|
||||
port_sys = arc4random() & ALIAS_PORT_MASK_EVEN;
|
||||
else
|
||||
port_sys = random() & ALIAS_PORT_MASK;
|
||||
port_sys = arc4random() & ALIAS_PORT_MASK;
|
||||
|
||||
port_sys += ALIAS_PORT_BASE;
|
||||
}
|
||||
|
@ -796,9 +796,9 @@ FindNewPortGroup(struct libalias *la,
|
|||
|
||||
/* Find a new base to try */
|
||||
if (align == FIND_EVEN_ALIAS_BASE)
|
||||
port_sys = random() & ALIAS_PORT_MASK_EVEN;
|
||||
port_sys = arc4random() & ALIAS_PORT_MASK_EVEN;
|
||||
else
|
||||
port_sys = random() & ALIAS_PORT_MASK;
|
||||
port_sys = arc4random() & ALIAS_PORT_MASK;
|
||||
|
||||
port_sys += ALIAS_PORT_BASE;
|
||||
}
|
||||
|
|
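Review bot: The comment `/* First trial and all subsequent are random. */` kept above the new `port_sys = arc4random() & ALIAS_PORT_MASK;` in the first GetNewPort hunk does not record why the generator choice matters, so nothing stops a later cleanup from switching back to a non-cryptographic source; suggest `/* Must be unpredictable (arc4random, not random()): guessable source ports let off-path spoofed replies be accepted, e.g. DNS cache poisoning. */`, and the same comment belongs on the equivalent lines in the second GetNewPort hunk and in both FindNewPortGroup hunks. Note also that the usable entropy is bounded by the width of ALIAS_PORT_MASK (and halved again by ALIAS_PORT_MASK_EVEN on the FIND_EVEN_ALIAS_BASE path), not by the generator; the mask and base values are not on this page, so it is worth confirming they leave a range wide enough for the DNS use case the commit message cites. Both GetNewPort and FindNewPortGroup begin and end outside these hunks.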