xt_connlimit 20070605
Eric Dumazet
dada1 at cosmosbay.com
Tue Jun 5 14:37:42 CEST 2007
On Tue, 5 Jun 2007 14:06:50 +0200 (MEST)
Jan Engelhardt <jengelh at linux01.gwdg.de> wrote:
>
> +static inline unsigned int connlimit_iphash(u_int32_t addr)
> +{
> + return (addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff;
> +}
> +
> +static int count_them(struct xt_connlimit_data *data, u_int32_t addr,
> + u_int32_t mask, struct nf_conn *ct)
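Review bot: connlimit_iphash() XOR-folds the four address bytes into 8 bits, so the bucket is a fixed, publicly computable function of the address and any two addresses whose bytes XOR to the same value land in the same chain; with 256 buckets and no secret, chain length is under the peer's control. Suggest deriving the bucket from jhash_1word(addr, connlimit_rnd) with connlimit_rnd filled once at init by get_random_bytes(), and keep count_them() walking the chain selected by that keyed value.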
There is some problem with this hash function:
An attacker can easily send on your machine SYN packets where addr
is carefully chosen so that your hash function returns the same value.
Time to scan 1.000 elements in a chain is too long.
I suggest you use jhash and a random value (initialized at boot time), so that
the attacker has hard work to guess your hash function.
See for examples:
net/ipv4/route.c , function rt_hash_code()
net/netfilter/nf_conntrack_core.c , function __hash_conntrack()
net/ipv4/netfilter/ipt_recent.c, function recent_entry_hash()
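As an added example, not code from the patch or from this thread, the following userspace C program puts the hash from the quoted hunk beside a keyed replacement modelled on the kernel's jhash_1word(), and counts how many of the 256 buckets a set of related addresses lands in under each. The jhash re-implementation, the 10.0.x.x sample address set and the /dev/urandom seed reader are assumptions made here, standing in for include/linux/jhash.h and get_random_bytes().

```c
/* Added example (not the patch's code): compares the XOR-folding bucket hash
 * from the quoted xt_connlimit hunk with a keyed hash modelled on the kernel's
 * jhash_1word().  Build with: cc -std=c99 -O2 -o iphash iphash.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONNLIMIT_BUCKETS 256u

/* The hash from the quoted hunk: XOR-fold the four address bytes into 8 bits. */
static inline unsigned int connlimit_iphash(uint32_t addr)
{
	return (addr ^ (addr >> 8) ^ (addr >> 16) ^ (addr >> 24)) & 0xff;
}

/* Userspace re-implementation of jhash_1word() (assumption: mirrors the
 * lookup3-based include/linux/jhash.h; not taken from the page). */
static inline uint32_t rol32(uint32_t w, unsigned int s)
{
	return (w << s) | (w >> (32 - s));
}

#define JHASH_INITVAL 0xdeadbeefu
#define jhash_final(a, b, c) do {            \
	c ^= b; c -= rol32(b, 14);           \
	a ^= c; a -= rol32(c, 11);           \
	b ^= a; b -= rol32(a, 25);           \
	c ^= b; c -= rol32(b, 16);           \
	a ^= c; a -= rol32(c, 4);            \
	b ^= a; b -= rol32(a, 14);           \
	c ^= b; c -= rol32(b, 24);           \
} while (0)

static uint32_t jhash_1word(uint32_t a, uint32_t initval)
{
	uint32_t b = 0, c = 0;
	initval += JHASH_INITVAL + (1 << 2);  /* one 4-byte word is hashed */
	a += initval;
	b += initval;
	c += initval;
	jhash_final(a, b, c);
	return c;
}

/* Keyed replacement: the bucket depends on a secret chosen once at init time,
 * so a peer cannot predict which addresses share a chain. */
static inline unsigned int connlimit_iphash_keyed(uint32_t addr, uint32_t rnd)
{
	return jhash_1word(addr, rnd) & (CONNLIMIT_BUCKETS - 1);
}

/* Constructed input: the 256 addresses 10.0.x.x (x = 0..255).  Each has byte
 * XOR 10 ^ 0 ^ x ^ x = 10, so the fold hash puts all of them in one bucket;
 * a keyed hash spreads them over roughly 160 of the 256 buckets. */
static uint32_t sample_addr(unsigned int x)
{
	return (10u << 24) | ((x & 0xffu) << 8) | (x & 0xffu);
}

/* Number of distinct buckets the sample set occupies.  rnd is ignored when
 * keyed is 0 (the hunk's hash takes no key). */
static unsigned int distinct_buckets(int keyed, uint32_t rnd)
{
	unsigned char used[CONNLIMIT_BUCKETS];
	unsigned int x, n = 0;

	memset(used, 0, sizeof(used));
	for (x = 0; x < 256; x++) {
		uint32_t addr = sample_addr(x);
		unsigned int b = keyed ? connlimit_iphash_keyed(addr, rnd)
				       : connlimit_iphash(addr);
		if (!used[b]) {
			used[b] = 1;
			n++;
		}
	}
	return n;
}

/* Stand-in for get_random_bytes() at module init (assumption, userspace). */
static uint32_t read_random_seed(void)
{
	uint32_t seed = 0x5eedbeefu;  /* fallback if /dev/urandom is unavailable */
	FILE *f = fopen("/dev/urandom", "rb");
	if (f) {
		if (fread(&seed, sizeof(seed), 1, f) != 1)
			seed = 0x5eedbeefu;
		fclose(f);
	}
	return seed;
}

int main(void)
{
	uint32_t rnd = read_random_seed();
	printf("fold hash : %u distinct bucket(s) for 256 related addresses\n",
	       distinct_buckets(0, 0));
	printf("keyed hash: %u distinct bucket(s) (rnd=0x%08x)\n",
	       distinct_buckets(1, rnd), rnd);
	return 0;
}
```

The seed has to be drawn exactly once for the lifetime of the table (in-kernel, at module init); if it changed, entries inserted earlier would no longer be found in the chain that count_them() walks.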