Subject: [PATCH] TCP ipv4 source port randomization

Hi,

"When source port is generated on the fly for the TCP protocol (ie. with
connect()) will be altered so that the source port is generated at random,
instead of a simple incrementing algorithm."

Ported from grsecurity (http://www.grsecurity.net by Brad Spengler).

Instead of using the PaX & grsecurity-dependent get_random_long() function, we use
the new randomization infrastructure introduced by Arjan van de Ven <[email protected]>,
providing the helpers get_random_int() and randomize_range().

More information at:
http://people.redhat.com/arjanv/randomize/02-randomize-infrastructure

The patch is also available at:
http://pearls.tuxedo-es.org/patches/security/tcp-rand_src-ports.patch

Signed-off-by: Lorenzo Hernandez Garcia-Hierro <[email protected]>

Cheers,
--
Lorenzo Hernández García-Hierro <[email protected]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]


Attachments:
tcp-rand_src-ports.patch (1.51 kB)
signature.asc (189.00 B)

2005-04-18 19:32:00

by David Miller

Subject: Re: [PATCH] TCP ipv4 source port randomization


Stephen Hemminger has already added TCP port randomization on
connect() to the 2.6.x tree. See
net/ipv4/tcp_ipv4.c:tcp_v4_hash_connect(), where randomized port
selection occurs. And unlike your patch, Stephen did add ipv6
support (via net/ipv6/tcp_ipv6.c:tcp_v6_hash_connect()) for
port randomization as well.

I'd like to ask two things:

1) That you use [email protected] for networking patches as that
is where the networking developers listen.
2) That you do some checking to see that the feature you're adding
is not already present in the tree.

Thanks a lot.
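As an added illustration (not the attached patch and not the kernel's tcp_v4_hash_connect() code), the following C program contrasts the incrementing allocator the patch description criticises with the random-offset-then-walk selection that both the patch and the in-tree code aim for. The port range bounds and the userspace random source are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ephemeral port range assumed for this demo (the real range comes from
 * the ip_local_port_range sysctl; these bounds are placeholders). */
#define PORT_LOW  32768
#define PORT_HIGH 61000
#define NPORTS    (PORT_HIGH - PORT_LOW + 1)

/* Simple incrementing allocator: next port is previous + 1, wrapping at
 * the top of the range.  Every source port is predictable from the one
 * before it, which is the weakness the randomization patch addresses. */
static int next_sequential_port(int prev)
{
    if (prev < PORT_LOW || prev >= PORT_HIGH)
        return PORT_LOW;
    return prev + 1;
}

/* Randomized allocator in the style the thread describes: start from a
 * random offset into the range, then walk forward (with wraparound) until
 * a port not marked in 'in_use' is found.  'rnd' is passed in by the
 * caller so the function stays deterministic for testing; the kernel would
 * draw it from get_random_int().  Returns -1 if every port is taken. */
static int pick_random_port(unsigned int rnd, const unsigned char *in_use)
{
    unsigned int offset = rnd % NPORTS;
    for (unsigned int i = 0; i < NPORTS; i++) {
        unsigned int idx = (offset + i) % NPORTS;
        if (!in_use[idx])
            return PORT_LOW + (int)idx;
    }
    return -1;
}

int main(void)
{
    unsigned char in_use[NPORTS];
    memset(in_use, 0, sizeof in_use);
    srand(12345);   /* demo only: userspace PRNG, not a kernel entropy source */
    int seq = PORT_LOW;
    for (int i = 0; i < 5; i++) {
        seq = next_sequential_port(seq);
        int r = pick_random_port((unsigned int)rand(), in_use);
        in_use[r - PORT_LOW] = 1;   /* mark as bound so it is not reused */
        printf("sequential: %d   random: %d\n", seq, r);
    }
    return 0;
}
```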

Subject: Re: [PATCH] TCP ipv4 source port randomization

On Mon, 18-04-2005 at 12:26 -0700, David S. Miller wrote:
> Stephen Hemminger has already added TCP port randomization on
> connect() to the 2.6.x tree. See
> net/ipv4/tcp_ipv4.c:tcp_v4_hash_connect(), where randomized port
> selection occurs. And unlike your patch, Stephen did add ipv6
> support (via net/ipv6/tcp_ipv6.c:tcp_v6_hash_connect()) for
> port randomization as well.

I missed Hemminger's bits there.
I apologize for any inconvenience.

>
> 1) That you use [email protected] for networking patches as that
> is where the networking developers listen.

OK.

> 2) That you do some checking to see that the feature you're adding
> is not already present in the tree.

I do, I just missed that ;)
Besides, I had the patch done some time ago and just didn't submit
it to the list, so during the transition I forgot all about any change
(nor did I check the CSETs).

Thanks for the advice,
Cheers.
--
Lorenzo Hernández García-Hierro <[email protected]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]


Attachments:
signature.asc (189.00 B)