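--- a/inet_hashtables.c
+++ b/inet_hashtables.c
@@ -1,8 +1,8 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 /*
  * INET An implementation of the TCP/IP protocol suite for the LINUX
  * operating system. INET is implemented using the BSD Socket
  * interface as the means of communication with the user level.
  *
  * Generic INET transport hashtables
  *
@@ -721,21 +721,22 @@
 	}
 }
 EXPORT_SYMBOL_GPL(inet_unhash);
 
 /* RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm
  * Note that we use 32bit integers (vs RFC 'short integers')
  * because 2^16 is not a multiple of num_ephemeral and this
  * property might be used by clever attacker.
- * RFC claims using TABLE_LENGTH=10 buckets gives an improvement,
- * we use 256 instead to really give more isolation and
- * privacy, this only consumes 1 KB of kernel memory.
+ * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
+ * attacks were since demonstrated, thus we use 65536 instead to really
+ * give more isolation and privacy, at the expense of 256kB of kernel
+ * memory.
  */
-#define INET_TABLE_PERTURB_SHIFT 8
+#define INET_TABLE_PERTURB_SHIFT 16
 #define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
 static u32 *table_perturb;
 
 int __inet_hash_connect(struct inet_timewait_death_row *death_row,
 	struct sock *sk, u64 port_offset,
 	int (*check_established)(struct inet_timewait_death_row *,
 	struct sock *, __u16, struct inet_timewait_sock **))
 {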
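Review bot: Raising INET_TABLE_PERTURB_SHIFT to 16 makes table_perturb a 256kB allocation, and the site that allocates it is outside this section; if it still uses a plain kmalloc-family call, an order-6 contiguous request can fail on a fragmented system and leave table_perturb NULL, so the allocator should be one that tolerates this size (kvmalloc, vmalloc or the large-hash helper) and the failure policy should be stated next to the new comment. The revised comment also says "attacks were since demonstrated" without naming them; a one-line pointer such as `* (see Kol, Klein, Gilad, "Device Tracking via Linux's New TCP Source Port Selection Algorithm")` would let a later reader judge whether 2^16 buckets is still adequate. It is also worth noting in the comment that INET_TABLE_PERTURB_SIZE is a plain int expression `(1 << 16)`, so any later bump of the shift must stay below the width of int. The body of __inet_hash_connect continues past the end of this section.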