From patchwork Mon Nov 28 10:45:59 2016
X-Patchwork-Submitter: Denys Fedoryshchenko
X-Patchwork-Id: 699933
X-Patchwork-Delegate: davem@davemloft.net
Date: Mon, 28 Nov 2016 12:45:59 +0200
From: Denys Fedoryshchenko
To: Linux Kernel Network Developers, Pablo Neira Ayuso
Subject: SNAT --random & fully is not actually random for ips
Message-ID: <97a6a1c557f0f1e6d55d8d09b326f8b1@nuclearcat.com>
X-Mailing-List: netdev@vger.kernel.org

Hello,

I noticed that if I specify -j SNAT with the options --random --random-fully, it still keeps persistence for the source IP. Actually, a truly random src IP is required in some scenarios, like links balanced by IPs, but it seems that, since 2012 at least, it has not been possible.

But actually, if I do something like:

for (i = 0; i <= max; i++) {

it works as intended. But I guess, to not break compatibility, it is better introduced as a new option? Or maybe there is no real need for such an option?

--- nf_nat_core.c.new 2016-11-28 09:55:54.000000000 +0000 +++ nf_nat_core.c 2016-11-21 09:11:59.000000000 +0000 @@ -282,13 +282,9 @@ * client coming from the same IP (some Internet Banking sites * like this), even across reboots. */ - if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { - j = prandom_u32(); - } else { - j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), + j = jhash2((u32 *)&tuple->src.u3, sizeof(tuple->src.u3) / sizeof(u32), range->flags & NF_NAT_RANGE_PERSISTENT ? 0 : (__force u32)tuple->dst.u3.all[max] ^ zone->id); - } full_range = false;
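Review bot: the diff is generated with old and new swapped (`--- nf_nat_core.c.new` against `+++ nf_nat_core.c`), so the hunk reads as removing the `NF_NAT_RANGE_PROTO_RANDOM_FULLY` branch and restoring the bare `jhash2()` call, the opposite of what the text describes; regenerate it as `diff -u nf_nat_core.c nf_nat_core.c.new` so the `prandom_u32()` branch appears as `+` lines. Two further points on the same hunk: the comment directly above it ("client coming from the same IP ... even across reboots") documents exactly the per-client stickiness that the new branch bypasses, so it needs a sentence saying that `--random-fully` now disables that stickiness for the address pick; and because the branch changes the meaning of an existing flag for everyone who already uses it, the compatibility question raised in the mail is the right one, and a separate flag (as the mail itself suggests) would leave current `--random-fully` users' address mapping unchanged.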
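The behaviour discussed in the mail, as an added example that is not kernel code and not part of the original message: it models the IPv4 source-address pick that the quoted `jhash2()` line makes for `-j SNAT --to-source A-B` (hash the client's source address, seeded with the destination unless `--persistent`, then scale into the range), next to the per-connection random draw the mail proposes for `--random-fully`. The `jhash2()` and `reciprocal_scale()` bodies are transcriptions of the kernel helpers; everything else (`struct snat_range`, `snat_pick*`, `distinct_picks`, the xorshift stand-in for `prandom_u32()`, the flag bit values, zone id 0, and the assumption that the unused 12 bytes of the 16-byte address union are zero for IPv4) is assumed for the demonstration.

```c
/* Added example, not kernel code. Models the SNAT source-address pick that
 * find_best_ips_proto() makes (hash of client src, scaled into the range)
 * beside the per-connection random pick the mail proposes for --random-fully.
 * struct snat_range, snat_pick*, distinct_picks and prandom_*_stub are
 * invented names for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Flag bits: assumed to mirror the kernel's uapi nf_nat.h values; the
 * simulation does not depend on the exact numbers. */
#define NF_NAT_RANGE_PERSISTENT         (1 << 3)
#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4)

struct snat_range {
	u32 min_ip;   /* host byte order, inclusive */
	u32 max_ip;
	u32 flags;
};

static u32 ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
	return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Transcription of the kernel's jhash2() (Bob Jenkins' lookup3). */
#define JHASH_INITVAL 0xdeadbeef
static u32 rol32(u32 x, unsigned k) { return (x << k) | (x >> (32 - k)); }
#define __jhash_mix(a, b, c) { \
	a -= c; a ^= rol32(c, 4);  c += b; b -= a; b ^= rol32(a, 6);  a += c; \
	c -= b; c ^= rol32(b, 8);  b += a; a -= c; a ^= rol32(c, 16); c += b; \
	b -= a; b ^= rol32(a, 19); a += c; c -= b; c ^= rol32(b, 4);  b += a; }
#define __jhash_final(a, b, c) { \
	c ^= b; c -= rol32(b, 14); a ^= c; a -= rol32(c, 11); \
	b ^= a; b -= rol32(a, 25); c ^= b; c -= rol32(b, 16); \
	a ^= c; a -= rol32(c, 4);  b ^= a; b -= rol32(a, 14); \
	c ^= b; c -= rol32(b, 24); }

static u32 jhash2(const u32 *k, u32 length, u32 initval)
{
	u32 a, b, c;
	a = b = c = JHASH_INITVAL + (length << 2) + initval;
	while (length > 3) {
		a += k[0]; b += k[1]; c += k[2];
		__jhash_mix(a, b, c);
		length -= 3; k += 3;
	}
	switch (length) {
	case 3: c += k[2]; /* fall through */
	case 2: b += k[1]; /* fall through */
	case 1: a += k[0]; __jhash_final(a, b, c); /* fall through */
	case 0: break;
	}
	return c;
}

/* Kernel's reciprocal_scale(): map a 32-bit value into [0, ep_ro). */
static u32 reciprocal_scale(u32 val, u32 ep_ro)
{
	return (u32)(((u64)val * ep_ro) >> 32);
}

/* Current behaviour (the jhash2 line in the hunk): a deterministic hash of the
 * client's source address, seeded with the destination (xor zone id, taken as
 * 0 here) unless --persistent is set. Same client and same server therefore
 * always map to the same SNAT address, whatever --random/--random-fully say. */
u32 snat_pick_hashed(u32 src, u32 dst, const struct snat_range *r)
{
	/* The kernel hashes the whole 16-byte nf_inet_addr union; for IPv4
	 * only the first word is set and the rest is assumed to be zero. */
	u32 words[4] = { htonl(src), 0, 0, 0 };
	u32 seed = (r->flags & NF_NAT_RANGE_PERSISTENT) ? 0 : htonl(dst);
	u32 j = jhash2(words, 4, seed);

	return r->min_ip + reciprocal_scale(j, r->max_ip - r->min_ip + 1);
}

/* Deterministic xorshift32 stand-in for prandom_u32(), so runs repeat. */
static u32 prng_state = 0x9e3779b9u;
void prandom_seed_stub(u32 seed) { prng_state = seed ? seed : 1; }
static u32 prandom_u32_stub(void)
{
	u32 x = prng_state;
	x ^= x << 13; x ^= x >> 17; x ^= x << 5;
	return prng_state = x;
}

/* The mail's proposal: under --random-fully draw a fresh offset per new
 * connection instead of hashing the source address. */
u32 snat_pick(u32 src, u32 dst, const struct snat_range *r)
{
	if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
		return r->min_ip + reciprocal_scale(prandom_u32_stub(),
						    r->max_ip - r->min_ip + 1);
	return snat_pick_hashed(src, dst, r);
}

/* Run n "connections" from one client to one server and count the distinct
 * SNAT addresses handed out (1 means the mapping is sticky). Range must hold
 * at most 64 addresses for the bitmap. */
unsigned distinct_picks(u32 src, u32 dst, const struct snat_range *r,
			unsigned n, u32 seed)
{
	u64 mask = 0;
	unsigned count = 0;
	prandom_seed_stub(seed);
	while (n--)
		mask |= 1ULL << (snat_pick(src, dst, r) - r->min_ip);
	for (; mask; mask &= mask - 1)
		count++;
	return count;
}

int main(void)
{
	/* Constructed sample: four-address SNAT pool, one client, one server. */
	struct snat_range r = { ip4(198, 51, 100, 10), ip4(198, 51, 100, 13), 0 };
	u32 client = ip4(192, 0, 2, 7), server = ip4(203, 0, 113, 80);
	printf("hashed pick: %u distinct SNAT address(es) over 16 connections\n",
	       distinct_picks(client, server, &r, 16, 1));
	r.flags = NF_NAT_RANGE_PROTO_RANDOM_FULLY;
	printf("random-fully pick: %u distinct SNAT address(es) over 16 connections\n",
	       distinct_picks(client, server, &r, 16, 0x9e3779b9u));
	return 0;
}
```

The hashed path is why the mail sees a persistent source IP: nothing in it consults `--random-fully`, so every connection from one client to one server lands on the same pool address, and with `--persistent` the destination drops out of the seed and the client gets the same address for every server. The random path is what the proposed branch does; note that it also loses the "same IP across reboots" property the kernel comment above the hunk describes.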