Commit 5191d50192ec1281e51cbcb5248cb2667ff4d896

Authored by Jan Engelhardt
Committed by Patrick McHardy
1 parent 89bc7a0f64

netfilter: xtables: do not grab random bytes at __init

"It is deliberately not done in the init function, since we might not
have sufficient random while booting."

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

Showing 2 changed files with 11 additions and 2 deletions

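--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -28,6 +28,7 @@
 MODULE_ALIAS("arpt_NFQUEUE");
 
 static u32 jhash_initval __read_mostly;
+static bool rnd_inited __read_mostly;
 
 static unsigned int
 nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
@@ -90,6 +91,10 @@
 const struct xt_NFQ_info_v1 *info = par->targinfo;
 u32 maxid;
 
+ if (unlikely(!rnd_inited)) {
+ get_random_bytes(&jhash_initval, sizeof(jhash_initval));
+ rnd_inited = true;
+ }
 if (info->queues_total == 0) {
 pr_err("NFQUEUE: number of total queues is 0\n");
 return false;
@@ -135,7 +140,6 @@
 
 static int __init nfqueue_tg_init(void)
 {
- get_random_bytes(&jhash_initval, sizeof(jhash_initval));
 return xt_register_targets(nfqueue_tg_reg, ARRAY_SIZE(nfqueue_tg_reg));
 }
 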
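Review bot: The `rnd_inited` test-and-set added in the second hunk is a plain read followed by a plain write, so if two rule checks can run at the same time both may call `get_random_bytes()`, and the later call replaces `jhash_initval` after the first rule may already be hashing packets with the old value. Whether the callers serialise this is not visible here, since the check function starts and ends outside the hunk; if they do not, take a lock around the block, or on trees that provide it use `net_get_random_once(&jhash_initval, sizeof(jhash_initval));`. The same pattern is added in net/netfilter/xt_RATEEST.c, where a replaced `jhash_rnd` matters more, because names already placed in `rateest_hash` would presumably hash to a different bucket and `xt_rateest_lookup()` could miss them. A short comment above the block, such as `/* seeded lazily: entropy may be scarce at boot */`, would keep the reason from the commit message next to the code.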
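--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -23,6 +23,7 @@
 #define RATEEST_HSIZE 16
 static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly;
 static unsigned int jhash_rnd __read_mostly;
+static bool rnd_inited __read_mostly;
 
 static unsigned int xt_rateest_hash(const char *name)
 {
@@ -93,6 +94,11 @@
 struct gnet_estimator est;
 } cfg;
 
+ if (unlikely(!rnd_inited)) {
+ get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
+ rnd_inited = true;
+ }
+
 est = xt_rateest_lookup(info->name);
 if (est) {
 /*
@@ -164,7 +170,6 @@
 for (i = 0; i < ARRAY_SIZE(rateest_hash); i++)
 INIT_HLIST_HEAD(&rateest_hash[i]);
 
- get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
 return xt_register_target(&xt_rateest_tg_reg);
 }
 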