Commit a42b99a6e329654d376b330de057eff87686d890

Authored by Florian Westphal
Committed by Pablo Neira Ayuso
1 parent 8cf4d6a224

netfilter: avoid get_random_bytes calls

All these users only need an initial seed value for jhash; prandom is
perfectly fine for that.  This avoids draining the entropy pool where
it's not strictly required.

nfnetlink_log did not use the random value at all.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Showing 6 changed files with 5 additions and 13 deletions Side-by-side Diff

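--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -28,8 +28,6 @@
 #include <linux/proc_fs.h>
 #include <linux/security.h>
 #include <linux/list.h>
-#include <linux/jhash.h>
-#include <linux/random.h>
 #include <linux/slab.h>
 #include <net/sock.h>
 #include <net/netfilter/nf_log.h>
@@ -75,7 +73,6 @@
 };
 
 #define INSTANCE_BUCKETS 16
-static unsigned int hash_init;
 
 static int nfnl_log_net_id __read_mostly;
 
@@ -1065,11 +1062,6 @@
 static int __init nfnetlink_log_init(void)
 {
 	int status = -ENOMEM;
-
-	/* it's not really all that important to have a random value, so
-	 * we can do this from the init function, even if there hasn't
-	 * been that much entropy yet */
-	get_random_bytes(&hash_init, sizeof(hash_init));
 
 	netlink_register_notifier(&nfulnl_rtnl_notifier);
 	status = nfnetlink_subsys_register(&nfulnl_subsys);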
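--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -164,7 +164,7 @@
 	unsigned int cnt, i;
 
 	if (unlikely(!nft_hash_rnd_initted)) {
-		get_random_bytes(&nft_hash_rnd, 4);
+		nft_hash_rnd = prandom_u32();
 		nft_hash_rnd_initted = true;
 	}
 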
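Review bot: The `nft_hash_rnd_initted` test-and-set on the new side is still a plain flag with no atomicity, unlike xt_connlimit in the same commit, which draws a non-zero value and publishes it with `cmpxchg()`. If two set instantiations can run concurrently (they may well be serialized by the nfnl mutex, which I cannot tell from the hunk), the second initializer would overwrite `nft_hash_rnd` after the first had already hashed elements with the old seed, and those elements would no longer be findable. The connlimit shape closes that window and also drops the separate flag: `do { rnd = prandom_u32(); } while (!rnd); cmpxchg(&nft_hash_rnd, 0, rnd);` with a local `u32 rnd;` and zero reserved to mean "not yet seeded". The enclosing function starts before the hunk.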
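--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -100,7 +100,7 @@
 	int ret;
 
 	if (unlikely(!rnd_inited)) {
-		get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
+		jhash_rnd = prandom_u32();
 		rnd_inited = true;
 	}
 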
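--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -229,7 +229,7 @@
 	u_int32_t rand;
 
 	do {
-		get_random_bytes(&rand, sizeof(rand));
+		rand = prandom_u32();
 	} while (!rand);
 	cmpxchg(&connlimit_rnd, 0, rand);
 }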
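Review bot: The reason for the `while (!rand)` loop is not stated, and with `prandom_u32()` now inside it the loop reads like an oddity that a later cleanup could "simplify" away: a zero result is rejected only because `0` is the sentinel that `cmpxchg(&connlimit_rnd, 0, rand)` below relies on to recognise an unseeded table. A one-line comment on the loop would pin that down: `/* 0 is reserved: cmpxchg() below treats it as "not yet seeded" */`. Of the seeding sites touched by this commit this is the only one that publishes the seed atomically, so concurrent callers all race on cmpxchg and only the first value sticks. The enclosing function starts before the hunk.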
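--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -177,7 +177,7 @@
 	/* initialize hash with random val at the time we allocate
 	 * the first hashtable entry */
 	if (unlikely(!ht->rnd_initialized)) {
-		get_random_bytes(&ht->rnd, sizeof(ht->rnd));
+		ht->rnd = prandom_u32();
 		ht->rnd_initialized = true;
 	}
 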
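Review bot: The comment above the check still says only "random val" and does not record why a non-cryptographic generator is acceptable here, which is the one thing a reader of the new `ht->rnd = prandom_u32();` line will ask. The seed's job in a hash table keyed by values that, as far as I can tell, come from packet header fields chosen by remote peers is to make bucket collisions unpredictable; `prandom_u32()` only delivers that to the extent it has been seeded well by the time the first entry is allocated (if I recall correctly it is reseeded from the entropy pool late in boot, so a table created very early could get a guessable seed). The commit message calls this "perfectly fine", which is a defensible trade-off, but it should be stated at the call site: `/* seed at first entry allocation; prandom rather than get_random_bytes() on purpose: the seed only needs to make bucket collisions hard to predict, not be cryptographically strong */`. The enclosing function starts before the hunk.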
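--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -334,7 +334,7 @@
 	size_t sz;
 
 	if (unlikely(!hash_rnd_inited)) {
-		get_random_bytes(&hash_rnd, sizeof(hash_rnd));
+		hash_rnd = prandom_u32();
 		hash_rnd_inited = true;
 	}
 	if (info->check_set & ~XT_RECENT_VALID_FLAGS) {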