Commit 5191d501 authored by Jan Engelhardt's avatar Jan Engelhardt Committed by Patrick McHardy

netfilter: xtables: do not grab random bytes at __init

"It is deliberately not done in the init function, since we might not
have sufficient random while booting."
Signed-off-by: default avatarJan Engelhardt <jengelh@medozas.de>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 89bc7a0f
...@@ -28,6 +28,7 @@ MODULE_ALIAS("ip6t_NFQUEUE"); ...@@ -28,6 +28,7 @@ MODULE_ALIAS("ip6t_NFQUEUE");
MODULE_ALIAS("arpt_NFQUEUE"); MODULE_ALIAS("arpt_NFQUEUE");
static u32 jhash_initval __read_mostly; static u32 jhash_initval __read_mostly;
static bool rnd_inited __read_mostly;
static unsigned int static unsigned int
nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par) nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
...@@ -90,6 +91,10 @@ static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par) ...@@ -90,6 +91,10 @@ static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
const struct xt_NFQ_info_v1 *info = par->targinfo; const struct xt_NFQ_info_v1 *info = par->targinfo;
u32 maxid; u32 maxid;
if (unlikely(!rnd_inited)) {
get_random_bytes(&jhash_initval, sizeof(jhash_initval));
rnd_inited = true;
}
if (info->queues_total == 0) { if (info->queues_total == 0) {
pr_err("NFQUEUE: number of total queues is 0\n"); pr_err("NFQUEUE: number of total queues is 0\n");
return false; return false;
...@@ -135,7 +140,6 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = { ...@@ -135,7 +140,6 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
static int __init nfqueue_tg_init(void) static int __init nfqueue_tg_init(void)
{ {
get_random_bytes(&jhash_initval, sizeof(jhash_initval));
return xt_register_targets(nfqueue_tg_reg, ARRAY_SIZE(nfqueue_tg_reg)); return xt_register_targets(nfqueue_tg_reg, ARRAY_SIZE(nfqueue_tg_reg));
} }
......
...@@ -23,6 +23,7 @@ static DEFINE_MUTEX(xt_rateest_mutex); ...@@ -23,6 +23,7 @@ static DEFINE_MUTEX(xt_rateest_mutex);
#define RATEEST_HSIZE 16 #define RATEEST_HSIZE 16
static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly; static struct hlist_head rateest_hash[RATEEST_HSIZE] __read_mostly;
static unsigned int jhash_rnd __read_mostly; static unsigned int jhash_rnd __read_mostly;
static bool rnd_inited __read_mostly;
static unsigned int xt_rateest_hash(const char *name) static unsigned int xt_rateest_hash(const char *name)
{ {
...@@ -93,6 +94,11 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par) ...@@ -93,6 +94,11 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
struct gnet_estimator est; struct gnet_estimator est;
} cfg; } cfg;
if (unlikely(!rnd_inited)) {
get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
rnd_inited = true;
}
est = xt_rateest_lookup(info->name); est = xt_rateest_lookup(info->name);
if (est) { if (est) {
/* /*
...@@ -164,7 +170,6 @@ static int __init xt_rateest_tg_init(void) ...@@ -164,7 +170,6 @@ static int __init xt_rateest_tg_init(void)
for (i = 0; i < ARRAY_SIZE(rateest_hash); i++) for (i = 0; i < ARRAY_SIZE(rateest_hash); i++)
INIT_HLIST_HEAD(&rateest_hash[i]); INIT_HLIST_HEAD(&rateest_hash[i]);
get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
return xt_register_target(&xt_rateest_tg_reg); return xt_register_target(&xt_rateest_tg_reg);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment