Date: Mon, 03 Mar 2008 02:33:37 -0200 From: Fernando Gont <fernando@gont.com.ar> To: freebsd-net@freebsd.org Cc: Rui Paulo <rpaulo@fnop.net> Subject: Ephemeral ports patch (fixed) Message-ID: <200803030435.m234Z7As026508@venus.xmundo.net>
next in thread | raw e-mail | index | archive | help
Folks,
Here's the same patch, but with the first ephemeral port changed from
1024 to 10000.
Index: in.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in.h,v
retrieving revision 1.100
diff -u -r1.100 in.h
--- in.h 12 Jun 2007 16:24:53 -0000 1.100
+++ in.h 1 Mar 2008 09:00:10 -0000
@@ -293,8 +293,7 @@
*
* The value IP_PORTRANGE_HIGH changes the range of candidate port numbers
* into the "high" range. These are reserved for client outbound connections
- * which do not want to be filtered by any firewalls. Note that by default
- * this is the same as IP_PORTRANGE_DEFAULT.
+ * which do not want to be filtered by any firewalls.
*
* The value IP_PORTRANGE_LOW changes the range to the "low" are
* that is (by convention) restricted to privileged processes. This
@@ -331,8 +330,13 @@
#define IPPORT_RESERVED 1024
/*
- * Default local port range, used by both IP_PORTRANGE_DEFAULT
- * and IP_PORTRANGE_HIGH.
+ * Default local port range, used by IP_PORTRANGE_DEFAULT
+ */
+#define IPPORT_EPHEMERALFIRST 10000
+#define IPPORT_EPHEMERALLAST 655535
+
+/*
+ * Dynamic port range, used by IP_PORTRANGE_HIGH.
*/
#define IPPORT_HIFIRSTAUTO 49152
#define IPPORT_HILASTAUTO 65535
Index: in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.198
diff -u -r1.198 in_pcb.c
--- in_pcb.c 22 Dec 2007 10:06:11 -0000 1.198
+++ in_pcb.c 1 Mar 2008 09:00:11 -0000
@@ -89,8 +89,8 @@
*/
int ipport_lowfirstauto = IPPORT_RESERVED - 1; /* 1023 */
int ipport_lowlastauto = IPPORT_RESERVEDSTART; /* 600 */
-int ipport_firstauto = IPPORT_HIFIRSTAUTO; /* 49152 */
-int ipport_lastauto = IPPORT_HILASTAUTO; /* 65535 */
+int ipport_firstauto = IPPORT_EPHEMERALFIRST; /* 10000 */
+int ipport_lastauto = IPPORT_EPHEMERALLAST; /* 65535 */
int ipport_hifirstauto = IPPORT_HIFIRSTAUTO; /* 49152 */
int ipport_hilastauto = IPPORT_HILASTAUTO; /* 65535 */
@@ -393,7 +393,7 @@
if (*lportp != 0)
lport = *lportp;
if (lport == 0) {
- u_short first, last;
+ u_short first, last, aux;
int count;
if (laddr.s_addr != INADDR_ANY)
@@ -440,47 +440,28 @@
/*
* Simple check to ensure all ports are not used up causing
* a deadlock here.
- *
- * We split the two cases (up and down) so that the direction
- * is not being tested on each round of the loop.
*/
if (first > last) {
- /*
- * counting down
- */
- if (dorandom)
- *lastport = first -
- (arc4random() % (first - last));
- count = first - last;
+ aux = first;
+ first = last;
+ last = aux;
+ }
- do {
- if (count-- < 0) /* completely used? */
- return (EADDRNOTAVAIL);
- --*lastport;
- if (*lastport > first || *lastport < last)
- *lastport = first;
- lport = htons(*lastport);
- } while (in_pcblookup_local(pcbinfo, laddr, lport,
- wild));
- } else {
- /*
- * counting up
- */
- if (dorandom)
- *lastport = first +
- (arc4random() % (last - first));
- count = last - first;
+ if (dorandom)
+ *lastport = first +
+ (arc4random() % (last - first));
- do {
- if (count-- < 0) /* completely used? */
- return (EADDRNOTAVAIL);
- ++*lastport;
- if (*lastport < first || *lastport > last)
- *lastport = first;
- lport = htons(*lastport);
- } while (in_pcblookup_local(pcbinfo, laddr, lport,
- wild));
- }
+ count = last - first;
+
+ do {
+ if (count-- < 0) /* completely used? */
+ return (EADDRNOTAVAIL);
+ ++*lastport;
+ if (*lastport < first || *lastport > last)
+ *lastport = first;
+ lport = htons(*lastport);
+ } while (in_pcblookup_local(pcbinfo, laddr, lport,
+ wild));
}
if (prison_ip(cred, 0, &laddr.s_addr))
return (EINVAL);
Kind regards,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803030435.m234Z7As026508>