ipt_netflow: optionally seed initial template ID from PRNG

laarmen · aabc · commit 56831a5bff2d · 2021-01-28T17:59:46.000+03:00
If we're always starting from 256, a module reload could result in the
client getting data under template IDs that were used under the previous
configuration and might not match (or worse, wrongly match). We add a
compilation option to start the template ID range from a random number,
reducing greatly the chances of such an accident occuring.

Since we're starting from a random number, we now have to check for
wrapping, as the random number might be close to 0xFFFF, which would
mean exporting template with IDs under 256 that are reserved.

v2: Fix the log output by keeping a separate count of the templates
generated by the module.

Signed-off-by: Simon Chopin &lt;s.chopin@alphalink.fr&gt;
[abc@openwall.com: Fixed incorrect if statement]
Signed-off-by: ABC &lt;abc@openwall.com&gt;
diff --git a/configure b/configure
@@ -302,6 +302,7 @@ show_help() {
   echo "  --enable-direction     enables flowDirection(61) Element"
   echo "  --enable-sampler       enables Flow Sampling"
   echo "  --enable-sampler=hash  enables Hash sampler"
+  echo "  --enable-rand-tpl-id   enables seeding the template IDs from a random number"
   echo "  --enable-aggregation   enables aggregation rules"
   echo "  --enable-promisc       enables promisc hack mode"
   echo "  --promisc-mpls         decapsulate MPLS in promisc mode"
@@ -337,6 +338,7 @@ do
     --enable-sampl*hash) KOPTS="$KOPTS -DENABLE_SAMPLER -DSAMPLING_HASH" ;;
     --enable-sampl*) KOPTS="$KOPTS -DENABLE_SAMPLER" ;;
     --enable-aggr*)  KOPTS="$KOPTS -DENABLE_AGGR" ;;
+    --enable-rand-tpl*)  KOPTS="$KOPTS -DENABLE_RANDOM_TEMPLATE_IDS" ;;
     --enable-promi*)   ENABLE_PROMISC=1 ;;
     --promisc-mpls*)   ENABLE_PROMISC=1; PROMISC_MPLS=1; MPLS_DEPTH=${ac_optarg:-3} ;;
     --enable-snmp-r*)  KOPTS="$KOPTS -DSNMP_RULES" ;;
diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
@@ -329,6 +329,7 @@ enum {
 	DONT_FLUSH, AND_FLUSH
 };
 static int template_ids = FLOWSET_DATA_FIRST;
+static int tpl_gen_count = 0; /* how much templates */
 static int tpl_count = 0; /* how much active templates */
 #define STAT_INTERVAL	 (1*60)
 #define SYSINFO_INTERVAL (5*60)
@@ -704,7 +705,7 @@ static int nf_seq_show(struct seq_file *seq, void *v)
 		seq_printf(seq, " (netflow)");
 	if (protocol >= 9)
 		seq_printf(seq, ", refresh-rate %u, timeout-rate %u, (templates %d, active %d).\n",
-		    refresh_rate, timeout_rate, template_ids - FLOWSET_DATA_FIRST, tpl_count);
+		    refresh_rate, timeout_rate, tpl_gen_count, tpl_count);
 	else
 		seq_printf(seq, "\n");
 
@@ -3393,6 +3394,9 @@ static struct data_template *get_template(const unsigned int tmask)
 	tpl->length = length;
 	tpl->rec_size = 0;
 	tpl->template_id_n = htons(template_ids++);
+	tpl_gen_count++;
+	if (template_ids >= 0x00010000)
+		template_ids = FLOWSET_DATA_FIRST;
 	tpl->exported_cnt = 0;
 	tpl->exported_ts = 0;
 
@@ -5710,6 +5714,10 @@ static int __init ipt_netflow_init(void)
 #endif
 #endif
 
+#ifdef ENABLE_RANDOM_TEMPLATE_IDS
+	template_ids = FLOWSET_DATA_FIRST | prandom_u32_max(0x00010000);
+#endif
+
 #ifdef SNMP_RULES
 	if (!snmp_rules)
 		snmp_rules = snmp_rules_buf;
