From: Ivo Vachkov
Date: Wed, 26 Jan 2011 13:28:07 +0200
To: FreeBSD Net
Subject: Proposed patch for Port Randomization modifications according to RFC6056

Hello,

I would like to propose a patch (against FreeBSD RELENG_8) to extend the port randomization support in FreeBSD, according to RFC6056 (https://www.rfc-editor.org/rfc/rfc6056.txt).

Currently the patch implements:
- Algorithm 1 (default in FreeBSD 8)
- Algorithm 2
- Algorithm 5
from the aforementioned RFC6056. Any of those algorithms can be chosen with the sysctl variable net.inet.ip.portrange.rfc6056_algorithm.

I deliberately skipped Algorithm 3 and Algorithm 4, because I believe usage of cryptographic hash functions will introduce unnecessary latency in vital network operations. However, in case of expressed interest, I will be glad to add those too.

I would like to ask what is the proper way to validate the sysctl input in order to accept only specific values? In my case only '1', '2' and '5'.

Thank you very much.
Ivo Vachkov

[Attachment: freebsd-RELENG_8-rfc6056.patch (text/x-patch)]
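
Added example, not part of the original message or of the attached patch: a user-space C model of RFC 6056 Algorithms 1, 2 and 5, following the RFC's pseudocode, with a selector check that accepts only 1, 2 and 5. All names (alg_valid, pick_port, pick_with_one_free, in_use, rnd) are hypothetical, the in_use table stands in for the kernel's PCB lookup, and rand() stands in for arc4random().

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ALG5_N 500u                 /* RFC 6056 trade-off parameter N */
static uint32_t next_ephemeral;     /* Algorithm 5 state; the RFC seeds it at boot */
static bool in_use[65536];          /* constructed stand-in for the PCB lookup */

/* Stand-in RNG so the model builds anywhere; kernel code would call arc4random(). */
static uint32_t rnd(void) { return (uint32_t)rand(); }

/* Accept only the selector values the message lists: 1, 2 and 5. */
bool alg_valid(int alg) { return alg == 1 || alg == 2 || alg == 5; }

/* Returns a free port in [lo, hi]; 0 on a bad selector, bad range or exhaustion. */
uint16_t pick_port(int alg, uint16_t lo, uint16_t hi)
{
    if (!alg_valid(alg) || lo == 0 || hi < lo)
        return 0;
    uint32_t num = (uint32_t)hi - lo + 1;       /* inclusive range size */
    uint32_t off = (alg == 5) ? 0 : rnd() % num;
    for (uint32_t count = num; count > 0; count--) {
        if (alg == 5) {             /* random increment of 1..N on a shared counter */
            next_ephemeral += rnd() % ALG5_N + 1;
            off = next_ephemeral % num;
        }
        if (!in_use[lo + off])
            return (uint16_t)(lo + off);
        if (alg == 1)
            off = (off + 1) % num;  /* linear scan from the random start, wrapping */
        else if (alg == 2)
            off = rnd() % num;      /* fresh random draw after each collision */
    }
    return 0;
}

/* Marks every port in [lo, hi] busy except `keep`, then asks for a port. */
uint16_t pick_with_one_free(int alg, uint16_t lo, uint16_t hi, uint16_t keep)
{
    for (uint32_t p = lo; p <= hi; p++)
        in_use[p] = (p != keep);
    return pick_port(alg, lo, hi);
}

int main(void)
{
    next_ephemeral = rnd() % 65536; /* Algorithm 5 boot-time initialisation */
    for (int alg = 0; alg <= 5; alg++)
        printf("alg %d -> port %u\n", alg, pick_port(alg, 10000, 65535));
    return 0;
}
```

Algorithm 2 can report exhaustion while a port is still free, because its random draws may repeat; Algorithm 1's scan visits every port in the range once.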