Ephemeral ports patch (fixed)

Fernando Gont fernando at gont.com.ar
Mon Mar 3 06:12:15 PST 2008 

At 04:11 a.m. 03/03/2008, Mike Silbersack wrote:

>>Here's the same patch, but with the first ephemeral port changed 
>>from 1024 to 10000.
>
>Now that I've actually gone to try to apply the patch (so I can view 
>the two codepaths side by side, rather than in diff form), I'm 
>finding that I can't apply it.  I think all the whitespace got 
>stomped, either by your mail program or my mail program.  Can you 
>please resent this as an attachment?

Sure. Please let me know if this one is okay.

Kind regards,

--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



-------------- next part --------------
Index: in.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in.h,v
retrieving revision 1.100
diff -u -r1.100 in.h
--- in.h	12 Jun 2007 16:24:53 -0000	1.100
+++ in.h	1 Mar 2008 09:00:10 -0000
@@ -293,8 +293,7 @@
  *
  * The value IP_PORTRANGE_HIGH changes the range of candidate port numbers
  * into the "high" range.  These are reserved for client outbound connections
- * which do not want to be filtered by any firewalls.  Note that by default
- * this is the same as IP_PORTRANGE_DEFAULT.
+ * which do not want to be filtered by any firewalls.
  *
  * The value IP_PORTRANGE_LOW changes the range to the "low" are
  * that is (by convention) restricted to privileged processes.  This
@@ -331,8 +330,13 @@
 #define	IPPORT_RESERVED		1024
 
 /*
- * Default local port range, used by both IP_PORTRANGE_DEFAULT
- * and IP_PORTRANGE_HIGH.
+ * Default local port range, used by IP_PORTRANGE_DEFAULT
+ */
+#define IPPORT_EPHEMERALFIRST	10000
+#define IPPORT_EPHEMERALLAST	655535 
+ 
+/*
+ * Dynamic port range, used by IP_PORTRANGE_HIGH.
  */
 #define	IPPORT_HIFIRSTAUTO	49152
 #define	IPPORT_HILASTAUTO	65535
Index: in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.198
diff -u -r1.198 in_pcb.c
--- in_pcb.c	22 Dec 2007 10:06:11 -0000	1.198
+++ in_pcb.c	1 Mar 2008 09:00:11 -0000
@@ -89,8 +89,8 @@
  */
 int	ipport_lowfirstauto  = IPPORT_RESERVED - 1;	/* 1023 */
 int	ipport_lowlastauto = IPPORT_RESERVEDSTART;	/* 600 */
-int	ipport_firstauto = IPPORT_HIFIRSTAUTO;		/* 49152 */
-int	ipport_lastauto  = IPPORT_HILASTAUTO;		/* 65535 */
+int	ipport_firstauto = IPPORT_EPHEMERALFIRST;	/* 10000 */
+int	ipport_lastauto  = IPPORT_EPHEMERALLAST;	/* 65535 */
 int	ipport_hifirstauto = IPPORT_HIFIRSTAUTO;	/* 49152 */
 int	ipport_hilastauto  = IPPORT_HILASTAUTO;		/* 65535 */
 
@@ -393,7 +393,7 @@
 	if (*lportp != 0)
 		lport = *lportp;
 	if (lport == 0) {
-		u_short first, last;
+		u_short first, last, aux;
 		int count;
 
 		if (laddr.s_addr != INADDR_ANY)
@@ -440,47 +440,28 @@
 		/*
 		 * Simple check to ensure all ports are not used up causing
 		 * a deadlock here.
-		 *
-		 * We split the two cases (up and down) so that the direction
-		 * is not being tested on each round of the loop.
 		 */
 		if (first > last) {
-			/*
-			 * counting down
-			 */
-			if (dorandom)
-				*lastport = first -
-					    (arc4random() % (first - last));
-			count = first - last;
+			aux = first;
+			first = last;
+			last = aux;
+		}
 
-			do {
-				if (count-- < 0)	/* completely used? */
-					return (EADDRNOTAVAIL);
-				--*lastport;
-				if (*lastport > first || *lastport < last)
-					*lastport = first;
-				lport = htons(*lastport);
-			} while (in_pcblookup_local(pcbinfo, laddr, lport,
-			    wild));
-		} else {
-			/*
-			 * counting up
-			 */
-			if (dorandom)
-				*lastport = first +
-					    (arc4random() % (last - first));
-			count = last - first;
+		if (dorandom)
+			*lastport = first +
+				    (arc4random() % (last - first));
 
-			do {
-				if (count-- < 0)	/* completely used? */
-					return (EADDRNOTAVAIL);
-				++*lastport;
-				if (*lastport < first || *lastport > last)
-					*lastport = first;
-				lport = htons(*lastport);
-			} while (in_pcblookup_local(pcbinfo, laddr, lport,
-			    wild));
-		}
+		count = last - first;
+
+		do {
+			if (count-- < 0)	/* completely used? */
+				return (EADDRNOTAVAIL);
+			++*lastport;
+			if (*lastport < first || *lastport > last)
+				*lastport = first;
+			lport = htons(*lastport);
+		} while (in_pcblookup_local(pcbinfo, laddr, lport,
+		    wild));
 	}
 	if (prison_ip(cred, 0, &laddr.s_addr))
 		return (EINVAL);

More information about the freebsd-net mailing list