ipt_netflow: optionally seed initial template ID from PRNG

If we're always starting from 256, a module reload could result in the client getting data under template IDs that were used under the previous configuration and might not match (or worse, wrongly match). We add a compilation option to start the template ID range from a random number, reducing greatly the chances of such an accident occuring. Since we're starting from a random number, we now have to check for wrapping, as the random number might be close to 0xFFFF, which would mean exporting template with IDs under 256 that are reserved. v2: Fix the log output by keeping a separate count of the templates generated by the module. v3: Fixed incorrect if (by ABC). Signed-off-by: Simon Chopin <[email protected]>
aabc · Jan 28, 2021 · ee0f69e · ee0f69e
1 parent 83a20ef
commit ee0f69e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/configure b/configure
@@ -302,6 +302,7 @@ show_help() {
   echo "  --enable-direction     enables flowDirection(61) Element"
   echo "  --enable-sampler       enables Flow Sampling"
   echo "  --enable-sampler=hash  enables Hash sampler"
+  echo "  --enable-rand-tpl-id   enables seeding the template IDs from a random number"
   echo "  --enable-aggregation   enables aggregation rules"
   echo "  --enable-promisc       enables promisc hack mode"
   echo "  --promisc-mpls         decapsulate MPLS in promisc mode"
@@ -337,6 +338,7 @@ do
     --enable-sampl*hash) KOPTS="$KOPTS -DENABLE_SAMPLER -DSAMPLING_HASH" ;;
     --enable-sampl*) KOPTS="$KOPTS -DENABLE_SAMPLER" ;;
     --enable-aggr*)  KOPTS="$KOPTS -DENABLE_AGGR" ;;
+    --enable-rand-tpl*)  KOPTS="$KOPTS -DENABLE_RANDOM_TEMPLATE_IDS" ;;
     --enable-promi*)   ENABLE_PROMISC=1 ;;
     --promisc-mpls*)   ENABLE_PROMISC=1; PROMISC_MPLS=1; MPLS_DEPTH=${ac_optarg:-3} ;;
     --enable-snmp-r*)  KOPTS="$KOPTS -DSNMP_RULES" ;;

diff --git a/ipt_NETFLOW.c b/ipt_NETFLOW.c
@@ -329,6 +329,7 @@ enum {
 	DONT_FLUSH, AND_FLUSH
 };
 static int template_ids = FLOWSET_DATA_FIRST;
+static int tpl_gen_count = 0; /* how much templates */
 static int tpl_count = 0; /* how much active templates */
 #define STAT_INTERVAL	 (1*60)
 #define SYSINFO_INTERVAL (5*60)
@@ -704,7 +705,7 @@ static int nf_seq_show(struct seq_file *seq, void *v)
 		seq_printf(seq, " (netflow)");
 	if (protocol >= 9)
 		seq_printf(seq, ", refresh-rate %u, timeout-rate %u, (templates %d, active %d).\n",
-		    refresh_rate, timeout_rate, template_ids - FLOWSET_DATA_FIRST, tpl_count);
+		    refresh_rate, timeout_rate, tpl_gen_count, tpl_count);
 	else
 		seq_printf(seq, "\n");
 
@@ -3393,6 +3394,9 @@ static struct data_template *get_template(const unsigned int tmask)
 	tpl->length = length;
 	tpl->rec_size = 0;
 	tpl->template_id_n = htons(template_ids++);
+	tpl_gen_count++;
+	if (template_ids >= 0x00010000)
+		template_ids = FLOWSET_DATA_FIRST;
 	tpl->exported_cnt = 0;
 	tpl->exported_ts = 0;
 
@@ -5710,6 +5714,10 @@ static int __init ipt_netflow_init(void)
 #endif
 #endif
 
+#ifdef ENABLE_RANDOM_TEMPLATE_IDS
+	template_ids = FLOWSET_DATA_FIRST | prandom_u32_max(0x00010000);
+#endif
+
 #ifdef SNMP_RULES
 	if (!snmp_rules)
 		snmp_rules = snmp_rules_buf;