At 04:11 a.m. 03/03/2008, Mike Silbersack wrote:

Here's the same patch, but with the first ephemeral port changed from 1024 to 10000.

Now that I've actually gone to try to apply the patch (so I can view the two code paths side by side, rather than in diff form), I'm finding that I can't apply it. I think all the whitespace got stomped, either by your mail program or my mail program. Can you please resend this as an attachment?

Sure. Please let me know if this one is okay.

Kind regards,

--
Fernando Gont
e-mail: [EMAIL PROTECTED] || [EMAIL PROTECTED]
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1



Index: in.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in.h,v
retrieving revision 1.100
diff -u -r1.100 in.h
--- in.h        12 Jun 2007 16:24:53 -0000      1.100
+++ in.h        1 Mar 2008 09:00:10 -0000
@@ -293,8 +293,7 @@
  *
  * The value IP_PORTRANGE_HIGH changes the range of candidate port numbers
  * into the "high" range.  These are reserved for client outbound connections
- * which do not want to be filtered by any firewalls.  Note that by default
- * this is the same as IP_PORTRANGE_DEFAULT.
+ * which do not want to be filtered by any firewalls.
  *
  * The value IP_PORTRANGE_LOW changes the range to the "low" are
  * that is (by convention) restricted to privileged processes.  This
@@ -331,8 +330,13 @@
 #define        IPPORT_RESERVED         1024
 
 /*
- * Default local port range, used by both IP_PORTRANGE_DEFAULT
- * and IP_PORTRANGE_HIGH.
+ * Default local port range, used by IP_PORTRANGE_DEFAULT
+ */
+#define IPPORT_EPHEMERALFIRST  10000
+#define IPPORT_EPHEMERALLAST   655535 
+ 
+/*
+ * Dynamic port range, used by IP_PORTRANGE_HIGH.
  */
 #define        IPPORT_HIFIRSTAUTO      49152
 #define        IPPORT_HILASTAUTO       65535
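Review bot: The second added define, `#define IPPORT_EPHEMERALLAST   655535`, is not a valid 16-bit port number and does not match the `/* 65535 */` annotation the in_pcb.c hunk puts next to `ipport_lastauto = IPPORT_EPHEMERALLAST;`; it looks like a typo for `65535`. Since the global is an `int`, the wrong value will compile silently, and it will be truncated wherever it is later narrowed to a `u_short` (presumably when `last` is set in in_pcb.c, outside the visible hunk), so the effective upper bound would be neither 65535 nor the intended range. The change should be `#define IPPORT_EPHEMERALLAST   65535`. The two new defines also carry trailing whitespace and use spaces after `#define` where the neighbouring `IPPORT_HIFIRSTAUTO` / `IPPORT_HILASTAUTO` lines use tabs, which is part of why the patch would not apply cleanly by mail.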
Index: in_pcb.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in_pcb.c,v
retrieving revision 1.198
diff -u -r1.198 in_pcb.c
--- in_pcb.c    22 Dec 2007 10:06:11 -0000      1.198
+++ in_pcb.c    1 Mar 2008 09:00:11 -0000
@@ -89,8 +89,8 @@
  */
 int    ipport_lowfirstauto  = IPPORT_RESERVED - 1;     /* 1023 */
 int    ipport_lowlastauto = IPPORT_RESERVEDSTART;      /* 600 */
-int    ipport_firstauto = IPPORT_HIFIRSTAUTO;          /* 49152 */
-int    ipport_lastauto  = IPPORT_HILASTAUTO;           /* 65535 */
+int    ipport_firstauto = IPPORT_EPHEMERALFIRST;       /* 10000 */
+int    ipport_lastauto  = IPPORT_EPHEMERALLAST;        /* 65535 */
 int    ipport_hifirstauto = IPPORT_HIFIRSTAUTO;        /* 49152 */
 int    ipport_hilastauto  = IPPORT_HILASTAUTO;         /* 65535 */
 
@@ -393,7 +393,7 @@
        if (*lportp != 0)
                lport = *lportp;
        if (lport == 0) {
-               u_short first, last;
+               u_short first, last, aux;
                int count;
 
                if (laddr.s_addr != INADDR_ANY)
@@ -440,47 +440,28 @@
                /*
                 * Simple check to ensure all ports are not used up causing
                 * a deadlock here.
-                *
-                * We split the two cases (up and down) so that the direction
-                * is not being tested on each round of the loop.
                 */
                if (first > last) {
-                       /*
-                        * counting down
-                        */
-                       if (dorandom)
-                               *lastport = first -
-                                           (arc4random() % (first - last));
-                       count = first - last;
+                       aux = first;
+                       first = last;
+                       last = aux;
+               }
 
-                       do {
-                               if (count-- < 0)        /* completely used? */
-                                       return (EADDRNOTAVAIL);
-                               --*lastport;
-                               if (*lastport > first || *lastport < last)
-                                       *lastport = first;
-                               lport = htons(*lastport);
-                       } while (in_pcblookup_local(pcbinfo, laddr, lport,
-                           wild));
-               } else {
-                       /*
-                        * counting up
-                        */
-                       if (dorandom)
-                               *lastport = first +
-                                           (arc4random() % (last - first));
-                       count = last - first;
+               if (dorandom)
+                       *lastport = first +
+                                   (arc4random() % (last - first));
 
-                       do {
-                               if (count-- < 0)        /* completely used? */
-                                       return (EADDRNOTAVAIL);
-                               ++*lastport;
-                               if (*lastport < first || *lastport > last)
-                                       *lastport = first;
-                               lport = htons(*lastport);
-                       } while (in_pcblookup_local(pcbinfo, laddr, lport,
-                           wild));
-               }
+               count = last - first;
+
+               do {
+                       if (count-- < 0)        /* completely used? */
+                               return (EADDRNOTAVAIL);
+                       ++*lastport;
+                       if (*lastport < first || *lastport > last)
+                               *lastport = first;
+                       lport = htons(*lastport);
+               } while (in_pcblookup_local(pcbinfo, laddr, lport,
+                   wild));
        }
        if (prison_ip(cred, 0, &laddr.s_addr))
                return (EINVAL);
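Review bot: Swapping `first` and `last` when `first > last` silently reverses the allocation order for descending ranges, which is not mentioned anywhere in the patch: the low range is initialised as `ipport_lowfirstauto = 1023` down to `ipport_lowlastauto = 600` in the earlier in_pcb.c hunk, and the removed branch walked it 1022, 1021, … then wrapped to 1023, whereas the merged loop now starts at 601 and walks upward, wrapping back to 600. If that is intended, the swap deserves a comment such as `/* Normalize so first <= last; all ranges are now walked in ascending order. */`; if not, the direction needs to be preserved separately from the bounds. The single remaining random start, `arc4random() % (last - first)`, is a divide-by-zero when the range collapses to one port (`first == last`); both removed branches had the same expression, but now that there is only one site a guard like `if (dorandom && last > first)` would be cheap. Note also that the randomly chosen `*lastport` is immediately incremented by `++*lastport` before use, so the chosen port itself is never the first one tried (pre-existing). The enclosing function starts and ends outside this hunk, and `first`/`last` are assigned from the `ipport_*` globals above the hunk, so the truncation of those `int` globals into `u_short` cannot be verified here.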
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
