Henrik Nordstrom writes:

> On Monday 08 July 2002 23.30, Don Cohen wrote:
>
> > I figure it hardly matters whether I do the analogous thing for
> > proto, since it's so short.
>
> Actually you could consider proto almost a constant.. I don't think
> you really gain anything by obfuscating this.. just adding it to the
> result to make sure different protocols hash into different buckets
> should suffice just fine me thinks.. but sure, being paranoid does
> not hurt other than CPU time.. but it should be allowed to influence
> the hash value.

I agree; it's just trying to err on the side of caution. It's nearly constant in non-attack traffic, but it's something over which the attacker has total control. I admit I don't see how he can benefit from knowing that E=1.

> Related note: You only have sport/dport for known protocols such as
> TCP/UDP/ICMP. On unknown protocols (proto_generic tracking)
> sport/dport will be all 0, meaning there is only one single conntrack
> entry per sip/dip/proto tuple for such protocols..

Ok. The attacker then does not control the port values supplied to the hash, which can only benefit us.
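The two points above (proto folded into a secret-keyed hash, and ports zeroed for protocols without them), as an added illustration that is not the netfilter conntrack code: the tuple layout, the `mix` step and the protocol numbers treated as "known" are assumptions made for this example.

```c
#include <stdint.h>

/* Hypothetical conntrack tuple with the five fields discussed in the thread. */
struct tuple {
    uint32_t sip, dip;
    uint8_t  proto;
    uint16_t sport, dport;
};

/* Assumed set of protocols that carry port-like fields (TCP, UDP, ICMP). */
static int proto_has_ports(uint8_t proto)
{
    return proto == 6 || proto == 17 || proto == 1;
}

/* proto_generic case: no ports, so sport/dport are forced to 0 and one
 * entry covers the whole sip/dip/proto tuple. */
static void normalize(struct tuple *t)
{
    if (!proto_has_ports(t->proto))
        t->sport = t->dport = 0;
}

/* Illustrative mixing step: xor the field in, then apply two invertible
 * operations (odd multiply, xor-shift). Invertibility means two inputs
 * that differ in any field cannot collide at the full 32-bit level. */
static uint32_t mix(uint32_t h, uint32_t v)
{
    h ^= v;
    h *= 0x9E3779B1u;
    h ^= h >> 15;
    return h;
}

/* Keyed hash over the full tuple. The secret is mixed first so that bucket
 * placement cannot be predicted from the packet fields alone; proto is
 * folded in like every other attacker-controlled field. */
uint32_t ct_hash_raw(struct tuple t, uint32_t secret)
{
    uint32_t h = secret;
    normalize(&t);
    h = mix(h, t.sip);
    h = mix(h, t.dip);
    h = mix(h, ((uint32_t)t.sport << 16) | t.dport);
    h = mix(h, t.proto);
    return h;
}

/* Bucket index for a table of nbuckets entries (reduction may collide). */
uint32_t ct_bucket(struct tuple t, uint32_t secret, uint32_t nbuckets)
{
    return ct_hash_raw(t, secret) % nbuckets;
}
```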