David Miller <da...@davemloft.net> wrote:
> From: Soheil Hassas Yeganeh <soheil.k...@gmail.com>
> Date: Wed, 15 Mar 2017 16:30:45 -0400
>
> > Note that this cache was already broken for caching timestamps of
> > multiple machines behind a NAT sharing the same address.
>
> That's the documented, well established, limitation of time-wait
> recycling.
Sigh. "don't enable this if you connect your machine to the internet".

We're not in the 1990s anymore. Even I am behind ipv4 CG-NAT nowadays.

So I disagree and would remove this thing.

> This limitation of the feature does not give us a reason to break the
> feature even further as a matter of convenience, or to remove it
> altogether for the same reason.
>
> Please, instead, fix the bug that was introduced.

AFAIU we only have two alternatives, removal of the randomization feature
or switch to an offset computed via hash(saddr, daddr, secret).

Unless there are more comments I'll look into doing the latter tomorrow.
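As an added illustration (not code from this thread or from the kernel), the following Python sketch models the two mechanisms being argued about: a per-(saddr, daddr) timestamp offset derived from a keyed hash with a host secret, and a per-source-address "last timestamp seen" cache of the kind time-wait recycling relies on, which two hosts behind one NAT address defeat because their offsets are unrelated. HMAC-SHA256 standing in for the kernel's keyed hash, the addresses and the offsets fed to nat_scenario are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

TS_MASK = 0xFFFFFFFF


def ts_offset(secret: bytes, saddr: str, daddr: str) -> int:
    """Per-address-pair TSval offset: keyed hash of (saddr, daddr) cut to 32 bits.
    HMAC-SHA256 is an assumption standing in for a keyed hash such as SipHash;
    what matters is that the offset depends on a host secret, is stable for a
    given pair and is unrelated between different pairs or different hosts."""
    msg = ipaddress.ip_address(saddr).packed + ipaddress.ip_address(daddr).packed
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("<I", digest[:4])[0]


def wire_ts(clock_ms: int, offset: int) -> int:
    """TSval as sent on the wire: local clock plus the pair offset, mod 2^32."""
    return (clock_ms + offset) & TS_MASK


def ts_after(a: int, b: int) -> bool:
    """True if 32-bit timestamp b is not older than a (PAWS-style wrapping compare)."""
    return ((b - a) & TS_MASK) < 0x80000000


def recycle_check(last_seen: dict, src: str, tsval: int) -> bool:
    """Per-source-address timestamp cache in the spirit of time-wait recycling:
    accept a SYN only if its TSval is not older than the last one seen from that
    source address, then remember it. Returns True when the SYN is accepted."""
    prev = last_seen.get(src)
    if prev is not None and not ts_after(prev, tsval):
        return False
    last_seen[src] = tsval
    return True


def nat_scenario(offset_a: int, offset_b: int) -> list:
    """Constructed sample: hosts A and B share one NAT address and alternate
    SYNs to the same server (A, B, A); each host has its own offset toward that
    destination. Returns the accept/reject decision for each SYN in order."""
    nat_ip, last_seen, results = "203.0.113.7", {}, []
    for clock, off in ((1000, offset_a), (1001, offset_b), (1002, offset_a)):
        results.append(recycle_check(last_seen, nat_ip, wire_ts(clock, off)))
    return results
```

With distinct offsets the third SYN (host A again) is rejected even though A's own clock advanced, which is the NAT breakage the thread refers to; with one host (identical offsets) all three are accepted.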