4 files changed, 46 insertions, 53 deletions

diff --git a/pkg/tcpip/stack/iptables.go b/pkg/tcpip/stack/iptables.go
index d2f666c09..0a26f6dd8 100644
--- a/pkg/tcpip/stack/iptables.go
+++ b/pkg/tcpip/stack/iptables.go
@@ -42,7 +42,7 @@ const reaperDelay = 5 * time.Second
 
 // DefaultTables returns a default set of tables. Each chain is set to accept
 // all packets.
-func DefaultTables() *IPTables {
+func DefaultTables(seed uint32) *IPTables {
 	return &IPTables{
 		v4Tables: [NumTables]Table{
 			NATID: {
@@ -182,7 +182,7 @@ func DefaultTables() *IPTables {
 			Postrouting: {MangleID, NATID},
 		},
 		connections: ConnTrack{
-			seed: generateRandUint32(),
+			seed: seed,
 		},
 		reaperDone: make(chan struct{}, 1),
 	}
diff --git a/pkg/tcpip/stack/ndp_test.go b/pkg/tcpip/stack/ndp_test.go
index ac2fa777e..7af5ee953 100644
--- a/pkg/tcpip/stack/ndp_test.go
+++ b/pkg/tcpip/stack/ndp_test.go
@@ -19,11 +19,12 @@ import (
 	"context"
 	"encoding/binary"
 	"fmt"
+	"math/rand"
 	"testing"
 	"time"
 
 	"github.com/google/go-cmp/cmp"
-	"gvisor.dev/gvisor/pkg/rand"
+	cryptorand "gvisor.dev/gvisor/pkg/rand"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/buffer"
 	"gvisor.dev/gvisor/pkg/tcpip/checker"
@@ -497,8 +498,9 @@ func TestDADResolve(t *testing.T) {
 
 			clock := faketime.NewManualClock()
 			s := stack.New(stack.Options{
-				Clock:     clock,
-				SecureRNG: &secureRNG,
+				Clock:      clock,
+				RandSource: rand.NewSource(time.Now().UnixNano()),
+				SecureRNG:  &secureRNG,
 				NetworkProtocols: []stack.NetworkProtocolFactory{ipv6.NewProtocolWithOptions(ipv6.Options{
 					NDPDisp: &ndpDisp,
 					DADConfigs: stack.DADConfigurations{
@@ -1035,7 +1037,7 @@ func TestSetNDPConfigurations(t *testing.T) {
 // raBufWithOptsAndDHCPv6 returns a valid NDP Router Advertisement with options
 // and DHCPv6 configurations specified.
 func raBufWithOptsAndDHCPv6(ip tcpip.Address, rl uint16, managedAddress, otherConfigurations bool, optSer header.NDPOptionsSerializer) *stack.PacketBuffer {
-	icmpSize := header.ICMPv6HeaderSize + header.NDPRAMinimumSize + int(optSer.Length())
+	icmpSize := header.ICMPv6HeaderSize + header.NDPRAMinimumSize + optSer.Length()
 	hdr := buffer.NewPrependable(header.IPv6MinimumSize + icmpSize)
 	pkt := header.ICMPv6(hdr.Prepend(icmpSize))
 	pkt.SetType(header.ICMPv6RouterAdvert)
@@ -1048,13 +1050,13 @@ func raBufWithOptsAndDHCPv6(ip tcpip.Address, rl uint16, managedAddress, otherCo
 	if managedAddress {
 		// The Managed Addresses flag field is the 7th bit of byte #1 (0-indexing)
 		// of the RA payload.
-		raPayload[1] |= (1 << 7)
+		raPayload[1] |= 1 << 7
 	}
 	// Populate the Other Configurations flag field.
 	if otherConfigurations {
 		// The Other Configurations flag field is the 6th bit of byte #1
 		// (0-indexing) of the RA payload.
-		raPayload[1] |= (1 << 6)
+		raPayload[1] |= 1 << 6
 	}
 	opts := ra.Options()
 	opts.Serialize(optSer)
@@ -3833,12 +3835,12 @@ func TestAutoGenAddrWithOpaqueIID(t *testing.T) {
 	const nicName = "nic1"
 	var secretKeyBuf [header.OpaqueIIDSecretKeyMinBytes]byte
 	secretKey := secretKeyBuf[:]
-	n, err := rand.Read(secretKey)
+	n, err := cryptorand.Read(secretKey)
 	if err != nil {
-		t.Fatalf("rand.Read(_): %s", err)
+		t.Fatalf("cryptorand.Read(_): %s", err)
 	}
 	if n != header.OpaqueIIDSecretKeyMinBytes {
-		t.Fatalf("got rand.Read(_) = (%d, _), want = (%d, _)", n, header.OpaqueIIDSecretKeyMinBytes)
+		t.Fatalf("got cryptorand.Read(_) = (%d, _), want = (%d, _)", n, header.OpaqueIIDSecretKeyMinBytes)
 	}
 
 	prefix1, subnet1, _ := prefixSubnetAddr(0, linkAddr1)
@@ -3946,12 +3948,12 @@ func TestAutoGenAddrInResponseToDADConflicts(t *testing.T) {
 
 	var secretKeyBuf [header.OpaqueIIDSecretKeyMinBytes]byte
 	secretKey := secretKeyBuf[:]
-	n, err := rand.Read(secretKey)
+	n, err := cryptorand.Read(secretKey)
 	if err != nil {
-		t.Fatalf("rand.Read(_): %s", err)
+		t.Fatalf("cryptorand.Read(_): %s", err)
 	}
 	if n != header.OpaqueIIDSecretKeyMinBytes {
-		t.Fatalf("got rand.Read(_) = (%d, _), want = (%d, _)", n, header.OpaqueIIDSecretKeyMinBytes)
+		t.Fatalf("got cryptorand.Read(_) = (%d, _), want = (%d, _)", n, header.OpaqueIIDSecretKeyMinBytes)
 	}
 
 	prefix, subnet, _ := prefixSubnetAddr(0, linkAddr1)
@@ -4311,12 +4313,12 @@ func TestAutoGenAddrContinuesLifetimesAfterRetry(t *testing.T) {
 
 	var secretKeyBuf [header.OpaqueIIDSecretKeyMinBytes]byte
 	secretKey := secretKeyBuf[:]
-	n, err := rand.Read(secretKey)
+	n, err := cryptorand.Read(secretKey)
 	if err != nil {
-		t.Fatalf("rand.Read(_): %s", err)
+		t.Fatalf("cryptorand.Read(_): %s", err)
 	}
 	if n != header.OpaqueIIDSecretKeyMinBytes {
-		t.Fatalf("got rand.Read(_) = (%d, _), want = (%d, _)", n, header.OpaqueIIDSecretKeyMinBytes)
+		t.Fatalf("got cryptorand.Read(_) = (%d, _), want = (%d, _)", n, header.OpaqueIIDSecretKeyMinBytes)
 	}
 
 	prefix, subnet, _ := prefixSubnetAddr(0, linkAddr1)
diff --git a/pkg/tcpip/stack/stack.go b/pkg/tcpip/stack/stack.go
index 1ebf9670c..40d277312 100644
--- a/pkg/tcpip/stack/stack.go
+++ b/pkg/tcpip/stack/stack.go
@@ -20,7 +20,6 @@
 package stack
 
 import (
-	"bytes"
 	"encoding/binary"
 	"fmt"
 	"io"
@@ -223,10 +222,16 @@ type Options struct {
 	// RandSource must be thread-safe.
 	RandSource rand.Source
 
-	// IPTables are the initial iptables rules. If nil, iptables will allow
+	// IPTables are the initial iptables rules. If nil, DefaultIPTables will be
+	// used to construct the initial iptables rules.
 	// all traffic.
 	IPTables *IPTables
 
+	// DefaultIPTables is an optional iptables rules constructor that is called
+	// if IPTables is nil. If both fields are nil, iptables will allow all
+	// traffic.
+	DefaultIPTables func(uint32) *IPTables
+
 	// SecureRNG is a cryptographically secure random number generator.
 	SecureRNG io.Reader
 }
@@ -324,23 +329,32 @@ func New(opts Options) *Stack {
 		opts.UniqueID = new(uniqueIDGenerator)
 	}
 
+	if opts.SecureRNG == nil {
+		opts.SecureRNG = cryptorand.Reader
+	}
+
 	randSrc := opts.RandSource
 	if randSrc == nil {
+		var v int64
+		if err := binary.Read(opts.SecureRNG, binary.LittleEndian, &v); err != nil {
+			panic(err)
+		}
 		// Source provided by rand.NewSource is not thread-safe so
 		// we wrap it in a simple thread-safe version.
-		randSrc = &lockedRandomSource{src: rand.NewSource(generateRandInt64())}
+		randSrc = &lockedRandomSource{src: rand.NewSource(v)}
 	}
+	randomGenerator := rand.New(randSrc)
 
+	seed := randomGenerator.Uint32()
 	if opts.IPTables == nil {
-		opts.IPTables = DefaultTables()
+		if opts.DefaultIPTables == nil {
+			opts.DefaultIPTables = DefaultTables
+		}
+		opts.IPTables = opts.DefaultIPTables(seed)
 	}
 
 	opts.NUDConfigs.resetInvalidFields()
 
-	if opts.SecureRNG == nil {
-		opts.SecureRNG = cryptorand.Reader
-	}
-
 	s := &Stack{
 		transportProtocols:       make(map[tcpip.TransportProtocolNumber]*transportProtocolState),
 		networkProtocols:         make(map[tcpip.NetworkProtocolNumber]NetworkProtocol),
@@ -353,11 +367,11 @@ func New(opts Options) *Stack {
 		handleLocal:              opts.HandleLocal,
 		tables:                   opts.IPTables,
 		icmpRateLimiter:          NewICMPRateLimiter(),
-		seed:                     generateRandUint32(),
+		seed:                     seed,
 		nudConfigs:               opts.NUDConfigs,
 		uniqueIDGenerator:        opts.UniqueID,
 		nudDisp:                  opts.NUDDisp,
-		randomGenerator:          rand.New(randSrc),
+		randomGenerator:          randomGenerator,
 		secureRNG:                opts.SecureRNG,
 		sendBufferSize: tcpip.SendBufferSizeOption{
 			Min:     MinBufferSize,
@@ -1822,27 +1836,6 @@ func (s *Stack) SecureRNG() io.Reader {
 	return s.secureRNG
 }
 
-func generateRandUint32() uint32 {
-	b := make([]byte, 4)
-	if _, err := cryptorand.Read(b); err != nil {
-		panic(err)
-	}
-	return binary.LittleEndian.Uint32(b)
-}
-
-func generateRandInt64() int64 {
-	b := make([]byte, 8)
-	if _, err := cryptorand.Read(b); err != nil {
-		panic(err)
-	}
-	buf := bytes.NewReader(b)
-	var v int64
-	if err := binary.Read(buf, binary.LittleEndian, &v); err != nil {
-		panic(err)
-	}
-	return v
-}
-
 // FindNICNameFromID returns the name of the NIC for the given NICID.
 func (s *Stack) FindNICNameFromID(id tcpip.NICID) string {
 	s.mu.RLock()
diff --git a/pkg/tcpip/stack/transport_demuxer.go b/pkg/tcpip/stack/transport_demuxer.go
index 80ad1a9d4..8a8454a6a 100644
--- a/pkg/tcpip/stack/transport_demuxer.go
+++ b/pkg/tcpip/stack/transport_demuxer.go
@@ -16,8 +16,6 @@ package stack
 
 import (
 	"fmt"
-	"math/rand"
-
 	"gvisor.dev/gvisor/pkg/sync"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/hash/jenkins"
@@ -223,7 +221,7 @@ func (epsByNIC *endpointsByNIC) registerEndpoint(d *transportDemuxer, netProto t
 	return multiPortEp.singleRegisterEndpoint(t, flags)
 }
 
-func (epsByNIC *endpointsByNIC) checkEndpoint(d *transportDemuxer, netProto tcpip.NetworkProtocolNumber, transProto tcpip.TransportProtocolNumber, flags ports.Flags, bindToDevice tcpip.NICID) tcpip.Error {
+func (epsByNIC *endpointsByNIC) checkEndpoint(flags ports.Flags, bindToDevice tcpip.NICID) tcpip.Error {
 	epsByNIC.mu.RLock()
 	defer epsByNIC.mu.RUnlock()
 
@@ -475,7 +473,7 @@ func (d *transportDemuxer) singleRegisterEndpoint(netProto tcpip.NetworkProtocol
 	if !ok {
 		epsByNIC = &endpointsByNIC{
 			endpoints: make(map[tcpip.NICID]*multiPortEndpoint),
-			seed:      rand.Uint32(),
+			seed:      d.stack.Seed(),
 		}
 		eps.endpoints[id] = epsByNIC
 	}
@@ -502,7 +500,7 @@ func (d *transportDemuxer) singleCheckEndpoint(netProto tcpip.NetworkProtocolNum
 		return nil
 	}
 
-	return epsByNIC.checkEndpoint(d, netProto, protocol, flags, bindToDevice)
+	return epsByNIC.checkEndpoint(flags, bindToDevice)
 }
 
 // unregisterEndpoint unregisters the endpoint with the given id such that it