From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7AB44C38142 for ; Tue, 24 Jan 2023 10:05:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233176AbjAXKFq (ORCPT ); Tue, 24 Jan 2023 05:05:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47594 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229930AbjAXKFo (ORCPT ); Tue, 24 Jan 2023 05:05:44 -0500 Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC47512F2F for ; Tue, 24 Jan 2023 02:05:42 -0800 (PST) Received: by mail-ej1-x635.google.com with SMTP id ud5so37599420ejc.4 for ; Tue, 24 Jan 2023 02:05:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=cc:to:content-transfer-encoding:mime-version:message-id:date :subject:from:from:to:cc:subject:date:message-id:reply-to; bh=iDOKpQT7VEpnsD2V/TmfNEjOO7D+R586p1CBQWzIDzU=; b=xHsdIJt5sBMccxOyGOGgGkauVZEuzoMBnni1Hb9zv5PlAH8K0mnfOwKbhc0GHinj4L ClpOcv6kCUiNYwiXTUdEJCkOZQhMd5XU26H+fbFf0oPBElybAOZmFCc1Yvce0V318gut /6rSvZcA6vPnNYKYbaXrY8RBYi0sP0z/RpsEo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:content-transfer-encoding:mime-version:message-id:date :subject:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=iDOKpQT7VEpnsD2V/TmfNEjOO7D+R586p1CBQWzIDzU=; b=gQpc7/bGnYU2KE2u48aFv5AE4kg0cAoZQnjEgFAmvHfwS3nsocWxa24DmDxnEnIj4Q NN6cBAdoBmRRVSXewOrv7fmB4dkGEQz9aZD+QAZoErz2f6QImiS4lAEay6uxwrS8m1p+ cIzE3VUv0ERPMq6mYBq/WViL4/wYzURQOoVg8imtfpYzd0oE4wq6UXUhMPLU769xYnZc Z77Mql6KupgBdF0XiWR8Uip22F4JK/KY4v40U82HVaxiNFLw9RzwRC7crYinZUBa+oVU uZAJTyufkBUrvGGxK2g1Dt3YJhhaussK/lcvVSddd6er4zEyGgFshgRO0t+NMCahzPwf hdcQ== X-Gm-Message-State: AFqh2kqlLeN+IpD5BgE4HxRWIpQvmlIil1/sTrgCEwzZpSJz+40xozWm 9bBql7ukmeqwwzox8C8dYU8CXA== X-Google-Smtp-Source: AMrXdXvyMvR4peZww9i7Dm8hi/cYUU0KgL1yZwWt7UmtYc060HHhlCQpOY2N3mTFQg3v18hWqBFceg== X-Received: by 2002:a17:906:34c4:b0:86f:9e4:d13e with SMTP id h4-20020a17090634c400b0086f09e4d13emr29198080ejb.72.1674554741317; Tue, 24 Jan 2023 02:05:41 -0800 (PST) Received: from cloudflare.com (79.184.123.123.ipv4.supernova.orange.pl. [79.184.123.123]) by smtp.gmail.com with ESMTPSA id q4-20020a1709064c8400b007c0d4d3a0c1sm674137eju.32.2023.01.24.02.05.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Jan 2023 02:05:40 -0800 (PST) From: Jakub Sitnicki Subject: [PATCH net-next v5 0/2] Add IP_LOCAL_PORT_RANGE socket option Date: Tue, 24 Jan 2023 11:05:26 +0100 Message-Id: <20221221-sockopt-port-range-v5-0-9fb2c00ad293@cloudflare.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-B4-Tracking: v=1; b=H4sIAGatz2MC/4XOQW7EIAwF0KuMWJcKHJI0XfUeVRcB7AY1hQiYa KpR7l6LbUeN5I398TN3UTAHLOL1chcZ91BCitz0Txfhljl+ogyeewEKQHPJktxX2qrcUq4ytxeo DXgclSLjBS/auaC0nLmFV+N1XXm4ZaRwa5feRcQqI96q+OBkCaWm/NO+sOuW/3dt11JJBKsmYwd F5N/cmq6e1jnjs0vfzdzh3AF2tO9Ja2NpgPGh0507HTvdQHNP/TQNZB465twx7PjRA0E/aOhe/j jHcfwC4YtsB7ABAAA= To: netdev@vger.kernel.org Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Kuniyuki Iwashima , Neal Cardwell , Leon Romanovsky , selinux@vger.kernel.org, Paul Moore , Stephen Smalley , Eric Paris , kernel-team@cloudflare.com, Marek Majkowski X-Mailer: b4 0.11.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This patch set is a follow up to the "How to share IPv4 addresses by partitioning the port space" talk given at LPC 2022 [1]. Please see patch #1 for the motivation & the use case description. Patch #2 adds tests exercising the new option in various scenarios. Documentation ------------- Proposed update to the ip(7) man-page: IP_LOCAL_PORT_RANGE (since Linux X.Y) Set or get the per-socket default local port range. This option can be used to clamp down the global local port range, defined by the ip_local_port_range /proc interface described below, for a given socket. The option takes an uint32_t value with the high 16 bits set to the upper range bound, and the low 16 bits set to the lower range bound. Range bounds are inclusive. The 16-bit values should be in host byte order. The lower bound has to be less than the upper bound when both bounds are not zero. Otherwise, setting the option fails with EINVAL. If either bound is outside of the global local port range, or is zero, then that bound has no effect. To reset the setting, pass zero as both the upper and the lower bound. Interaction with SELinux bind() hook ------------------------------------ SELinux bind() hook - selinux_socket_bind() - performs a permission check if the requested local port number lies outside of the netns ephemeral port range. The proposed socket option cannot be used change the ephemeral port range to extend beyond the per-netns port range, as set by net.ipv4.ip_local_port_range. Hence, there is no interaction with SELinux, AFAICT. Changelog: --------- v4 -> v5: v4: https://lore.kernel.org/r/20221221-sockopt-port-range-v4-0-d7d2f2561238@cloudflare.com * Code changes called out in individual patches. v3 -> v4: v3: https://lore.kernel.org/r/20221221-sockopt-port-range-v3-0-36fa5f5996f4@cloudflare.com * Highlight that port bounds should be in host byte order. (Neal) v2 -> v3: v2: https://lore.kernel.org/r/20221221-sockopt-port-range-v2-0-1d5f114bf627@cloudflare.com * Describe interaction considerations with SELinux. * Code changes called out in individual patches. v1 -> v2: v1: https://lore.kernel.org/netdev/20221221-sockopt-port-range-v1-0-e2b094b60ffd@cloudflare.com/ * Fix the corner case when the per-socket range doesn't overlap with the per-netns range. Fallback correctly to the per-netns range. (Kuniyuki) * selftests: Instead of iterating over socket families (ip4, ip6) and types (tcp, udp), generate tests for each combo from a template. This keeps the code indentation level down and makes tests more granular. * Rewrite man-page prose: - explain how to unset the option, - document when EINVAL is returned. RFC -> v1 RFC: https://lore.kernel.org/netdev/20220912225308.93659-1-jakub@cloudflare.com/ * Allow either the high bound or the low bound, or both, to be zero * Add getsockopt support * Add selftests Links: ------ [1]: https://lpc.events/event/16/contributions/1349/ To: netdev@vger.kernel.org Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Kuniyuki Iwashima Cc: Neal Cardwell Cc: Leon Romanovsky Cc: selinux@vger.kernel.org Cc: Paul Moore Cc: Stephen Smalley Cc: Eric Paris Cc: kernel-team@cloudflare.com Signed-off-by: Jakub Sitnicki --- Jakub Sitnicki (2): inet: Add IP_LOCAL_PORT_RANGE socket option selftests/net: Cover the IP_LOCAL_PORT_RANGE socket option include/net/inet_sock.h | 4 + include/net/ip.h | 3 +- include/uapi/linux/in.h | 1 + net/ipv4/inet_connection_sock.c | 25 +- net/ipv4/inet_hashtables.c | 2 +- net/ipv4/ip_sockglue.c | 18 + net/ipv4/udp.c | 2 +- net/sctp/socket.c | 2 +- tools/testing/selftests/net/Makefile | 2 + tools/testing/selftests/net/ip_local_port_range.c | 447 +++++++++++++++++++++ tools/testing/selftests/net/ip_local_port_range.sh | 5 + 11 files changed, 505 insertions(+), 6 deletions(-)