[PATCH] netfilter: nat: limit port clash resolution attempts

[PATCH] netfilter: nat: limit port clash resolution attempts

[Vimal Agrawal]

commit a504b703bb1da526a01593da0e4be2af9d9f5fa8 ("netfilter: nat:
limit port clash resolution attempts")

In case almost or all available ports are taken, clash resolution can
take a very long time, resulting in soft lockup.

This can happen when many to-be-natted hosts connect to same
destination:port (e.g. a proxy) and all connections pass the same SNAT.

Pick a random offset in the acceptable range, then try ever smaller
number of adjacent port numbers, until either the limit is reached or a
useable port was found.  This results in at most 248 attempts
(128 + 64 + 32 + 16 + 8, i.e. 4 restarts with new search offset)
instead of 64000+,

Signed-off-by: Vimal Agrawal <vimal.agrawal@sophos.com>
---
 net/netfilter/nf_nat_proto_common.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
index 7d7466dbf663..d0d9747f68a9 100644
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -41,9 +41,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
 				 const struct nf_conn *ct,
 				 u16 *rover)
 {
-	unsigned int range_size, min, max, i;
+	unsigned int range_size, min, max, i, attempts;
 	__be16 *portptr;
-	u_int16_t off;
+	u16 off;
+	static const unsigned int max_attempts = 128;
 
 	if (maniptype == NF_NAT_MANIP_SRC)
 		portptr = &tuple->src.u.all;
@@ -87,14 +88,30 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
 		off = *rover;
 	}
 
-	for (i = 0; ; ++off) {
+	attempts = range_size;
+	if (attempts > max_attempts)
+		attempts = max_attempts;
+
+	/* We are in softirq; doing a search of the entire range risks
+	 * soft lockup when all tuples are already used.
+	 *
+	 * If we can't find any free port from first offset, pick a new
+	 * one and try again, with ever smaller search window.
+	 */
+another_round:
+	for (i = 0; i < attempts; i++, off++) {
 		*portptr = htons(min + off % range_size);
-		if (++i != range_size && nf_nat_used_tuple(tuple, ct))
+		if (nf_nat_used_tuple(tuple, ct))
 			continue;
 		if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))
 			*rover = off;
 		return;
 	}
+	if (attempts >= range_size || attempts < 16)
+		return;
+	attempts /= 2;
+	off = prandom_u32();
+	goto another_round;
 }
 EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple);
 
-- 
2.32.0

Re: [PATCH] netfilter: nat: limit port clash resolution attempts

[Vimal Agrawal]

corrected a typo in one id in the mailing list.

Vimal

On Thu, Feb 3, 2022 at 10:44 AM Vimal Agrawal <avimalin@gmail.com> wrote:
>
> commit a504b703bb1da526a01593da0e4be2af9d9f5fa8 ("netfilter: nat:
> limit port clash resolution attempts")
>
> In case almost or all available ports are taken, clash resolution can
> take a very long time, resulting in soft lockup.
>
> This can happen when many to-be-natted hosts connect to same
> destination:port (e.g. a proxy) and all connections pass the same SNAT.
>
> Pick a random offset in the acceptable range, then try ever smaller
> number of adjacent port numbers, until either the limit is reached or a
> useable port was found.  This results in at most 248 attempts
> (128 + 64 + 32 + 16 + 8, i.e. 4 restarts with new search offset)
> instead of 64000+,
>
> Signed-off-by: Vimal Agrawal <vimal.agrawal@sophos.com>
> ---
>  net/netfilter/nf_nat_proto_common.c | 25 +++++++++++++++++++++----
>  1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
> index 7d7466dbf663..d0d9747f68a9 100644
> --- a/net/netfilter/nf_nat_proto_common.c
> +++ b/net/netfilter/nf_nat_proto_common.c
> @@ -41,9 +41,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
>                                  const struct nf_conn *ct,
>                                  u16 *rover)
>  {
> -       unsigned int range_size, min, max, i;
> +       unsigned int range_size, min, max, i, attempts;
>         __be16 *portptr;
> -       u_int16_t off;
> +       u16 off;
> +       static const unsigned int max_attempts = 128;
>
>         if (maniptype == NF_NAT_MANIP_SRC)
>                 portptr = &tuple->src.u.all;
> @@ -87,14 +88,30 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
>                 off = *rover;
>         }
>
> -       for (i = 0; ; ++off) {
> +       attempts = range_size;
> +       if (attempts > max_attempts)
> +               attempts = max_attempts;
> +
> +       /* We are in softirq; doing a search of the entire range risks
> +        * soft lockup when all tuples are already used.
> +        *
> +        * If we can't find any free port from first offset, pick a new
> +        * one and try again, with ever smaller search window.
> +        */
> +another_round:
> +       for (i = 0; i < attempts; i++, off++) {
>                 *portptr = htons(min + off % range_size);
> -               if (++i != range_size && nf_nat_used_tuple(tuple, ct))
> +               if (nf_nat_used_tuple(tuple, ct))
>                         continue;
>                 if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))
>                         *rover = off;
>                 return;
>         }
> +       if (attempts >= range_size || attempts < 16)
> +               return;
> +       attempts /= 2;
> +       off = prandom_u32();
> +       goto another_round;
>  }
>  EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple);
>
> --
> 2.32.0
>

Re: [PATCH] netfilter: nat: limit port clash resolution attempts

[Florian Westphal]

Vimal Agrawal <avimalin@gmail.com> wrote:
> commit a504b703bb1da526a01593da0e4be2af9d9f5fa8 ("netfilter: nat:
> limit port clash resolution attempts")

I've forwarded this to stable@ for inclusion into 4.14.y.

I've also sent a request for 4.19.y (applies with no changes) and
a backported version for 4.9.y.

4.4.y is EOL, so no action done in that department.