* [PATCH] netfilter: nat: limit port clash resolution attempts
@ 2022-02-03 5:13 Vimal Agrawal
2022-02-03 6:10 ` Vimal Agrawal
2022-02-03 12:43 ` Florian Westphal
0 siblings, 2 replies; 3+ messages in thread
From: Vimal Agrawal @ 2022-02-03 5:13 UTC (permalink / raw)
To: netfilter-devel, pablo, fw; +Cc: vimal.agrawal, avimalin
commit a504b703bb1da526a01593da0e4be2af9d9f5fa8 ("netfilter: nat:
limit port clash resolution attempts")
In case almost or all available ports are taken, clash resolution can
take a very long time, resulting in soft lockup.
This can happen when many to-be-natted hosts connect to same
destination:port (e.g. a proxy) and all connections pass the same SNAT.
Pick a random offset in the acceptable range, then try ever smaller
number of adjacent port numbers, until either the limit is reached or a
useable port was found. This results in at most 248 attempts
(128 + 64 + 32 + 16 + 8, i.e. 4 restarts with new search offset)
instead of 64000+,
Signed-off-by: Vimal Agrawal <vimal.agrawal@sophos.com>
---
net/netfilter/nf_nat_proto_common.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
index 7d7466dbf663..d0d9747f68a9 100644
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -41,9 +41,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
const struct nf_conn *ct,
u16 *rover)
{
- unsigned int range_size, min, max, i;
+ unsigned int range_size, min, max, i, attempts;
__be16 *portptr;
- u_int16_t off;
+ u16 off;
+ static const unsigned int max_attempts = 128;
if (maniptype == NF_NAT_MANIP_SRC)
portptr = &tuple->src.u.all;
@@ -87,14 +88,30 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
off = *rover;
}
- for (i = 0; ; ++off) {
+ attempts = range_size;
+ if (attempts > max_attempts)
+ attempts = max_attempts;
+
+ /* We are in softirq; doing a search of the entire range risks
+ * soft lockup when all tuples are already used.
+ *
+ * If we can't find any free port from first offset, pick a new
+ * one and try again, with ever smaller search window.
+ */
+another_round:
+ for (i = 0; i < attempts; i++, off++) {
*portptr = htons(min + off % range_size);
- if (++i != range_size && nf_nat_used_tuple(tuple, ct))
+ if (nf_nat_used_tuple(tuple, ct))
continue;
if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))
*rover = off;
return;
}
+ if (attempts >= range_size || attempts < 16)
+ return;
+ attempts /= 2;
+ off = prandom_u32();
+ goto another_round;
}
EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple);
--
2.32.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] netfilter: nat: limit port clash resolution attempts
2022-02-03 5:13 [PATCH] netfilter: nat: limit port clash resolution attempts Vimal Agrawal
@ 2022-02-03 6:10 ` Vimal Agrawal
2022-02-03 12:43 ` Florian Westphal
1 sibling, 0 replies; 3+ messages in thread
From: Vimal Agrawal @ 2022-02-03 6:10 UTC (permalink / raw)
To: netfilter-devel, pablo, fw, kadlec; +Cc: Vimal Agrawal
corrected a typo in one id in the mailing list.
Vimal
On Thu, Feb 3, 2022 at 10:44 AM Vimal Agrawal <avimalin@gmail.com> wrote:
>
> commit a504b703bb1da526a01593da0e4be2af9d9f5fa8 ("netfilter: nat:
> limit port clash resolution attempts")
>
> In case almost or all available ports are taken, clash resolution can
> take a very long time, resulting in soft lockup.
>
> This can happen when many to-be-natted hosts connect to same
> destination:port (e.g. a proxy) and all connections pass the same SNAT.
>
> Pick a random offset in the acceptable range, then try ever smaller
> number of adjacent port numbers, until either the limit is reached or a
> useable port was found. This results in at most 248 attempts
> (128 + 64 + 32 + 16 + 8, i.e. 4 restarts with new search offset)
> instead of 64000+,
>
> Signed-off-by: Vimal Agrawal <vimal.agrawal@sophos.com>
> ---
> net/netfilter/nf_nat_proto_common.c | 25 +++++++++++++++++++++----
> 1 file changed, 21 insertions(+), 4 deletions(-)
>
> diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
> index 7d7466dbf663..d0d9747f68a9 100644
> --- a/net/netfilter/nf_nat_proto_common.c
> +++ b/net/netfilter/nf_nat_proto_common.c
> @@ -41,9 +41,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
> const struct nf_conn *ct,
> u16 *rover)
> {
> - unsigned int range_size, min, max, i;
> + unsigned int range_size, min, max, i, attempts;
> __be16 *portptr;
> - u_int16_t off;
> + u16 off;
> + static const unsigned int max_attempts = 128;
>
> if (maniptype == NF_NAT_MANIP_SRC)
> portptr = &tuple->src.u.all;
> @@ -87,14 +88,30 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
> off = *rover;
> }
>
> - for (i = 0; ; ++off) {
> + attempts = range_size;
> + if (attempts > max_attempts)
> + attempts = max_attempts;
> +
> + /* We are in softirq; doing a search of the entire range risks
> + * soft lockup when all tuples are already used.
> + *
> + * If we can't find any free port from first offset, pick a new
> + * one and try again, with ever smaller search window.
> + */
> +another_round:
> + for (i = 0; i < attempts; i++, off++) {
> *portptr = htons(min + off % range_size);
> - if (++i != range_size && nf_nat_used_tuple(tuple, ct))
> + if (nf_nat_used_tuple(tuple, ct))
> continue;
> if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))
> *rover = off;
> return;
> }
> + if (attempts >= range_size || attempts < 16)
> + return;
> + attempts /= 2;
> + off = prandom_u32();
> + goto another_round;
> }
> EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple);
>
> --
> 2.32.0
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] netfilter: nat: limit port clash resolution attempts
2022-02-03 5:13 [PATCH] netfilter: nat: limit port clash resolution attempts Vimal Agrawal
2022-02-03 6:10 ` Vimal Agrawal
@ 2022-02-03 12:43 ` Florian Westphal
1 sibling, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2022-02-03 12:43 UTC (permalink / raw)
To: Vimal Agrawal; +Cc: netfilter-devel, pablo, fw, vimal.agrawal
Vimal Agrawal <avimalin@gmail.com> wrote:
> commit a504b703bb1da526a01593da0e4be2af9d9f5fa8 ("netfilter: nat:
> limit port clash resolution attempts")
I've forwarded this to stable@ for inclusion into 4.14.y.
I've also sent a request for 4.19.y (applies with no changes) and
a backported version for 4.9.y.
4.4.y is EOL, so no action done in that department.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-02-03 12:43 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-03 5:13 [PATCH] netfilter: nat: limit port clash resolution attempts Vimal Agrawal
2022-02-03 6:10 ` Vimal Agrawal
2022-02-03 12:43 ` Florian Westphal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.