
[1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry

Message ID 20221028205225.10189-2-sriram.yagnaraman@est.tech
State Changes Requested
Delegated to: Pablo Neira
Series netfilter: nf_ct_sctp: improve SCTP multihoming | expand

Commit Message

Sriram Yagnaraman Oct. 28, 2022, 8:52 p.m. UTC
From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>

This patch introduces a new proc entry to disable source port
randomization for SCTP connections.

As specified in RFC9260 all transport addresses used by an SCTP endpoint
MUST use the same port number but can use multiple IP addresses. That
means that all paths taken within an SCTP association should have the
same port even if they pass through different NAT/middleboxes in the
network.

Disabling source port randomization provides a deterministic source port
for the remote SCTP endpoint for all paths used in the SCTP association.
On NAT/middlebox restarts we will always end up with the same port after
the restart, and the SCTP endpoints involved in the SCTP association can
remain transparent to restarts.

Of course, there is a downside: this makes it impossible to have
multiple SCTP endpoints behind NAT that use the same source port.
But this is less of a problem than losing an existing association
altogether.

Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
---
 include/net/netns/conntrack.h           |  1 +
 net/netfilter/nf_conntrack_proto_sctp.c |  3 +++
 net/netfilter/nf_conntrack_standalone.c | 13 +++++++++++++
 net/netfilter/nf_nat_core.c             |  8 +++++++-
 4 files changed, 24 insertions(+), 1 deletion(-)

Comments

kernel test robot Oct. 28, 2022, 10:35 p.m. UTC | #1
Hi,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v6.1-rc2 next-20221028]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
patch link:    https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech
patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry
config: ia64-allyesconfig
compiler: ia64-linux-gcc (GCC) 12.1.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
        git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 SHELL=/bin/bash net/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   net/netfilter/nf_nat_core.c: In function 'nf_nat_l4proto_unique_tuple':
>> net/netfilter/nf_nat_core.c:430:20: warning: this statement may fall through [-Wimplicit-fallthrough=]
     430 |                 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
         |                    ^
   net/netfilter/nf_nat_core.c:432:9: note: here
     432 |         case IPPROTO_UDP:
         |         ^~~~


vim +430 net/netfilter/nf_nat_core.c

   374	
   375	/* Alter the per-proto part of the tuple (depending on maniptype), to
   376	 * give a unique tuple in the given range if possible.
   377	 *
   378	 * Per-protocol part of tuple is initialized to the incoming packet.
   379	 */
   380	static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
   381						const struct nf_nat_range2 *range,
   382						enum nf_nat_manip_type maniptype,
   383						const struct nf_conn *ct)
   384	{
   385		unsigned int range_size, min, max, i, attempts;
   386		__be16 *keyptr;
   387		u16 off;
   388		static const unsigned int max_attempts = 128;
   389	
   390		switch (tuple->dst.protonum) {
   391		case IPPROTO_ICMP:
   392		case IPPROTO_ICMPV6:
   393			/* id is same for either direction... */
   394			keyptr = &tuple->src.u.icmp.id;
   395			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   396				min = 0;
   397				range_size = 65536;
   398			} else {
   399				min = ntohs(range->min_proto.icmp.id);
   400				range_size = ntohs(range->max_proto.icmp.id) -
   401					     ntohs(range->min_proto.icmp.id) + 1;
   402			}
   403			goto find_free_id;
   404	#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
   405		case IPPROTO_GRE:
   406			/* If there is no master conntrack we are not PPTP,
   407			   do not change tuples */
   408			if (!ct->master)
   409				return;
   410	
   411			if (maniptype == NF_NAT_MANIP_SRC)
   412				keyptr = &tuple->src.u.gre.key;
   413			else
   414				keyptr = &tuple->dst.u.gre.key;
   415	
   416			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   417				min = 1;
   418				range_size = 65535;
   419			} else {
   420				min = ntohs(range->min_proto.gre.key);
   421				range_size = ntohs(range->max_proto.gre.key) - min + 1;
   422			}
   423			goto find_free_id;
   424	#endif
   425		case IPPROTO_SCTP:
   426			/* SCTP port randomization disabled, try to use the same source port
   427			 * as in the original packet. Drop packets if another endpoint tries
   428			 * to use same source port behind NAT.
   429			 */
 > 430			if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
   431				return;
   432		case IPPROTO_UDP:
   433		case IPPROTO_UDPLITE:
   434		case IPPROTO_TCP:
   435		case IPPROTO_DCCP:
   436			if (maniptype == NF_NAT_MANIP_SRC)
   437				keyptr = &tuple->src.u.all;
   438			else
   439				keyptr = &tuple->dst.u.all;
   440	
   441			break;
   442		default:
   443			return;
   444		}
   445	
   446		/* If no range specified... */
   447		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   448			/* If it's dst rewrite, can't change port */
   449			if (maniptype == NF_NAT_MANIP_DST)
   450				return;
   451	
   452			if (ntohs(*keyptr) < 1024) {
   453				/* Loose convention: >> 512 is credential passing */
   454				if (ntohs(*keyptr) < 512) {
   455					min = 1;
   456					range_size = 511 - min + 1;
   457				} else {
   458					min = 600;
   459					range_size = 1023 - min + 1;
   460				}
   461			} else {
   462				min = 1024;
   463				range_size = 65535 - 1024 + 1;
   464			}
   465		} else {
   466			min = ntohs(range->min_proto.all);
   467			max = ntohs(range->max_proto.all);
   468			if (unlikely(max < min))
   469				swap(max, min);
   470			range_size = max - min + 1;
   471		}
   472	
   473	find_free_id:
   474		if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
   475			off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
   476		else
   477			off = get_random_u16();
   478	
   479		attempts = range_size;
   480		if (attempts > max_attempts)
   481			attempts = max_attempts;
   482	
   483		/* We are in softirq; doing a search of the entire range risks
   484		 * soft lockup when all tuples are already used.
   485		 *
   486		 * If we can't find any free port from first offset, pick a new
   487		 * one and try again, with ever smaller search window.
   488		 */
   489	another_round:
   490		for (i = 0; i < attempts; i++, off++) {
   491			*keyptr = htons(min + off % range_size);
   492			if (!nf_nat_used_tuple(tuple, ct))
   493				return;
   494		}
   495	
   496		if (attempts >= range_size || attempts < 16)
   497			return;
   498		attempts /= 2;
   499		off = get_random_u16();
   500		goto another_round;
   501	}
   502
kernel test robot Oct. 29, 2022, 4:39 a.m. UTC | #2
Hi,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.1-rc2 next-20221028]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
patch link:    https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech
patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry
config: i386-defconfig
compiler: gcc-11 (Debian 11.3.0-8) 11.3.0
reproduce (this is a W=1 build):
        # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
        git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   net/netfilter/nf_nat_core.c: In function 'nf_nat_l4proto_unique_tuple':
>> net/netfilter/nf_nat_core.c:430:21: error: implicit declaration of function 'nf_sctp_pernet'; did you mean 'nf_icmp_pernet'? [-Werror=implicit-function-declaration]
     430 |                 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
         |                     ^~~~~~~~~~~~~~
         |                     nf_icmp_pernet
>> net/netfilter/nf_nat_core.c:430:50: error: invalid type argument of '->' (have 'int')
     430 |                 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
         |                                                  ^~
   cc1: some warnings being treated as errors


vim +430 net/netfilter/nf_nat_core.c

   374	
   375	/* Alter the per-proto part of the tuple (depending on maniptype), to
   376	 * give a unique tuple in the given range if possible.
   377	 *
   378	 * Per-protocol part of tuple is initialized to the incoming packet.
   379	 */
   380	static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
   381						const struct nf_nat_range2 *range,
   382						enum nf_nat_manip_type maniptype,
   383						const struct nf_conn *ct)
   384	{
   385		unsigned int range_size, min, max, i, attempts;
   386		__be16 *keyptr;
   387		u16 off;
   388		static const unsigned int max_attempts = 128;
   389	
   390		switch (tuple->dst.protonum) {
   391		case IPPROTO_ICMP:
   392		case IPPROTO_ICMPV6:
   393			/* id is same for either direction... */
   394			keyptr = &tuple->src.u.icmp.id;
   395			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   396				min = 0;
   397				range_size = 65536;
   398			} else {
   399				min = ntohs(range->min_proto.icmp.id);
   400				range_size = ntohs(range->max_proto.icmp.id) -
   401					     ntohs(range->min_proto.icmp.id) + 1;
   402			}
   403			goto find_free_id;
   404	#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
   405		case IPPROTO_GRE:
   406			/* If there is no master conntrack we are not PPTP,
   407			   do not change tuples */
   408			if (!ct->master)
   409				return;
   410	
   411			if (maniptype == NF_NAT_MANIP_SRC)
   412				keyptr = &tuple->src.u.gre.key;
   413			else
   414				keyptr = &tuple->dst.u.gre.key;
   415	
   416			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   417				min = 1;
   418				range_size = 65535;
   419			} else {
   420				min = ntohs(range->min_proto.gre.key);
   421				range_size = ntohs(range->max_proto.gre.key) - min + 1;
   422			}
   423			goto find_free_id;
   424	#endif
   425		case IPPROTO_SCTP:
   426			/* SCTP port randomization disabled, try to use the same source port
   427			 * as in the original packet. Drop packets if another endpoint tries
   428			 * to use same source port behind NAT.
   429			 */
 > 430			if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
   431				return;
   432		case IPPROTO_UDP:
   433		case IPPROTO_UDPLITE:
   434		case IPPROTO_TCP:
   435		case IPPROTO_DCCP:
   436			if (maniptype == NF_NAT_MANIP_SRC)
   437				keyptr = &tuple->src.u.all;
   438			else
   439				keyptr = &tuple->dst.u.all;
   440	
   441			break;
   442		default:
   443			return;
   444		}
   445	
   446		/* If no range specified... */
   447		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   448			/* If it's dst rewrite, can't change port */
   449			if (maniptype == NF_NAT_MANIP_DST)
   450				return;
   451	
   452			if (ntohs(*keyptr) < 1024) {
   453				/* Loose convention: >> 512 is credential passing */
   454				if (ntohs(*keyptr) < 512) {
   455					min = 1;
   456					range_size = 511 - min + 1;
   457				} else {
   458					min = 600;
   459					range_size = 1023 - min + 1;
   460				}
   461			} else {
   462				min = 1024;
   463				range_size = 65535 - 1024 + 1;
   464			}
   465		} else {
   466			min = ntohs(range->min_proto.all);
   467			max = ntohs(range->max_proto.all);
   468			if (unlikely(max < min))
   469				swap(max, min);
   470			range_size = max - min + 1;
   471		}
   472	
   473	find_free_id:
   474		if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
   475			off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
   476		else
   477			off = get_random_u16();
   478	
   479		attempts = range_size;
   480		if (attempts > max_attempts)
   481			attempts = max_attempts;
   482	
   483		/* We are in softirq; doing a search of the entire range risks
   484		 * soft lockup when all tuples are already used.
   485		 *
   486		 * If we can't find any free port from first offset, pick a new
   487		 * one and try again, with ever smaller search window.
   488		 */
   489	another_round:
   490		for (i = 0; i < attempts; i++, off++) {
   491			*keyptr = htons(min + off % range_size);
   492			if (!nf_nat_used_tuple(tuple, ct))
   493				return;
   494		}
   495	
   496		if (attempts >= range_size || attempts < 16)
   497			return;
   498		attempts /= 2;
   499		off = get_random_u16();
   500		goto another_round;
   501	}
   502
kernel test robot Oct. 29, 2022, 5:29 a.m. UTC | #3
Hi,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.1-rc2 next-20221028]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
patch link:    https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech
patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry
config: i386-randconfig-a013
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
        git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash net/netfilter/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

>> net/netfilter/nf_nat_core.c:430:7: error: implicit declaration of function 'nf_sctp_pernet' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
                   if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
                       ^
>> net/netfilter/nf_nat_core.c:430:38: error: member reference type 'int' is not a pointer
                   if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  ^
   2 errors generated.


vim +/nf_sctp_pernet +430 net/netfilter/nf_nat_core.c

   374	
   375	/* Alter the per-proto part of the tuple (depending on maniptype), to
   376	 * give a unique tuple in the given range if possible.
   377	 *
   378	 * Per-protocol part of tuple is initialized to the incoming packet.
   379	 */
   380	static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
   381						const struct nf_nat_range2 *range,
   382						enum nf_nat_manip_type maniptype,
   383						const struct nf_conn *ct)
   384	{
   385		unsigned int range_size, min, max, i, attempts;
   386		__be16 *keyptr;
   387		u16 off;
   388		static const unsigned int max_attempts = 128;
   389	
   390		switch (tuple->dst.protonum) {
   391		case IPPROTO_ICMP:
   392		case IPPROTO_ICMPV6:
   393			/* id is same for either direction... */
   394			keyptr = &tuple->src.u.icmp.id;
   395			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   396				min = 0;
   397				range_size = 65536;
   398			} else {
   399				min = ntohs(range->min_proto.icmp.id);
   400				range_size = ntohs(range->max_proto.icmp.id) -
   401					     ntohs(range->min_proto.icmp.id) + 1;
   402			}
   403			goto find_free_id;
   404	#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
   405		case IPPROTO_GRE:
   406			/* If there is no master conntrack we are not PPTP,
   407			   do not change tuples */
   408			if (!ct->master)
   409				return;
   410	
   411			if (maniptype == NF_NAT_MANIP_SRC)
   412				keyptr = &tuple->src.u.gre.key;
   413			else
   414				keyptr = &tuple->dst.u.gre.key;
   415	
   416			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   417				min = 1;
   418				range_size = 65535;
   419			} else {
   420				min = ntohs(range->min_proto.gre.key);
   421				range_size = ntohs(range->max_proto.gre.key) - min + 1;
   422			}
   423			goto find_free_id;
   424	#endif
   425		case IPPROTO_SCTP:
   426			/* SCTP port randomization disabled, try to use the same source port
   427			 * as in the original packet. Drop packets if another endpoint tries
   428			 * to use same source port behind NAT.
   429			 */
 > 430			if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
   431				return;
   432		case IPPROTO_UDP:
   433		case IPPROTO_UDPLITE:
   434		case IPPROTO_TCP:
   435		case IPPROTO_DCCP:
   436			if (maniptype == NF_NAT_MANIP_SRC)
   437				keyptr = &tuple->src.u.all;
   438			else
   439				keyptr = &tuple->dst.u.all;
   440	
   441			break;
   442		default:
   443			return;
   444		}
   445	
   446		/* If no range specified... */
   447		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   448			/* If it's dst rewrite, can't change port */
   449			if (maniptype == NF_NAT_MANIP_DST)
   450				return;
   451	
   452			if (ntohs(*keyptr) < 1024) {
   453				/* Loose convention: >> 512 is credential passing */
   454				if (ntohs(*keyptr) < 512) {
   455					min = 1;
   456					range_size = 511 - min + 1;
   457				} else {
   458					min = 600;
   459					range_size = 1023 - min + 1;
   460				}
   461			} else {
   462				min = 1024;
   463				range_size = 65535 - 1024 + 1;
   464			}
   465		} else {
   466			min = ntohs(range->min_proto.all);
   467			max = ntohs(range->max_proto.all);
   468			if (unlikely(max < min))
   469				swap(max, min);
   470			range_size = max - min + 1;
   471		}
   472	
   473	find_free_id:
   474		if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
   475			off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
   476		else
   477			off = get_random_u16();
   478	
   479		attempts = range_size;
   480		if (attempts > max_attempts)
   481			attempts = max_attempts;
   482	
   483		/* We are in softirq; doing a search of the entire range risks
   484		 * soft lockup when all tuples are already used.
   485		 *
   486		 * If we can't find any free port from first offset, pick a new
   487		 * one and try again, with ever smaller search window.
   488		 */
   489	another_round:
   490		for (i = 0; i < attempts; i++, off++) {
   491			*keyptr = htons(min + off % range_size);
   492			if (!nf_nat_used_tuple(tuple, ct))
   493				return;
   494		}
   495	
   496		if (attempts >= range_size || attempts < 16)
   497			return;
   498		attempts /= 2;
   499		off = get_random_u16();
   500		goto another_round;
   501	}
   502
kernel test robot Oct. 29, 2022, 11:43 a.m. UTC | #4
Hi,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on linus/master]
[also build test WARNING on v6.1-rc2 next-20221028]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
patch link:    https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech
patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry
config: hexagon-randconfig-r014-20221029
compiler: clang version 16.0.0 (https://github.com/llvm/llvm-project 791a7ae1ba3efd6bca96338e10ffde557ba83920)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
        git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=hexagon SHELL=/bin/bash net/netfilter/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   In file included from net/netfilter/nf_nat_core.c:13:
   In file included from include/linux/skbuff.h:17:
   In file included from include/linux/bvec.h:10:
   In file included from include/linux/highmem.h:12:
   In file included from include/linux/hardirq.h:11:
   In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/hexagon/include/asm/io.h:334:
   include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __raw_readb(PCI_IOBASE + addr);
                             ~~~~~~~~~~ ^
   include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu'
   #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
                                                     ^
   In file included from net/netfilter/nf_nat_core.c:13:
   In file included from include/linux/skbuff.h:17:
   In file included from include/linux/bvec.h:10:
   In file included from include/linux/highmem.h:12:
   In file included from include/linux/hardirq.h:11:
   In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/hexagon/include/asm/io.h:334:
   include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu'
   #define __le32_to_cpu(x) ((__force __u32)(__le32)(x))
                                                     ^
   In file included from net/netfilter/nf_nat_core.c:13:
   In file included from include/linux/skbuff.h:17:
   In file included from include/linux/bvec.h:10:
   In file included from include/linux/highmem.h:12:
   In file included from include/linux/hardirq.h:11:
   In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/hexagon/include/asm/io.h:334:
   include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writeb(value, PCI_IOBASE + addr);
                               ~~~~~~~~~~ ^
   include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
>> net/netfilter/nf_nat_core.c:432:2: warning: unannotated fall-through between switch labels [-Wimplicit-fallthrough]
           case IPPROTO_UDP:
           ^
   net/netfilter/nf_nat_core.c:432:2: note: insert '__attribute__((fallthrough));' to silence this warning
           case IPPROTO_UDP:
           ^
           __attribute__((fallthrough)); 
   net/netfilter/nf_nat_core.c:432:2: note: insert 'break;' to avoid fall-through
           case IPPROTO_UDP:
           ^
           break; 
   7 warnings generated.


vim +432 net/netfilter/nf_nat_core.c

5b1158e909ecbe net/ipv4/netfilter/nf_nat_core.c Jozsef Kadlecsik    2006-12-02  374  
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  375  /* Alter the per-proto part of the tuple (depending on maniptype), to
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  376   * give a unique tuple in the given range if possible.
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  377   *
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  378   * Per-protocol part of tuple is initialized to the incoming packet.
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  379   */
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  380  static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  381  					const struct nf_nat_range2 *range,
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  382  					enum nf_nat_manip_type maniptype,
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  383  					const struct nf_conn *ct)
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  384  {
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  385  	unsigned int range_size, min, max, i, attempts;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  386  	__be16 *keyptr;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  387  	u16 off;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  388  	static const unsigned int max_attempts = 128;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  389  
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  390  	switch (tuple->dst.protonum) {
954d82979b2f9d net/netfilter/nf_nat_core.c      Gustavo A. R. Silva 2020-07-08  391  	case IPPROTO_ICMP:
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  392  	case IPPROTO_ICMPV6:
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  393  		/* id is same for either direction... */
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  394  		keyptr = &tuple->src.u.icmp.id;
5bdac418f33f60 net/netfilter/nf_nat_core.c      Florian Westphal    2019-04-09  395  		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
5bdac418f33f60 net/netfilter/nf_nat_core.c      Florian Westphal    2019-04-09  396  			min = 0;
5bdac418f33f60 net/netfilter/nf_nat_core.c      Florian Westphal    2019-04-09  397  			range_size = 65536;
5bdac418f33f60 net/netfilter/nf_nat_core.c      Florian Westphal    2019-04-09  398  		} else {
5bdac418f33f60 net/netfilter/nf_nat_core.c      Florian Westphal    2019-04-09  399  			min = ntohs(range->min_proto.icmp.id);
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  400  			range_size = ntohs(range->max_proto.icmp.id) -
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  401  				     ntohs(range->min_proto.icmp.id) + 1;
5bdac418f33f60 net/netfilter/nf_nat_core.c      Florian Westphal    2019-04-09  402  		}
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  403  		goto find_free_id;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  404  #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  405  	case IPPROTO_GRE:
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  406  		/* If there is no master conntrack we are not PPTP,
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  407  		   do not change tuples */
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  408  		if (!ct->master)
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  409  			return;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  410  
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  411  		if (maniptype == NF_NAT_MANIP_SRC)
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  412  			keyptr = &tuple->src.u.gre.key;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  413  		else
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  414  			keyptr = &tuple->dst.u.gre.key;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  415  
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  416  		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  417  			min = 1;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  418  			range_size = 65535;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  419  		} else {
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  420  			min = ntohs(range->min_proto.gre.key);
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  421  			range_size = ntohs(range->max_proto.gre.key) - min + 1;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  422  		}
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  423  		goto find_free_id;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  424  #endif
a5f6ca19b0f492 net/netfilter/nf_nat_core.c      Sriram Yagnaraman   2022-10-28  425  	case IPPROTO_SCTP:
a5f6ca19b0f492 net/netfilter/nf_nat_core.c      Sriram Yagnaraman   2022-10-28  426  		/* SCTP port randomization disabled, try to use the same source port
a5f6ca19b0f492 net/netfilter/nf_nat_core.c      Sriram Yagnaraman   2022-10-28  427  		 * as in the original packet. Drop packets if another endpoint tries
a5f6ca19b0f492 net/netfilter/nf_nat_core.c      Sriram Yagnaraman   2022-10-28  428  		 * to use same source port behind NAT.
a5f6ca19b0f492 net/netfilter/nf_nat_core.c      Sriram Yagnaraman   2022-10-28  429  		 */
a5f6ca19b0f492 net/netfilter/nf_nat_core.c      Sriram Yagnaraman   2022-10-28  430  		if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
a5f6ca19b0f492 net/netfilter/nf_nat_core.c      Sriram Yagnaraman   2022-10-28  431  			return;
954d82979b2f9d net/netfilter/nf_nat_core.c      Gustavo A. R. Silva 2020-07-08 @432  	case IPPROTO_UDP:
954d82979b2f9d net/netfilter/nf_nat_core.c      Gustavo A. R. Silva 2020-07-08  433  	case IPPROTO_UDPLITE:
954d82979b2f9d net/netfilter/nf_nat_core.c      Gustavo A. R. Silva 2020-07-08  434  	case IPPROTO_TCP:
954d82979b2f9d net/netfilter/nf_nat_core.c      Gustavo A. R. Silva 2020-07-08  435  	case IPPROTO_DCCP:
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  436  		if (maniptype == NF_NAT_MANIP_SRC)
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  437  			keyptr = &tuple->src.u.all;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  438  		else
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  439  			keyptr = &tuple->dst.u.all;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  440  
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  441  		break;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  442  	default:
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  443  		return;
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  444  	}
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  445  
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  446  	/* If no range specified... */
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  447  	if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  448  		/* If it's dst rewrite, can't change port */
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  449  		if (maniptype == NF_NAT_MANIP_DST)
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  450  			return;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  451  
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  452  		if (ntohs(*keyptr) < 1024) {
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  453  			/* Loose convention: >> 512 is credential passing */
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  454  			if (ntohs(*keyptr) < 512) {
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  455  				min = 1;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  456  				range_size = 511 - min + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  457  			} else {
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  458  				min = 600;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  459  				range_size = 1023 - min + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  460  			}
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  461  		} else {
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  462  			min = 1024;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  463  			range_size = 65535 - 1024 + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  464  		}
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  465  	} else {
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  466  		min = ntohs(range->min_proto.all);
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  467  		max = ntohs(range->max_proto.all);
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  468  		if (unlikely(max < min))
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  469  			swap(max, min);
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  470  		range_size = max - min + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  471  	}
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  472  
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  473  find_free_id:
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  474  	if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  475  		off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  476  	else
7e3cf0843fe505 net/netfilter/nf_nat_core.c      Jason A. Donenfeld  2022-10-05  477  		off = get_random_u16();
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  478  
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  479  	attempts = range_size;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  480  	if (attempts > max_attempts)
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  481  		attempts = max_attempts;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  482  
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  483  	/* We are in softirq; doing a search of the entire range risks
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  484  	 * soft lockup when all tuples are already used.
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  485  	 *
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  486  	 * If we can't find any free port from first offset, pick a new
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  487  	 * one and try again, with ever smaller search window.
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  488  	 */
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  489  another_round:
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  490  	for (i = 0; i < attempts; i++, off++) {
203f2e78200c27 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  491  		*keyptr = htons(min + off % range_size);
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  492  		if (!nf_nat_used_tuple(tuple, ct))
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  493  			return;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  494  	}
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  495  
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  496  	if (attempts >= range_size || attempts < 16)
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  497  		return;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  498  	attempts /= 2;
7e3cf0843fe505 net/netfilter/nf_nat_core.c      Jason A. Donenfeld  2022-10-05  499  	off = get_random_u16();
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  500  	goto another_round;
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  501  }
716b23c19edd47 net/netfilter/nf_nat_core.c      Florian Westphal    2018-12-13  502
kernel test robot Oct. 29, 2022, 12:34 p.m. UTC | #5
Hi,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.1-rc2 next-20221028]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
patch link:    https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech
patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry
config: hexagon-randconfig-r013-20221029
compiler: clang version 16.0.0 (https://github.com/llvm/llvm-project 791a7ae1ba3efd6bca96338e10ffde557ba83920)
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69
        git remote add linux-review https://github.com/intel-lab-lkp/linux
        git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
        git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69
        # save the config file
        mkdir build_dir && cp config build_dir/.config
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=hexagon SHELL=/bin/bash net/netfilter/

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from net/netfilter/nf_nat_core.c:13:
   In file included from include/linux/skbuff.h:17:
   In file included from include/linux/bvec.h:10:
   In file included from include/linux/highmem.h:12:
   In file included from include/linux/hardirq.h:11:
   In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/hexagon/include/asm/io.h:334:
   include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __raw_readb(PCI_IOBASE + addr);
                             ~~~~~~~~~~ ^
   include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu'
   #define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
                                                     ^
   In file included from net/netfilter/nf_nat_core.c:13:
   In file included from include/linux/skbuff.h:17:
   In file included from include/linux/bvec.h:10:
   In file included from include/linux/highmem.h:12:
   In file included from include/linux/hardirq.h:11:
   In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/hexagon/include/asm/io.h:334:
   include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
                                                           ~~~~~~~~~~ ^
   include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu'
   #define __le32_to_cpu(x) ((__force __u32)(__le32)(x))
                                                     ^
   In file included from net/netfilter/nf_nat_core.c:13:
   In file included from include/linux/skbuff.h:17:
   In file included from include/linux/bvec.h:10:
   In file included from include/linux/highmem.h:12:
   In file included from include/linux/hardirq.h:11:
   In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
   In file included from include/asm-generic/hardirq.h:17:
   In file included from include/linux/irq.h:20:
   In file included from include/linux/io.h:13:
   In file included from arch/hexagon/include/asm/io.h:334:
   include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writeb(value, PCI_IOBASE + addr);
                               ~~~~~~~~~~ ^
   include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
   include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
           __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
                                                         ~~~~~~~~~~ ^
>> net/netfilter/nf_nat_core.c:430:7: error: call to undeclared function 'nf_sctp_pernet'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
                   if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
                       ^
   net/netfilter/nf_nat_core.c:430:38: error: member reference type 'int' is not a pointer
                   if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  ^
   6 warnings and 2 errors generated.


vim +/nf_sctp_pernet +430 net/netfilter/nf_nat_core.c

   374	
   375	/* Alter the per-proto part of the tuple (depending on maniptype), to
   376	 * give a unique tuple in the given range if possible.
   377	 *
   378	 * Per-protocol part of tuple is initialized to the incoming packet.
   379	 */
   380	static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
   381						const struct nf_nat_range2 *range,
   382						enum nf_nat_manip_type maniptype,
   383						const struct nf_conn *ct)
   384	{
   385		unsigned int range_size, min, max, i, attempts;
   386		__be16 *keyptr;
   387		u16 off;
   388		static const unsigned int max_attempts = 128;
   389	
   390		switch (tuple->dst.protonum) {
   391		case IPPROTO_ICMP:
   392		case IPPROTO_ICMPV6:
   393			/* id is same for either direction... */
   394			keyptr = &tuple->src.u.icmp.id;
   395			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   396				min = 0;
   397				range_size = 65536;
   398			} else {
   399				min = ntohs(range->min_proto.icmp.id);
   400				range_size = ntohs(range->max_proto.icmp.id) -
   401					     ntohs(range->min_proto.icmp.id) + 1;
   402			}
   403			goto find_free_id;
   404	#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
   405		case IPPROTO_GRE:
   406			/* If there is no master conntrack we are not PPTP,
   407			   do not change tuples */
   408			if (!ct->master)
   409				return;
   410	
   411			if (maniptype == NF_NAT_MANIP_SRC)
   412				keyptr = &tuple->src.u.gre.key;
   413			else
   414				keyptr = &tuple->dst.u.gre.key;
   415	
   416			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   417				min = 1;
   418				range_size = 65535;
   419			} else {
   420				min = ntohs(range->min_proto.gre.key);
   421				range_size = ntohs(range->max_proto.gre.key) - min + 1;
   422			}
   423			goto find_free_id;
   424	#endif
   425		case IPPROTO_SCTP:
   426			/* SCTP port randomization disabled, try to use the same source port
   427			 * as in the original packet. Drop packets if another endpoint tries
   428			 * to use same source port behind NAT.
   429			 */
 > 430			if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
   431				return;
   432		case IPPROTO_UDP:
   433		case IPPROTO_UDPLITE:
   434		case IPPROTO_TCP:
   435		case IPPROTO_DCCP:
   436			if (maniptype == NF_NAT_MANIP_SRC)
   437				keyptr = &tuple->src.u.all;
   438			else
   439				keyptr = &tuple->dst.u.all;
   440	
   441			break;
   442		default:
   443			return;
   444		}
   445	
   446		/* If no range specified... */
   447		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   448			/* If it's dst rewrite, can't change port */
   449			if (maniptype == NF_NAT_MANIP_DST)
   450				return;
   451	
   452			if (ntohs(*keyptr) < 1024) {
   453				/* Loose convention: >> 512 is credential passing */
   454				if (ntohs(*keyptr) < 512) {
   455					min = 1;
   456					range_size = 511 - min + 1;
   457				} else {
   458					min = 600;
   459					range_size = 1023 - min + 1;
   460				}
   461			} else {
   462				min = 1024;
   463				range_size = 65535 - 1024 + 1;
   464			}
   465		} else {
   466			min = ntohs(range->min_proto.all);
   467			max = ntohs(range->max_proto.all);
   468			if (unlikely(max < min))
   469				swap(max, min);
   470			range_size = max - min + 1;
   471		}
   472	
   473	find_free_id:
   474		if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
   475			off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
   476		else
   477			off = get_random_u16();
   478	
   479		attempts = range_size;
   480		if (attempts > max_attempts)
   481			attempts = max_attempts;
   482	
   483		/* We are in softirq; doing a search of the entire range risks
   484		 * soft lockup when all tuples are already used.
   485		 *
   486		 * If we can't find any free port from first offset, pick a new
   487		 * one and try again, with ever smaller search window.
   488		 */
   489	another_round:
   490		for (i = 0; i < attempts; i++, off++) {
   491			*keyptr = htons(min + off % range_size);
   492			if (!nf_nat_used_tuple(tuple, ct))
   493				return;
   494		}
   495	
   496		if (attempts >= range_size || attempts < 16)
   497			return;
   498		attempts /= 2;
   499		off = get_random_u16();
   500		goto another_round;
   501	}
   502

Patch

diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index e1290c159184..097bed663805 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -60,6 +60,7 @@  struct nf_dccp_net {
 #ifdef CONFIG_NF_CT_PROTO_SCTP
 struct nf_sctp_net {
 	unsigned int timeouts[SCTP_CONNTRACK_MAX];
+	u8 sctp_no_random_port;
 };
 #endif
 
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 5a936334b517..5e4d3215dcf6 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -699,6 +699,9 @@  void nf_conntrack_sctp_init_net(struct net *net)
 	 * 'new' timeout, like udp or icmp.
 	 */
 	sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
+
+	/* leave source port randomization as true by default */
+	sn->sctp_no_random_port = 0;
 }
 
 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 4ffe84c5a82c..e35876ce418d 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -602,6 +602,7 @@  enum nf_ct_sysctl_index {
 	NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
 	NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT,
 	NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED,
+	NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT,
 #endif
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 	NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST,
@@ -892,6 +893,14 @@  static struct ctl_table nf_ct_sysctl_table[] = {
 		.mode           = 0644,
 		.proc_handler   = proc_dointvec_jiffies,
 	},
+	[NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT] = {
+		.procname	= "nf_conntrack_sctp_no_random_port",
+		.maxlen		= sizeof(u8),
+		.mode		= 0644,
+		.proc_handler	= proc_dou8vec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE,
+	},
 #endif
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 	[NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = {
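Review bot: The new `nf_conntrack_sctp_no_random_port` entry is not documented; the diffstat touches no file under Documentation/, and conntrack sysctls are normally described in Documentation/networking/nf_conntrack-sysctl.rst. Setting it changes NAT behaviour for every SCTP flow in the namespace, and the commit message itself says two endpoints behind the NAT can then no longer share a source port, so that trade-off belongs next to the knob. I would add an entry giving the type (BOOLEAN), the default (0, randomization left enabled) and one sentence on the collision case. It is also worth confirming that `.mode = 0644` is intended for non-initial network namespaces; the code that adjusts per-namespace modes is not visible in this hunk.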
@@ -1037,6 +1046,10 @@  static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net,
 	XASSIGN(HEARTBEAT_SENT, sn);
 	XASSIGN(HEARTBEAT_ACKED, sn);
 #undef XASSIGN
+#define XASSIGN(XNAME, rval) \
+	table[NF_SYSCTL_CT_PROTO_SCTP_ ## XNAME].data = (rval)
+	XASSIGN(NO_RANDOM_PORT, &sn->sctp_no_random_port);
+#undef XASSIGN
 #endif
 }
 
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 18319a6e6806..de0134d99d58 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -422,10 +422,16 @@  static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 		}
 		goto find_free_id;
 #endif
+	case IPPROTO_SCTP:
+		/* SCTP port randomization disabled, try to use the same source port
+		 * as in the original packet. Drop packets if another endpoint tries
+		 * to use same source port behind NAT.
+		 */
+		if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
+			return;
 	case IPPROTO_UDP:
 	case IPPROTO_UDPLITE:
 	case IPPROTO_TCP:
-	case IPPROTO_SCTP:
 	case IPPROTO_DCCP:
 		if (maniptype == NF_NAT_MANIP_SRC)
 			keyptr = &tuple->src.u.all;
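Review bot: The early `return` in the new `case IPPROTO_SCTP:` is taken before `range->flags` is examined, so with the sysctl set an SCTP mapping keeps the packet's port even when the NAT rule carries an explicit port range (`NF_NAT_RANGE_PROTO_SPECIFIED`). The resulting port can then lie outside what the administrator configured. If that is not intended, limit the shortcut to the no-range case, e.g. `if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) && READ_ONCE(nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port))`; the `READ_ONCE()` is there because the value can be rewritten through sysctl while packets are being processed. The comment should also say where the colliding packet is dropped, since this branch only returns without checking the tuple; the rest of the function body lies outside the hunk.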