Message ID | 20221028205225.10189-2-sriram.yagnaraman@est.tech |
---|---|
State | Changes Requested |
Delegated to: | Pablo Neira |
Series | netfilter: nf_ct_sctp: improve SCTP multihoming | expand |
Hi, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on linus/master] [also build test WARNING on v6.1-rc2 next-20221028] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 patch link: https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry config: ia64-allyesconfig compiler: ia64-linux-gcc (GCC) 12.1.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69 git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69 # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-12.1.0 make.cross W=1 O=build_dir ARCH=ia64 SHELL=/bin/bash net/ If you fix the issue, kindly add following tag where applicable | Reported-by: kernel test robot <lkp@intel.com> All warnings (new ones prefixed by >>): net/netfilter/nf_nat_core.c: In function 'nf_nat_l4proto_unique_tuple': >> net/netfilter/nf_nat_core.c:430:20: warning: this statement may fall through [-Wimplicit-fallthrough=] 430 | if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) | ^ net/netfilter/nf_nat_core.c:432:9: note: here 432 | case IPPROTO_UDP: | ^~~~ vim +430 net/netfilter/nf_nat_core.c 374 375 /* Alter the per-proto part of the tuple (depending on maniptype), 
to 376 * give a unique tuple in the given range if possible. 377 * 378 * Per-protocol part of tuple is initialized to the incoming packet. 379 */ 380 static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, 381 const struct nf_nat_range2 *range, 382 enum nf_nat_manip_type maniptype, 383 const struct nf_conn *ct) 384 { 385 unsigned int range_size, min, max, i, attempts; 386 __be16 *keyptr; 387 u16 off; 388 static const unsigned int max_attempts = 128; 389 390 switch (tuple->dst.protonum) { 391 case IPPROTO_ICMP: 392 case IPPROTO_ICMPV6: 393 /* id is same for either direction... */ 394 keyptr = &tuple->src.u.icmp.id; 395 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 396 min = 0; 397 range_size = 65536; 398 } else { 399 min = ntohs(range->min_proto.icmp.id); 400 range_size = ntohs(range->max_proto.icmp.id) - 401 ntohs(range->min_proto.icmp.id) + 1; 402 } 403 goto find_free_id; 404 #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE) 405 case IPPROTO_GRE: 406 /* If there is no master conntrack we are not PPTP, 407 do not change tuples */ 408 if (!ct->master) 409 return; 410 411 if (maniptype == NF_NAT_MANIP_SRC) 412 keyptr = &tuple->src.u.gre.key; 413 else 414 keyptr = &tuple->dst.u.gre.key; 415 416 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 417 min = 1; 418 range_size = 65535; 419 } else { 420 min = ntohs(range->min_proto.gre.key); 421 range_size = ntohs(range->max_proto.gre.key) - min + 1; 422 } 423 goto find_free_id; 424 #endif 425 case IPPROTO_SCTP: 426 /* SCTP port randomization disabled, try to use the same source port 427 * as in the original packet. Drop packets if another endpoint tries 428 * to use same source port behind NAT. 
429 */ > 430 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) 431 return; 432 case IPPROTO_UDP: 433 case IPPROTO_UDPLITE: 434 case IPPROTO_TCP: 435 case IPPROTO_DCCP: 436 if (maniptype == NF_NAT_MANIP_SRC) 437 keyptr = &tuple->src.u.all; 438 else 439 keyptr = &tuple->dst.u.all; 440 441 break; 442 default: 443 return; 444 } 445 446 /* If no range specified... */ 447 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 448 /* If it's dst rewrite, can't change port */ 449 if (maniptype == NF_NAT_MANIP_DST) 450 return; 451 452 if (ntohs(*keyptr) < 1024) { 453 /* Loose convention: >> 512 is credential passing */ 454 if (ntohs(*keyptr) < 512) { 455 min = 1; 456 range_size = 511 - min + 1; 457 } else { 458 min = 600; 459 range_size = 1023 - min + 1; 460 } 461 } else { 462 min = 1024; 463 range_size = 65535 - 1024 + 1; 464 } 465 } else { 466 min = ntohs(range->min_proto.all); 467 max = ntohs(range->max_proto.all); 468 if (unlikely(max < min)) 469 swap(max, min); 470 range_size = max - min + 1; 471 } 472 473 find_free_id: 474 if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) 475 off = (ntohs(*keyptr) - ntohs(range->base_proto.all)); 476 else 477 off = get_random_u16(); 478 479 attempts = range_size; 480 if (attempts > max_attempts) 481 attempts = max_attempts; 482 483 /* We are in softirq; doing a search of the entire range risks 484 * soft lockup when all tuples are already used. 485 * 486 * If we can't find any free port from first offset, pick a new 487 * one and try again, with ever smaller search window. 488 */ 489 another_round: 490 for (i = 0; i < attempts; i++, off++) { 491 *keyptr = htons(min + off % range_size); 492 if (!nf_nat_used_tuple(tuple, ct)) 493 return; 494 } 495 496 if (attempts >= range_size || attempts < 16) 497 return; 498 attempts /= 2; 499 off = get_random_u16(); 500 goto another_round; 501 } 502
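Review bot: The early `return` at line 430 in the new `case IPPROTO_SCTP:` also skips the `NF_NAT_RANGE_PROTO_SPECIFIED` handling at lines 447-471, so an explicitly configured NAT port range is ignored for SCTP whenever the sysctl is set and the original source port is kept even when it lies outside that range. If that is the intended policy it should be stated in the comment; otherwise take the shortcut only when no range was given, e.g. `if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) && nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)`. Independently of that, the drop into `case IPPROTO_UDP:` at line 432 is now preceded by a statement and needs an explicit `fallthrough;` after the `return;`, which is what the -Wimplicit-fallthrough warning above reports.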
Hi, Thank you for the patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v6.1-rc2 next-20221028] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 patch link: https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry config: i386-defconfig compiler: gcc-11 (Debian 11.3.0-8) 11.3.0 reproduce (this is a W=1 build): # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69 git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69 # save the config file mkdir build_dir && cp config build_dir/.config make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash If you fix the issue, kindly add following tag where applicable | Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): net/netfilter/nf_nat_core.c: In function 'nf_nat_l4proto_unique_tuple': >> net/netfilter/nf_nat_core.c:430:21: error: implicit declaration of function 'nf_sctp_pernet'; did you mean 'nf_icmp_pernet'? 
[-Werror=implicit-function-declaration] 430 | if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) | ^~~~~~~~~~~~~~ | nf_icmp_pernet >> net/netfilter/nf_nat_core.c:430:50: error: invalid type argument of '->' (have 'int') 430 | if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) | ^~ cc1: some warnings being treated as errors vim +430 net/netfilter/nf_nat_core.c 374 375 /* Alter the per-proto part of the tuple (depending on maniptype), to 376 * give a unique tuple in the given range if possible. 377 * 378 * Per-protocol part of tuple is initialized to the incoming packet. 379 */ 380 static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, 381 const struct nf_nat_range2 *range, 382 enum nf_nat_manip_type maniptype, 383 const struct nf_conn *ct) 384 { 385 unsigned int range_size, min, max, i, attempts; 386 __be16 *keyptr; 387 u16 off; 388 static const unsigned int max_attempts = 128; 389 390 switch (tuple->dst.protonum) { 391 case IPPROTO_ICMP: 392 case IPPROTO_ICMPV6: 393 /* id is same for either direction... 
*/ 394 keyptr = &tuple->src.u.icmp.id; 395 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 396 min = 0; 397 range_size = 65536; 398 } else { 399 min = ntohs(range->min_proto.icmp.id); 400 range_size = ntohs(range->max_proto.icmp.id) - 401 ntohs(range->min_proto.icmp.id) + 1; 402 } 403 goto find_free_id; 404 #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE) 405 case IPPROTO_GRE: 406 /* If there is no master conntrack we are not PPTP, 407 do not change tuples */ 408 if (!ct->master) 409 return; 410 411 if (maniptype == NF_NAT_MANIP_SRC) 412 keyptr = &tuple->src.u.gre.key; 413 else 414 keyptr = &tuple->dst.u.gre.key; 415 416 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 417 min = 1; 418 range_size = 65535; 419 } else { 420 min = ntohs(range->min_proto.gre.key); 421 range_size = ntohs(range->max_proto.gre.key) - min + 1; 422 } 423 goto find_free_id; 424 #endif 425 case IPPROTO_SCTP: 426 /* SCTP port randomization disabled, try to use the same source port 427 * as in the original packet. Drop packets if another endpoint tries 428 * to use same source port behind NAT. 429 */ > 430 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) 431 return; 432 case IPPROTO_UDP: 433 case IPPROTO_UDPLITE: 434 case IPPROTO_TCP: 435 case IPPROTO_DCCP: 436 if (maniptype == NF_NAT_MANIP_SRC) 437 keyptr = &tuple->src.u.all; 438 else 439 keyptr = &tuple->dst.u.all; 440 441 break; 442 default: 443 return; 444 } 445 446 /* If no range specified... 
*/ 447 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 448 /* If it's dst rewrite, can't change port */ 449 if (maniptype == NF_NAT_MANIP_DST) 450 return; 451 452 if (ntohs(*keyptr) < 1024) { 453 /* Loose convention: >> 512 is credential passing */ 454 if (ntohs(*keyptr) < 512) { 455 min = 1; 456 range_size = 511 - min + 1; 457 } else { 458 min = 600; 459 range_size = 1023 - min + 1; 460 } 461 } else { 462 min = 1024; 463 range_size = 65535 - 1024 + 1; 464 } 465 } else { 466 min = ntohs(range->min_proto.all); 467 max = ntohs(range->max_proto.all); 468 if (unlikely(max < min)) 469 swap(max, min); 470 range_size = max - min + 1; 471 } 472 473 find_free_id: 474 if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) 475 off = (ntohs(*keyptr) - ntohs(range->base_proto.all)); 476 else 477 off = get_random_u16(); 478 479 attempts = range_size; 480 if (attempts > max_attempts) 481 attempts = max_attempts; 482 483 /* We are in softirq; doing a search of the entire range risks 484 * soft lockup when all tuples are already used. 485 * 486 * If we can't find any free port from first offset, pick a new 487 * one and try again, with ever smaller search window. 488 */ 489 another_round: 490 for (i = 0; i < attempts; i++, off++) { 491 *keyptr = htons(min + off % range_size); 492 if (!nf_nat_used_tuple(tuple, ct)) 493 return; 494 } 495 496 if (attempts >= range_size || attempts < 16) 497 return; 498 attempts /= 2; 499 off = get_random_u16(); 500 goto another_round; 501 } 502
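Review bot: `nf_sctp_pernet()` appears to be declared only when SCTP conntrack support is configured, given that ia64-allyesconfig compiles line 430 while i386-defconfig fails with an implicit declaration and a follow-on `->` on an `int`. The GRE case in the same switch already deals with this via `#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)` at line 404; the SCTP sysctl read should be guarded the same way, but only the `if`, so that SCTP still reaches the shared port-selection path used for UDP/TCP when the helper is not built: `#if IS_ENABLED(CONFIG_NF_CT_PROTO_SCTP)` before line 426, `#endif` after line 431, then `fallthrough;`. Please also confirm that nf_nat_core.c includes the header that declares `nf_sctp_pernet()` directly rather than relying on an indirect include.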
Hi, Thank you for the patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v6.1-rc2 next-20221028] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 patch link: https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry config: i386-randconfig-a013 compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69 git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69 # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash net/netfilter/ If you fix the issue, kindly add following tag where applicable | Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): >> net/netfilter/nf_nat_core.c:430:7: error: implicit declaration of function 'nf_sctp_pernet' is invalid in C99 [-Werror,-Wimplicit-function-declaration] if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) ^ >> net/netfilter/nf_nat_core.c:430:38: error: member reference type 'int' is not a pointer if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ 2 errors generated. vim +/nf_sctp_pernet +430 net/netfilter/nf_nat_core.c 374 375 /* Alter the per-proto part of the tuple (depending on maniptype), to 376 * give a unique tuple in the given range if possible. 377 * 378 * Per-protocol part of tuple is initialized to the incoming packet. 379 */ 380 static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, 381 const struct nf_nat_range2 *range, 382 enum nf_nat_manip_type maniptype, 383 const struct nf_conn *ct) 384 { 385 unsigned int range_size, min, max, i, attempts; 386 __be16 *keyptr; 387 u16 off; 388 static const unsigned int max_attempts = 128; 389 390 switch (tuple->dst.protonum) { 391 case IPPROTO_ICMP: 392 case IPPROTO_ICMPV6: 393 /* id is same for either direction... */ 394 keyptr = &tuple->src.u.icmp.id; 395 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 396 min = 0; 397 range_size = 65536; 398 } else { 399 min = ntohs(range->min_proto.icmp.id); 400 range_size = ntohs(range->max_proto.icmp.id) - 401 ntohs(range->min_proto.icmp.id) + 1; 402 } 403 goto find_free_id; 404 #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE) 405 case IPPROTO_GRE: 406 /* If there is no master conntrack we are not PPTP, 407 do not change tuples */ 408 if (!ct->master) 409 return; 410 411 if (maniptype == NF_NAT_MANIP_SRC) 412 keyptr = &tuple->src.u.gre.key; 413 else 414 keyptr = &tuple->dst.u.gre.key; 415 416 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 417 min = 1; 418 range_size = 65535; 419 } else { 420 min = ntohs(range->min_proto.gre.key); 421 range_size = ntohs(range->max_proto.gre.key) - min + 1; 422 } 423 goto find_free_id; 424 #endif 425 case IPPROTO_SCTP: 426 /* SCTP port randomization disabled, try to use the same source port 427 * as in the original packet. Drop packets if another endpoint tries 428 * to use same source port behind NAT. 
429 */ > 430 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) 431 return; 432 case IPPROTO_UDP: 433 case IPPROTO_UDPLITE: 434 case IPPROTO_TCP: 435 case IPPROTO_DCCP: 436 if (maniptype == NF_NAT_MANIP_SRC) 437 keyptr = &tuple->src.u.all; 438 else 439 keyptr = &tuple->dst.u.all; 440 441 break; 442 default: 443 return; 444 } 445 446 /* If no range specified... */ 447 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 448 /* If it's dst rewrite, can't change port */ 449 if (maniptype == NF_NAT_MANIP_DST) 450 return; 451 452 if (ntohs(*keyptr) < 1024) { 453 /* Loose convention: >> 512 is credential passing */ 454 if (ntohs(*keyptr) < 512) { 455 min = 1; 456 range_size = 511 - min + 1; 457 } else { 458 min = 600; 459 range_size = 1023 - min + 1; 460 } 461 } else { 462 min = 1024; 463 range_size = 65535 - 1024 + 1; 464 } 465 } else { 466 min = ntohs(range->min_proto.all); 467 max = ntohs(range->max_proto.all); 468 if (unlikely(max < min)) 469 swap(max, min); 470 range_size = max - min + 1; 471 } 472 473 find_free_id: 474 if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) 475 off = (ntohs(*keyptr) - ntohs(range->base_proto.all)); 476 else 477 off = get_random_u16(); 478 479 attempts = range_size; 480 if (attempts > max_attempts) 481 attempts = max_attempts; 482 483 /* We are in softirq; doing a search of the entire range risks 484 * soft lockup when all tuples are already used. 485 * 486 * If we can't find any free port from first offset, pick a new 487 * one and try again, with ever smaller search window. 488 */ 489 another_round: 490 for (i = 0; i < attempts; i++, off++) { 491 *keyptr = htons(min + off % range_size); 492 if (!nf_nat_used_tuple(tuple, ct)) 493 return; 494 } 495 496 if (attempts >= range_size || attempts < 16) 497 return; 498 attempts /= 2; 499 off = get_random_u16(); 500 goto another_round; 501 } 502
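Review bot: The comment at lines 426-428 says packets are dropped when a second endpoint behind the NAT uses the same source port, but nothing in this function does that: the `return` at line 431 hands back the tuple exactly as in the original packet without calling `nf_nat_used_tuple()`, which is the only clash check here (line 492). If the drop is meant to happen later, when conntrack confirmation rejects the clashing tuple, the comment should say that this function deliberately returns a possibly non-unique tuple and name where the clash is resolved, e.g. `/* no port randomization: keep the original port even if it clashes; the clash is caught at confirm time */`. That is worth being explicit about from a security standpoint, since a predictable, never-rewritten source port is precisely what the sysctl opts into; please verify the confirm-time behaviour rather than rely on the comment.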
Hi,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on linus/master]
[also build test WARNING on v6.1-rc2 next-20221028]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
patch link: https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech
patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry
config: hexagon-randconfig-r014-20221029
compiler: clang version 16.0.0 (https://github.com/llvm/llvm-project 791a7ae1ba3efd6bca96338e10ffde557ba83920)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432
git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=hexagon SHELL=/bin/bash net/netfilter/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from net/netfilter/nf_nat_core.c:13:
In file included from include/linux/skbuff.h:17:
In file included from include/linux/bvec.h:10:
In file included from include/linux/highmem.h:12:
In file included from include/linux/hardirq.h:11:
In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
In file included from include/asm-generic/hardirq.h:17:
In file included from include/linux/irq.h:20:
In file included from include/linux/io.h:13:
In file included from arch/hexagon/include/asm/io.h:334:
include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __raw_readb(PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr));
~~~~~~~~~~ ^
include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu'
#define __le16_to_cpu(x) ((__force __u16)(__le16)(x))
^
In file included from net/netfilter/nf_nat_core.c:13:
In file included from include/linux/skbuff.h:17:
In file included from include/linux/bvec.h:10:
In file included from include/linux/highmem.h:12:
In file included from include/linux/hardirq.h:11:
In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
In file included from include/asm-generic/hardirq.h:17:
In file included from include/linux/irq.h:20:
In file included from include/linux/io.h:13:
In file included from arch/hexagon/include/asm/io.h:334:
include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr));
~~~~~~~~~~ ^
include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu'
#define __le32_to_cpu(x) ((__force __u32)(__le32)(x))
^
In file included from net/netfilter/nf_nat_core.c:13:
In file included from include/linux/skbuff.h:17:
In file included from include/linux/bvec.h:10:
In file included from include/linux/highmem.h:12:
In file included from include/linux/hardirq.h:11:
In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1:
In file included from include/asm-generic/hardirq.h:17:
In file included from include/linux/irq.h:20:
In file included from include/linux/io.h:13:
In file included from arch/hexagon/include/asm/io.h:334:
include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writeb(value, PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr);
~~~~~~~~~~ ^
include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic]
__raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr);
~~~~~~~~~~ ^
>> net/netfilter/nf_nat_core.c:432:2: warning: unannotated fall-through between switch labels [-Wimplicit-fallthrough]
case IPPROTO_UDP:
^
net/netfilter/nf_nat_core.c:432:2: note: insert '__attribute__((fallthrough));' to silence this warning
case IPPROTO_UDP:
^
__attribute__((fallthrough));
net/netfilter/nf_nat_core.c:432:2: note: insert 'break;' to avoid fall-through
case IPPROTO_UDP:
^
break;
7 warnings generated.
vim +432 net/netfilter/nf_nat_core.c
5b1158e909ecbe net/ipv4/netfilter/nf_nat_core.c Jozsef Kadlecsik 2006-12-02 374
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 375 /* Alter the per-proto part of the tuple (depending on maniptype), to
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 376 * give a unique tuple in the given range if possible.
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 377 *
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 378 * Per-protocol part of tuple is initialized to the incoming packet.
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 379 */
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 380 static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 381 const struct nf_nat_range2 *range,
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 382 enum nf_nat_manip_type maniptype,
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 383 const struct nf_conn *ct)
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 384 {
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 385 unsigned int range_size, min, max, i, attempts;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 386 __be16 *keyptr;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 387 u16 off;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 388 static const unsigned int max_attempts = 128;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 389
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 390 switch (tuple->dst.protonum) {
954d82979b2f9d net/netfilter/nf_nat_core.c Gustavo A. R. Silva 2020-07-08 391 case IPPROTO_ICMP:
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 392 case IPPROTO_ICMPV6:
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 393 /* id is same for either direction... */
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 394 keyptr = &tuple->src.u.icmp.id;
5bdac418f33f60 net/netfilter/nf_nat_core.c Florian Westphal 2019-04-09 395 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
5bdac418f33f60 net/netfilter/nf_nat_core.c Florian Westphal 2019-04-09 396 min = 0;
5bdac418f33f60 net/netfilter/nf_nat_core.c Florian Westphal 2019-04-09 397 range_size = 65536;
5bdac418f33f60 net/netfilter/nf_nat_core.c Florian Westphal 2019-04-09 398 } else {
5bdac418f33f60 net/netfilter/nf_nat_core.c Florian Westphal 2019-04-09 399 min = ntohs(range->min_proto.icmp.id);
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 400 range_size = ntohs(range->max_proto.icmp.id) -
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 401 ntohs(range->min_proto.icmp.id) + 1;
5bdac418f33f60 net/netfilter/nf_nat_core.c Florian Westphal 2019-04-09 402 }
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 403 goto find_free_id;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 404 #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 405 case IPPROTO_GRE:
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 406 /* If there is no master conntrack we are not PPTP,
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 407 do not change tuples */
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 408 if (!ct->master)
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 409 return;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 410
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 411 if (maniptype == NF_NAT_MANIP_SRC)
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 412 keyptr = &tuple->src.u.gre.key;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 413 else
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 414 keyptr = &tuple->dst.u.gre.key;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 415
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 416 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 417 min = 1;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 418 range_size = 65535;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 419 } else {
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 420 min = ntohs(range->min_proto.gre.key);
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 421 range_size = ntohs(range->max_proto.gre.key) - min + 1;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 422 }
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 423 goto find_free_id;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 424 #endif
a5f6ca19b0f492 net/netfilter/nf_nat_core.c Sriram Yagnaraman 2022-10-28 425 case IPPROTO_SCTP:
a5f6ca19b0f492 net/netfilter/nf_nat_core.c Sriram Yagnaraman 2022-10-28 426 /* SCTP port randomization disabled, try to use the same source port
a5f6ca19b0f492 net/netfilter/nf_nat_core.c Sriram Yagnaraman 2022-10-28 427 * as in the original packet. Drop packets if another endpoint tries
a5f6ca19b0f492 net/netfilter/nf_nat_core.c Sriram Yagnaraman 2022-10-28 428 * to use same source port behind NAT.
a5f6ca19b0f492 net/netfilter/nf_nat_core.c Sriram Yagnaraman 2022-10-28 429 */
a5f6ca19b0f492 net/netfilter/nf_nat_core.c Sriram Yagnaraman 2022-10-28 430 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
a5f6ca19b0f492 net/netfilter/nf_nat_core.c Sriram Yagnaraman 2022-10-28 431 return;
954d82979b2f9d net/netfilter/nf_nat_core.c Gustavo A. R. Silva 2020-07-08 @432 case IPPROTO_UDP:
954d82979b2f9d net/netfilter/nf_nat_core.c Gustavo A. R. Silva 2020-07-08 433 case IPPROTO_UDPLITE:
954d82979b2f9d net/netfilter/nf_nat_core.c Gustavo A. R. Silva 2020-07-08 434 case IPPROTO_TCP:
954d82979b2f9d net/netfilter/nf_nat_core.c Gustavo A. R. Silva 2020-07-08 435 case IPPROTO_DCCP:
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 436 if (maniptype == NF_NAT_MANIP_SRC)
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 437 keyptr = &tuple->src.u.all;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 438 else
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 439 keyptr = &tuple->dst.u.all;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 440
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 441 break;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 442 default:
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 443 return;
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 444 }
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 445
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 446 /* If no range specified... */
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 447 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 448 /* If it's dst rewrite, can't change port */
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 449 if (maniptype == NF_NAT_MANIP_DST)
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 450 return;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 451
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 452 if (ntohs(*keyptr) < 1024) {
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 453 /* Loose convention: >> 512 is credential passing */
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 454 if (ntohs(*keyptr) < 512) {
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 455 min = 1;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 456 range_size = 511 - min + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 457 } else {
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 458 min = 600;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 459 range_size = 1023 - min + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 460 }
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 461 } else {
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 462 min = 1024;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 463 range_size = 65535 - 1024 + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 464 }
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 465 } else {
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 466 min = ntohs(range->min_proto.all);
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 467 max = ntohs(range->max_proto.all);
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 468 if (unlikely(max < min))
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 469 swap(max, min);
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 470 range_size = max - min + 1;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 471 }
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 472
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 473 find_free_id:
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 474 if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 475 off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 476 else
7e3cf0843fe505 net/netfilter/nf_nat_core.c Jason A. Donenfeld 2022-10-05 477 off = get_random_u16();
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 478
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 479 attempts = range_size;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 480 if (attempts > max_attempts)
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 481 attempts = max_attempts;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 482
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 483 /* We are in softirq; doing a search of the entire range risks
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 484 * soft lockup when all tuples are already used.
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 485 *
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 486 * If we can't find any free port from first offset, pick a new
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 487 * one and try again, with ever smaller search window.
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 488 */
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 489 another_round:
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 490 for (i = 0; i < attempts; i++, off++) {
203f2e78200c27 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 491 *keyptr = htons(min + off % range_size);
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 492 if (!nf_nat_used_tuple(tuple, ct))
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 493 return;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 494 }
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 495
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 496 if (attempts >= range_size || attempts < 16)
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 497 return;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 498 attempts /= 2;
7e3cf0843fe505 net/netfilter/nf_nat_core.c Jason A. Donenfeld 2022-10-05 499 off = get_random_u16();
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 500 goto another_round;
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 501 }
716b23c19edd47 net/netfilter/nf_nat_core.c Florian Westphal 2018-12-13 502
Hi, Thank you for the patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v6.1-rc2 next-20221028] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 patch link: https://lore.kernel.org/r/20221028205225.10189-2-sriram.yagnaraman%40est.tech patch subject: [PATCH 1/2] netfilter: nf_ct_sctp: introduce no_random_port proc entry config: hexagon-randconfig-r013-20221029 compiler: clang version 16.0.0 (https://github.com/llvm/llvm-project 791a7ae1ba3efd6bca96338e10ffde557ba83920) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://github.com/intel-lab-lkp/linux/commit/a5f6ca19b0f49255370ffedc35bad02ed4004b69 git remote add linux-review https://github.com/intel-lab-lkp/linux git fetch --no-tags linux-review sriram-yagnaraman-est-tech/netfilter-nf_ct_sctp-improve-SCTP-multihoming/20221029-045432 git checkout a5f6ca19b0f49255370ffedc35bad02ed4004b69 # save the config file mkdir build_dir && cp config build_dir/.config COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=hexagon SHELL=/bin/bash net/netfilter/ If you fix the issue, kindly add following tag where applicable | Reported-by: kernel test robot <lkp@intel.com> All errors (new ones prefixed by >>): In file included from net/netfilter/nf_nat_core.c:13: In file included from include/linux/skbuff.h:17: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:12: In file included from include/linux/hardirq.h:11: In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1: In file included from 
include/asm-generic/hardirq.h:17: In file included from include/linux/irq.h:20: In file included from include/linux/io.h:13: In file included from arch/hexagon/include/asm/io.h:334: include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] val = __raw_readb(PCI_IOBASE + addr); ~~~~~~~~~~ ^ include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr)); ~~~~~~~~~~ ^ include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu' #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) ^ In file included from net/netfilter/nf_nat_core.c:13: In file included from include/linux/skbuff.h:17: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:12: In file included from include/linux/hardirq.h:11: In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1: In file included from include/asm-generic/hardirq.h:17: In file included from include/linux/irq.h:20: In file included from include/linux/io.h:13: In file included from arch/hexagon/include/asm/io.h:334: include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr)); ~~~~~~~~~~ ^ include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu' #define __le32_to_cpu(x) ((__force __u32)(__le32)(x)) ^ In file included from net/netfilter/nf_nat_core.c:13: In file included from include/linux/skbuff.h:17: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:12: In file included from include/linux/hardirq.h:11: In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1: In file included from 
include/asm-generic/hardirq.h:17: In file included from include/linux/irq.h:20: In file included from include/linux/io.h:13: In file included from arch/hexagon/include/asm/io.h:334: include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] __raw_writeb(value, PCI_IOBASE + addr); ~~~~~~~~~~ ^ include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^ include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr); ~~~~~~~~~~ ^ >> net/netfilter/nf_nat_core.c:430:7: error: call to undeclared function 'nf_sctp_pernet'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration] if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) ^ net/netfilter/nf_nat_core.c:430:38: error: member reference type 'int' is not a pointer if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^ 6 warnings and 2 errors generated. vim +/nf_sctp_pernet +430 net/netfilter/nf_nat_core.c 374 375 /* Alter the per-proto part of the tuple (depending on maniptype), to 376 * give a unique tuple in the given range if possible. 377 * 378 * Per-protocol part of tuple is initialized to the incoming packet. 
379 */ 380 static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, 381 const struct nf_nat_range2 *range, 382 enum nf_nat_manip_type maniptype, 383 const struct nf_conn *ct) 384 { 385 unsigned int range_size, min, max, i, attempts; 386 __be16 *keyptr; 387 u16 off; 388 static const unsigned int max_attempts = 128; 389 390 switch (tuple->dst.protonum) { 391 case IPPROTO_ICMP: 392 case IPPROTO_ICMPV6: 393 /* id is same for either direction... */ 394 keyptr = &tuple->src.u.icmp.id; 395 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 396 min = 0; 397 range_size = 65536; 398 } else { 399 min = ntohs(range->min_proto.icmp.id); 400 range_size = ntohs(range->max_proto.icmp.id) - 401 ntohs(range->min_proto.icmp.id) + 1; 402 } 403 goto find_free_id; 404 #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE) 405 case IPPROTO_GRE: 406 /* If there is no master conntrack we are not PPTP, 407 do not change tuples */ 408 if (!ct->master) 409 return; 410 411 if (maniptype == NF_NAT_MANIP_SRC) 412 keyptr = &tuple->src.u.gre.key; 413 else 414 keyptr = &tuple->dst.u.gre.key; 415 416 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 417 min = 1; 418 range_size = 65535; 419 } else { 420 min = ntohs(range->min_proto.gre.key); 421 range_size = ntohs(range->max_proto.gre.key) - min + 1; 422 } 423 goto find_free_id; 424 #endif 425 case IPPROTO_SCTP: 426 /* SCTP port randomization disabled, try to use the same source port 427 * as in the original packet. Drop packets if another endpoint tries 428 * to use same source port behind NAT. 429 */ > 430 if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port) 431 return; 432 case IPPROTO_UDP: 433 case IPPROTO_UDPLITE: 434 case IPPROTO_TCP: 435 case IPPROTO_DCCP: 436 if (maniptype == NF_NAT_MANIP_SRC) 437 keyptr = &tuple->src.u.all; 438 else 439 keyptr = &tuple->dst.u.all; 440 441 break; 442 default: 443 return; 444 } 445 446 /* If no range specified... 
*/ 447 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { 448 /* If it's dst rewrite, can't change port */ 449 if (maniptype == NF_NAT_MANIP_DST) 450 return; 451 452 if (ntohs(*keyptr) < 1024) { 453 /* Loose convention: >> 512 is credential passing */ 454 if (ntohs(*keyptr) < 512) { 455 min = 1; 456 range_size = 511 - min + 1; 457 } else { 458 min = 600; 459 range_size = 1023 - min + 1; 460 } 461 } else { 462 min = 1024; 463 range_size = 65535 - 1024 + 1; 464 } 465 } else { 466 min = ntohs(range->min_proto.all); 467 max = ntohs(range->max_proto.all); 468 if (unlikely(max < min)) 469 swap(max, min); 470 range_size = max - min + 1; 471 } 472 473 find_free_id: 474 if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) 475 off = (ntohs(*keyptr) - ntohs(range->base_proto.all)); 476 else 477 off = get_random_u16(); 478 479 attempts = range_size; 480 if (attempts > max_attempts) 481 attempts = max_attempts; 482 483 /* We are in softirq; doing a search of the entire range risks 484 * soft lockup when all tuples are already used. 485 * 486 * If we can't find any free port from first offset, pick a new 487 * one and try again, with ever smaller search window. 488 */ 489 another_round: 490 for (i = 0; i < attempts; i++, off++) { 491 *keyptr = htons(min + off % range_size); 492 if (!nf_nat_used_tuple(tuple, ct)) 493 return; 494 } 495 496 if (attempts >= range_size || attempts < 16) 497 return; 498 attempts /= 2; 499 off = get_random_u16(); 500 goto another_round; 501 } 502
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index e1290c159184..097bed663805 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -60,6 +60,7 @@ struct nf_dccp_net {
 #ifdef CONFIG_NF_CT_PROTO_SCTP
 struct nf_sctp_net {
 unsigned int timeouts[SCTP_CONNTRACK_MAX];
+ u8 sctp_no_random_port;
 };
 #endif
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 5a936334b517..5e4d3215dcf6 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -699,6 +699,9 @@ void nf_conntrack_sctp_init_net(struct net *net)
 * 'new' timeout, like udp or icmp.
 */
 sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
+
+ /* leave source port randomization as true by default */
+ sn->sctp_no_random_port = 0;
 }
 const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 4ffe84c5a82c..e35876ce418d 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -602,6 +602,7 @@ enum nf_ct_sysctl_index {
 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_SHUTDOWN_ACK_SENT,
 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_SENT,
 NF_SYSCTL_CT_PROTO_TIMEOUT_SCTP_HEARTBEAT_ACKED,
+ NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT,
 #endif
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST,
@@ -892,6 +893,14 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec_jiffies,
 },
+ [NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT] = {
+ .procname = "nf_conntrack_sctp_no_random_port",
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
 #endif
 #ifdef CONFIG_NF_CT_PROTO_DCCP
 [NF_SYSCTL_CT_PROTO_TIMEOUT_DCCP_REQUEST] = {
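Review bot: The new `nf_conntrack_sctp_no_random_port` entry in the nf_ct_sysctl_table hunk introduces a user-visible knob, but this diff adds no matching entry to Documentation/networking/nf_conntrack-sysctl.rst; if it is not added elsewhere in the series, please document it next to the other nf_conntrack_sctp_* entries, e.g. `nf_conntrack_sctp_no_random_port - BOOLEAN` followed by a sentence stating that 1 keeps the original SCTP source port instead of picking a random one and that, per the nf_nat_core.c comment, a second endpoint reusing that port behind the NAT is dropped, while 0 (the default set in nf_conntrack_sctp_init_net) keeps the existing randomizing behaviour. The entry leaves `.data` unset in the static table and relies on the XASSIGN in nf_conntrack_standalone_init_sctp_sysctl, which matches how the other SCTP entries are wired.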
@@ -1037,6 +1046,10 @@ static void nf_conntrack_standalone_init_sctp_sysctl(struct net *net,
 XASSIGN(HEARTBEAT_SENT, sn);
 XASSIGN(HEARTBEAT_ACKED, sn);
 #undef XASSIGN
+#define XASSIGN(XNAME, rval) \
+ table[NF_SYSCTL_CT_PROTO_SCTP_ ## XNAME].data = (rval)
+ XASSIGN(NO_RANDOM_PORT, &sn->sctp_no_random_port);
+#undef XASSIGN
 #endif
 }
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 18319a6e6806..de0134d99d58 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -422,10 +422,16 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 }
 goto find_free_id;
 #endif
+ case IPPROTO_SCTP:
+ /* SCTP port randomization disabled, try to use the same source port
+ * as in the original packet. Drop packets if another endpoint tries
+ * to use same source port behind NAT.
+ */
+ if (nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port)
+ return;
 case IPPROTO_UDP:
 case IPPROTO_UDPLITE:
 case IPPROTO_TCP:
- case IPPROTO_SCTP:
 case IPPROTO_DCCP:
 if (maniptype == NF_NAT_MANIP_SRC)
 keyptr = &tuple->src.u.all;
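Review bot: Redefining `XASSIGN` for a single use in the nf_conntrack_standalone_init_sctp_sysctl hunk adds four lines where one direct assignment says the same thing: `table[NF_SYSCTL_CT_PROTO_SCTP_NO_RANDOM_PORT].data = &sn->sctp_no_random_port;`. The helper macro pays off for the timeout entries above it because they share the `_TIMEOUT_SCTP_` prefix and the `sn` argument; here it only obscures which table slot is being wired.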
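Review bot: The new `case IPPROTO_SCTP:` in the nf_nat_core.c hunk dereferences `nf_sctp_pernet(nf_ct_net(ct))->sctp_no_random_port` unconditionally, while the field itself is only declared under `#ifdef CONFIG_NF_CT_PROTO_SCTP` (conntrack.h hunk) and the GRE case a few lines above guards its protocol-specific lookup with `#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)`, so configurations without SCTP conntrack presumably cannot compile this line; the `if`/`return` then drops into `case IPPROTO_UDP:` without an annotation. Wrapping the lookup in `#if IS_ENABLED(CONFIG_NF_CT_PROTO_SCTP)` … `#endif` and placing `fallthrough;` after it keeps the SCTP-to-UDP/TCP grouping explicit and the build config-independent. Separately, the early `return` runs before the `NF_NAT_RANGE_PROTO_SPECIFIED` branch and before `find_free_id`, so with the sysctl set an explicit port range in the NAT rule is silently ignored for SCTP and `nf_nat_used_tuple` is never consulted; if that is intended the comment should state it, otherwise the check belongs after the range handling and should return only when no explicit range was given. The enclosing switch and function begin outside the hunk.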