From patchwork Mon Feb 25 23:59:17 2019
From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Date: Mon, 25 Feb 2019 15:59:17 -0800
Message-Id: <1551139158-58309-1-git-send-email-dlu998@gmail.com>
Subject: [ovs-dev] [patch v2 1/2] conntrack: Fix wasted work for ICMP NAT.

ICMPv4 and ICMPv6 are not subject to port address translation (PAT);
however, a loop increments a local variable unnecessarily for ephemeral
ports, resulting in wasted work for ICMPv4 and ICMPv6 packets subject to
NAT.

Fix this by checking for PAT being enabled before incrementing the local
port variable, and bailing out otherwise.

Signed-off-by: Darrell Ball
---
v2: Consolidate two selection statements.

 lib/conntrack.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 4028ba9..5f143e0 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2179,20 +2179,16 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, bool ephemeral_ports_tried = conn->nat_info->nat_action & NAT_ACTION_DST ? true : false; union ct_addr first_addr = ct_addr; + bool pat_enabled = conn->key.nw_proto != IPPROTO_ICMP && + conn->key.nw_proto != IPPROTO_ICMPV6; while (true) { + if (conn->nat_info->nat_action & NAT_ACTION_SRC) { nat_conn->rev_key.dst.addr = ct_addr; - } else { - nat_conn->rev_key.src.addr = ct_addr; - } - - if ((conn->key.nw_proto == IPPROTO_ICMP) || - (conn->key.nw_proto == IPPROTO_ICMPV6)) { - all_ports_tried = true; - } else if (conn->nat_info->nat_action & NAT_ACTION_SRC) { nat_conn->rev_key.dst.port = htons(port); } else { + nat_conn->rev_key.src.addr = ct_addr; nat_conn->rev_key.src.port = htons(port); } @@ -2200,7 +2196,7 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, ct->hash_basis); if (new_insert) { return true; - } else if (!all_ports_tried) { + } else if (pat_enabled && !all_ports_tried) { if (min_port == max_port) { all_ports_tried = true; } else if (port == max_port) { 
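Review bot: in the first hunk the two port writes (`nat_conn->rev_key.dst.port = htons(port);` and `nat_conn->rev_key.src.port = htons(port);`) are now reached for ICMP and ICMPv6 as well, which the removed branch avoided by setting `all_ports_tried = true;` before the port assignment was reached. That is only behaviour-preserving if `port` is guaranteed to equal the key's own port value for those protocols on every path into this loop, including an action that names a port range; otherwise the reverse key no longer matches the reply. Guarding the two port assignments with `pat_enabled` keeps the old semantics explicit, and if the ICMP port write is intentional the commit message should say so.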
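Review bot: in the second hunk `all_ports_tried` is now only consulted behind `pat_enabled`, so `bool all_ports_tried = !pat_enabled;` (with the `pat_enabled` declaration moved above it) gives the same effect without touching `} else if (pat_enabled && !all_ports_tried) {`, and keeps the ICMP rule next to the `ephemeral_ports_tried` initialisation where the other no-port-iteration rule already lives. Also, "bail out otherwise" in the commit message does not describe this hunk: when `pat_enabled` is false the branch is skipped and control falls through to the address walk, which is the intended behaviour and worth stating.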
@@ -2222,7 +2218,7 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, ct_addr = conn->nat_info->min_addr; } if (!memcmp(&ct_addr, &first_addr, sizeof ct_addr)) { - if (!ephemeral_ports_tried) { + if (pat_enabled && !ephemeral_ports_tried) { ephemeral_ports_tried = true; ct_addr = conn->nat_info->min_addr; first_addr = ct_addr;
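Review bot: `if (pat_enabled && !ephemeral_ports_tried) {` is right, but the comment that documents `ephemeral_ports_tried` (`/* For DNAT, we don't use ephemeral ports. */`, visible in the 2/2 hunk) still names only DNAT; since this hunk is where the ICMP/ICMPv6 rule is introduced, extend that comment here rather than leaving the reader to connect the two flags.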
From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Date: Mon, 25 Feb 2019 15:59:18 -0800
Message-Id: <1551139158-58309-2-git-send-email-dlu998@gmail.com>
In-Reply-To: <1551139158-58309-1-git-send-email-dlu998@gmail.com>
References: <1551139158-58309-1-git-send-email-dlu998@gmail.com>
Subject: [ovs-dev] [patch v2 2/2] conntrack: Skip ephemeral ports with specified port range.

This patch removes the fallback to ephemeral ports when a SNAT port range
is specified; DNAT already does not fall back to ephemeral ports, in
general. This is not restrictive to the user and makes it easier to limit
NAT L4 port selection.

The documentation is updated and a new test is added to enforce the
behavior.

Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2019-February/356607.html
Fixes: 286de2729955 ("dpdk: Userspace Datapath: Introduce NAT Support.")
Signed-off-by: Darrell Ball
---
v2: No change to this patch.

 lib/conntrack.c         |  8 +++++---
 lib/ovs-actions.xml     | 11 ++++++-----
 tests/system-traffic.at | 50 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 8 deletions(-)

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 5f143e0..0a18ca9 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -2175,9 +2175,11 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, uint16_t port = first_port; bool all_ports_tried = false; - /* For DNAT, we don't use ephemeral ports. */ - bool ephemeral_ports_tried = conn->nat_info->nat_action & NAT_ACTION_DST - ? true : false; + /* For DNAT or for specified port ranges, we don't use ephemeral ports. */ + bool ephemeral_ports_tried + = conn->nat_info->nat_action & NAT_ACTION_DST || + conn->nat_info->nat_action & NAT_ACTION_SRC_PORT + ? true : false; union ct_addr first_addr = ct_addr; bool pat_enabled = conn->key.nw_proto != IPPROTO_ICMP && conn->key.nw_proto != IPPROTO_ICMPV6; diff --git a/lib/ovs-actions.xml b/lib/ovs-actions.xml index fec0b95..84df842 100644 --- a/lib/ovs-actions.xml +++ b/lib/ovs-actions.xml @@ -1664,11 +1664,12 @@ $ ovs-ofctl -O OpenFlow10 add-flow br0 actions=mod_nw_src:1.2.3.4
The L4 port or range port1-port2 from which the - translated port should be selected. In case of a mapping conflict - the datapath may choose any other non-conflicting port number - instead, even when no port range is specified. The port number - selection can be informed by the optional random and - hash flags described below. + translated port should be selected. When a port range is + specified, fallback to ephemeral ports does not happen, else, + it will. The port number selection can be informed by the + optional random and hash flags + described below. The userspace datapath only supports the + hash behavior.
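Review bot: in the `lib/conntrack.c` hunk, `? true : false` is redundant once the initialiser is already a `||` of two tests, and the two `&` tests fold into one mask, which also removes the reliance on `&` binding tighter than `||` inside a conditional expression: `bool ephemeral_ports_tried = (conn->nat_info->nat_action & (NAT_ACTION_DST | NAT_ACTION_SRC_PORT)) != 0;`. The new comment should also say what the user sees when an explicit range is exhausted (no translation, and the tuple-space-exhaustion log message the new test filters), since that is the behaviour change this patch introduces.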
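Review bot: in the `lib/ovs-actions.xml` hunk, "When a port range is specified, fallback to ephemeral ports does not happen, else, it will." is hard to parse and omits the consequence; suggest "If a port range is specified and all of its ports are in use, the connection is not translated; if no port range is specified, an ephemeral port is tried instead." (the test added in this patch shows exactly that: the second connection fails and the exhaustion log is emitted). "The userspace datapath only supports the hash behavior." is a statement about the random and hash flags and belongs next to their description rather than at the end of this paragraph, where a reader looking up the flags will miss it.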
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index d1f8c10..b124181 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -3994,6 +3994,56 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - SNAT with port range with exhaustion]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows.txt], [dnl +in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240:34568,random)),2 +in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat) +in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat) +in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1 +dnl +dnl ARP +priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10 +priority=10 arp action=normal +priority=0,action=drop +dnl +dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0 +table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] +table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]] +dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. +dnl TPA IP in reg2. +dnl Swaps the fields of the ARP message to turn a query to a response. 
+table=10 priority=100 arp xreg0=0 action=normal +table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]] +table=10 priority=0 action=drop +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl HTTP requests from p0->p1 should work fine. +OVS_START_L7([at_ns1], [http]) +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log]) + +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log], [4]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP(["dnl +/Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and\/or zone partitioning./d +/Dropped .* log messages in last .* seconds \(most recently, .* seconds ago\) due to excessive rate/d"]) +AT_CLEANUP AT_SETUP([conntrack - more complex SNAT]) CHECK_CONNTRACK()
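Review bot: in the `tests/system-traffic.at` hunk, the flow `in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)` can never match, because the SNAT range is the single port 34568 and only the `tp_dst=34568` flow is needed; it looks carried over from a neighbouring test, as does the comment `dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.`, which says ND while the flows below resolve ARP, and the `sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'` normalisation, which has nothing to normalise when the source address is pinned to 10.1.1.240. Two smaller points: the action uses the `random` flag although the documentation hunk in this same patch says the userspace datapath only supports `hash` (harmless for a one-port range, but misleading in a test about port selection), and both wget runs write to the same `wget0.log`, so the successful first run's log is overwritten by the failing second one.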
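The port and address walk that the two commit messages describe (1/2: no port iteration for ICMP/ICMPv6; 2/2: no ephemeral fallback when a port range is given or for DNAT), as an added example written for this page. It is not OVS code and does not reproduce nat_select_range_tuple(): the conntrack table is a small array, the walk starts at the range's first port instead of a hash-derived one, and EPHEMERAL_MIN/EPHEMERAL_MAX, ip4(), claim() and select_tuple() are names and values chosen here. The constructed state in main() mirrors the 2/2 autotest: 10.1.1.240:34568 is already taken, so a one-port explicit range fails while the same request without a range falls back to an ephemeral port.

```c
/* Simplified model of NAT tuple selection, added for this page; not OVS
 * code.  It keeps the decisions the two patches touch: ports are walked
 * only when PAT applies (not for ICMP/ICMPv6), DNAT and an explicit port
 * range never fall back to ephemeral ports, and the address range wraps.
 * Assumptions: array table, walk starts at min_port, placeholder bounds. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EPHEMERAL_MIN 1024   /* assumed value, not taken from OVS */
#define EPHEMERAL_MAX 65535  /* assumed value, not taken from OVS */

enum proto { PROTO_TCP, PROTO_ICMP };

struct tuple { uint32_t addr; uint16_t port; };

struct nat_request {
    enum proto proto;
    bool is_dnat;                  /* stands in for NAT_ACTION_DST */
    bool port_range_given;         /* stands in for NAT_ACTION_SRC_PORT */
    uint32_t min_addr, max_addr;   /* host-order IPv4 range */
    uint16_t min_port, max_port;   /* read only when port_range_given */
    uint16_t key_port;             /* original L4 port (ICMP id for ICMP) */
};

/* Stand-in for the conntrack table: tuples already claimed. */
struct table { struct tuple used[64]; size_t n; };

uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Insert the tuple unless it is already present or the table is full. */
bool claim(struct table *t, uint32_t addr, uint16_t port)
{
    for (size_t i = 0; i < t->n; i++) {
        if (t->used[i].addr == addr && t->used[i].port == port) {
            return false;
        }
    }
    if (t->n >= sizeof t->used / sizeof t->used[0]) {
        return false;
    }
    t->used[t->n++] = (struct tuple){ addr, port };
    return true;
}

/* Same shape as nat_select_range_tuple(): true and *out filled on success,
 * false when the tuple space is exhausted. */
bool select_tuple(struct table *t, const struct nat_request *req, struct tuple *out)
{
    bool pat_enabled = req->proto != PROTO_ICMP;                 /* patch 1/2 */
    uint16_t min_port = req->port_range_given ? req->min_port : req->key_port;
    uint16_t max_port = req->port_range_given ? req->max_port : req->key_port;
    bool ephemeral_tried = req->is_dnat || req->port_range_given; /* patch 2/2 */
    uint32_t addr = req->min_addr, first_addr = addr;
    uint16_t port = min_port;

    for (;;) {
        if (claim(t, addr, port)) {
            *out = (struct tuple){ addr, port };
            return true;
        }
        if (pat_enabled && port != max_port) {
            port++;                      /* more ports left on this address */
            continue;
        }
        /* Ports exhausted (or never walked, for ICMP): next address. */
        addr = (addr == req->max_addr) ? req->min_addr : addr + 1;
        if (addr == first_addr) {
            if (!pat_enabled || ephemeral_tried) {
                return false;            /* caller reports tuple-space exhaustion */
            }
            ephemeral_tried = true;      /* SNAT without a range: one more pass */
            min_port = EPHEMERAL_MIN;
            max_port = EPHEMERAL_MAX;
        }
        port = min_port;
    }
}

int main(void)
{
    struct table t = { .n = 0 };
    struct tuple out = { 0, 0 };
    /* Constructed state mirroring the 2/2 test: 10.1.1.240:34568 is taken. */
    claim(&t, ip4(10, 1, 1, 240), 34568);
    struct nat_request req = { PROTO_TCP, false, true, ip4(10, 1, 1, 240),
                               ip4(10, 1, 1, 240), 34568, 34568, 40000 };
    printf("explicit one-port range, port busy: %s\n",
           select_tuple(&t, &req, &out) ? "translated" : "exhausted");
    req.port_range_given = false;   /* same request without a range */
    req.key_port = 34568;
    printf("no range, port busy: %s, port %u\n",
           select_tuple(&t, &req, &out) ? "ephemeral fallback" : "exhausted",
           (unsigned) out.port);
    return 0;
}
```

Build with `cc -std=c99 -Wall nat_walk.c && ./a.out`; the first request reports exhaustion and the second reports an ephemeral fallback to port 1024. Swapping `PROTO_TCP` for `PROTO_ICMP` in the request shows the 1/2 behaviour: the port is never incremented, only the address range is walked, and there is no ephemeral pass.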