提交 6ed5943f 编写于 作者: F Florian Westphal 提交者: Pablo Neira Ayuso

netfilter: nat: remove l4 protocol port rovers

This is a leftover from days where single-cpu systems were common:
Store last port used to resolve a clash to use it as a starting point when
the next conflict needs to be resolved.

When we have parallel attempts to connect to the same address:port pair,
it's likely that both cores end up computing the same "available" port,
as both use the same starting port, and newly used ports won't become
visible to other cores until the conntrack gets confirmed later.

One of the cores then has to drop the packet at insertion time because
the chosen new tuple turns out to be in use after all.

Lets simplify this: remove port rover and use a pseudo-random starting
point.

Note that this doesn't make netfilter default to 'fully random' mode;
the 'rover' was only used if NAT could not reuse source port as-is.
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
上级 c3e93059
...@@ -74,7 +74,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -74,7 +74,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
struct nf_conntrack_tuple *tuple, struct nf_conntrack_tuple *tuple,
const struct nf_nat_range2 *range, const struct nf_nat_range2 *range,
enum nf_nat_manip_type maniptype, enum nf_nat_manip_type maniptype,
const struct nf_conn *ct, u16 *rover); const struct nf_conn *ct);
int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[], int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[],
struct nf_nat_range2 *range); struct nf_nat_range2 *range);
......
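Review bot: The changed declaration drops the `rover` parameter but still carries no comment telling callers how the starting port is chosen, and this header is the only contract the per-protocol files see. Since the default path now starts the search at a pseudo-random offset instead of a remembered one, I would add a short comment above the prototype, e.g. `/* Searches @range for an unused port; without RANDOM/OFFSET flags the search starts at a pseudo-random point, so results are not stable across calls. */`. The declaration opens before this hunk begins.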
...@@ -38,8 +38,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -38,8 +38,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
struct nf_conntrack_tuple *tuple, struct nf_conntrack_tuple *tuple,
const struct nf_nat_range2 *range, const struct nf_nat_range2 *range,
enum nf_nat_manip_type maniptype, enum nf_nat_manip_type maniptype,
const struct nf_conn *ct, const struct nf_conn *ct)
u16 *rover)
{ {
unsigned int range_size, min, max, i; unsigned int range_size, min, max, i;
__be16 *portptr; __be16 *portptr;
...@@ -86,16 +85,13 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -86,16 +85,13 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
} else if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) { } else if (range->flags & NF_NAT_RANGE_PROTO_OFFSET) {
off = (ntohs(*portptr) - ntohs(range->base_proto.all)); off = (ntohs(*portptr) - ntohs(range->base_proto.all));
} else { } else {
off = *rover; off = prandom_u32();
} }
for (i = 0; ; ++off) { for (i = 0; ; ++off) {
*portptr = htons(min + off % range_size); *portptr = htons(min + off % range_size);
if (++i != range_size && nf_nat_used_tuple(tuple, ct)) if (++i != range_size && nf_nat_used_tuple(tuple, ct))
continue; continue;
if (!(range->flags & (NF_NAT_RANGE_PROTO_RANDOM_ALL|
NF_NAT_RANGE_PROTO_OFFSET)))
*rover = off;
return; return;
} }
} }
......
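Review bot: `off = prandom_u32();` in the final `else` branch picks a non-cryptographic starting point, and nothing in the hunk records that this is deliberate, so a later reader may take it as making the chosen port unpredictable. The commit message says the goal is only to stop concurrent CPUs from converging on the same candidate, and I would state that at the call: `/* Not a security property: a pseudo-random start only spreads concurrent CPUs across the range. */`. The declaration of `off` and the include that provides prandom_u32() are outside the hunk; confirm `off` is at least 32 bits wide so the u32 is not narrowed before `off % range_size`, and that the header is already reached. The enclosing function body continues outside the hunk on both sides.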
...@@ -18,8 +18,6 @@ ...@@ -18,8 +18,6 @@
#include <net/netfilter/nf_nat_l3proto.h> #include <net/netfilter/nf_nat_l3proto.h>
#include <net/netfilter/nf_nat_l4proto.h> #include <net/netfilter/nf_nat_l4proto.h>
static u_int16_t dccp_port_rover;
static void static void
dccp_unique_tuple(const struct nf_nat_l3proto *l3proto, dccp_unique_tuple(const struct nf_nat_l3proto *l3proto,
struct nf_conntrack_tuple *tuple, struct nf_conntrack_tuple *tuple,
...@@ -27,8 +25,7 @@ dccp_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -27,8 +25,7 @@ dccp_unique_tuple(const struct nf_nat_l3proto *l3proto,
enum nf_nat_manip_type maniptype, enum nf_nat_manip_type maniptype,
const struct nf_conn *ct) const struct nf_conn *ct)
{ {
nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
&dccp_port_rover);
} }
static bool static bool
......
...@@ -12,8 +12,6 @@ ...@@ -12,8 +12,6 @@
#include <net/netfilter/nf_nat_l4proto.h> #include <net/netfilter/nf_nat_l4proto.h>
static u_int16_t nf_sctp_port_rover;
static void static void
sctp_unique_tuple(const struct nf_nat_l3proto *l3proto, sctp_unique_tuple(const struct nf_nat_l3proto *l3proto,
struct nf_conntrack_tuple *tuple, struct nf_conntrack_tuple *tuple,
...@@ -21,8 +19,7 @@ sctp_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -21,8 +19,7 @@ sctp_unique_tuple(const struct nf_nat_l3proto *l3proto,
enum nf_nat_manip_type maniptype, enum nf_nat_manip_type maniptype,
const struct nf_conn *ct) const struct nf_conn *ct)
{ {
nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
&nf_sctp_port_rover);
} }
static bool static bool
......
...@@ -18,8 +18,6 @@ ...@@ -18,8 +18,6 @@
#include <net/netfilter/nf_nat_l4proto.h> #include <net/netfilter/nf_nat_l4proto.h>
#include <net/netfilter/nf_nat_core.h> #include <net/netfilter/nf_nat_core.h>
static u16 tcp_port_rover;
static void static void
tcp_unique_tuple(const struct nf_nat_l3proto *l3proto, tcp_unique_tuple(const struct nf_nat_l3proto *l3proto,
struct nf_conntrack_tuple *tuple, struct nf_conntrack_tuple *tuple,
...@@ -27,8 +25,7 @@ tcp_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -27,8 +25,7 @@ tcp_unique_tuple(const struct nf_nat_l3proto *l3proto,
enum nf_nat_manip_type maniptype, enum nf_nat_manip_type maniptype,
const struct nf_conn *ct) const struct nf_conn *ct)
{ {
nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
&tcp_port_rover);
} }
static bool static bool
......
...@@ -17,8 +17,6 @@ ...@@ -17,8 +17,6 @@
#include <net/netfilter/nf_nat_l3proto.h> #include <net/netfilter/nf_nat_l3proto.h>
#include <net/netfilter/nf_nat_l4proto.h> #include <net/netfilter/nf_nat_l4proto.h>
static u16 udp_port_rover;
static void static void
udp_unique_tuple(const struct nf_nat_l3proto *l3proto, udp_unique_tuple(const struct nf_nat_l3proto *l3proto,
struct nf_conntrack_tuple *tuple, struct nf_conntrack_tuple *tuple,
...@@ -26,8 +24,7 @@ udp_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -26,8 +24,7 @@ udp_unique_tuple(const struct nf_nat_l3proto *l3proto,
enum nf_nat_manip_type maniptype, enum nf_nat_manip_type maniptype,
const struct nf_conn *ct) const struct nf_conn *ct)
{ {
nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
&udp_port_rover);
} }
static void static void
...@@ -79,8 +76,6 @@ static bool udp_manip_pkt(struct sk_buff *skb, ...@@ -79,8 +76,6 @@ static bool udp_manip_pkt(struct sk_buff *skb,
} }
#ifdef CONFIG_NF_NAT_PROTO_UDPLITE #ifdef CONFIG_NF_NAT_PROTO_UDPLITE
static u16 udplite_port_rover;
static bool udplite_manip_pkt(struct sk_buff *skb, static bool udplite_manip_pkt(struct sk_buff *skb,
const struct nf_nat_l3proto *l3proto, const struct nf_nat_l3proto *l3proto,
unsigned int iphdroff, unsigned int hdroff, unsigned int iphdroff, unsigned int hdroff,
...@@ -104,8 +99,7 @@ udplite_unique_tuple(const struct nf_nat_l3proto *l3proto, ...@@ -104,8 +99,7 @@ udplite_unique_tuple(const struct nf_nat_l3proto *l3proto,
enum nf_nat_manip_type maniptype, enum nf_nat_manip_type maniptype,
const struct nf_conn *ct) const struct nf_conn *ct)
{ {
nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct, nf_nat_l4proto_unique_tuple(l3proto, tuple, range, maniptype, ct);
&udplite_port_rover);
} }
const struct nf_nat_l4proto nf_nat_l4proto_udplite = { const struct nf_nat_l4proto nf_nat_l4proto_udplite = {
......