tcp: add small random increments to the source port

stable inclusion from stable-v5.10.125 commit d28e64b1c63eced06aedadcacb0be4997c10c7c1 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L6EY Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d28e64b1c63eced06aedadcacb0be4997c10c7c1 -------------------------------- commit ca7af040 upstream. Here we're randomly adding between 0 and 7 random increments to the selected source port in order to add some noise in the source port selection that will make the next port less predictable. With the default port range of 32768-60999 this means a worst case reuse scenario of 14116/8=1764 connections between two consecutive uses of the same port, with an average of 14116/4.5=3137. This code was stressed at more than 800000 connections per second to a fixed target with all connections closed by the client using RSTs (worst condition) and only 2 connections failed among 13 billion, despite the hash being reseeded every 10 seconds, indicating a perfectly safe situation. Cc: Moshe Kol <moshe.kol@mail.huji.ac.il> Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il> Cc: Amit Klein <aksecurity@gmail.com> Reviewed-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N Willy Tarreau <w@1wt.eu> Signed-off-by: N Jakub Kicinski <kuba@kernel.org> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>

tcp: add small random increments to the source port
stable inclusion from stable-v5.10.125 commit d28e64b1c63eced06aedadcacb0be4997c10c7c1 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L6EY Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d28e64b1c63eced06aedadcacb0be4997c10c7c1 -------------------------------- commit ca7af040 upstream. Here we're randomly adding between 0 and 7 random increments to the selected source port in order to add some noise in the source port selection that will make the next port less predictable. With the default port range of 32768-60999 this means a worst case reuse scenario of 14116/8=1764 connections between two consecutive uses of the same port, with an average of 14116/4.5=3137. This code was stressed at more than 800000 connections per second to a fixed target with all connections closed by the client using RSTs (worst condition) and only 2 connections failed among 13 billion, despite the hash being reseeded every 10 seconds, indicating a perfectly safe situation. Cc: Moshe Kol <moshe.kol@mail.huji.ac.il> Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il> Cc: Amit Klein <aksecurity@gmail.com> Reviewed-by: N Eric Dumazet <edumazet@google.com> Signed-off-by: N Willy Tarreau <w@1wt.eu> Signed-off-by: N Jakub Kicinski <kuba@kernel.org> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Reviewed-by: N Wei Li <liwei391@huawei.com>
92c5c105 · Willy Tarreau · Zheng Zengkai · 1f90978d · 92c5c105
隐藏空白更改
内联并排

Showing with 5 addition and 4 deletion

net/ipv4/inet_hashtables.c net/ipv4/inet_hashtables.c +5 -4

未找到文件。
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -833,11 +833,12 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
 	return -EADDRNOTAVAIL;
 ok:
-	/* If our first attempt found a candidate, skip next candidate
+	/* Here we want to add a little bit of randomness to the next source
-	 * in 1/16 of cases to add some noise.
+	 * port that will be chosen. We use a max() with a random here so that
+	 * on low contention the randomness is maximal and on high contention
+	 * it may be inexistent.
 	 */
-	if (!i && !(prandom_u32() % 16))
+	i = max_t(int, i, (prandom_u32() & 7) * 2);
-		i = 2;
 	WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);
 	/* Head lock still held and bh's disabled */