From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B2BDC15C82 for ; Mon, 5 Dec 2022 19:12:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 331FFC433D6; Mon, 5 Dec 2022 19:12:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1670267552; bh=Uudvv/eYZ5Is7IV34IZjrizxRmx39zAx9iz/aM6iyTo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=S+GvDPRkwExEvP/4yEMtdACIgYqVA3FZ5sJ+oYwE6kRMTEzON0ya3s5a8R7M5RceJ gLBe06iyWSksAYd8ur2WWuxvFh+mTejNnNMRZ3d39N9IWqFL9OOhMbNuPWUqpyempA kica+e0Q8plXMyjyvx3xRuWCPSnwxSDRmYPdb6G8= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Gleb Mazovetskiy , Kuniyuki Iwashima , "David S. Miller" , Sasha Levin Subject: [PATCH 4.9 28/62] tcp: configurable source port perturb table size Date: Mon, 5 Dec 2022 20:09:25 +0100 Message-Id: <20221205190759.159365142@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221205190758.073114639@linuxfoundation.org> References: <20221205190758.073114639@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Gleb Mazovetskiy [ Upstream commit aeac4ec8f46d610a10adbaeff5e2edf6a88ffc62 ] On embedded systems with little memory and no relevant security concerns, it is beneficial to reduce the size of the table. Reducing the size from 2^16 to 2^8 saves 255 KiB of kernel RAM. Makes the table size configurable as an expert option. The size was previously increased from 2^8 to 2^16 in commit 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16"). Signed-off-by: Gleb Mazovetskiy Reviewed-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv4/Kconfig | 10 ++++++++++ net/ipv4/inet_hashtables.c | 10 +++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index 4d265d4a0dbe..29be5bcbe7ac 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig @@ -371,6 +371,16 @@ config INET_IPCOMP If unsure, say Y. +config INET_TABLE_PERTURB_ORDER + int "INET: Source port perturbation table size (as power of 2)" if EXPERT + default 16 + help + Source port perturbation table size (as power of 2) for + RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm. + + The default is almost always what you want. + Only change this if you know what you are doing. + config INET_XFRM_TUNNEL tristate select INET_TUNNEL diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index db47e1c407d9..9958850b6cee 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -541,13 +541,13 @@ EXPORT_SYMBOL_GPL(inet_unhash); * Note that we use 32bit integers (vs RFC 'short integers') * because 2^16 is not a multiple of num_ephemeral and this * property might be used by clever attacker. + * * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though - * attacks were since demonstrated, thus we use 65536 instead to really - * give more isolation and privacy, at the expense of 256kB of kernel - * memory. + * attacks were since demonstrated, thus we use 65536 by default instead + * to really give more isolation and privacy, at the expense of 256kB + * of kernel memory. */ -#define INET_TABLE_PERTURB_SHIFT 16 -#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT) +#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER) static u32 *table_perturb; int __inet_hash_connect(struct inet_timewait_death_row *death_row, -- 2.35.1