public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Willy Tarreau <w@1wt.eu>, Moshe Kol <moshe.kol@mail.huji.ac.il>,
	Yossi Gilad <yossi.gilad@mail.huji.ac.il>,
	Amit Klein <aksecurity@gmail.com>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
	davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org,
	pabeni@redhat.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.17 16/21] tcp: add small random increments to the source port
Date: Tue, 10 May 2022 11:43:35 -0400
Message-ID: <20220510154340.153400-16-sashal@kernel.org>
In-Reply-To: <20220510154340.153400-1-sashal@kernel.org>

From: Willy Tarreau <w@1wt.eu>

[ Upstream commit ca7af0402550f9a0b3316d5f1c30904e42ed257d ]

Here we're randomly adding between 0 and 7 random increments to the
selected source port in order to add some noise in the source port
selection that will make the next port less predictable.

With the default port range of 32768-60999 this means a worst case
reuse scenario of 14116/8=1764 connections between two consecutive
uses of the same port, with an average of 14116/4.5=3137. This code
was stressed at more than 800000 connections per second to a fixed
target with all connections closed by the client using RSTs (worst
condition) and only 2 connections failed among 13 billion, despite
the hash being reseeded every 10 seconds, indicating a perfectly
safe situation.

Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>
Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>
Cc: Amit Klein <aksecurity@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/inet_hashtables.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 29c701cd8312..63bb4902f018 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -833,11 +833,12 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
 	return -EADDRNOTAVAIL;
 
 ok:
-	/* If our first attempt found a candidate, skip next candidate
-	 * in 1/16 of cases to add some noise.
+	/* Here we want to add a little bit of randomness to the next source
+	 * port that will be chosen. We use a max() with a random here so that
+	 * on low contention the randomness is maximal and on high contention
+	 * it may be inexistent.
 	 */
-	if (!i && !(prandom_u32() % 16))
-		i = 2;
+	i = max_t(int, i, (prandom_u32() & 7) * 2);
 	WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);
 
 	/* Head lock still held and bh's disabled */
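Review bot: the new comment leaves the `* 2` in `(prandom_u32() & 7) * 2` unexplained and uses "inexistent" where "nonexistent" is meant; suggest a sentence on why the random value is doubled (the hunk itself does not show the reason) and how it combines with the `+ 2` on the following WRITE_ONCE line, so a reader can see that under low contention the perturbation grows by an even amount between 2 and 16 per successful connect, matching the "0 and 7 random increments" of the commit message. It is also worth spelling out the consequence of the max(): whenever the candidate walk already needed `i >= 14` tries, the random term contributes nothing and the next perturbation is the fully deterministic `i + 2`, which is what "on high contention it may be inexistent" is alluding to.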
-- 
2.35.1
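Added example, written for this page and not part of the kernel or of this patch: a user-space C model of the old and new stepping rules from the hunk, with a constructed xorshift32 standing in for prandom_u32(). For an uncontended client hammering one destination it measures connections per trip around the port range (the commit message's 14116/8 worst case and 14116/4.5 average) and contrasts how often the next port is simply the previous one plus 2 under each rule. SLOTS, old_step, new_step and simulate are names chosen here, and the assumption that connect() walks even offsets in steps of 2 is taken from the `* 2` in the hunk.

```c
#include <stdint.h>
/* Range from the commit message; assumed: connect() walks even offsets in steps of 2,
 * so one trip around the range visits SLOTS distinct ports. */
#define SLOTS ((60999 - 32768 + 1) / 2)   /* 14116 */
static uint32_t rng = 0x9e3779b9u;  /* xorshift32 state: constructed stand-in for prandom_u32() */
static uint32_t fake_prandom_u32(void)
{
	rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
	return rng;
}
/* Old rule (the removed lines): step 2, or 4 in 1/16 of uncontended cases. */
static int old_step(int i)
{
	if (!i && !(fake_prandom_u32() % 16))
		i = 2;
	return i + 2;
}
/* New rule (the added lines): max() against 0..14 of noise; random when i is small,
 * the deterministic i + 2 once contention has already pushed i past the noise. */
static int new_step(int i)
{
	int noise = (int)(fake_prandom_u32() & 7) * 2;
	return (noise > i ? noise : i) + 2;
}
/* Per trip around SLOTS (the earliest point at which a port can recur): min and mean
 * connections (commit message: 14116/8 = 1764 worst, 14116/4.5 = 3137 average);
 * guessable: fraction of connections whose next port is simply previous + 2. */
struct lap_stats { int min_lap; double mean_lap; double guessable; };
/* Uncontended client (i == 0) hammering one destination, as in the stress test. */
static struct lap_stats simulate(int (*step)(int), long connections)
{
	struct lap_stats st = { 0, 0.0, 0.0 };
	long advanced = 0, laps = 0, lap_start = 0, n;
	rng = 0x9e3779b9u;                  /* reproducible regardless of call order */
	for (n = 1; n <= connections; n++) {
		int s = step(0);
		st.guessable += (s == 2);
		if ((advanced += s / 2) < SLOTS)
			continue;
		int len = (int)(n - lap_start);   /* lap completed on this connection */
		advanced -= SLOTS;
		lap_start = n;
		if (laps++ == 0 || len < st.min_lap)
			st.min_lap = len;
		st.mean_lap += len;
	}
	st.mean_lap = laps ? st.mean_lap / laps : 0.0;
	st.guessable /= connections;
	return st;
}
```

With the old rule roughly 15 of 16 next ports are the previous one plus 2; with the new rule each of the eight steps is equally likely, and the lap figures land on the values the commit message quotes.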


