From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Willy Tarreau <w@1wt.eu>, Moshe Kol <moshe.kol@mail.huji.ac.il>,
Yossi Gilad <yossi.gilad@mail.huji.ac.il>,
Amit Klein <aksecurity@gmail.com>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>,
davem@davemloft.net, yoshfuji@linux-ipv6.org, dsahern@kernel.org,
pabeni@redhat.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 15/19] tcp: add small random increments to the source port
Date: Tue, 10 May 2022 11:44:25 -0400
Message-ID: <20220510154429.153677-15-sashal@kernel.org>
In-Reply-To: <20220510154429.153677-1-sashal@kernel.org>
From: Willy Tarreau <w@1wt.eu>
[ Upstream commit ca7af0402550f9a0b3316d5f1c30904e42ed257d ]
Here we're randomly adding between 0 and 7 random increments to the
selected source port in order to add some noise in the source port
selection that will make the next port less predictable.

With the default port range of 32768-60999 this means a worst case
reuse scenario of 14116/8=1764 connections between two consecutive
uses of the same port, with an average of 14116/4.5=3137. This code
was stressed at more than 800000 connections per second to a fixed
target with all connections closed by the client using RSTs (worst
condition) and only 2 connections failed among 13 billion, despite
the hash being reseeded every 10 seconds, indicating a perfectly
safe situation.
Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>
Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>
Cc: Amit Klein <aksecurity@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/inet_hashtables.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 81a33af8393d..573a7e66ebc8 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -833,11 +833,12 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
return -EADDRNOTAVAIL;
ok:
- /* If our first attempt found a candidate, skip next candidate
- * in 1/16 of cases to add some noise.
+ /* Here we want to add a little bit of randomness to the next source
+ * port that will be chosen. We use a max() with a random here so that
+ * on low contention the randomness is maximal and on high contention
+ * it may be inexistent.
*/
- if (!i && !(prandom_u32() % 16))
- i = 2;
+ i = max_t(int, i, (prandom_u32() & 7) * 2);
WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);
/* Head lock still held and bh's disabled */
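Review bot: the new comment block (`+ /* Here we want to add a little bit of randomness ...`) explains the max() but not why the random value is multiplied by 2; since the counter is then advanced by `i + 2` and the code it replaces counted one skipped candidate as `i = 2`, the `* 2` keeps the random term in the same even units as `i`, and a half-line saying so would spare the next reader working it out from `(prandom_u32() & 7) * 2`. The same comment could state the consequence of the max() explicitly: once `i` already reaches 14 because of contention, the random term is fully masked and the step is the constant 16 the commit message calls the worst case. Style nit: "inexistent" in the comment reads better as "nonexistent".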
--
2.35.1
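The step sizes the commit message reasons about (2 to 16 ports after the patch, 2 or occasionally 4 ports before it, and a constant 16 under heavy contention) are easy to measure in user space. The model below is an added example, not kernel code from the patch or from the author: it keeps only the increment logic of the hunk, replaces prandom_u32() with a seeded xorshift32 so that runs repeat, passes the contention level i as a plain parameter, and assumes the default ip_local_port_range of 32768-60999 quoted in the commit message. It reports how many distinct step sizes each scheme produces and how often the single most common step occurs, which is the share of next ports that are predictable from the previous one.

```c
/* User-space model of the source-port perturbation step changed by this patch.
 * Added example, not kernel code: prandom_u32() is replaced by a seeded xorshift
 * and table_perturb[] handling is reduced to the increment itself. */
#include <stdint.h>
#include <stdio.h>

#define PORT_LO 32768
#define PORT_HI 60999
#define PORT_RANGE (PORT_HI - PORT_LO + 1)   /* 28232 ports in the default range */
#define MAX_STEP 16                          /* i + 2 with i at most 14 */

/* Deterministic stand-in for prandom_u32(): xorshift32 with a fixed seed. */
static uint32_t rng_state = 2463534242u;
static uint32_t fake_prandom_u32(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    rng_state = x;
    return x;
}

/* Pre-patch increment: when the first candidate was free (i == 0), skip one
 * extra candidate in 1/16 of the cases; the perturb counter advances by i + 2. */
static int old_perturb_increment(int i)
{
    if (!i && !(fake_prandom_u32() % 16))
        i = 2;
    return i + 2;
}

/* Post-patch increment: max() of the contention-driven skip count and a random
 * even value 0..14, so uncontended steps are spread over 2, 4, ..., 16 ports. */
static int new_perturb_increment(int i)
{
    int r = (int)((fake_prandom_u32() & 7) * 2);
    if (r > i)
        i = r;
    return i + 2;
}

/* Histogram of the step sizes produced by n connections at contention level i
 * (i counts candidates found busy, in units of 2 ports, as in the kernel). */
static void step_histogram(int (*inc)(int), int i, int n, int hist[MAX_STEP + 1])
{
    for (int s = 0; s <= MAX_STEP; s++)
        hist[s] = 0;
    for (int k = 0; k < n; k++)
        hist[inc(i)]++;
}

/* Percentage of connections whose step equals the single most common step,
 * i.e. how often the next port is the one predicted from the previous one. */
static int guess_hit_pct(int (*inc)(int), int i, int n)
{
    int hist[MAX_STEP + 1], best = 0;
    step_histogram(inc, i, n, hist);
    for (int s = 0; s <= MAX_STEP; s++)
        if (hist[s] > best)
            best = hist[s];
    return (int)((long long)best * 100 / n);
}

/* Number of different step sizes actually used (1 means no randomness left). */
static int distinct_steps(int (*inc)(int), int i, int n)
{
    int hist[MAX_STEP + 1], count = 0;
    step_histogram(inc, i, n, hist);
    for (int s = 0; s <= MAX_STEP; s++)
        if (hist[s])
            count++;
    return count;
}

int main(void)
{
    int n = 200000;
    printf("old, i=0:  most common step %d%% of the time, %d step sizes\n",
           guess_hit_pct(old_perturb_increment, 0, n), distinct_steps(old_perturb_increment, 0, n));
    printf("new, i=0:  most common step %d%% of the time, %d step sizes\n",
           guess_hit_pct(new_perturb_increment, 0, n), distinct_steps(new_perturb_increment, 0, n));
    printf("new, i=14: most common step %d%% of the time, %d step sizes\n",
           guess_hit_pct(new_perturb_increment, 14, n), distinct_steps(new_perturb_increment, 14, n));
    /* Connections per lap of the range at constant worst-case and average step. */
    printf("laps: worst %d connections, average %d\n", PORT_RANGE / MAX_STEP, PORT_RANGE / 9);
    return 0;
}
```

With no contention the old scheme lands on its most common step (2 ports) about 15 times out of 16, while the new scheme spreads uniformly over eight step sizes; with i already at 14 the max() swallows the random term and every step is 16 ports, which is the "inexistent on high contention" case the new comment describes and the 28232/16 worst-case lap the commit message quotes.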