From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Moshe Kol <moshe.kol@mail.huji.ac.il>,
Yossi Gilad <yossi.gilad@mail.huji.ac.il>,
Amit Klein <aksecurity@gmail.com>,
Eric Dumazet <edumazet@google.com>, Willy Tarreau <w@1wt.eu>,
Jakub Kicinski <kuba@kernel.org>,
Ben Hutchings <ben@decadent.org.uk>
Subject: [PATCH 5.4 06/11] tcp: add small random increments to the source port
Date: Thu, 23 Jun 2022 18:45:10 +0200 [thread overview]
Message-ID: <20220623164321.383720086@linuxfoundation.org> (raw)
In-Reply-To: <20220623164321.195163701@linuxfoundation.org>
From: Willy Tarreau <w@1wt.eu>
commit ca7af0402550f9a0b3316d5f1c30904e42ed257d upstream.
Here we're randomly adding between 0 and 7 random increments to the
selected source port in order to add some noise in the source port
selection that will make the next port less predictable.
With the default port range of 32768-60999 this means a worst case
reuse scenario of 14116/8=1764 connections between two consecutive
uses of the same port, with an average of 14116/4.5=3137. This code
was stressed at more than 800000 connections per second to a fixed
target with all connections closed by the client using RSTs (worst
condition) and only 2 connections failed among 13 billion, despite
the hash being reseeded every 10 seconds, indicating a perfectly
safe situation.
Cc: Moshe Kol <moshe.kol@mail.huji.ac.il>
Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il>
Cc: Amit Klein <aksecurity@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inet_hashtables.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -782,11 +782,12 @@ next_port:
return -EADDRNOTAVAIL;
ok:
- /* If our first attempt found a candidate, skip next candidate
- * in 1/16 of cases to add some noise.
+ /* Here we want to add a little bit of randomness to the next source
+ * port that will be chosen. We use a max() with a random here so that
+ * on low contention the randomness is maximal and on high contention
+ * it may be inexistent.
*/
- if (!i && !(prandom_u32() % 16))
- i = 2;
+ i = max_t(int, i, (prandom_u32() & 7) * 2);
WRITE_ONCE(table_perturb[index], READ_ONCE(table_perturb[index]) + i + 2);
/* Head lock still held and bh's disabled */
next prev parent reply other threads:[~2022-06-23 18:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-23 16:45 [PATCH 5.4 00/11] 5.4.201-rc1 review Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 01/11] s390/mm: use non-quiescing sske for KVM switch to keyed guest Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 02/11] dm: remove special-casing of bio-based immutable singleton target on NVMe Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 03/11] usb: gadget: u_ether: fix regression in setting fixed MAC address Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 04/11] tcp: add some entropy in __inet_hash_connect() Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 05/11] tcp: use different parts of the port_offset for index and offset Greg Kroah-Hartman
2022-06-23 16:45 ` Greg Kroah-Hartman [this message]
2022-06-23 16:45 ` [PATCH 5.4 07/11] tcp: dynamically allocate the perturb table used by source ports Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 08/11] tcp: increase source port perturb table to 2^16 Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 09/11] tcp: drop the hash_32() part from the index calculation Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 10/11] arm64: mm: Dont invalidate FROM_DEVICE buffers at start of DMA transfer Greg Kroah-Hartman
2022-06-23 16:45 ` [PATCH 5.4 11/11] Revert "hwmon: Make chip parameter for with_info API mandatory" Greg Kroah-Hartman
2022-06-23 19:43 ` [PATCH 5.4 00/11] 5.4.201-rc1 review Florian Fainelli
2022-06-24 0:53 ` Shuah Khan
2022-06-24 6:43 ` Samuel Zou
2022-06-24 9:29 ` Jon Hunter
2022-06-24 10:45 ` Sudip Mukherjee
2022-06-24 23:35 ` Guenter Roeck
2022-06-25 13:42 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220623164321.383720086@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=aksecurity@gmail.com \
--cc=ben@decadent.org.uk \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=moshe.kol@mail.huji.ac.il \
--cc=stable@vger.kernel.org \
--cc=w@1wt.eu \
--cc=yossi.gilad@mail.huji.ac.il \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).