From mboxrd@z Thu Jan 1 00:00:00 1970 Authentication-Results: passt.top; dmarc=none (p=none dis=none) header.from=gibson.dropbear.id.au Authentication-Results: passt.top; dkim=pass (2048-bit key; secure) header.d=gibson.dropbear.id.au header.i=@gibson.dropbear.id.au header.a=rsa-sha256 header.s=202408 header.b=r9kKiZQk; dkim-atps=neutral Received: from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76]) by passt.top (Postfix) with ESMTPS id 2ADC05A004C for ; Thu, 29 Aug 2024 03:32:51 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gibson.dropbear.id.au; s=202408; t=1724895163; bh=2e2lDQcjEZB8upOHXitZ/P7zzJVuZoV34ipp0VG2Or8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=r9kKiZQkldnmMfgqTzMOKLMxg6RN0jgqbAFn9EOzTPBysosBlVM7BTHZrgvi6ZYBN UMLcHsSKIi8JW277sJKqKM/oqHJWPwXOMy4uXei0pwoxeAxhd8UqRFrE7MYN4DEJpK NvazXWU18FInXyViKHFnxoF5yCoH44XfqN3U6ca4hUspVNzFRIf5F55yS2H2/ft1cF b/tF5FRlXjNmDJIRbEpEtdQU6VomBFXuroCMz7Gjz1DXeTN36aJX+mulCDC+JYA9M6 OXbFgFcxuRlMIIj53vnh/K6I9jTlRyyJQSA2CYau1TzbvTSZmq0LFv3zG1VkV0bxI7 ITTFKci4LGAoA== Received: by gandalf.ozlabs.org (Postfix, from userid 1007) id 4WvP0q4KyCz4x2d; Thu, 29 Aug 2024 11:32:43 +1000 (AEST) From: David Gibson To: passt-dev@passt.top, Stefano Brivio Subject: [PATCH v2 3/3] fwd, conf: Probe host's ephemeral ports Date: Thu, 29 Aug 2024 11:32:42 +1000 Message-ID: <20240829013242.3396770-4-david@gibson.dropbear.id.au> X-Mailer: git-send-email 2.46.0 In-Reply-To: <20240829013242.3396770-1-david@gibson.dropbear.id.au> References: <20240829013242.3396770-1-david@gibson.dropbear.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: UWN7KKPU7DSTYOCDAX6XFAN47WCU2ACZ X-Message-ID-Hash: UWN7KKPU7DSTYOCDAX6XFAN47WCU2ACZ X-MailFrom: dgibson@gandalf.ozlabs.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: David Gibson X-Mailman-Version: 3.3.8 Precedence: list List-Id: Development discussion and patches for passt Archived-At: Archived-At: List-Archive: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: When we forward "all" ports (-t all or -u all), or use an exclude-only range, we don't actually forward *all* ports - that wouln't leave local ports to use for outgoing connections. Rather we forward all non-ephemeral ports - those that won't be used for outgoing connections or datagrams. Currently we assume the range of ephemeral ports is that recommended by RFC 6335, 49152-65535. However, that's not the range used by default on Linux, 32768-60999 but configurable with the net.ipv4.ip_local_port_range sysctl. We can't really know what range the guest will consider ephemeral, but if it differs too much from the host it's likely to cause problems we can't avoid anyway. So, using the host's ephemeral range is a better guess than using the RFC 6335 range. Therefore, add logic to probe the host's ephemeral range, falling back to the RFC 6335 range if that fails. This has the bonus advantage of reducing the number of ports bound by -t all -u all on most Linux machines thereby reducing kernel memory usage. Specifically this reduces kernel memory usage with -t all -u all from ~380MiB to ~289MiB. Signed-off-by: David Gibson --- conf.c | 1 + fwd.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- fwd.h | 1 + 3 files changed, 61 insertions(+), 2 deletions(-) diff --git a/conf.c b/conf.c index 3eb117ff..b2758864 100644 --- a/conf.c +++ b/conf.c @@ -1721,6 +1721,7 @@ void conf(struct ctx *c, int argc, char **argv) /* Inbound port options & DNS can be parsed now (after IPv4/IPv6 * settings) */ + fwd_probe_ephemeral(); udp_portmap_clear(); optind = 0; do { diff --git a/fwd.c b/fwd.c index adf61cb5..d9daa582 100644 --- a/fwd.c +++ b/fwd.c @@ -28,8 +28,65 @@ #include "flow_table.h" /* Empheral port range: values from RFC 6335 */ -static const uint16_t fwd_ephemeral_min = (1 << 15) + (1 << 14); -static const uint16_t fwd_ephemeral_max = NUM_PORTS - 1; +static uint16_t fwd_ephemeral_min = (1 << 15) + (1 << 14); +static uint16_t fwd_ephemeral_max = NUM_PORTS - 1; + +#define PORT_RANGE_SYSCTL "/proc/sys/net/ipv4/ip_local_port_range" + +/** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral + * + * Work out what ports the host thinks are emphemeral and record it for later + * use by fwd_port_is_ephemeral(). If we're unable to probe, assume the range + * recommended by RFC 6335. + */ +void fwd_probe_ephemeral(void) +{ + char *line, *tab, *end; + struct lineread lr; + long min, max; + ssize_t len; + int fd; + + fd = open(PORT_RANGE_SYSCTL, O_RDONLY | O_CLOEXEC); + if (fd < 0) { + warn_perror("Unable to open %s", PORT_RANGE_SYSCTL); + return; + } + + lineread_init(&lr, fd); + len = lineread_get(&lr, &line); + close(fd); + + if (len < 0) + goto parse_err; + + tab = strchr(line, '\t'); + if (!tab) + goto parse_err; + *tab = '\0'; + + errno = 0; + min = strtol(line, &end, 10); + if (*end || errno) + goto parse_err; + + errno = 0; + max = strtol(tab + 1, &end, 10); + if (*end || errno) + goto parse_err; + + if (min < 0 || min >= NUM_PORTS || + max < 0 || max >= NUM_PORTS) + goto parse_err; + + fwd_ephemeral_min = min; + fwd_ephemeral_max = max; + + return; + +parse_err: + warn("Unable to parse %s", PORT_RANGE_SYSCTL); +} /** * fwd_port_is_ephemeral() - Is port number ephemeral? diff --git a/fwd.h b/fwd.h index 42fe57eb..23aac5b2 100644 --- a/fwd.h +++ b/fwd.h @@ -12,6 +12,7 @@ struct flowside; /* Number of ports for both TCP and UDP */ #define NUM_PORTS (1U << 16) +void fwd_probe_ephemeral(void); bool fwd_port_is_ephemeral(uint16_t port); enum fwd_ports_mode { -- 2.46.0