From mboxrd@z Thu Jan 1 00:00:00 1970
From: Laurent Vivier <lvivier@redhat.com>
Date: Wed, 28 Aug 2024 12:01:38 +0200
Subject: Re: [PATCH 1/3] conf, fwd: Make ephemeral port logic more flexible
To: David Gibson, passt-dev@passt.top, Stefano Brivio
Message-ID: <772b4f09-6d86-4ca7-b819-034bb505f9d5@redhat.com>
In-Reply-To: <20240828055610.3241117-2-david@gibson.dropbear.id.au>
References: <20240828055610.3241117-1-david@gibson.dropbear.id.au> <20240828055610.3241117-2-david@gibson.dropbear.id.au>
List-Id: Development discussion and patches for passt
Content-Type: text/plain; charset=UTF-8; format=flowed

On 28/08/2024 07:56, David Gibson wrote:
> "Ephemeral" ports are those
which the kernel may allocate as local > port numbers for outgoing connections or datagrams. Because of that, > they're generally not good choices for listening servers to bind to. > > Therefore when using -t all, -u all or exclude-only ranges, we map only > non-ephemeral ports. Our logic for this is a bit rigid though: we > assume the ephemeral ports are always a fixed range at the top of the > port number space. We also assume PORT_EPHEMERAL_MIN is a multiple of > 8, or we won't set the forward bitmap correctly. > > Make the logic in conf.c more flexible, using a helper moved into > fwd.[ch], although we don't change which ports we consider ephemeral > (yet). > > The new handling is undoubtedly more computationally expensive, but > since it's a once-off operation at start off, I don't think it really > matters. > > Signed-off-by: David Gibson > --- > conf.c | 12 ++++++++---- > fwd.c | 17 +++++++++++++++++ > fwd.h | 2 ++ > util.h | 3 --- > 4 files changed, 27 insertions(+), 7 deletions(-) > > diff --git a/conf.c b/conf.c > index e29b6a92..6b3dafd5 100644 > --- a/conf.c > +++ b/conf.c > @@ -156,9 +156,12 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, > die("'all' port forwarding is only allowed for passt"); > > fwd->mode = FWD_ALL; > - memset(fwd->map, 0xff, PORT_EPHEMERAL_MIN / 8); > > - for (i = 0; i < PORT_EPHEMERAL_MIN; i++) { > + for (i = 0; i < NUM_PORTS; i++) { > + if (fwd_port_is_ephemeral(i)) > + continue; > + > + bitmap_set(fwd->map, i); > if (optname == 't') { > ret = tcp_sock_init(c, AF_UNSPEC, NULL, NULL, > i); > @@ -259,8 +262,9 @@ static void conf_ports(const struct ctx *c, char optname, const char *optarg, > } while ((p = next_chunk(p, ','))); > > if (exclude_only) { > - for (i = 0; i < PORT_EPHEMERAL_MIN; i++) { > - if (bitmap_isset(exclude, i)) > + for (i = 0; i < NUM_PORTS; i++) { > + if (fwd_port_is_ephemeral(i) || > + bitmap_isset(exclude, i)) > continue; > > bitmap_set(fwd->map, i);
> diff --git a/fwd.c b/fwd.c > index 2a0452fa..adf61cb5 100644 > --- a/fwd.c > +++ b/fwd.c > @@ -27,6 +27,23 @@ > #include "lineread.h" > #include "flow_table.h" > > +/* Empheral port range: values from RFC 6335 */ > +static const uint16_t fwd_ephemeral_min = (1 << 15) + (1 << 14); > +static const uint16_t fwd_ephemeral_max = NUM_PORTS - 1; > + > +/** > + * fwd_port_is_ephemeral() - Is port number ephemeral? > + * @port: Port number > + * > + * Return: true if @port is ephemeral, that is may be allocated by the kernel as > + * a local port for outgoing connections or datagrams, but should not be > + * used for binding services to. > + */ > +bool fwd_port_is_ephemeral(uint16_t port) > +{ > + return (port >= fwd_ephemeral_min) && (port <= fwd_ephemeral_max); > +} > + > /* See enum in kernel's include/net/tcp_states.h */ > #define UDP_LISTEN 0x07 > #define TCP_LISTEN 0x0a > diff --git a/fwd.h b/fwd.h > index b4aa8d57..42fe57eb 100644 > --- a/fwd.h > +++ b/fwd.h > @@ -12,6 +12,8 @@ struct flowside; > /* Number of ports for both TCP and UDP */ > #define NUM_PORTS (1U << 16) > > +bool fwd_port_is_ephemeral(uint16_t port); > + > enum fwd_ports_mode { > FWD_UNSET = 0, > FWD_SPEC = 1, > diff --git a/util.h b/util.h > index 1463c921..c7a59d5d 100644 > --- a/util.h > +++ b/util.h > @@ -95,9 +95,6 @@ > #define FD_PROTO(x, proto) \ > (IN_INTERVAL(c->proto.fd_min, c->proto.fd_max, (x))) > > -#define PORT_EPHEMERAL_MIN ((1 << 15) + (1 << 14)) /* RFC 6335 */ > -#define PORT_IS_EPHEMERAL(port) ((port) >= PORT_EPHEMERAL_MIN) > - > #define MAC_ZERO ((uint8_t [ETH_ALEN]){ 0 }) > #define MAC_IS_ZERO(addr) (!memcmp((addr), MAC_ZERO, ETH_ALEN)) > Reviewed-by: Laurent Vivier
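Review bot: in the first conf.c hunk (@@ -156, the `-t all`/`-u all` path) the loop bound changes from PORT_EPHEMERAL_MIN (49152) to NUM_PORTS (1U << 16), so the loop now terminates at 65536, a value that does not fit in 16 bits; please confirm that `i`, declared outside the hunk, is an `int` or `unsigned` and not a `uint16_t`/`in_port_t`, since a 16-bit counter would wrap at 65535 and never exit. Passing `i` to `fwd_port_is_ephemeral(uint16_t)` is fine for 0..65535. A one-line comment that the per-port `bitmap_set(fwd->map, i)` replaces the old `memset(fwd->map, 0xff, PORT_EPHEMERAL_MIN / 8)` fill, and so drops the multiple-of-8 assumption named in the commit message, would help the next reader.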
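Review bot: the same loop-counter width check applies to the second conf.c hunk (@@ -259, exclude-only ranges), which also moves the bound to NUM_PORTS. The combined test `fwd_port_is_ephemeral(i) || bitmap_isset(exclude, i)` reads clearly; consider putting the cheap `bitmap_isset()` first only if profiling ever shows the 65536-iteration loop on the startup path, otherwise leave it as is.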
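Review bot: typo in the new fwd.c comment, "Empheral port range" should be "Ephemeral port range". Two further points on the same hunk: with `fwd_ephemeral_max = NUM_PORTS - 1` (65535) the test `port <= fwd_ephemeral_max` is always true for a `uint16_t` argument, so it is dead until the range becomes configurable (which the commit message promises), and a comment saying that it is kept for that reason would stop someone "simplifying" it away; and the kernel-doc text "may be allocated by the kernel as a local port" overstates what the RFC 6335 constant (49152..65535) guarantees, because Linux picks local ports from the sysctl range `net.ipv4.ip_local_port_range`, which defaults to 32768..60999, so the comment should say the RFC range approximates the kernel's configurable range rather than equals it.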
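Review bot: the new prototype in fwd.h, `bool fwd_port_is_ephemeral(uint16_t port);`, uses `bool` and `uint16_t`, but the hunk shows no `#include <stdbool.h>` or `<stdint.h>` in that header; please confirm fwd.h already includes them (or that every includer, now including conf.c, does), otherwise the declaration fails to compile in a translation unit that includes fwd.h first.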
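Review bot: the util.h hunk deletes PORT_EPHEMERAL_MIN and PORT_IS_EPHEMERAL, while the diffstat touches only conf.c, fwd.c, fwd.h and util.h; please confirm no other source file still references either macro (a grep across the tree would settle it), since any remaining user would now fail with an undeclared identifier rather than silently keep the old rigid behaviour.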