From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <9ba5487a-17b7-4c7b-a3d4-7a1e2c7d88a5@redhat.com>
Date: Wed, 28 Aug 2024 12:22:18 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH 3/3] fwd, conf: Probe host's ephemeral ports
To: David Gibson <david@gibson.dropbear.id.au>, passt-dev@passt.top,
 Stefano Brivio <sbrivio@redhat.com>
References: <20240828055610.3241117-1-david@gibson.dropbear.id.au>
 <20240828055610.3241117-4-david@gibson.dropbear.id.au>
From: Laurent Vivier <lvivier@redhat.com>
In-Reply-To: <20240828055610.3241117-4-david@gibson.dropbear.id.au>
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/9ba5487a-17b7-4c7b-a3d4-7a1e2c7d88a5@redhat.com/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/HIT6TJBFEXZZUHTPE4STZCFEGND227RC/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On 28/08/2024 07:56, David Gibson wrote:
> When we forward "all" ports (-t all or -u all), or use an exclude-only
> range, we don't actually forward *all* ports - that wouldn't leave local
> ports to use for outgoing connections.  Rather we forward all non-ephemeral
> ports - those that won't be used for outgoing connections or datagrams.
> 
> Currently we assume the range of ephemeral ports is that recommended by
> RFC 6335, 49152-65535.  However, that's not the range used by default on
> Linux, 32768-60999 but configurable with the net.ipv4.ip_local_port_range
> sysctl.
> 
> We can't really know what range the guest will consider ephemeral, but if
> it differs too much from the host it's likely to cause problems we can't
> avoid anyway.  So, using the host's ephemeral range is a better guess than
> using the RFC 6335 range.
> 
> Therefore, add logic to probe the host's ephemeral range, falling back to
> the RFC 6335 range if that fails.  This has the bonus advantage of
> reducing the number of ports bound by -t all, -u all on most Linux machines
> thereby reducing kernel memory usage.  Specifically this reduces kernel
> memory usage with -t all, -u all from ~380MiB to ~289MiB.
> 
> Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> ---
>   conf.c |  1 +
>   fwd.c  | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
>   fwd.h  |  1 +
>   3 files changed, 57 insertions(+), 2 deletions(-)
> 
> diff --git a/conf.c b/conf.c
> index 3eb117ff..b2758864 100644
> --- a/conf.c
> +++ b/conf.c
> @@ -1721,6 +1721,7 @@ void conf(struct ctx *c, int argc, char **argv)
>   	/* Inbound port options & DNS can be parsed now (after IPv4/IPv6
>   	 * settings)
>   	 */
> +	fwd_probe_ephemeral();
>   	udp_portmap_clear();
>   	optind = 0;
>   	do {
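Review bot: fwd_probe_ephemeral() is inserted under a comment that only explains why inbound port options and DNS can be parsed at this point, so nothing records why the probe has to precede the option loop; since fwd_port_is_ephemeral() now reads the probed range while -t all / -u all are being parsed, extend the comment, e.g. " * settings); the host's ephemeral range must be probed before the port options are parsed."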
> diff --git a/fwd.c b/fwd.c
> index adf61cb5..40f556e9 100644
> --- a/fwd.c
> +++ b/fwd.c
> @@ -28,8 +28,61 @@
>   #include "flow_table.h"
>   
>   /* Empheral port range: values from RFC 6335 */
> -static const uint16_t fwd_ephemeral_min = (1 << 15) + (1 << 14);
> -static const uint16_t fwd_ephemeral_max = NUM_PORTS - 1;
> +static uint16_t fwd_ephemeral_min = (1 << 15) + (1 << 14);
> +static uint16_t fwd_ephemeral_max = NUM_PORTS - 1;
> +
> +#define PORT_RANGE_SYSCTL	"/proc/sys/net/ipv4/ip_local_port_range"
> +
> +/** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral
> + *
> + * Work out what ports the host thinks are emphemeral and record it for later
> + * use by fwd_port_is_ephemeral().  If we're unable to probe, assume the range
> + * recommended by RFC 6335.
> + */
> +void fwd_probe_ephemeral(void)
> +{
> +	char *line, *tab, *end;
> +	struct lineread lr;
> +	long min, max;
> +	ssize_t len;
> +	int fd;
> +
> +	fd = open(PORT_RANGE_SYSCTL, O_RDONLY | O_CLOEXEC);

Why O_CLOEXEC?
There is no close() in the function, do you rely on it to close the file descriptor?

> +	if (fd < 0)
> +		warn_perror("Unable to open %s", PORT_RANGE_SYSCTL);

goto parse_error ?

or if you add the close() in parse_error, we need a return.

> +
> +	lineread_init(&lr, fd);
> +	len = lineread_get(&lr, &line);
> +	if (len < 0)
> +		goto parse_err;
> +
> +	tab = strchr(line, '\t');
> +	if (!tab)
> +		goto parse_err;
> +	*tab = '\0';
> +
> +	errno = 0;
> +	min = strtol(line, &end, 10);
> +	if (*end || errno)
> +		goto parse_err;
> +
> +	errno = 0;
> +	max = strtol(tab + 1, &end, 10);
> +	if (*end || errno)
> +		goto parse_err;

As /proc files are well formatted, why don't you use fscanf()?
Something like:

	FILE *f;
	int ret;

	f = fopen(PORT_RANGE_SYSCTL, "r");
	if (f == NULL) {
		warn("Unable to parse %s", PORT_RANGE_SYSCTL);
		return;
	}
	/* min and max are the function's long variables, hence %ld */
	ret = fscanf(f, "%ld %ld", &min, &max);
	fclose(f);
	if (ret != 2)
		goto parse_error;

Thanks,
Laurent
> +
> +	if (min < 0 || min >= NUM_PORTS ||
> +	    max < 0 || max >= NUM_PORTS)
> +		goto parse_err;
> +
> +	fwd_ephemeral_min = min;
> +	fwd_ephemeral_max = max;
> +
> +	return;
> +
> +parse_err:
> +	warn("Unable to parse %s", PORT_RANGE_SYSCTL);
> +}
>   
>   /**
>    * fwd_port_is_ephemeral() - Is port number ephemeral?
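Review bot: when open() fails the function warns but does not return, so lineread_init(&lr, fd) and lineread_get() run with fd == -1 and the resulting read error lands at parse_err, reporting the same failure twice; add a `return;` right after `warn_perror("Unable to open %s", PORT_RANGE_SYSCTL);`. The descriptor is also never closed, neither on the success path nor at parse_err, and the range check `min < 0 || min >= NUM_PORTS || max < 0 || max >= NUM_PORTS` accepts min > max, so an inverted range would be stored and handed to fwd_port_is_ephemeral(); suggest `if (min < 0 || max >= NUM_PORTS || min > max)` together with a close(fd) before the return and at parse_err. Minor: "Empheral" and "emphemeral" in the comments should read "ephemeral".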
> diff --git a/fwd.h b/fwd.h
> index 42fe57eb..23aac5b2 100644
> --- a/fwd.h
> +++ b/fwd.h
> @@ -12,6 +12,7 @@ struct flowside;
>   /* Number of ports for both TCP and UDP */
>   #define	NUM_PORTS	(1U << 16)
>   
> +void fwd_probe_ephemeral(void);
>   bool fwd_port_is_ephemeral(uint16_t port);
>   
>   enum fwd_ports_mode {
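As an added example, not passt's code and not the patch under discussion, here is a stand-alone C version of the probe that applies the points raised in this thread: it parses the tab-separated line the kernel writes, rejects an inverted range, closes the file on every path and falls back to the RFC 6335 range on any failure. NUM_PORTS is copied from fwd.h; struct ephemeral_range, parse_port_range() and probe_ephemeral() are names chosen here.

```c
/* Added example (not passt's code): probe ip_local_port_range, RFC 6335 fallback */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_PORTS (1U << 16)	/* as in fwd.h */
struct ephemeral_range { uint16_t min, max; };

/* RFC 6335 dynamic/private range, used whenever the host's range is unknown */
static const struct ephemeral_range rfc6335_range = { 49152, 65535 };

/* Parse "MIN<tab>MAX\n" as the kernel writes it: true only if both values are
 * valid ports and min <= max, in which case *r is filled in. */
bool parse_port_range(const char *line, struct ephemeral_range *r)
{
	char *end;
	long min, max;

	errno = 0;
	min = strtol(line, &end, 10);
	if (errno || end == line || (*end != '\t' && *end != ' '))
		return false;
	errno = 0;
	max = strtol(end + 1, &end, 10);
	if (errno || (*end != '\n' && *end != '\0'))
		return false;
	/* port 0 is never a usable source port; an inverted range is rejected */
	if (min < 1 || max >= NUM_PORTS || min > max)
		return false;
	r->min = (uint16_t)min;
	r->max = (uint16_t)max;
	return true;
}

/* Read the host's range from 'path'; on any failure (missing file, short read,
 * bad contents) hand back the RFC 6335 range.  The FILE is closed on every path. */
struct ephemeral_range probe_ephemeral(const char *path)
{
	struct ephemeral_range r = rfc6335_range;
	char line[64];
	FILE *f = fopen(path, "r");
	if (f) {
		if (fgets(line, sizeof(line), f))
			parse_port_range(line, &r);	/* r untouched on failure */
		fclose(f);
	}
	return r;
}
```

On a Linux host, probe_ephemeral("/proc/sys/net/ipv4/ip_local_port_range") returns the kernel's current range; the parser can also be exercised on literal lines.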