Date: Thu, 29 Aug 2024 11:29:30 +1000
From: David Gibson <david@gibson.dropbear.id.au>
To: Laurent Vivier <lvivier@redhat.com>
Subject: Re: [PATCH 3/3] fwd, conf: Probe host's ephemeral ports
Message-ID: <Zs_O-uO8-59921GR@zatzit.fritz.box>
References: <20240828055610.3241117-1-david@gibson.dropbear.id.au>
 <20240828055610.3241117-4-david@gibson.dropbear.id.au>
 <9ba5487a-17b7-4c7b-a3d4-7a1e2c7d88a5@redhat.com>
In-Reply-To: <9ba5487a-17b7-4c7b-a3d4-7a1e2c7d88a5@redhat.com>
CC: passt-dev@passt.top, Stefano Brivio <sbrivio@redhat.com>
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/Zs_O-uO8-59921GR@zatzit.fritz.box/>

On Wed, Aug 28, 2024 at 12:22:18PM +0200, Laurent Vivier wrote:
> On 28/08/2024 07:56, David Gibson wrote:
> > When we forward "all" ports (-t all or -u all), or use an exclude-only
> > range, we don't actually forward *all* ports - that wouldn't leave local
> > ports to use for outgoing connections.  Rather we forward all non-ephemeral
> > ports - those that won't be used for outgoing connections or datagrams.
> >
> > Currently we assume the range of ephemeral ports is that recommended by
> > RFC 6335, 49152-65535.  However, that's not the range used by default on
> > Linux, 32768-60999, but configurable with the net.ipv4.ip_local_port_range
> > sysctl.
> >
> > We can't really know what range the guest will consider ephemeral, but if
> > it differs too much from the host it's likely to cause problems we can't
> > avoid anyway.  So, using the host's ephemeral range is a better guess than
> > using the RFC 6335 range.
> >
> > Therefore, add logic to probe the host's ephemeral range, falling back to
> > the RFC 6335 range if that fails.  This has the bonus advantage of
> > reducing the number of ports bound by -t all, -u all on most Linux machines,
> > thereby reducing kernel memory usage.  Specifically this reduces kernel
> > memory usage with -t all, -u all from ~380MiB to ~289MiB.
> >
> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > ---
> >   conf.c |  1 +
> >   fwd.c  | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
> >   fwd.h  |  1 +
> >   3 files changed, 57 insertions(+), 2 deletions(-)
> >
> > diff --git a/conf.c b/conf.c
> > index 3eb117ff..b2758864 100644
> > --- a/conf.c
> > +++ b/conf.c
> > @@ -1721,6 +1721,7 @@ void conf(struct ctx *c, int argc, char **argv)
> >   	/* Inbound port options & DNS can be parsed now (after IPv4/IPv6
> >   	 * settings)
> >   	 */
> > +	fwd_probe_ephemeral();
> >   	udp_portmap_clear();
> >   	optind = 0;
> >   	do {
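
Review bot: the comment block immediately above this insertion still describes only udp_portmap_clear() and the option loop, so the new fwd_probe_ephemeral() call reads as unexplained; a short comment would record why it has to come first, since the -t all / -u all handling parsed in the loop below relies on fwd_port_is_ephemeral() and therefore on the probed range, for example `/* Probe the host's ephemeral range before port options are parsed */`.
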
> > diff --git a/fwd.c b/fwd.c
> > index adf61cb5..40f556e9 100644
> > --- a/fwd.c
> > +++ b/fwd.c
> > @@ -28,8 +28,61 @@
> >   #include "flow_table.h"
> >   /* Empheral port range: values from RFC 6335 */
> > -static const uint16_t fwd_ephemeral_min = (1 << 15) + (1 << 14);
> > -static const uint16_t fwd_ephemeral_max = NUM_PORTS - 1;
> > +static uint16_t fwd_ephemeral_min = (1 << 15) + (1 << 14);
> > +static uint16_t fwd_ephemeral_max = NUM_PORTS - 1;
> > +
> > +#define PORT_RANGE_SYSCTL	"/proc/sys/net/ipv4/ip_local_port_range"
> > +
> > +/** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral
> > + *
> > + * Work out what ports the host thinks are emphemeral and record it for later
> > + * use by fwd_port_is_ephemeral().  If we're unable to probe, assume the range
> > + * recommended by RFC 6335.
> > + */
> > +void fwd_probe_ephemeral(void)
> > +{
> > +	char *line, *tab, *end;
> > +	struct lineread lr;
> > +	long min, max;
> > +	ssize_t len;
> > +	int fd;
> > +
> > +	fd = open(PORT_RANGE_SYSCTL, O_RDONLY | O_CLOEXEC);
>
> Why O_CLOEXEC?

AIUI current security best practices recommend using O_CLOEXEC
basically always.  clang-tidy complains if it's not there.

> There is no close() in the function, do you rely on it to close the file descriptor?

No, just a very dumb oversight.

> > +	if (fd < 0)
> > +		warn_perror("Unable to open %s", PORT_RANGE_SYSCTL);
>
> goto parse_error ?

No, this is a different error, but there should be a return.  Added.

> or if you add the close() in parse_error, we need a return.
>
> > +
> > +	lineread_init(&lr, fd);
> > +	len = lineread_get(&lr, &line);
> > +	if (len < 0)
> > +		goto parse_err;
> > +
> > +	tab = strchr(line, '\t');
> > +	if (!tab)
> > +		goto parse_err;
> > +	*tab = '\0';
> > +
> > +	errno = 0;
> > +	min = strtol(line, &end, 10);
> > +	if (*end || errno)
> > +		goto parse_err;
> > +
> > +	errno = 0;
> > +	max = strtol(tab + 1, &end, 10);
> > +	if (*end || errno)
> > +		goto parse_err;
>
> As /proc files are well formatted, why don't you use fscanf()?
> Something like:
>
> 	FILE *f;
>
> 	f = fopen(PORT_RANGE_SYSCTL, "r");
> 	if (f == NULL) {
> 		warn("Unable to parse %s", PORT_RANGE_SYSCTL);
> 		return;
> 	}
> 	ret = fscanf(f, "%d %d", &min, &max);
> 	fclose(f);
> 	if (ret != 2)
> 		goto parse_error;

Hm, maybe.  I never feel like I know exactly what the parse rules for
scanf() are, so I tend to avoid it.  Stefano, any thoughts?

>
> Thanks,
> Laurent
> > +
> > +	if (min < 0 || min >= NUM_PORTS ||
> > +	    max < 0 || max >= NUM_PORTS)
> > +		goto parse_err;
> > +
> > +	fwd_ephemeral_min = min;
> > +	fwd_ephemeral_max = max;
> > +
> > +	return;
> > +
> > +parse_err:
> > +	warn("Unable to parse %s", PORT_RANGE_SYSCTL);
> > +}
> >   /**
> >    * fwd_port_is_ephemeral() - Is port number ephemeral?
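
Review bot: the open() failure path only warns: with fd == -1 execution continues into lineread_init() and lineread_get(), and on both the success path and the parse_err path the descriptor is never closed (Laurent's two points above). Suggest `if (fd < 0) { warn_perror(...); return; }` and a close(fd) before the final return and in parse_err. Independently, the range check `min < 0 || min >= NUM_PORTS || max < 0 || max >= NUM_PORTS` never rejects min > max, so an inverted sysctl value would be stored and fwd_port_is_ephemeral() would then be working against an inverted range; add `|| min > max` to the condition. Also worth confirming that lineread_get() strips the trailing newline the kernel writes after the second number, because otherwise the `*end` test on `max` fails on every host and the probe silently falls back to the RFC 6335 range. Minor: "emphemeral" in the doc comment.
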
> > diff --git a/fwd.h b/fwd.h
> > index 42fe57eb..23aac5b2 100644
> > --- a/fwd.h
> > +++ b/fwd.h
> > @@ -12,6 +12,7 @@ struct flowside;
> >   /* Number of ports for both TCP and UDP */
> >   #define	NUM_PORTS	(1U << 16)
> > +void fwd_probe_ephemeral(void);
> >   bool fwd_port_is_ephemeral(uint16_t port);
> >   enum fwd_ports_mode {
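
Review bot: the new fwd_probe_ephemeral() prototype carries no note on ordering, yet fwd_port_is_ephemeral() now reads module-level variables that only this call updates; a one-line comment in the header, e.g. `/* Must be called before fwd_port_is_ephemeral() */`, would make the conf() ordering a documented requirement rather than an accident of call placement.
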
>

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
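
Laurent's fscanf() suggestion and David's reservation about scanf() parse rules come down to which inputs each parser accepts, so here is an added example (written for this page, not passt's code and not from either author) that puts a strict strtol()-based parser next to a sscanf("%d %d") one and runs both over constructed sample lines. NUM_PORTS, struct port_range and the helper names are the example's own assumptions, standing in for the definitions in fwd.h:

```c
/* Added example, not passt's own code: a strict strtol() parser for the text
 * of /proc/sys/net/ipv4/ip_local_port_range next to the sscanf("%d %d") form
 * from the review; NUM_PORTS and struct port_range stand in for fwd.h here. */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_PORTS (1U << 16)

struct port_range {
	unsigned short min;
	unsigned short max;
};

/* One decimal field: digits only, nothing before or after, 0..NUM_PORTS-1 */
static bool parse_port(const char *s, long *val)
{
	char *end;
	/* strtol() on its own would skip leading blanks and accept a sign */
	if (!isdigit((unsigned char)*s))
		return false;
	errno = 0;
	*val = strtol(s, &end, 10);
	if (errno || *end)
		return false;
	return *val >= 0 && *val < (long)NUM_PORTS;
}

/* Strict parse of "min<TAB>max\n", the exact form the kernel writes */
static bool parse_range_strict(const char *text, struct port_range *out)
{
	char buf[64];
	size_t len = strlen(text);
	long min, max;
	char *tab;

	if (len == 0 || len >= sizeof(buf))
		return false;
	memcpy(buf, text, len + 1);
	/* Tolerate the single trailing newline and nothing else */
	if (buf[len - 1] == '\n')
		buf[--len] = '\0';

	tab = strchr(buf, '\t');
	if (!tab)
		return false;
	*tab = '\0';
	if (!parse_port(buf, &min) || !parse_port(tab + 1, &max))
		return false;
	/* An inverted range must not be recorded as "no ephemeral ports" */
	if (min > max)
		return false;

	out->min = (unsigned short)min;
	out->max = (unsigned short)max;
	return true;
}

/* The "%d %d" form: scanf() skips leading blanks, takes a sign and ignores
 * whatever follows the second number, so it accepts more than the above */
static bool parse_range_scanf(const char *text, struct port_range *out)
{
	int min, max;

	if (sscanf(text, "%d %d", &min, &max) != 2)
		return false;
	if (min < 0 || min >= (int)NUM_PORTS ||
	    max < 0 || max >= (int)NUM_PORTS || min > max)
		return false;
	out->min = (unsigned short)min;
	out->max = (unsigned short)max;
	return true;
}

/* Pack a parse result as (min << 16 | max), or -1 when the line is rejected */
static long long range_key(const char *text, bool use_scanf)
{
	struct port_range r;
	bool ok = use_scanf ? parse_range_scanf(text, &r)
			    : parse_range_strict(text, &r);
	return ok ? ((long long)r.min << 16 | r.max) : -1;
}

int main(void)
{
	/* Constructed inputs; the first is what a default Linux host returns */
	static const char *const samples[] = {
		"32768\t60999\n", "32768 60999\n", "32768\t60999 extra\n",
		" 32768\t60999\n", "60999\t32768\n", "32768\t70000\n",
	};
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("sample %zu: strict=%lld scanf=%lld\n", i,
		       range_key(samples[i], false), range_key(samples[i], true));
	return 0;
}
```

Run stand-alone it prints one line per sample. The strict parser rejects the space-separated, leading-blank and trailing-text variants that sscanf() silently accepts; both reject an inverted or out-of-range pair, which the posted patch's check does not (it tests each bound against NUM_PORTS but never min against max). Whether that strictness is worth it for a kernel-generated file is a judgement call, but the difference between the two approaches is concrete rather than a matter of taste.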