lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202107281353.pGmCqOxp-lkp@intel.com>
Date:   Wed, 28 Jul 2021 13:23:33 +0800
From:   kernel test robot <lkp@...el.com>
To:     Cole Dishington <Cole.Dishington@...iedtelesis.co.nz>,
        pablo@...filter.org
Cc:     kbuild-all@...ts.01.org, kadlec@...filter.org, fw@...len.de,
        davem@...emloft.net, kuba@...nel.org, shuah@...nel.org,
        linux-kernel@...r.kernel.org, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org, netdev@...r.kernel.org
Subject: Re: [PATCH] net: netfilter: Fix port selection of FTP for
 NF_NAT_RANGE_PROTO_SPECIFIED

Hi Cole,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on nf-next/master]
[also build test WARNING on nf/master ipvs/master v5.14-rc3 next-20210727]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210728-112306
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/2e0f4c593d92890a9a5b0098b3f20a6486b4019d
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210728-112306
        git checkout 2e0f4c593d92890a9a5b0098b3f20a6486b4019d
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross ARCH=xtensa 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>

All warnings (new ones prefixed by >>):

>> net/netfilter/nf_nat_core.c:363:6: warning: no previous prototype for 'nf_nat_l4proto_unique_tuple' [-Wmissing-prototypes]
     363 | void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
         |      ^~~~~~~~~~~~~~~~~~~~~~~~~~~


vim +/nf_nat_l4proto_unique_tuple +363 net/netfilter/nf_nat_core.c

   357	
   358	/* Alter the per-proto part of the tuple (depending on maniptype), to
   359	 * give a unique tuple in the given range if possible.
   360	 *
   361	 * Per-protocol part of tuple is initialized to the incoming packet.
   362	 */
 > 363	void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
   364					 const struct nf_nat_range2 *range,
   365					 enum nf_nat_manip_type maniptype,
   366					 const struct nf_conn *ct)
   367	{
   368		unsigned int range_size, min, max, i, attempts;
   369		__be16 *keyptr;
   370		u16 off;
   371		static const unsigned int max_attempts = 128;
   372	
   373		switch (tuple->dst.protonum) {
   374		case IPPROTO_ICMP:
   375		case IPPROTO_ICMPV6:
   376			/* id is same for either direction... */
   377			keyptr = &tuple->src.u.icmp.id;
   378			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   379				min = 0;
   380				range_size = 65536;
   381			} else {
   382				min = ntohs(range->min_proto.icmp.id);
   383				range_size = ntohs(range->max_proto.icmp.id) -
   384					     ntohs(range->min_proto.icmp.id) + 1;
   385			}
   386			goto find_free_id;
   387	#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
   388		case IPPROTO_GRE:
   389			/* If there is no master conntrack we are not PPTP,
   390			   do not change tuples */
   391			if (!ct->master)
   392				return;
   393	
   394			if (maniptype == NF_NAT_MANIP_SRC)
   395				keyptr = &tuple->src.u.gre.key;
   396			else
   397				keyptr = &tuple->dst.u.gre.key;
   398	
   399			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   400				min = 1;
   401				range_size = 65535;
   402			} else {
   403				min = ntohs(range->min_proto.gre.key);
   404				range_size = ntohs(range->max_proto.gre.key) - min + 1;
   405			}
   406			goto find_free_id;
   407	#endif
   408		case IPPROTO_UDP:
   409		case IPPROTO_UDPLITE:
   410		case IPPROTO_TCP:
   411		case IPPROTO_SCTP:
   412		case IPPROTO_DCCP:
   413			if (maniptype == NF_NAT_MANIP_SRC)
   414				keyptr = &tuple->src.u.all;
   415			else
   416				keyptr = &tuple->dst.u.all;
   417	
   418			break;
   419		default:
   420			return;
   421		}
   422	
   423		/* If no range specified... */
   424		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   425			/* If it's dst rewrite, can't change port */
   426			if (maniptype == NF_NAT_MANIP_DST)
   427				return;
   428	
   429			if (ntohs(*keyptr) < 1024) {
   430				/* Loose convention: >> 512 is credential passing */
   431				if (ntohs(*keyptr) < 512) {
   432					min = 1;
   433					range_size = 511 - min + 1;
   434				} else {
   435					min = 600;
   436					range_size = 1023 - min + 1;
   437				}
   438			} else {
   439				min = 1024;
   440				range_size = 65535 - 1024 + 1;
   441			}
   442		} else {
   443			min = ntohs(range->min_proto.all);
   444			max = ntohs(range->max_proto.all);
   445			if (unlikely(max < min))
   446				swap(max, min);
   447			range_size = max - min + 1;
   448		}
   449	
   450	find_free_id:
   451		if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
   452			off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
   453		else
   454			off = prandom_u32();
   455	
   456		attempts = range_size;
   457		if (attempts > max_attempts)
   458			attempts = max_attempts;
   459	
   460		/* We are in softirq; doing a search of the entire range risks
   461		 * soft lockup when all tuples are already used.
   462		 *
   463		 * If we can't find any free port from first offset, pick a new
   464		 * one and try again, with ever smaller search window.
   465		 */
   466	another_round:
   467		for (i = 0; i < attempts; i++, off++) {
   468			*keyptr = htons(min + off % range_size);
   469			if (!nf_nat_used_tuple(tuple, ct))
   470				return;
   471		}
   472	
   473		if (attempts >= range_size || attempts < 16)
   474			return;
   475		attempts /= 2;
   476		off = prandom_u32();
   477		goto another_round;
   478	}
   479	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

Download attachment ".config.gz" of type "application/gzip" (67880 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ