| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Jul 2021 13:23:33 +0800
From: kernel test robot <lkp@...el.com>
To: Cole Dishington <Cole.Dishington@...iedtelesis.co.nz>,
pablo@...filter.org
Cc: kbuild-all@...ts.01.org, kadlec@...filter.org, fw@...len.de,
davem@...emloft.net, kuba@...nel.org, shuah@...nel.org,
linux-kernel@...r.kernel.org, netfilter-devel@...r.kernel.org,
coreteam@...filter.org, netdev@...r.kernel.org
Subject: Re: [PATCH] net: netfilter: Fix port selection of FTP for
NF_NAT_RANGE_PROTO_SPECIFIED
Hi Cole,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
[also build test WARNING on nf/master ipvs/master v5.14-rc3 next-20210727]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210728-112306
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/2e0f4c593d92890a9a5b0098b3f20a6486b4019d
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210728-112306
git checkout 2e0f4c593d92890a9a5b0098b3f20a6486b4019d
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross ARCH=xtensa
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
All warnings (new ones prefixed by >>):
>> net/netfilter/nf_nat_core.c:363:6: warning: no previous prototype for 'nf_nat_l4proto_unique_tuple' [-Wmissing-prototypes]
363 | void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/nf_nat_l4proto_unique_tuple +363 net/netfilter/nf_nat_core.c
357
358 /* Alter the per-proto part of the tuple (depending on maniptype), to
359 * give a unique tuple in the given range if possible.
360 *
361 * Per-protocol part of tuple is initialized to the incoming packet.
362 */
> 363 void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
364 const struct nf_nat_range2 *range,
365 enum nf_nat_manip_type maniptype,
366 const struct nf_conn *ct)
367 {
368 unsigned int range_size, min, max, i, attempts;
369 __be16 *keyptr;
370 u16 off;
371 static const unsigned int max_attempts = 128;
372
373 switch (tuple->dst.protonum) {
374 case IPPROTO_ICMP:
375 case IPPROTO_ICMPV6:
376 /* id is same for either direction... */
377 keyptr = &tuple->src.u.icmp.id;
378 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
379 min = 0;
380 range_size = 65536;
381 } else {
382 min = ntohs(range->min_proto.icmp.id);
383 range_size = ntohs(range->max_proto.icmp.id) -
384 ntohs(range->min_proto.icmp.id) + 1;
385 }
386 goto find_free_id;
387 #if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
388 case IPPROTO_GRE:
389 /* If there is no master conntrack we are not PPTP,
390 do not change tuples */
391 if (!ct->master)
392 return;
393
394 if (maniptype == NF_NAT_MANIP_SRC)
395 keyptr = &tuple->src.u.gre.key;
396 else
397 keyptr = &tuple->dst.u.gre.key;
398
399 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
400 min = 1;
401 range_size = 65535;
402 } else {
403 min = ntohs(range->min_proto.gre.key);
404 range_size = ntohs(range->max_proto.gre.key) - min + 1;
405 }
406 goto find_free_id;
407 #endif
408 case IPPROTO_UDP:
409 case IPPROTO_UDPLITE:
410 case IPPROTO_TCP:
411 case IPPROTO_SCTP:
412 case IPPROTO_DCCP:
413 if (maniptype == NF_NAT_MANIP_SRC)
414 keyptr = &tuple->src.u.all;
415 else
416 keyptr = &tuple->dst.u.all;
417
418 break;
419 default:
420 return;
421 }
422
423 /* If no range specified... */
424 if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
425 /* If it's dst rewrite, can't change port */
426 if (maniptype == NF_NAT_MANIP_DST)
427 return;
428
429 if (ntohs(*keyptr) < 1024) {
430 /* Loose convention: >> 512 is credential passing */
431 if (ntohs(*keyptr) < 512) {
432 min = 1;
433 range_size = 511 - min + 1;
434 } else {
435 min = 600;
436 range_size = 1023 - min + 1;
437 }
438 } else {
439 min = 1024;
440 range_size = 65535 - 1024 + 1;
441 }
442 } else {
443 min = ntohs(range->min_proto.all);
444 max = ntohs(range->max_proto.all);
445 if (unlikely(max < min))
446 swap(max, min);
447 range_size = max - min + 1;
448 }
449
450 find_free_id:
451 if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
452 off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
453 else
454 off = prandom_u32();
455
456 attempts = range_size;
457 if (attempts > max_attempts)
458 attempts = max_attempts;
459
460 /* We are in softirq; doing a search of the entire range risks
461 * soft lockup when all tuples are already used.
462 *
463 * If we can't find any free port from first offset, pick a new
464 * one and try again, with ever smaller search window.
465 */
466 another_round:
467 for (i = 0; i < attempts; i++, off++) {
468 *keyptr = htons(min + off % range_size);
469 if (!nf_nat_used_tuple(tuple, ct))
470 return;
471 }
472
473 if (attempts >= range_size || attempts < 16)
474 return;
475 attempts /= 2;
476 off = prandom_u32();
477 goto another_round;
478 }
479
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Download attachment ".config.gz" of type "application/gzip" (67880 bytes)
Powered by blists - more mailing lists