| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20221221-sockopt-port-range-v2-0-1d5f114bf627@cloudflare.com>
Date: Tue, 10 Jan 2023 14:37:28 +0100
From: Jakub Sitnicki <jakub@...udflare.com>
To: netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Kuniyuki Iwashima <kuniyu@...zon.com>,
kernel-team@...udflare.com
Subject: [PATCH net-next v2 0/2] Add IP_LOCAL_PORT_RANGE socket option
This patch set is a follow up to the "How to share IPv4 addresses by
partitioning the port space" talk given at LPC 2022 [1].
Please see patch #1 for the motivation & the use case description.
Patch #2 adds tests exercising the new option in various scenarios.
Documentation
-------------
Proposed update to the ip(7) man-page:
IP_LOCAL_PORT_RANGE (since Linux X.Y)
Set or get the per-socket default local port range. This
option can be used to clamp down the global local port
range, defined by the ip_local_port_range /proc inter‐
face described below, for a given socket.
The option takes an uint32_t value with the high 16 bits
set to the upper range bound, and the low 16 bits set to
the lower range bound. Range bounds are inclusive.
The lower bound has to be less than the upper bound when
both bounds are not zero. Otherwise, setting the option
fails with EINVAL.
If either bound is outside of the global local port
range, or is zero, then that bound has no effect.
To reset the setting, pass zero as both the upper and
the lower bound.
Changelog:
---------
v1 -> v2:
v1: https://lore.kernel.org/netdev/20221221-sockopt-port-range-v1-0-e2b094b60ffd@cloudflare.com/
* Fix the corner case when the per-socket range doesn't overlap with the
per-netns range. Fallback correctly to the per-netns range. (Kuniyuki)
* selftests: Instead of iterating over socket families (ip4, ip6) and types
(tcp, udp), generate tests for each combo from a template. This keeps the
code indentation level down and makes tests more granular.
* Rewrite man-page prose:
- explain how to unset the option,
- document when EINVAL is returned.
RFC -> v1
RFC: https://lore.kernel.org/netdev/20220912225308.93659-1-jakub@cloudflare.com/
* Allow either the high bound or the low bound, or both, to be zero
* Add getsockopt support
* Add selftests
Links:
------
[1]: https://lpc.events/event/16/contributions/1349/
To: netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>
Cc: Eric Dumazet <edumazet@...gle.com>
Cc: Jakub Kicinski <kuba@...nel.org>
Cc: Paolo Abeni <pabeni@...hat.com>
Cc: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: kernel-team@...udflare.com
Signed-off-by: Jakub Sitnicki <jakub@...udflare.com>
---
Jakub Sitnicki (2):
inet: Add IP_LOCAL_PORT_RANGE socket option
selftests/net: Cover the IP_LOCAL_PORT_RANGE socket option
include/net/inet_sock.h | 4 +
include/net/ip.h | 3 +-
include/uapi/linux/in.h | 1 +
net/ipv4/inet_connection_sock.c | 25 +-
net/ipv4/inet_hashtables.c | 2 +-
net/ipv4/ip_sockglue.c | 18 +
net/ipv4/udp.c | 2 +-
tools/testing/selftests/net/Makefile | 2 +
tools/testing/selftests/net/ip_local_port_range.c | 439 +++++++++++++++++++++
tools/testing/selftests/net/ip_local_port_range.sh | 5 +
10 files changed, 496 insertions(+), 5 deletions(-)
---
base-commit: a3ae16030a0320229df10cedfeff1f80df26ee76
change-id: 20221221-sockopt-port-range-e142de700f4d
Best regards,
--
Jakub Sitnicki <jakub@...udflare.com>
Powered by blists - more mailing lists