From patchwork Mon Nov 14 22:56:16 2022
X-Patchwork-Submitter: Gleb Mazovetskiy
X-Patchwork-Id: 20060
From: Gleb Mazovetskiy
To: "David S. Miller", Hideaki YOSHIFUJI, David Ahern, Eric Dumazet, Jakub Kicinski, Paolo Abeni
Cc: Paul Cercueil, Gleb Mazovetskiy, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/1] tcp: configurable source port perturb table size
Date: Mon, 14 Nov 2022 22:56:16 +0000
Message-Id: <20221114225616.16715-1-glex.spb@gmail.com>
X-Mailer: git-send-email 2.37.2
X-Mailing-List: linux-kernel@vger.kernel.org

On embedded systems with little memory and no relevant security concerns, it is beneficial to reduce the size of the table. Reducing the size from 2^16 to 2^8 saves 255 KiB of kernel RAM. Makes the table size configurable as an expert option. The size was previously increased from 2^8 to 2^16 in commit 4c2c8f03a5ab ("tcp: increase source port perturb table to 2^16").

Signed-off-by: Gleb Mazovetskiy
Reviewed-by: Kuniyuki Iwashima
--- net/ipv4/Kconfig | 10 ++++++++++ net/ipv4/inet_hashtables.c | 10 +++++----- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig index e983bb0c5012..2dfb12230f08 100644 --- a/net/ipv4/Kconfig +++ b/net/ipv4/Kconfig
@@ -402,6 +402,16 @@ config INET_IPCOMP If unsure, say Y. +config INET_TABLE_PERTURB_ORDER + int "INET: Source port perturbation table size (as power of 2)" if EXPERT + default 16 + help + Source port perturbation table size (as power of 2) for + RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm. + + The default is almost always what you want. + Only change this if you know what you are doing. + config INET_XFRM_TUNNEL tristate select INET_TUNNEL diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c index d3dc28156622..033bf3c2538f 100644 --- a/net/ipv4/inet_hashtables.c +++ b/net/ipv4/inet_hashtables.c @@ -906,13 +906,13 @@ EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr); * Note that we use 32bit integers (vs RFC 'short integers') * because 2^16 is not a multiple of num_ephemeral and this * property might be used by clever attacker. + * * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though - * attacks were since demonstrated, thus we use 65536 instead to really - * give more isolation and privacy, at the expense of 256kB of kernel - * memory. + * attacks were since demonstrated, thus we use 65536 by default instead + * to really give more isolation and privacy, at the expense of 256kB + * of kernel memory. */ -#define INET_TABLE_PERTURB_SHIFT 16 -#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT) +#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER) static u32 *table_perturb; int __inet_hash_connect(struct inet_timewait_death_row *death_row,
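Review bot: the new INET_TABLE_PERTURB_ORDER option in the Kconfig hunk has no `range` clause, so any integer is accepted and then expanded as `1 << CONFIG_INET_TABLE_PERTURB_ORDER` in inet_hashtables.c, where a value of 32 or more is an undefined shift on a 32-bit value and 0 gives a one-entry table; add a `range` (the two values the tree has actually used, 8 and 16, are a sensible floor and default, with an explicit upper bound) so the build rejects nonsense. The help text also only says "Only change this if you know what you are doing" without naming the trade-off that the commit message and the in-code comment ("isolation and privacy") both spell out; one sentence giving the cost per bucket (the table is `u32`, so 4 bytes times 2^order, 256 kB at the default) and the privacy cost of a smaller table would let a board maintainer decide.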
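Review bot: the rewritten comment in the inet_hashtables.c hunk still hardcodes "65536" and "256kB" even though the size now comes from CONFIG_INET_TABLE_PERTURB_ORDER, so it goes stale the moment the default changes; phrase it in terms of the option, for example "we use 2^CONFIG_INET_TABLE_PERTURB_ORDER entries (65536 by default, 256kB of kernel memory)". The hunk also removes INET_TABLE_PERTURB_SHIFT outright and the diffstat shows no other file touched, so please confirm nothing else in the tree still references that macro before this lands.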
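As an added example (not code from the patch or the kernel), here is the RFC 6056 Algorithm 4 double-hash port selection the Kconfig help text refers to, with the table order as a parameter and the memory cost of each order worked out; the keyed hash, the port bitmap and the addresses are constructed stand-ins, not the kernel's implementation.

```c
/* Added example, not code from the patch: RFC 6056 Algorithm 4 (double-hash
 * port selection) with the perturbation table order as a parameter, to show
 * what CONFIG_INET_TABLE_PERTURB_ORDER controls and what it costs in memory.
 * The keyed hash and the port bitmap are constructed stand-ins, not the kernel's. */
#include <stdint.h>
#include <stdio.h>
#define MIN_EPHEMERAL 32768u
#define NUM_EPHEMERAL 28232u   /* ports 32768..60999, a common default range */

/* Bytes the table costs for a given order: one u32 counter per bucket. */
static size_t perturb_table_bytes(unsigned order) { return sizeof(uint32_t) << order; }
/* KiB saved by shrinking the table from one order to a smaller one. */
static size_t perturb_saving_kib(unsigned from, unsigned to) { return (perturb_table_bytes(from) - perturb_table_bytes(to)) / 1024; }

/* Constructed keyed hash (FNV-1a over the tuple and a secret); the RFC leaves the hash to the implementer. */
static uint32_t tuple_hash(uint32_t saddr, uint32_t daddr, uint16_t dport, uint32_t secret)
{
    uint32_t h = 2166136261u ^ secret, words[3] = { saddr, daddr, dport };
    const unsigned char *p = (const unsigned char *)words;
    for (size_t i = 0; i < sizeof(words); i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static unsigned char used_ports[65536 / 8];   /* constructed local-port bitmap */
static void mark_port_used(uint16_t port) { used_ports[port >> 3] |= (unsigned char)(1u << (port & 7)); }
static int port_is_used(uint16_t port) { return (used_ports[port >> 3] >> (port & 7)) & 1; }
struct perturb_state { uint32_t *table; unsigned order; };

/* Algorithm 4: one hash gives the offset, a second picks the bucket whose counter
 * advances on every selection, so repeated connections to the same destination do
 * not take consecutive ports. A smaller order makes more destinations share a bucket. */
static uint16_t select_port(struct perturb_state *st, uint32_t saddr, uint32_t daddr, uint16_t dport)
{
    uint32_t offset = tuple_hash(saddr, daddr, dport, 0xA5A5A5A5u);
    uint32_t index = tuple_hash(saddr, daddr, dport, 0x5A5A5A5Au) & ((1u << st->order) - 1);
    for (uint32_t count = NUM_EPHEMERAL; count > 0; count--) {
        uint16_t port = (uint16_t)(MIN_EPHEMERAL + (offset + st->table[index]++) % NUM_EPHEMERAL);
        if (!port_is_used(port)) return port;
    }
    return 0;   /* every ephemeral port is in use */
}
int main(void)
{
    uint32_t table[1u << 8] = { 0 };   /* order 8, as in the commit message */
    struct perturb_state st = { table, 8 };
    uint16_t first = select_port(&st, 0x0A000001u, 0x0A000002u, 443);
    mark_port_used(first);
    printf("order 16 -> 8 saves %zu KiB; ports %u then %u\n", perturb_saving_kib(16, 8), first,
           select_port(&st, 0x0A000001u, 0x0A000002u, 443));
    return 0;
}
```

With order 8 every destination hashes into one of only 256 counters, which is the isolation the in-code comment trades for the 255 KiB the commit message saves.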