[PATCH v3 0/3] Probe host's ephemeral ports, rather than using RFC values
As discussed on our recent call, this implements basing which ports we consider "ephemeral" on probing the host's settings, rather than just assuming the RFC 6335 recommended values, which are not what Linux uses by default. I think this is more correct, but additionally using the Linux values means we consider more ports ephemeral, reducing kernel memory consumption for -t all -u all.

Changes in v3:
 * Used in_port_t instead of plain uint16_t
 * Considered using sscanf() rather than strchr() + strtol(), but decided against it. I can never remember exactly what is and isn't accepted by scanf(), plus clang-tidy complained about it.

Changes in v2:
 * Add missing close() for the sysctl file

David Gibson (3):
  conf, fwd: Make ephemeral port logic more flexible
  conf, fwd: Don't attempt to forward port 0
  fwd, conf: Probe host's ephemeral ports

 conf.c | 19 +++++++++++----
 fwd.c  | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 fwd.h  |  3 +++
 util.h |  3 ---
 4 files changed, 92 insertions(+), 7 deletions(-)

-- 
2.46.0
"Ephemeral" ports are those which the kernel may allocate as local
port numbers for outgoing connections or datagrams. Because of that,
they're generally not good choices for listening servers to bind to.
Therefore when using -t all, -u all or exclude-only ranges, we map only
non-ephemeral ports. Our logic for this is a bit rigid though: we
assume the ephemeral ports are always a fixed range at the top of the
port number space. We also assume PORT_EPHEMERAL_MIN is a multiple of
8, or we won't set the forward bitmap correctly.
Make the logic in conf.c more flexible, using a helper moved into
fwd.[ch], although we don't change which ports we consider ephemeral
(yet).
The new handling is undoubtedly more computationally expensive, but
since it's a once-off operation at start-up, I don't think it really
matters.
Signed-off-by: David Gibson
When using -t all, -u all or exclude-only ranges, we'll attempt to forward
all non-ephemeral port numbers, including port 0. However, this won't work
as intended: bind() treats a zero port not as literal port 0, but as
"pick a port for me". Because of the special meaning of port 0, we mostly
outright exclude it in our handling.
Do the same for setting up forwards, not attempting to forward for port 0.
Signed-off-by: David Gibson
When we forward "all" ports (-t all or -u all), or use an exclude-only
range, we don't actually forward *all* ports - that wouldn't leave local
ports to use for outgoing connections. Rather we forward all non-ephemeral
ports - those that won't be used for outgoing connections or datagrams.
Currently we assume the range of ephemeral ports is that recommended by
RFC 6335, 49152-65535. However, that's not the range used by default on
Linux, which is 32768-60999, configurable with the
net.ipv4.ip_local_port_range sysctl.
We can't really know what range the guest will consider ephemeral, but if
it differs too much from the host it's likely to cause problems we can't
avoid anyway. So, using the host's ephemeral range is a better guess than
using the RFC 6335 range.
Therefore, add logic to probe the host's ephemeral range, falling back to
the RFC 6335 range if that fails. This has the bonus advantage of
reducing the number of ports bound by -t all -u all on most Linux machines
thereby reducing kernel memory usage. Specifically this reduces kernel
memory usage with -t all -u all from ~380MiB to ~289MiB.
Signed-off-by: David Gibson
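The three commit messages above describe one mechanism: read the host's net.ipv4.ip_local_port_range, fall back to the RFC 6335 range when that is impossible, and then, for -t all, -u all or exclude-only ranges, build a forwarding bitmap that leaves out port 0 and every ephemeral port. The following is an added example written for this page, not passt's code. It parses the sysctl text from a buffer rather than /proc (so it runs anywhere), rejects empty, signed, whitespace-separated, out-of-range and inverted fields, and reports how many ports a "forward all" map covers for a given range. All type and function names are invented for the example, the assumed file format (two decimal fields separated by one tab, optional trailing newline) is stated in the comments, and the sample sysctl strings are constructed.

```c
/* Added example, not passt's code: choose the ephemeral range from the text of
 * net.ipv4.ip_local_port_range (or RFC 6335) and build the "forward all" map. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>		/* in_port_t */

#define NUM_PORTS (1U << 16)
struct ephemeral_range { in_port_t min, max; };
/* RFC 6335 dynamic/private range, 49152-65535, used as the fallback */
static const struct ephemeral_range rfc6335_range = { 49152, NUM_PORTS - 1 };

/* One decimal field: no sign, whitespace or empty field; 0..65535 only */
static bool parse_port_field(const char *s, const char **endp, long *out)
{
	char *end;

	if (*s < '0' || *s > '9')
		return false;
	errno = 0;
	*out = strtol(s, &end, 10);
	if (errno || *out >= (long)NUM_PORTS)
		return false;
	*endp = end;
	return true;
}

/* "MIN\tMAX\n" as the kernel writes it (assumed: a single tab separator,
 * optional trailing newline). Rejects trailing junk and inverted ranges. */
bool parse_local_port_range(const char *line, struct ephemeral_range *r)
{
	const char *p = line;
	long min, max;

	if (!parse_port_field(p, &p, &min) || *p++ != '\t')
		return false;
	if (!parse_port_field(p, &p, &max))
		return false;
	if (*p == '\n')
		p++;
	if (*p || min > max)
		return false;
	r->min = (in_port_t)min;
	r->max = (in_port_t)max;
	return true;
}

/* Host's range if it parses, RFC 6335 otherwise; NULL models an open() error */
struct ephemeral_range choose_ephemeral_range(const char *sysctl_text)
{
	struct ephemeral_range r;

	if (sysctl_text && parse_local_port_range(sysctl_text, &r))
		return r;
	return rfc6335_range;
}

/* One bit per port, port 0 and ephemeral ports clear; returns the count set */
unsigned build_forward_all_map(const struct ephemeral_range *r,
			       uint8_t map[NUM_PORTS / 8])
{
	unsigned port, count = 0;

	memset(map, 0, NUM_PORTS / 8);
	for (port = 1; port < NUM_PORTS; port++) {
		if (port >= r->min && port <= r->max)
			continue;		/* ephemeral: left to the kernel */
		map[port / 8] |= (uint8_t)(1U << (port % 8));
		count++;
	}
	return count;
}

static uint8_t fwd_map[NUM_PORTS / 8];	/* scratch map for the wrappers below */

unsigned forward_all_count(const char *sysctl_text)
{
	struct ephemeral_range r = choose_ephemeral_range(sysctl_text);

	return build_forward_all_map(&r, fwd_map);
}

bool forward_all_has(const char *sysctl_text, in_port_t port)
{
	forward_all_count(sysctl_text);		/* rebuilds fwd_map */
	return fwd_map[port / 8] & (1U << (port % 8));
}

int main(void)
{
	const char *host = "32768\t60999\n";	/* constructed Linux default */
	printf("forwarded: %u (Linux default), %u (RFC 6335 fallback); port 0: %d\n",
	       forward_all_count(host), forward_all_count("bogus"), forward_all_has(host, 0));
	return 0;
}
```

With the Linux default range the map covers 37303 ports, against 49151 for the RFC 6335 fallback, which is the memory saving the cover letter refers to in reverse: the wider Linux range leaves fewer ports to bind. The first-character check in parse_port_field() is what makes an empty or signed field fail; plain strtol() would accept both and silently yield 0 for an empty one.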
On 29/08/2024 11:58, David Gibson wrote:
When we forward "all" ports (-t all or -u all), or use an exclude-only range, we don't actually forward *all* ports - that wouldn't leave local ports to use for outgoing connections. Rather we forward all non-ephemeral ports - those that won't be used for outgoing connections or datagrams.
Currently we assume the range of ephemeral ports is that recommended by RFC 6335, 49152-65535. However, that's not the range used by default on Linux, which is 32768-60999, configurable with the net.ipv4.ip_local_port_range sysctl.
We can't really know what range the guest will consider ephemeral, but if it differs too much from the host it's likely to cause problems we can't avoid anyway. So, using the host's ephemeral range is a better guess than using the RFC 6335 range.
Therefore, add logic to probe the host's ephemeral range, falling back to the RFC 6335 range if that fails. This has the bonus advantage of reducing the number of ports bound by -t all -u all on most Linux machines thereby reducing kernel memory usage. Specifically this reduces kernel memory usage with -t all -u all from ~380MiB to ~289MiB.
Signed-off-by: David Gibson
--- conf.c | 1 + fwd.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- fwd.h | 1 + 3 files changed, 61 insertions(+), 2 deletions(-) diff --git a/conf.c b/conf.c index 3eb117ff..b2758864 100644 --- a/conf.c +++ b/conf.c @@ -1721,6 +1721,7 @@ void conf(struct ctx *c, int argc, char **argv) /* Inbound port options & DNS can be parsed now (after IPv4/IPv6 * settings) */ + fwd_probe_ephemeral(); udp_portmap_clear(); optind = 0; do { diff --git a/fwd.c b/fwd.c index 8fa312a7..a5050980 100644 --- a/fwd.c +++ b/fwd.c @@ -28,8 +28,65 @@ #include "flow_table.h"
/* Empheral port range: values from RFC 6335 */ -static const in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14); -static const in_port_t fwd_ephemeral_max = NUM_PORTS - 1; +static in_port_t fwd_ephemeral_min = (1 << 15) + (1 << 14); +static in_port_t fwd_ephemeral_max = NUM_PORTS - 1; + +#define PORT_RANGE_SYSCTL "/proc/sys/net/ipv4/ip_local_port_range" + +/** fwd_probe_ephemeral() - Determine what ports this host considers ephemeral + * + * Work out what ports the host thinks are emphemeral and record it for later + * use by fwd_port_is_ephemeral(). If we're unable to probe, assume the range + * recommended by RFC 6335. + */ +void fwd_probe_ephemeral(void) +{ + char *line, *tab, *end; + struct lineread lr; + long min, max; + ssize_t len; + int fd; + + fd = open(PORT_RANGE_SYSCTL, O_RDONLY | O_CLOEXEC); + if (fd < 0) { + warn_perror("Unable to open %s", PORT_RANGE_SYSCTL); + return; + } + + lineread_init(&lr, fd); + len = lineread_get(&lr, &line); + close(fd); + + if (len < 0) + goto parse_err; + + tab = strchr(line, '\t'); + if (!tab) + goto parse_err; + *tab = '\0'; + + errno = 0; + min = strtol(line, &end, 10); + if (*end || errno) + goto parse_err; + + errno = 0; + max = strtol(tab + 1, &end, 10); + if (*end || errno) + goto parse_err; + + if (min < 0 || min >= NUM_PORTS || + max < 0 || max >= NUM_PORTS) + goto parse_err; + + fwd_ephemeral_min = min; + fwd_ephemeral_max = max; + + return; + +parse_err: + warn("Unable to parse %s", PORT_RANGE_SYSCTL); +}
/** * fwd_port_is_ephemeral() - Is port number ephemeral? diff --git a/fwd.h b/fwd.h index 99dd66cf..3562f3ca 100644 --- a/fwd.h +++ b/fwd.h @@ -12,6 +12,7 @@ struct flowside; /* Number of ports for both TCP and UDP */ #define NUM_PORTS (1U << 16)
+void fwd_probe_ephemeral(void); bool fwd_port_is_ephemeral(in_port_t port);
enum fwd_ports_mode {
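Review bot: in the conf.c hunk, fwd_probe_ephemeral() is called unconditionally, so on a host where /proc/sys/net/ipv4/ip_local_port_range cannot be opened or parsed the warn_perror()/warn() in fwd.c fire on every start-up even when neither -t all, -u all nor an exclude-only range is given and the ephemeral range is never consulted; consider probing lazily from the first fwd_port_is_ephemeral() call, or logging at a lower level when no such option is in use. The position after the first option-parsing pass is otherwise fine, since the probe depends on no earlier setting.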
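Review bot: in the fwd.c hunk, fwd_probe_ephemeral() bounds each value to 0..NUM_PORTS-1 but never checks min <= max, and the `if (*end || errno)` tests after each strtol() accept an empty field (strtol() of "" returns 0 with *end == '\0' and errno untouched), so a line such as "\t60999" would silently set fwd_ephemeral_min to 0; suggest `if (end == line || *end || errno)` for the first field, the equivalent `end == tab + 1` for the second, and `min > max` added to the range check before the values are stored. The max-field parse also relies on lineread_get() having stripped the trailing newline, otherwise *end is '\n' and every probe ends in warn(); a comment stating that guarantee would help the next reader. Minor: the comment carried over from the old code still says "Empheral" and the new kerneldoc says "emphemeral"; both should be "ephemeral".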
Reviewed-by: Laurent Vivier
On Thu, 29 Aug 2024 19:58:44 +1000, David Gibson wrote:
As discussed on our recent call, this implements basing which ports we consider "ephemeral" on probing the host's settings, rather than just assuming the RFC 6335 recommended values, which are not what Linux uses by default.
I think this is more correct, but additionally using the Linux values means we consider more ports ephemeral, reducing kernel memory consumption for -t all -u all.
Changes in v3:
 * Used in_port_t instead of plain uint16_t
 * Considered using sscanf() rather than strchr() + strtol(), but decided against it. I can never remember exactly what is and isn't accepted by scanf(), plus clang-tidy complained about it.

Changes in v2:
 * Add missing close() for the sysctl file
Applied. -- Stefano