On embedded systems with little memory and no relevant
security concerns, it is beneficial to reduce the size
of the table.
Reducing the size from 2^16 to 2^8 saves 255 KiB
of kernel RAM.
Makes the table size configurable as an expert option.
The size was previously increased from 2^8 to 2^16
in commit 4c2c8f03a5ab ("tcp: increase source port perturb table to
2^16").
Signed-off-by: Gleb Mazovetskiy <[email protected]>
---
net/ipv4/Kconfig | 10 ++++++++++
net/ipv4/inet_hashtables.c | 10 +++++-----
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index e983bb0c5012..2dfb12230f08 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -402,6 +402,16 @@ config INET_IPCOMP
If unsure, say Y.
+config INET_TABLE_PERTURB_ORDER
+ int "INET: Source port perturbation table size (as power of 2)" if EXPERT
+ default 16
+ help
+ Source port perturbation table size (as power of 2) for
+ RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm.
+
+ The default is almost always what you want.
+ Only change this if you know what you are doing.
+
config INET_XFRM_TUNNEL
tristate
select INET_TUNNEL
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index d3dc28156622..033bf3c2538f 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -906,13 +906,13 @@ EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
* Note that we use 32bit integers (vs RFC 'short integers')
* because 2^16 is not a multiple of num_ephemeral and this
* property might be used by clever attacker.
+ *
* RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
- * attacks were since demonstrated, thus we use 65536 instead to really
- * give more isolation and privacy, at the expense of 256kB of kernel
- * memory.
+ * attacks were since demonstrated, thus we use 65536 by default instead
+ * to really give more isolation and privacy, at the expense of 256kB
+ * of kernel memory.
*/
-#define INET_TABLE_PERTURB_SHIFT 16
-#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
+#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER)
static u32 *table_perturb;
int __inet_hash_connect(struct inet_timewait_death_row *death_row,
--
2.37.2
From: Gleb Mazovetskiy <[email protected]>
Date: Mon, 14 Nov 2022 22:56:16 +0000
> On embedded systems with little memory and no relevant
> security concerns, it is beneficial to reduce the size
> of the table.
>
> Reducing the size from 2^16 to 2^8 saves 255 KiB
> of kernel RAM.
>
> Makes the table size configurable as an expert option.
>
> The size was previously increased from 2^8 to 2^16
> in commit 4c2c8f03a5ab ("tcp: increase source port perturb table to
> 2^16").
>
> Signed-off-by: Gleb Mazovetskiy <[email protected]>
Looks good.
Reviewed-by: Kuniyuki Iwashima <[email protected]>
> ---
> net/ipv4/Kconfig | 10 ++++++++++
> net/ipv4/inet_hashtables.c | 10 +++++-----
> 2 files changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
> index e983bb0c5012..2dfb12230f08 100644
> --- a/net/ipv4/Kconfig
> +++ b/net/ipv4/Kconfig
> @@ -402,6 +402,16 @@ config INET_IPCOMP
>
> If unsure, say Y.
>
> +config INET_TABLE_PERTURB_ORDER
> + int "INET: Source port perturbation table size (as power of 2)" if EXPERT
> + default 16
> + help
> + Source port perturbation table size (as power of 2) for
> + RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm.
> +
> + The default is almost always what you want.
> + Only change this if you know what you are doing.
> +
> config INET_XFRM_TUNNEL
> tristate
> select INET_TUNNEL
> diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
> index d3dc28156622..033bf3c2538f 100644
> --- a/net/ipv4/inet_hashtables.c
> +++ b/net/ipv4/inet_hashtables.c
> @@ -906,13 +906,13 @@ EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
> * Note that we use 32bit integers (vs RFC 'short integers')
> * because 2^16 is not a multiple of num_ephemeral and this
> * property might be used by clever attacker.
> + *
> * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
> - * attacks were since demonstrated, thus we use 65536 instead to really
> - * give more isolation and privacy, at the expense of 256kB of kernel
> - * memory.
> + * attacks were since demonstrated, thus we use 65536 by default instead
> + * to really give more isolation and privacy, at the expense of 256kB
> + * of kernel memory.
> */
> -#define INET_TABLE_PERTURB_SHIFT 16
> -#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
> +#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER)
> static u32 *table_perturb;
>
> int __inet_hash_connect(struct inet_timewait_death_row *death_row,
> --
> 2.37.2
Hello:
This patch was applied to netdev/net.git (master)
by David S. Miller <[email protected]>:
On Mon, 14 Nov 2022 22:56:16 +0000 you wrote:
> On embedded systems with little memory and no relevant
> security concerns, it is beneficial to reduce the size
> of the table.
>
> Reducing the size from 2^16 to 2^8 saves 255 KiB
> of kernel RAM.
>
> [...]
Here is the summary with links:
- [1/1] tcp: configurable source port perturb table size
https://git.kernel.org/netdev/net/c/aeac4ec8f46d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html