2022-11-15 00:23:04

by Gleb Mazovetskiy

Subject: [PATCH 1/1] tcp: configurable source port perturb table size

On embedded systems with little memory and no relevant
security concerns, it is beneficial to reduce the size
of the table.

Reducing the size from 2^16 to 2^8 saves 255 KiB
of kernel RAM.

Makes the table size configurable as an expert option.

The size was previously increased from 2^8 to 2^16
in commit 4c2c8f03a5ab ("tcp: increase source port perturb table to
2^16").

Signed-off-by: Gleb Mazovetskiy <[email protected]>
---
net/ipv4/Kconfig | 10 ++++++++++
net/ipv4/inet_hashtables.c | 10 +++++-----
2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index e983bb0c5012..2dfb12230f08 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -402,6 +402,16 @@ config INET_IPCOMP

If unsure, say Y.

+config INET_TABLE_PERTURB_ORDER
+ int "INET: Source port perturbation table size (as power of 2)" if EXPERT
+ default 16
+ help
+ Source port perturbation table size (as power of 2) for
+ RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm.
+
+ The default is almost always what you want.
+ Only change this if you know what you are doing.
+
config INET_XFRM_TUNNEL
tristate
select INET_TUNNEL
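Review bot: INET_TABLE_PERTURB_ORDER has no `range`, so the `int` prompt accepts any value: an order above 31 makes `1 << CONFIG_INET_TABLE_PERTURB_ORDER` shift past the width of an int, and anything well above 16 silently multiplies the allocation (the table is `u32` entries, 4 bytes each, so 2^order * 4 bytes). Add a bound under the default, e.g. `range 8 16`, matching the two sizes the commit message discusses. The help text should also name the trade-off rather than only "know what you are doing": the commit message scopes the reduction to systems with "no relevant security concerns" and the inet_hashtables.c comment says the large table exists because attacks against small ones were demonstrated, so a reader lowering this below 16 should be told they are reducing source-port isolation, not just saving RAM.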
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index d3dc28156622..033bf3c2538f 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -906,13 +906,13 @@ EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
* Note that we use 32bit integers (vs RFC 'short integers')
* because 2^16 is not a multiple of num_ephemeral and this
* property might be used by clever attacker.
+ *
* RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
- * attacks were since demonstrated, thus we use 65536 instead to really
- * give more isolation and privacy, at the expense of 256kB of kernel
- * memory.
+ * attacks were since demonstrated, thus we use 65536 by default instead
+ * to really give more isolation and privacy, at the expense of 256kB
+ * of kernel memory.
*/
-#define INET_TABLE_PERTURB_SHIFT 16
-#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
+#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER)
static u32 *table_perturb;

int __inet_hash_connect(struct inet_timewait_death_row *death_row,
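Review bot: the rewritten comment still hardcodes "65536 by default ... 256kB of kernel memory" while the size now follows CONFIG_INET_TABLE_PERTURB_ORDER; state the cost as a function of the order (2^order `u32` entries, i.e. 256kB at the default 16 and 1kB at 8) so the comment stays accurate for non-default builds. The hunk also drops INET_TABLE_PERTURB_SHIFT entirely instead of redefining it from the Kconfig symbol; the diffstat lists only these two files, so please confirm no other code referenced the shift, otherwise the build breaks for every configuration, not just reduced ones.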
--
2.37.2



2022-11-16 02:11:28

by Kuniyuki Iwashima

Subject: Re: [PATCH 1/1] tcp: configurable source port perturb table size

From: Gleb Mazovetskiy <[email protected]>
Date: Mon, 14 Nov 2022 22:56:16 +0000
> On embedded systems with little memory and no relevant
> security concerns, it is beneficial to reduce the size
> of the table.
>
> Reducing the size from 2^16 to 2^8 saves 255 KiB
> of kernel RAM.
>
> Makes the table size configurable as an expert option.
>
> The size was previously increased from 2^8 to 2^16
> in commit 4c2c8f03a5ab ("tcp: increase source port perturb table to
> 2^16").
>
> Signed-off-by: Gleb Mazovetskiy <[email protected]>

Looks good.

Reviewed-by: Kuniyuki Iwashima <[email protected]>


> ---
> net/ipv4/Kconfig | 10 ++++++++++
> net/ipv4/inet_hashtables.c | 10 +++++-----
> 2 files changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
> index e983bb0c5012..2dfb12230f08 100644
> --- a/net/ipv4/Kconfig
> +++ b/net/ipv4/Kconfig
> @@ -402,6 +402,16 @@ config INET_IPCOMP
>
> If unsure, say Y.
>
> +config INET_TABLE_PERTURB_ORDER
> + int "INET: Source port perturbation table size (as power of 2)" if EXPERT
> + default 16
> + help
> + Source port perturbation table size (as power of 2) for
> + RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm.
> +
> + The default is almost always what you want.
> + Only change this if you know what you are doing.
> +
> config INET_XFRM_TUNNEL
> tristate
> select INET_TUNNEL
> diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
> index d3dc28156622..033bf3c2538f 100644
> --- a/net/ipv4/inet_hashtables.c
> +++ b/net/ipv4/inet_hashtables.c
> @@ -906,13 +906,13 @@ EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
> * Note that we use 32bit integers (vs RFC 'short integers')
> * because 2^16 is not a multiple of num_ephemeral and this
> * property might be used by clever attacker.
> + *
> * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
> - * attacks were since demonstrated, thus we use 65536 instead to really
> - * give more isolation and privacy, at the expense of 256kB of kernel
> - * memory.
> + * attacks were since demonstrated, thus we use 65536 by default instead
> + * to really give more isolation and privacy, at the expense of 256kB
> + * of kernel memory.
> */
> -#define INET_TABLE_PERTURB_SHIFT 16
> -#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
> +#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER)
> static u32 *table_perturb;
>
> int __inet_hash_connect(struct inet_timewait_death_row *death_row,
> --
> 2.37.2

2022-11-16 13:37:34

by patchwork-bot+netdevbpf

Subject: Re: [PATCH 1/1] tcp: configurable source port perturb table size

Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <[email protected]>:

On Mon, 14 Nov 2022 22:56:16 +0000 you wrote:
> On embedded systems with little memory and no relevant
> security concerns, it is beneficial to reduce the size
> of the table.
>
> Reducing the size from 2^16 to 2^8 saves 255 KiB
> of kernel RAM.
>
> [...]

Here is the summary with links:
- [1/1] tcp: configurable source port perturb table size
https://git.kernel.org/netdev/net/c/aeac4ec8f46d

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html