From: kernel test robot <lkp@intel.com>
To: Cole Dishington <Cole.Dishington@alliedtelesis.co.nz>,
	pablo@netfilter.org
Cc: kbuild-all@lists.01.org, kadlec@netfilter.org, fw@strlen.de,
	davem@davemloft.net, kuba@kernel.org, shuah@kernel.org,
	linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org, netdev@vger.kernel.org
Subject: Re: [PATCH] net: netfilter: Fix port selection of FTP for NF_NAT_RANGE_PROTO_SPECIFIED
Date: Wed, 28 Jul 2021 13:23:33 +0800	[thread overview]
Message-ID: <202107281353.pGmCqOxp-lkp@intel.com> (raw)
In-Reply-To: <20210728032134.21983-1-Cole.Dishington@alliedtelesis.co.nz>

[-- Attachment #1: Type: text/plain, Size: 5890 bytes --]

Hi Cole,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on nf-next/master]
[also build test WARNING on nf/master ipvs/master v5.14-rc3 next-20210727]
[If your patch is applied to the wrong git tree, kindly drop us a note.
When submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210728-112306
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: xtensa-allyesconfig (attached as .config)
compiler: xtensa-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
        # Fetch the lkp-tests cross-build wrapper into ~/bin.
        # NOTE(review): the URL tracks the master branch, so the script's
        # content is not pinned; read it (or pin it to a commit) before
        # making it executable and running it.
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/2e0f4c593d92890a9a5b0098b3f20a6486b4019d
        git remote add linux-review https://github.com/0day-ci/linux
        # Fetch only the branch that carries the patch under test, without tags.
        git fetch --no-tags linux-review Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210728-112306
        # Check out the exact commit the warning was reported against.
        git checkout 2e0f4c593d92890a9a5b0098b3f20a6486b4019d
        # save the attached .config to linux build tree
        # Run the W=1 cross build for xtensa through the wrapper.
        # NOTE(review): presumably make.cross obtains the gcc-10.3.0 toolchain
        # under COMPILER_INSTALL_PATH itself -- confirm what it downloads.
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross ARCH=xtensa 

If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

>> net/netfilter/nf_nat_core.c:363:6: warning: no previous prototype for 'nf_nat_l4proto_unique_tuple' [-Wmissing-prototypes]
     363 | void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
         |      ^~~~~~~~~~~~~~~~~~~~~~~~~~~


vim +/nf_nat_l4proto_unique_tuple +363 net/netfilter/nf_nat_core.c

   357	
   358	/* Alter the per-proto part of the tuple (depending on maniptype), to
   359	 * give a unique tuple in the given range if possible.
   360	 *
   361	 * Per-protocol part of tuple is initialized to the incoming packet.
      	 *
      	 * The key is rewritten in place through keyptr and nothing is returned:
      	 * when every probed candidate is reported in use by nf_nat_used_tuple(),
      	 * the tuple is left holding the last candidate tried, so this function
      	 * alone does not tell the caller whether the final tuple is unique.
      	 *
      	 * NOTE(review): the W=1 build flags this definition with
      	 * -Wmissing-prototypes: it has external linkage but no declaration is
      	 * visible before it. Presumably it needs either 'static' or a prototype
      	 * in a header shared with its callers -- confirm against the patch.
   362	 */
 > 363	void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
   364					 const struct nf_nat_range2 *range,
   365					 enum nf_nat_manip_type maniptype,
   366					 const struct nf_conn *ct)
   367	{
   368		unsigned int range_size, min, max, i, attempts;
   369		__be16 *keyptr;
   370		u16 off;
   371		static const unsigned int max_attempts = 128;
   372	
      		/* Pick the 16-bit field to rewrite (keyptr). ICMP and GRE also set
      		 * min/range_size here and jump straight to the search; the
      		 * port-based protocols fall out of the switch to the range
      		 * selection below.
      		 */
   373		switch (tuple->dst.protonum) {
   374		case IPPROTO_ICMP:
   375		case IPPROTO_ICMPV6:
   376			/* id is same for either direction... */
   377			keyptr = &tuple->src.u.icmp.id;
   378			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   379				min = 0;
   380				range_size = 65536;
   381			} else {
      				/* NOTE(review): unlike the port case below, min and
      				 * max are not swapped here (nor for the GRE key
      				 * range); assumes max >= min is enforced where the
      				 * range is set up -- confirm.
      				 */
   382				min = ntohs(range->min_proto.icmp.id);
   383				range_size = ntohs(range->max_proto.icmp.id) -
   384					     ntohs(range->min_proto.icmp.id) + 1;
   385			}
   386			goto find_free_id;
   387	#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
   388		case IPPROTO_GRE:
   389			/* If there is no master conntrack we are not PPTP,
   390			   do not change tuples */
   391			if (!ct->master)
   392				return;
   393	
   394			if (maniptype == NF_NAT_MANIP_SRC)
   395				keyptr = &tuple->src.u.gre.key;
   396			else
   397				keyptr = &tuple->dst.u.gre.key;
   398	
   399			if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   400				min = 1;
   401				range_size = 65535;
   402			} else {
   403				min = ntohs(range->min_proto.gre.key);
   404				range_size = ntohs(range->max_proto.gre.key) - min + 1;
   405			}
   406			goto find_free_id;
   407	#endif
   408		case IPPROTO_UDP:
   409		case IPPROTO_UDPLITE:
   410		case IPPROTO_TCP:
   411		case IPPROTO_SCTP:
   412		case IPPROTO_DCCP:
   413			if (maniptype == NF_NAT_MANIP_SRC)
   414				keyptr = &tuple->src.u.all;
   415			else
   416				keyptr = &tuple->dst.u.all;
   417	
   418			break;
   419		default:
      			/* Any other protocol: leave the tuple untouched. */
   420			return;
   421		}
   422	
   423		/* If no range specified... */
   424		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
   425			/* If it's dst rewrite, can't change port */
   426			if (maniptype == NF_NAT_MANIP_DST)
   427				return;
   428	
      			/* Keep the rewritten source port in the same band as the
      			 * original one: 1-511, 600-1023 or 1024-65535.
      			 */
   429			if (ntohs(*keyptr) < 1024) {
   430				/* Loose convention: >> 512 is credential passing */
   431				if (ntohs(*keyptr) < 512) {
   432					min = 1;
   433					range_size = 511 - min + 1;
   434				} else {
   435					min = 600;
   436					range_size = 1023 - min + 1;
   437				}
   438			} else {
   439				min = 1024;
   440				range_size = 65535 - 1024 + 1;
   441			}
   442		} else {
      			/* Explicit port range: tolerate a reversed min/max pair by
      			 * swapping, so range_size is at least 1.
      			 */
   443			min = ntohs(range->min_proto.all);
   444			max = ntohs(range->max_proto.all);
   445			if (unlikely(max < min))
   446				swap(max, min);
   447			range_size = max - min + 1;
   448		}
   449	
   450	find_free_id:
      		/* Starting offset: with NF_NAT_RANGE_PROTO_OFFSET it is derived from
      		 * the current key relative to base_proto, otherwise it is random.
      		 * off is u16, so the prandom_u32() value is truncated to 16 bits.
      		 */
   451		if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
   452			off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
   453		else
   454			off = prandom_u32();
   455	
      		/* Probe at most max_attempts candidates in the first round. */
   456		attempts = range_size;
   457		if (attempts > max_attempts)
   458			attempts = max_attempts;
   459	
   460		/* We are in softirq; doing a search of the entire range risks
   461		 * soft lockup when all tuples are already used.
   462		 *
   463		 * If we can't find any free port from first offset, pick a new
   464		 * one and try again, with ever smaller search window.
   465		 */
   466	another_round:
      		/* Each candidate is min + (off % range_size), written into the
      		 * tuple before it is checked; the first one not in use is kept.
      		 */
   467		for (i = 0; i < attempts; i++, off++) {
   468			*keyptr = htons(min + off % range_size);
   469			if (!nf_nat_used_tuple(tuple, ct))
   470				return;
   471		}
   472	
      		/* Give up once a pass has covered the whole range or the window has
      		 * shrunk below 16; otherwise halve the window and restart from a
      		 * fresh random offset.
      		 */
   473		if (attempts >= range_size || attempts < 16)
   474			return;
   475		attempts /= 2;
   476		off = prandom_u32();
   477		goto another_round;
   478	}
   479	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 67880 bytes --]
