git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 15 Nov 2018 09:22:59 +0000 (10:22 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 8 Feb 2022 17:23:11 +0000 (18:23 +0100)
commit	ffebec7f45128dbcc0d11ea1695fbea08f42c3f4
tree	5651de4657ff03dc5c0ea0ec306e8996e608e1cb	tree
parent	08ed3cabc07e9f6035466e33fbdfad1978e05e06	commit \| diff

netfilter: nat: remove l4 protocol port rovers

commit 6ed5943f8735e2b778d92ea4d9805c0a1d89bc2b upstream.

This is a leftover from days where single-cpu systems were common:
Store last port used to resolve a clash to use it as a starting point when
the next conflict needs to be resolved.

When we have parallel attempt to connect to same address:port pair,
its likely that both cores end up computing the same "available" port,
as both use same starting port, and newly used ports won't become
visible to other cores until the conntrack gets confirmed later.

One of the cores then has to drop the packet at insertion time because
the chosen new tuple turns out to be in use after all.

Lets simplify this: remove port rover and use a pseudo-random starting
point.

Note that this doesn't make netfilter default to 'fully random' mode;
the 'rover' was only used if NAT could not reuse source port as-is.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/net/netfilter/nf_nat_l4proto.h		diff \| blob \| blame \| history
net/netfilter/nf_nat_proto_common.c		diff \| blob \| blame \| history
net/netfilter/nf_nat_proto_dccp.c		diff \| blob \| blame \| history
net/netfilter/nf_nat_proto_sctp.c		diff \| blob \| blame \| history
net/netfilter/nf_nat_proto_tcp.c		diff \| blob \| blame \| history
net/netfilter/nf_nat_proto_udp.c		diff \| blob \| blame \| history