From 44ad4214b1936868befa933fa234da481c3fbeb5 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 14 Jul 2025 15:40:48 +0200
Subject: [PATCH] daemon: add configurability for low source port check

In commit c0482d5a8a this check was added. Now one can e.g. disable by
> require('ffi').C.the_network.min_udp_source_port = 0
(typically used inside YAML config at /lua/script or /lua/script-file)
---
 daemon/io.c | 4 +---
 daemon/lua/kres-gen-33.lua | 1 +
 daemon/network.c | 1 +
 daemon/network.h | 3 +++
 4 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/daemon/io.c b/daemon/io.c
index 3f0f1065e..fa99ac036 100644
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -78,9 +78,7 @@ void udp_recv(uv_udp_t *handle, ssize_t nread, const uv_buf_t *buf,
 		}
 	}
 
-	// We're aware of no use cases for low source ports,
-	// and they might be useful for attacks with spoofed source IPs.
-	if (!s->outgoing && kr_inaddr_port(comm_addr) < 1024) {
+	if (!s->outgoing && kr_inaddr_port(comm_addr) < the_network->min_udp_source_port) {
 		kr_log_debug(IO, "<= ignoring UDP from suspicious port: '%s'\n",
 			     kr_straddr(comm_addr));
 		return;
diff --git a/daemon/lua/kres-gen-33.lua b/daemon/lua/kres-gen-33.lua
index efe0d6856..83269222c 100644
--- a/daemon/lua/kres-gen-33.lua
+++ b/daemon/lua/kres-gen-33.lua
@@ -608,6 +608,7 @@ struct network {
 		int rcv;
 	} listen_tcp_buflens;
 	_Bool enable_connect_udp;
+	uint16_t min_udp_source_port;
 };
 struct args *the_args;
 struct endpoint {
diff --git a/daemon/network.c b/daemon/network.c
index 5551b15a0..9bedfc929 100644
--- a/daemon/network.c
+++ b/daemon/network.c
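Review bot: The rationale comment was removed from `udp_recv` together with the `1024` literal, so the condition on the new `+` line now reads a mutable global with nothing nearby saying why the check exists, that `0` turns it off, or where the default comes from. A one-line comment keeps that next to the code: `// Drop incoming UDP from source ports below the configured threshold (0 disables it; default set in network_init()).` Assuming `kr_inaddr_port()` returns an unsigned port value, the `<` comparison against a `uint16_t` of `0` can never be true, which is what makes the "set to 0 to disable" usage from the commit message work without an extra branch — worth stating explicitly. `udp_recv` begins and ends outside this hunk.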
@@ -79,6 +79,7 @@ void network_init(uv_loop_t *loop, int tcp_backlog)
 	the_network->tcp.user_timeout = 1000; // 1s should be more than enough
 	the_network->tcp_backlog = tcp_backlog;
 	the_network->enable_connect_udp = true;
+	the_network->min_udp_source_port = 1024;
 
 	// On Linux, unset means some auto-tuning mechanism also depending on RAM,
 	// which might be OK default (together with the user_timeout above)
diff --git a/daemon/network.h b/daemon/network.h
index 9d50e46d3..00fa10a19 100644
--- a/daemon/network.h
+++ b/daemon/network.h
@@ -122,6 +122,9 @@ struct network {
 	 * a slight improvement in syscall processing efficiency.
 	 * Note: This does not necessarily lead to overall performance gains. */
 	bool enable_connect_udp;
+
+	/** Low source port (e.g. 53) might be useful for attacks with spoofed source IPs. */
+	uint16_t min_udp_source_port;
 };

/** Pointer to the singleton network state. NULL if not initialized. */
-- 
2.47.2
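Review bot: The new doc comment on `min_udp_source_port` in network.h names the threat but not the contract the field actually implements, which is what an operator tuning it through FFI needs. It should state that incoming (non-outgoing) UDP whose source port is below this value is ignored, that `0` disables the check, and that `network_init()` sets it to `1024`, e.g. `/** Ignore incoming UDP whose source port is below this value; 0 disables the check, network_init() defaults it to 1024. Low source ports (e.g. 53) might be useful for attacks with spoofed source IPs. */`. Because the field is exposed to Lua as a `uint16_t`, an assignment outside 0..65535 presumably truncates silently instead of failing (e.g. 65536 would read back as 0 and disable the check), so the comment should say the valid range unless a higher-level config layer validates it. The `struct network` definition starts before this hunk.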