From 5f694d1ecfbe2315e9bbcc98a83b83620e6f6b94 Mon Sep 17 00:00:00 2001 
From: Vladislav Grishenko Date: Fri, 19 Aug 2022 20:42:22 +0500 Subject: nat: fix nat44-ed port range with multiple workers The number of available dynamic ports is set to (0xffff - 1024) = 64511, which is not divisible by the pow2 number of workers - the only integer divisors are 31 and 2081. So, total dynamic port range of all workers will be less than it: 1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536 2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535 4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533 8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529 ... As seen, with multiple workers there are unused trailing ports for every nat pool address and that is the reason of out-of-bound index in the worker array on out2in path due to (port - 1024) / port_per_thread math. This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets to unused ports will go to an existing worker and be dropped there. Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6: 6. 
Port Number Ranges o the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA) o the User Ports, also known as the Registered Ports, from 1024- 49151 (assigned by IANA) o the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned) According that let's allocate dynamic ports from 1024 and have full port range with a wide range of the workers number - 64 integer divisors in total, including pow2 ones: 1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536 2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536 3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536 4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536 5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534 6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536 7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536 8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536 ... Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required when the numbers of workers is not the integer divisor of 64512. Type: fix Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e Signed-off-by: Vladislav Grishenko
---
 src/plugins/nat/nat44-ed/nat44_ed.c | 8 ++++----
 src/plugins/nat/nat44-ed/nat44_ed.h | 5 +++++
 src/plugins/nat/nat44-ed/nat44_ed_in2out.c | 7 ++++---
 src/plugins/nat/nat44-ed/nat44_ed_out2in.c | 3 ++-
 4 files changed, 15 insertions(+), 8 deletions(-)
(limited to 'src/plugins/nat')
diff --git a/src/plugins/nat/nat44-ed/nat44_ed.c b/src/plugins/nat/nat44-ed/nat44_ed.c
index 27c1870ccef..2e4c791ef80 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed.c
@@ -762,8 +762,8 @@ get_thread_idx_by_port (u16 e_port) if (sm->num_workers > 1) { thread_idx = sm->first_worker_index + - sm->workers[(e_port - 1024) / sm->port_per_thread % - _vec_len (sm->workers)];
+ sm->workers[(e_port - ED_USER_PORT_OFFSET) / + sm->port_per_thread % _vec_len (sm->workers)]; } return thread_idx; }
@@ -2133,7 +2133,7 @@ snat_set_workers (uword * bitmap) j++; }
- sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
+ sm->port_per_thread = (65536 - ED_USER_PORT_OFFSET) / _vec_len (sm->workers); return 0; }
@@ -2384,7 +2384,7 @@ nat_init (vlib_main_t * vm) } } num_threads = tm->n_vlib_mains - 1;
- sm->port_per_thread = 0xffff - 1024;
+ sm->port_per_thread = 65536 - ED_USER_PORT_OFFSET; vec_validate (sm->per_thread_data, num_threads); /* Use all available workers by default */
diff --git a/src/plugins/nat/nat44-ed/nat44_ed.h b/src/plugins/nat/nat44-ed/nat44_ed.h
index 5b5b2ec8cfd..6c64c754073 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed.h
+++ b/src/plugins/nat/nat44-ed/nat44_ed.h
@@ -41,6 +41,11 @@ * as if there were no free ports available to conserve resources */ #define ED_PORT_ALLOC_ATTEMPTS (10)
+/* system ports range is 0-1023, first user port is 1024 per + * https://www.rfc-editor.org/rfc/rfc6335#section-6 + */
+#define ED_USER_PORT_OFFSET 1024 + /* NAT buffer flags */ #define SNAT_FLAG_HAIRPINNING (1 << 0)
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
index 2d8d96a0f5a..61ce70f357f 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed_in2out.c
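Review bot: The new index expression still has no guard for e_port below ED_USER_PORT_OFFSET, so a system port (0-1023) turns `e_port - ED_USER_PORT_OFFSET` into a negative int before the division; whether the trailing `% _vec_len (sm->workers)` folds that back into range depends on the signedness of what _vec_len yields, which is not visible here, and even when it does the packet is steered to an arbitrary worker. If any caller can reach this with a port from a static mapping or a non-dynamic flow, an explicit early return would make the contract visible: `if (e_port < ED_USER_PORT_OFFSET) return thread_idx;` placed before the num_workers check, with a comment `/* ports below ED_USER_PORT_OFFSET are never worker-allocated */`. The initial value of thread_idx and the rest of get_thread_idx_by_port lie outside the hunk, so that fallback should be checked against whatever the function returns for the single-worker case.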
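Review bot: `sm->port_per_thread = (65536 - ED_USER_PORT_OFFSET) / _vec_len (sm->workers);` divides by the worker count with no visible non-zero check; sm->workers is built from the bitmap in the loop just above, so a bitmap that selects no worker would make this a division by zero unless something earlier in snat_set_workers (outside the hunk) already rejects an empty bitmap. Worth confirming, or guarding with a `_vec_len (sm->workers) == 0` check that returns the same error the function already uses for an invalid bitmap, placed before the assignment. A short comment on the line, `/* 64512 = 63 * 1024, so every power-of-two worker count divides it exactly */`, would also record why the range was changed from 0xffff - 1024, since the reason lives only in the commit message.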
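Review bot: `sm->port_per_thread = 65536 - ED_USER_PORT_OFFSET;` repeats the same bare `65536 - ED_USER_PORT_OFFSET` expression that snat_set_workers uses a few hunks above, so the size of the dynamic pool is now a magic number in two places and only the offset is named. A companion constant next to ED_USER_PORT_OFFSET in nat44_ed.h, e.g. `#define ED_DYNAMIC_PORT_COUNT (65536 - ED_USER_PORT_OFFSET)` with a one-line comment that it is the per-address pool that port_per_thread partitions across workers, would keep both derivations in lockstep when the offset changes. nat_init continues outside the hunk.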
@@ -102,14 +102,15 @@ nat_ed_alloc_addr_and_port_with_snat_address ( u16 port_per_thread, u32 snat_thread_index, snat_session_t *s, ip4_address_t *outside_addr, u16 *outside_port) {
- const u16 port_thread_offset = (port_per_thread * snat_thread_index) + 1024;
+ const u16 port_thread_offset = + (port_per_thread * snat_thread_index) + ED_USER_PORT_OFFSET; s->o2i.match.daddr = a->addr; /* first try port suggested by caller */ u16 port = clib_net_to_host_u16 (*outside_port); u16 port_offset = port - port_thread_offset;
- if (port <= port_thread_offset || - port > port_thread_offset + port_per_thread)
+ if (port < port_thread_offset || + port >= port_thread_offset + port_per_thread) { /* need to pick a different port, suggested port doesn't fit in * this thread's port range */
diff --git a/src/plugins/nat/nat44-ed/nat44_ed_out2in.c b/src/plugins/nat/nat44-ed/nat44_ed_out2in.c
index 33449122e43..dfe4a15752b 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed_out2in.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed_out2in.c
@@ -279,7 +279,8 @@ nat44_ed_alloc_i2o_port (snat_main_t *sm, snat_address_t *a, snat_session_t *s, for (int i = 0; i < ED_PORT_ALLOC_ATTEMPTS; ++i) { portnum = (sm->port_per_thread * snat_thread_index) + - snat_random_port (0, sm->port_per_thread - 1) + 1024;
+ snat_random_port (0, sm->port_per_thread - 1) + + ED_USER_PORT_OFFSET; portnum = clib_host_to_net_u16 (portnum); nat_6t_i2o_flow_init (sm, thread_index, s, i2o_addr, i2o_port, a->addr, portnum, i2o_fib_index, proto);
-- cgit 1.2.3-korg
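Review bot: `u16 port_offset = port - port_thread_offset;` is still computed before the range check that follows it, so for a suggested port below this thread's base it holds a wrapped u16; that is harmless only if the code past the hunk never reads port_offset on the rejected path, which cannot be confirmed from here. Moving the subtraction after the check (or into the accepted branch) would make that independent of later edits. The base is computed in u32 through snat_thread_index and then narrowed to the u16 port_thread_offset; with port_per_thread derived as 64512 / workers it always fits, and a comment such as `/* fits u16: port_per_thread * thread_index + ED_USER_PORT_OFFSET < 65536 for every thread_index < workers */` would record why the narrowing is safe. nat_ed_alloc_addr_and_port_with_snat_address begins and ends outside the hunk.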
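Review bot: The thread's base port `(sm->port_per_thread * snat_thread_index) + ED_USER_PORT_OFFSET` is now derived by hand here, again as port_thread_offset in nat44_ed_in2out.c, and inverted a third time in get_thread_idx_by_port, so the next change to the partition has three places to keep consistent. A single `static inline u16 nat44_ed_thread_port_base (u16 port_per_thread, u32 thread_index)` in nat44_ed.h, commented with the requirement that get_thread_idx_by_port stay its exact inverse, would let both allocators call one definition. The random draw `snat_random_port (0, sm->port_per_thread - 1)` assumes port_per_thread is at least 1, which holds for any sane worker count but is not stated; a comment on the line would do. The loop body of nat44_ed_alloc_i2o_port continues outside the hunk.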