Re: [PATCH net v2] net: netfilter: Fix port selection of FTP for NF_NAT_RANGE_PROTO_SPECIFIED

From: kernel test robot
Date: Tue Sep 07 2021 - 01:14:53 EST


Hi Cole,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on net/master]

url: https://github.com/0day-ci/linux/commits/Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210907-101823
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git b539c44df067ac116ec1b58b956efda51b6a7fc1
config: arm-randconfig-r003-20210906 (attached as .config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project 9c476172b93367d2cb88d7d3f4b1b5b456fa6020)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://github.com/0day-ci/linux/commit/3d790f5d7c3d6069948749b4697090adfcc48e51
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Cole-Dishington/net-netfilter-Fix-port-selection-of-FTP-for-NF_NAT_RANGE_PROTO_SPECIFIED/20210907-101823
git checkout 3d790f5d7c3d6069948749b4697090adfcc48e51
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=arm

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>

All warnings (new ones prefixed by >>):

>> net/netfilter/nf_nat_core.c:373:6: warning: no previous prototype for function 'nf_nat_l4proto_unique_tuple' [-Wmissing-prototypes]
void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
^
net/netfilter/nf_nat_core.c:373:1: note: declare 'static' if the function is not intended to be used outside of this translation unit
void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
^
static
1 warning generated.


vim +/nf_nat_l4proto_unique_tuple +373 net/netfilter/nf_nat_core.c

/* Alter the per-proto part of the tuple (depending on maniptype), to
 * give a unique tuple in the given range if possible.
 *
 * Per-protocol part of tuple is initialized to the incoming packet.
 *
 * @tuple:	tuple whose l4 key (port, icmp id or gre key) is rewritten
 *		in place through @keyptr
 * @range:	NAT range; NF_NAT_RANGE_PROTO_SPECIFIED bounds the search,
 *		NF_NAT_RANGE_PROTO_OFFSET fixes the starting offset
 * @maniptype:	NF_NAT_MANIP_SRC or NF_NAT_MANIP_DST
 * @ct:		conntrack handed to nf_nat_used_tuple() for clash detection
 *
 * Returns without touching @tuple for protocols not handled below, for
 * GRE without a master conntrack, and for a DST manip with no explicit
 * range. When every probed value is already in use the function also
 * just returns, leaving @tuple holding the last candidate it tried; the
 * void return gives the caller no indication of that case.
 *
 * NOTE(review): this function has external linkage but no prototype is
 * visible to the compiler (-Wmissing-prototypes). Declare it in the
 * shared nf_nat header that the other users include, or make it static
 * again if it is only used from this file.
 */
void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
				 const struct nf_nat_range2 *range,
				 enum nf_nat_manip_type maniptype,
				 const struct nf_conn *ct)
{
	unsigned int range_size, min, max, i, attempts;
	__be16 *keyptr;
	u16 off;
	/* Upper bound on probes per round; see the softirq note below. */
	static const unsigned int max_attempts = 128;

	/* Pick the key to rewrite and the [min, min + range_size) window
	 * to search. ICMP and GRE jump straight to the search; the port
	 * based protocols fall through to the port-range selection below.
	 */
	switch (tuple->dst.protonum) {
	case IPPROTO_ICMP:
	case IPPROTO_ICMPV6:
		/* id is same for either direction... */
		keyptr = &tuple->src.u.icmp.id;
		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
			/* Whole 16-bit id space. */
			min = 0;
			range_size = 65536;
		} else {
			/* NOTE(review): unlike the port path below, an
			 * inverted range (max < min) is not swapped here,
			 * so range_size would wrap; confirm the range is
			 * validated before it reaches this point.
			 */
			min = ntohs(range->min_proto.icmp.id);
			range_size = ntohs(range->max_proto.icmp.id) -
				     ntohs(range->min_proto.icmp.id) + 1;
		}
		goto find_free_id;
#if IS_ENABLED(CONFIG_NF_CT_PROTO_GRE)
	case IPPROTO_GRE:
		/* If there is no master conntrack we are not PPTP,
		   do not change tuples */
		if (!ct->master)
			return;

		if (maniptype == NF_NAT_MANIP_SRC)
			keyptr = &tuple->src.u.gre.key;
		else
			keyptr = &tuple->dst.u.gre.key;

		if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
			/* Keys 1..65535; key 0 is never handed out. */
			min = 1;
			range_size = 65535;
		} else {
			/* Same caveat as ICMP: no swap for max < min. */
			min = ntohs(range->min_proto.gre.key);
			range_size = ntohs(range->max_proto.gre.key) - min + 1;
		}
		goto find_free_id;
#endif
	case IPPROTO_UDP:
	case IPPROTO_UDPLITE:
	case IPPROTO_TCP:
	case IPPROTO_SCTP:
	case IPPROTO_DCCP:
		/* All port based protocols share the .u.all port field. */
		if (maniptype == NF_NAT_MANIP_SRC)
			keyptr = &tuple->src.u.all;
		else
			keyptr = &tuple->dst.u.all;

		break;
	default:
		/* Unknown l4 protocol: leave the tuple as it is. */
		return;
	}

	/* If no range specified... */
	if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
		/* If it's dst rewrite, can't change port */
		if (maniptype == NF_NAT_MANIP_DST)
			return;

		/* Keep the rewritten port in the same class as the
		 * original one: <512 stays in 1..511, 512..1023 moves to
		 * 600..1023, everything else lands in 1024..65535.
		 */
		if (ntohs(*keyptr) < 1024) {
			/* Loose convention: >> 512 is credential passing */
			if (ntohs(*keyptr) < 512) {
				min = 1;
				range_size = 511 - min + 1;
			} else {
				min = 600;
				range_size = 1023 - min + 1;
			}
		} else {
			min = 1024;
			range_size = 65535 - 1024 + 1;
		}
	} else {
		/* Explicit port range; tolerate min/max given in the
		 * wrong order.
		 */
		min = ntohs(range->min_proto.all);
		max = ntohs(range->max_proto.all);
		if (unlikely(max < min))
			swap(max, min);
		range_size = max - min + 1;
	}

find_free_id:
	/* Starting index into the window. With PROTO_OFFSET the distance
	 * of the incoming key from base_proto is preserved, otherwise the
	 * start is random. off is u16, so both the subtraction and the
	 * per-probe increment wrap modulo 65536.
	 *
	 * NOTE(review): base_proto.all is read for every protonum that
	 * reaches this label, including ICMP and GRE; confirm that is
	 * the intended field for those protocols.
	 */
	if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
		off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
	else
		off = prandom_u32();

	attempts = range_size;
	if (attempts > max_attempts)
		attempts = max_attempts;

	/* We are in softirq; doing a search of the entire range risks
	 * soft lockup when all tuples are already used.
	 *
	 * If we can't find any free port from first offset, pick a new
	 * one and try again, with ever smaller search window.
	 */
another_round:
	/* Each probe writes the candidate into the tuple first; the
	 * write is only "final" when nf_nat_used_tuple() reports it free.
	 */
	for (i = 0; i < attempts; i++, off++) {
		*keyptr = htons(min + off % range_size);
		if (!nf_nat_used_tuple(tuple, ct))
			return;
	}

	/* Give up once the whole window was covered, or once the window
	 * is too small for another halving to be worthwhile; otherwise
	 * halve it and restart from a fresh random offset.
	 */
	if (attempts >= range_size || attempts < 16)
		return;
	attempts /= 2;
	off = prandom_u32();
	goto another_round;
}

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip