From nobody Fri Nov 22 21:24:17 2024
Date: Fri, 22 Nov 2024 21:24:17 GMT
Message-Id: <202411222124.4AMLOHV5088560@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 0e290388cb17 - stable/14 - pf: Add a sysctl to limit work done for rdr source port rewriting
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 0e290388cb17b76d3e79ee5f405405bf0a1169ee

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=0e290388cb17b76d3e79ee5f405405bf0a1169ee

commit 0e290388cb17b76d3e79ee5f405405bf0a1169ee
Author:     Mark Johnston
AuthorDate: 2024-09-10 14:33:47 +0000
Commit:     Mark Johnston
CommitDate: 2024-11-22 21:23:47 +0000

    pf: Add a sysctl to limit work done for rdr source port rewriting

    It was pointed out that the current approach of exhaustively searching
    for a free source port might be very time consuming. Limit the amount
    of work that we might do before giving up.

    Reviewed by:	kp
    Reported by:	Eirik Øverby
    MFC after:	3 months
    Sponsored by:	Klara, Inc.
    Sponsored by:	Modirum
    Differential Revision:	https://reviews.freebsd.org/D46495

    (cherry picked from commit 339a1977c32414f3d23733504955245ca6f3802d)
---
 share/man/man4/pf.4      |  5 +++++
 share/man/man5/pf.conf.5 |  6 +++++-
 sys/netpfil/pf/pf_lb.c   | 18 ++++++++++++++++--
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4 index b757376e0183..4938e719b17e 100644 --- a/share/man/man4/pf.4 +++ b/share/man/man4/pf.4 
@@ -87,6 +87,11 @@ Default value is 131072. Size of hash table that store source nodes. Should be power of 2. Default value is 32768. +.It Va net.pf.rdr_srcport_rewrite_tries +The maximum number of times to try and find a free source port when handling +redirects. +Such rules are typically applied to external traffic, so an exhaustive search +may be too expensive. .El .Pp Read only diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index d9e9127f8a84..935a70301d88 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1410,7 +1410,11 @@ A .Ar rdr rule may cause the source port to be modified if doing so avoids a conflict with an existing connection. -A random source port in the range 50001-65535 is chosen in this case. +A random source port in the range 50001-65535 is chosen in this case; to +avoid excessive CPU consumption, the number of searches for a free port is +limited by the +.Va net.pf.rdr_srcport_rewrite_tries +sysctl. Port numbers are never translated with a .Ar binat rule. diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 3f5b3f90a4e4..2623a22db86b 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -52,6 +52,13 @@ #include #include +/* + * Limit the amount of work we do to find a free source port for redirects that + * introduce a state conflict. + */ +#define V_pf_rdr_srcport_rewrite_tries VNET(pf_rdr_srcport_rewrite_tries) +VNET_DEFINE_STATIC(int, pf_rdr_srcport_rewrite_tries) = 16; + #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x static void pf_hash(struct pf_addr *, struct pf_addr *, @@ -756,6 +763,7 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, break; case PF_RDR: { struct pf_state_key_cmp key; + int tries; uint16_t cut, low, high, nport; reason = pf_map_addr(pd->af, r, saddr, naddr, NULL, NULL, sn); 
@@ -807,11 +815,15 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, if (!pf_find_state_all_exists(&key, PF_OUT)) break; + tries = 0; + low = 50001; /* XXX-MJ PF_NAT_PROXY_PORT_LOW/HIGH */ high = 65535; cut = arc4random() % (1 + high - low) + low; for (uint32_t tmp = cut; - tmp <= high && tmp <= UINT16_MAX; tmp++) { + tmp <= high && tmp <= UINT16_MAX && + tries < V_pf_rdr_srcport_rewrite_tries; + tmp++, tries++) { key.port[0] = htons(tmp); if (!pf_find_state_all_exists(&key, PF_OUT)) { /* Update the source port. */ @@ -819,7 +831,9 @@ pf_get_translation(struct pf_pdesc *pd, struct mbuf *m, int off, goto out; } } - for (uint32_t tmp = cut - 1; tmp >= low; tmp--) { + for (uint32_t tmp = cut - 1; + tmp >= low && tries < V_pf_rdr_srcport_rewrite_tries; + tmp--, tries++) { key.port[0] = htons(tmp); if (!pf_find_state_all_exists(&key, PF_OUT)) { /* Update the source port. */
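Review bot: the new `.It Va net.pf.rdr_srcport_rewrite_tries` entry in the pf.4 hunk omits the default, while the neighbouring entries in the same list end with "Default value is 131072." and "Default value is 32768."; since the pf_lb.c hunk initialises the variable to 16, add a matching "Default value is 16." line so an operator can tell whether the knob has been changed. Minor wording: "try to find" rather than "try and find".

Review bot: the pf_lb.c hunk that adds `VNET_DEFINE_STATIC(int, pf_rdr_srcport_rewrite_tries) = 16;` and its `V_pf_rdr_srcport_rewrite_tries` accessor is the only place the variable is introduced; no `SYSCTL_INT(_net_pf, OID_AUTO, rdr_srcport_rewrite_tries, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(pf_rdr_srcport_rewrite_tries), 0, "...")` (or equivalent) appears anywhere in the diff, and the diffstat's 16 insertions for pf_lb.c are fully accounted for by the lines shown. As committed, the limit is a compile-time constant of 16, not the run-time sysctl that the commit title, pf.4 and pf.conf.5 describe; the declaration should be added in the same change so the documentation is accurate.

Review bot: in the first search loop, the new condition `tries < V_pf_rdr_srcport_rewrite_tries` compares against the raw variable without any lower bound, so a value of 0 or a negative number means neither loop body runs and every rdr connection whose original source port conflicts (the single `pf_find_state_all_exists(&key, PF_OUT)` check before `tries = 0;`) fails translation. Either clamp the value to at least 1 where it is read, or document in pf.4 that 0 disables source port rewriting for conflicting redirects. The `/* XXX-MJ PF_NAT_PROXY_PORT_LOW/HIGH */` comment is also left in place next to the hard-coded 50001/65535 bounds; if it is not being resolved here, a short note of why would help the next reader.

Review bot: in the second (downward) loop, `tries` is shared with the first loop rather than reset, so the total budget across both directions is `V_pf_rdr_srcport_rewrite_tries`; that is the right behaviour for bounding work, but it means this loop only executes when the first loop stopped at `tmp <= high` before exhausting the budget, i.e. when `cut` lies within `tries` of 65535. A one-line comment above the `for (uint32_t tmp = cut - 1;` line stating that the budget is shared would make the intent explicit and stop a future change from "fixing" it by resetting `tries`.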