Re: [PATCH nf] netfilter: nat: limit port clash resolution attempts

2018-12-08 Thread Florian Westphal
Xiaozhou Liu wrote: > > + for (i = 0; i < attempts; ++off) { > > *portptr = htons(min + off % range_size); > > - if (++i != range_size && nf_nat_used_tuple(tuple, ct)) > > + if (nf_nat_used_tuple(tuple, ct)) > > continue; > > if
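Review bot: in the visible lines of this hunk the loop counter is no longer advanced: the removed line `- if (++i != range_size && nf_nat_used_tuple(tuple, ct))` was the only place `i` was incremented, and its replacement `+ if (nf_nat_used_tuple(tuple, ct))` drops the `++i` while the new header `+ for (i = 0; i < attempts; ++off) {` only steps `off`. Unless `i` is incremented somewhere in the part of the hunk cut off here, `i < attempts` never becomes false and the loop keeps probing ports until `nf_nat_used_tuple()` returns false, which is exactly the unbounded search the patch title says it wants to limit. The loop header should step both counters, e.g. `for (i = 0; i < attempts; ++i, ++off) {`, or the `continue` path should increment `i` explicitly.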

Re: [PATCH nf] netfilter: nat: limit port clash resolution attempts

2018-12-08 Thread Xiaozhou Liu
On Sat, Dec 08, 2018 at 11:07:44AM +0100, Florian Westphal wrote: > Pablo, > > this will unfortunately result in a nf-next merge conflict > due to *rover removal in nf-next. > I can send a patch vs. nf-next instead if you prefer. > > net/netfilter/nf_nat_proto_common.c | 26

[PATCH nf] netfilter: nat: limit port clash resolution attempts

2018-12-08 Thread Florian Westphal
In case almost or all available ports are taken, clash resolution can take a very long time, resulting in soft lockup. This can happen when many to-be-natted hosts connect to the same destination:port (e.g. a proxy) and all connections pass the same SNAT. Pick a random offset in the acceptable