Commit aeac4ec8 authored by Gleb Mazovetskiy, committed by David S. Miller

tcp: configurable source port perturb table size

On embedded systems with little memory and no relevant
security concerns, it is beneficial to reduce the size
of the table.

Reducing the size from 2^16 to 2^8 saves 255 KiB
of kernel RAM.

Makes the table size configurable as an expert option.

The size was previously increased from 2^8 to 2^16
in commit 4c2c8f03 ("tcp: increase source port perturb table to
2^16").
Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent b68777d5
...@@ -402,6 +402,16 @@ config INET_IPCOMP ...@@ -402,6 +402,16 @@ config INET_IPCOMP
If unsure, say Y. If unsure, say Y.
config INET_TABLE_PERTURB_ORDER
int "INET: Source port perturbation table size (as power of 2)" if EXPERT
default 16
help
Source port perturbation table size (as power of 2) for
RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm.
The default is almost always what you want.
Only change this if you know what you are doing.
config INET_XFRM_TUNNEL config INET_XFRM_TUNNEL
tristate tristate
select INET_TUNNEL select INET_TUNNEL
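Review bot: the new `int` option `INET_TABLE_PERTURB_ORDER` has no `range` line, so nothing stops a configuration from picking an order above 16 (the shift `1 << ORDER` in the C side then grows the table far past the documented 256 kB, and at 31 or more the shift is undefined for a signed int) or an order of 0, which collapses the perturbation table to a single bucket. Adding something like `range 8 16` after `default 16` would bound the option to the two values the commit message discusses. The help text should also name the trade-off it alludes to: the memory cost is 4 bytes per entry (2^order entries), and a smaller table weakens the per-destination isolation that the 2^16 size was introduced to provide, since the other hunk's comment records that small tables (the RFC's 10 buckets) have had practical attacks demonstrated against them. "Only change this if you know what you are doing" does not tell a reader what they need to know.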
...@@ -906,13 +906,13 @@ EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr); ...@@ -906,13 +906,13 @@ EXPORT_SYMBOL_GPL(inet_bhash2_update_saddr);
* Note that we use 32bit integers (vs RFC 'short integers') * Note that we use 32bit integers (vs RFC 'short integers')
* because 2^16 is not a multiple of num_ephemeral and this * because 2^16 is not a multiple of num_ephemeral and this
* property might be used by clever attacker. * property might be used by clever attacker.
*
* RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though * RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
* attacks were since demonstrated, thus we use 65536 instead to really * attacks were since demonstrated, thus we use 65536 by default instead
* give more isolation and privacy, at the expense of 256kB of kernel * to really give more isolation and privacy, at the expense of 256kB
* memory. * of kernel memory.
*/ */
#define INET_TABLE_PERTURB_SHIFT 16 #define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER)
#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
static u32 *table_perturb; static u32 *table_perturb;
int __inet_hash_connect(struct inet_timewait_death_row *death_row, int __inet_hash_connect(struct inet_timewait_death_row *death_row,
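Review bot: `#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER)` takes the order straight from Kconfig with no compile-time guard, so an out-of-range value is only caught at runtime, if at all; a `BUILD_BUG_ON(CONFIG_INET_TABLE_PERTURB_ORDER < 8 || CONFIG_INET_TABLE_PERTURB_ORDER > 16)` next to the define (or a Kconfig `range`) would make a bad configuration fail the build rather than produce a one-bucket or undefined-size table. The updated comment now says "65536 by default" but still states the cost as a fixed "256kB of kernel memory"; since the size is configurable, it would be clearer to state it as 4 bytes per entry, and to note explicitly that lowering the order moves the table back toward the small-table regime the same comment says was attacked, which is the security rationale a reader of this define needs before touching the option.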