diff --git a/share/man/man4/ip.4 b/share/man/man4/ip.4
--- a/share/man/man4/ip.4
+++ b/share/man/man4/ip.4
@@ -453,21 +453,6 @@
 In these cases,
 .Va net.inet.ip.portrange.randomized
 can be used to toggle randomization off.
-If more than
-.Va net.inet.ip.portrange.randomcps
-ports have been allocated in the last second, then return to sequential
-port allocation.
-Return to random allocation only once the current port allocation rate
-drops below
-.Va net.inet.ip.portrange.randomcps
-for at least
-.Va net.inet.ip.portrange.randomtime
-seconds.
-The default values for
-.Va net.inet.ip.portrange.randomcps
-and
-.Va net.inet.ip.portrange.randomtime
-are 10 port allocations per second and 45 seconds correspondingly.
 .Ss "Multicast Options"
 .Tn IP
 multicasting is supported only on
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -716,10 +716,6 @@
 VNET_DECLARE(int, ipport_hifirstauto);
 VNET_DECLARE(int, ipport_hilastauto);
 VNET_DECLARE(int, ipport_randomized);
-VNET_DECLARE(int, ipport_randomcps);
-VNET_DECLARE(int, ipport_randomtime);
-VNET_DECLARE(int, ipport_stoprandom);
-VNET_DECLARE(int, ipport_tcpallocs);
 #define V_ipport_reservedhigh VNET(ipport_reservedhigh)
 #define V_ipport_reservedlow VNET(ipport_reservedlow)
@@ -730,10 +726,6 @@
 #define V_ipport_hifirstauto VNET(ipport_hifirstauto)
 #define V_ipport_hilastauto VNET(ipport_hilastauto)
 #define V_ipport_randomized VNET(ipport_randomized)
-#define V_ipport_randomcps VNET(ipport_randomcps)
-#define V_ipport_randomtime VNET(ipport_randomtime)
-#define V_ipport_stoprandom VNET(ipport_stoprandom)
-#define V_ipport_tcpallocs VNET(ipport_tcpallocs)
 void in_pcbinfo_init(struct inpcbinfo *, struct inpcbstorage *, u_int, u_int);
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -55,7 +55,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -117,8 +116,6 @@
 #define INPCBLBGROUP_SIZMAX 256
 #define INP_FREED 0x00000200 /* See in_pcb.h. */
-static struct callout ipport_tick_callout;
-
 /*
 * These configure the range of local port addresses assigned to
 * "unspecified" outgoing connections/packets/whatever.
@@ -138,15 +135,8 @@
 VNET_DEFINE(int, ipport_reservedhigh) = IPPORT_RESERVED - 1; /* 1023 */
 VNET_DEFINE(int, ipport_reservedlow);
-/* Variables dealing with random ephemeral port allocation. */
-VNET_DEFINE(int, ipport_randomized) = 1; /* user controlled via sysctl */
-VNET_DEFINE(int, ipport_randomcps) = 10; /* user controlled via sysctl */
-VNET_DEFINE(int, ipport_randomtime) = 45; /* user controlled via sysctl */
-VNET_DEFINE(int, ipport_stoprandom); /* toggled by ipport_tick */
-VNET_DEFINE(int, ipport_tcpallocs);
-VNET_DEFINE_STATIC(int, ipport_tcplastcount);
-
-#define V_ipport_tcplastcount VNET(ipport_tcplastcount)
+/* Enable random ephemeral port allocation by default. */
+VNET_DEFINE(int, ipport_randomized) = 1;
 #ifdef INET
 static struct inpcb *in_pcblookup_hash_locked(struct inpcbinfo *pcbinfo,
@@ -214,15 +204,6 @@
 SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomized,
 CTLFLAG_VNET | CTLFLAG_RW,
 &VNET_NAME(ipport_randomized), 0, "Enable random port allocation");
-SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomcps,
- CTLFLAG_VNET | CTLFLAG_RW,
- &VNET_NAME(ipport_randomcps), 0, "Maximum number of random port "
- "allocations before switching to a sequential one");
-SYSCTL_INT(_net_inet_ip_portrange, OID_AUTO, randomtime,
- CTLFLAG_VNET | CTLFLAG_RW,
- &VNET_NAME(ipport_randomtime), 0,
- "Minimum time to keep sequential port "
- "allocation before switching to a random one");
 #ifdef RATELIMIT
 counter_u64_t rate_limit_new;
@@ -730,7 +711,7 @@
 struct inpcbinfo *pcbinfo;
 struct inpcb *tmpinp;
 unsigned short *lastport;
- int count, dorandom, error;
+ int count, error;
 u_short aux, first, last, lport;
 #ifdef INET
 struct in_addr laddr, faddr;
@@ -764,27 +745,7 @@
 last = V_ipport_lastauto;
 lastport = &pcbinfo->ipi_lastport;
 }
- /*
- * For UDP(-Lite), use random port allocation as long as the user
- * allows it. For TCP (and as of yet unknown) connections,
- * use random port allocation only if the user allows it AND
- * ipport_tick() allows it.
- */
- if (V_ipport_randomized &&
- (!V_ipport_stoprandom || pcbinfo == &V_udbinfo ||
- pcbinfo == &V_ulitecbinfo))
- dorandom = 1;
- else
- dorandom = 0;
- /*
- * It makes no sense to do random port allocation if
- * we have the only port available.
- */
- if (first == last)
- dorandom = 0;
- /* Make sure to not include UDP(-Lite) packets in the count. */
- if (pcbinfo != &V_udbinfo && pcbinfo != &V_ulitecbinfo)
- V_ipport_tcpallocs++;
+
 /*
 * Instead of having two loops further down counting up or down
 * make sure that first is always <= last and go with only one
@@ -818,7 +779,7 @@
 tmpinp = NULL;
 lport = *lportp;
- if (dorandom)
+ if (V_ipport_randomized)
 *lastport = first + (arc4random() % (last - first));
 count = last - first;
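Review bot: Dropping the `if (first == last) dorandom = 0;` guard in this hunk leaves the randomized start in the -818 hunk, `*lastport = first + (arc4random() % (last - first));`, performing a modulo by zero whenever the configured ephemeral range collapses to a single port, a case the removed comment ("we have the only port available") shows was deliberately handled before; on most architectures an integer divide by zero in the kernel is a trap, i.e. a panic. Since `first` and `last` come from the sysctl-settable bounds assigned just above (`V_ipport_lastauto` and friends), the single-port range is reachable from administrator configuration, not only from a programming error. The cheapest fix is to fold the guard back into the new condition, `if (V_ipport_randomized && first != last)`, which keeps the sequential start for the one-port case exactly as before. The enclosing function begins before this hunk and continues past the -818 hunk.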
@@ -2609,58 +2570,6 @@
 #endif
 }
-/*
- * ipport_tick runs once per second, determining if random port allocation
- * should be continued. If more than ipport_randomcps ports have been
- * allocated in the last second, then we return to sequential port
- * allocation. We return to random allocation only once we drop below
- * ipport_randomcps for at least ipport_randomtime seconds.
- */
-static void
-ipport_tick(void *xtp)
-{
- VNET_ITERATOR_DECL(vnet_iter);
-
- VNET_LIST_RLOCK_NOSLEEP();
- VNET_FOREACH(vnet_iter) {
- CURVNET_SET(vnet_iter); /* XXX appease INVARIANTS here */
- if (V_ipport_tcpallocs - V_ipport_tcplastcount <=
- V_ipport_randomcps) {
- if (V_ipport_stoprandom > 0)
- V_ipport_stoprandom--;
- } else
- V_ipport_stoprandom = V_ipport_randomtime;
- V_ipport_tcplastcount = V_ipport_tcpallocs;
- CURVNET_RESTORE();
- }
- VNET_LIST_RUNLOCK_NOSLEEP();
- callout_reset(&ipport_tick_callout, hz, ipport_tick, NULL);
-}
-
-static void
-ip_fini(void *xtp)
-{
-
- callout_stop(&ipport_tick_callout);
-}
-
-/*
- * The ipport_callout should start running at about the time we attach the
- * inet or inet6 domains.
- */
-static void
-ipport_tick_init(const void *unused __unused)
-{
-
- /* Start ipport_tick. */
- callout_init(&ipport_tick_callout, 1);
- callout_reset(&ipport_tick_callout, 1, ipport_tick, NULL);
- EVENTHANDLER_REGISTER(shutdown_pre_sync, ip_fini, NULL,
- SHUTDOWN_PRI_DEFAULT);
-}
-SYSINIT(ipport_tick_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE,
- ipport_tick_init, NULL);
-
 void
 inp_wlock(struct inpcb *inp)
 {