Opened 8 weeks ago

Last modified 8 weeks ago

#2467 new defect

Do not use isValidPort() on inbound connections

Reported by: jogger Owned by: zzz
Priority: major Milestone: undecided
Component: router/transport Version: 0.9.39
Keywords: Cc:
Parent Tickets:

Description

My traffic just broke down and I saw 100s of log messages like

ERROR [ Establisher] ter.transport.udp.UDPTransport: The router [Hash: aQJqcFiwno-Evv~AhP6XgEw7ZAi8WX5IWaE5Vu8FSeY=] told us we have an invalid IP - my.ip.add.ress:reservedport. Lets throw tomatoes at them

UDP packet pusher CPU was near zero.

Root cause is that I am sitting behind NAT and my router accidentally chose a port reserved by i2p for outgoing UDP. Since most users simply cannot change their router's behaviour, this check has to be removed.

Workaround if you run one of those beautiful $49 EdgeRouters (highly recommended):
Set NAT protocols for the default rule to TCP/UDP only and then use the command line to "set service nat rule 5010 outside-address port 40000-50000"

After committing the workaround SSU peer count and UDP packet pusher CPU went up immediately.


Change History (3)

comment:1 Changed 8 weeks ago by zzz

What port did it choose?

comment:2 Changed 8 weeks ago by zzz

First report we've ever gotten on this; it's been like this for years. I assume most firewalls pick a high port value by default, or else this would have happened lots of times and been reported.

comment:3 Changed 8 weeks ago by jogger

My router picked one in the 76xx range.

RFC 2663 does not give details about valid port numbers. Wikipedia says "router picks any free port", so it indeed appears that use of isValidPort() leads to blocking valid connections in this case.

The fact that this was not reported before can be attributed to the fact that this is highly implementation dependent. If it infrequently appears in the logs, no one cares. In my case the router reused the very same port again and again. Others may behave differently.

The code used by Ubiquiti (Vyatta code base) is certainly used by other vendors too, as it is based on Debian.
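The failure mode described in this ticket, modelled as a stand-alone example (this is added illustration, not I2P's router code, and does not reproduce the real isValidPort()): one policy for the port we choose to bind ourselves, which may legitimately exclude a reserved range, and a separate, looser policy for the external address:port a peer reports back to us, which a NAT may have assigned from anywhere in 1..65535. The reserved range, the peer names and the IP addresses are constructed for the example; the ticket only says the NAT picked a port "in the 76xx range".

```python
"""Model of ticket #2467: a reserved-port policy meant for choosing *our own*
local UDP port was also applied to the external address:port a peer reports
to us. Behind a NAT that port is chosen by the NAT, not by us, so the
policy rejects valid addresses. Added example, not I2P code; the reserved
range and sample data below are assumptions."""

import ipaddress
from dataclasses import dataclass

MIN_PORT = 1
MAX_PORT = 65535

# Assumed range this router keeps for its own outbound UDP sockets.
# The real I2P reserved range is not stated on the ticket page.
RESERVED_LOCAL_PORTS = range(7600, 7700)


def is_valid_local_bind_port(port: int) -> bool:
    """Policy for a port we pick ourselves: in range and not reserved."""
    return MIN_PORT <= port <= MAX_PORT and port not in RESERVED_LOCAL_PORTS


def is_valid_external_port(port: int) -> bool:
    """Policy for a port observed on the wire: anything a NAT may assign,
    i.e. the full 1..65535 range (RFC 2663 constrains nothing further)."""
    return MIN_PORT <= port <= MAX_PORT


def is_valid_external_ip(ip: str) -> bool:
    """Reject garbage, loopback, unspecified, link-local and multicast."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified
                or addr.is_link_local or addr.is_multicast)


@dataclass(frozen=True)
class AddressReport:
    """A peer telling us what our address:port looked like from outside."""
    peer: str
    ip: str
    port: int


def evaluate_reports(reports, use_local_policy):
    """Return (accepted, rejected). use_local_policy=True reproduces the
    buggy behaviour (bind-port policy applied to an external port);
    False is the corrected behaviour."""
    port_ok = is_valid_local_bind_port if use_local_policy else is_valid_external_port
    accepted, rejected = [], []
    for r in reports:
        if is_valid_external_ip(r.ip) and port_ok(r.port):
            accepted.append(r)
        else:
            rejected.append(r)
    return accepted, rejected


def choose_local_port(candidates):
    """Where the reserved-port policy does belong: picking our own bind port."""
    for p in candidates:
        if is_valid_local_bind_port(p):
            return p
    return None


# Constructed sample reports (documentation-range IPs, not real peers).
SAMPLE_REPORTS = [
    AddressReport("peerA", "203.0.113.5", 7650),   # NAT-assigned, in reserved range
    AddressReport("peerB", "203.0.113.5", 40123),  # high port, fine under both policies
    AddressReport("peerC", "203.0.113.5", 0),      # invalid port under both policies
    AddressReport("peerD", "127.0.0.1", 7650),     # bad IP, rejected under both
]


def summarize(use_local_policy):
    """Peer names accepted/rejected by the chosen policy, for comparison."""
    accepted, rejected = evaluate_reports(SAMPLE_REPORTS, use_local_policy)
    return {"accepted": [r.peer for r in accepted],
            "rejected": [r.peer for r in rejected]}


if __name__ == "__main__":
    print("buggy    :", summarize(use_local_policy=True))
    print("fixed    :", summarize(use_local_policy=False))
    print("bind port:", choose_local_port([7650, 7651, 40000]))
```

Under the buggy policy peerA's report (a NAT-assigned port inside the reserved range) is thrown away, which is exactly the "told us we have an invalid IP" path in the ticket; under the corrected policy it is accepted, while a port of 0 or a loopback address is still rejected. The reserved range is only consulted when the router chooses its own bind port.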
