I've been trying to think of better ways to handle source port mapping inside of the XDP/BPF program.
At the moment, when a new connection is being created, we loop through `MIN_PORT` and `MAX_PORT`. If the port is completely available (usually first time used), we use that as the source port. Otherwise, we return the port that is sending the least amount of packets per nanosecond (I'm probably going to add the option of using the connection's last seen in the future). This typically results in the least active connection being recycled.
Unfortunately, the `for` loop and its logic results in the BPF program's instruction count becoming quite large, which in turn strictly limits the amount of source ports we can utilize per bind IP address between the `MIN_PORT` and `MAX_PORT` range. The user can compile a custom kernel raising these BPF limitations so they can use a much larger port range, but this is still an inconvenience to users who want to utilize this project.
I don't believe there's really any other way we can determine the source port, since we'll need to always loop through the port range and the BPF verifier takes into account every possible scenario when calculating the instruction count. We can't hash the packet flow and map it to a unique port because once all the ports become used for the first time, you will still need to always loop through each port to determine which port we will recycle (the least active connection).
Overall, this is one of the bigger cons to not using tunneling protocols such as GRE and IPIP. These tunneling protocols add another IP header so you don't even have to do source port mapping. However, I don't intend on implementing these protocols since they're out of this project's scope and I'd prefer not releasing the code I've made for them given I use it with professional firewalls I make. Plus, it will require the user setting up the tunnels on servers they're forwarding traffic to and I really want this project to work out of the box.
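The selection logic described in the issue, modelled in plain C as an added example (not the project's XDP/BPF code): a bounded loop over `MIN_PORT`..`MAX_PORT` that returns the first never-used port and otherwise recycles the port with the lowest packet rate. The port range, the per-port state layout and the fixed-point packet-rate arithmetic are assumptions; the `by_last_seen` mode models the "last seen" option the issue mentions as a future addition. The loop bound is a compile-time constant, which is exactly what the verifier unrolls and charges against the instruction limit, so the cost grows linearly with the port range.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed port range (the project's real MIN_PORT/MAX_PORT may differ). */
#define MIN_PORT   40000
#define MAX_PORT   40015
#define PORT_COUNT (MAX_PORT - MIN_PORT + 1)

/* Constructed per-port state standing in for the BPF map entry
 * (assumption: the real layout is not shown in the issue). */
struct port_state {
    uint8_t  in_use;      /* 0 = never used, 1 = mapped to a connection */
    uint64_t pkts;        /* packets sent through this source port */
    uint64_t first_seen;  /* ns timestamp the mapping was created */
    uint64_t last_seen;   /* ns timestamp of the last packet */
};

/* Packets per nanosecond as a fixed-point value (pkts * 2^32 / elapsed_ns);
 * BPF programs cannot use floating point, so a ratio must be integer. */
static uint64_t rate_fixed(const struct port_state *p, uint64_t now_ns)
{
    uint64_t elapsed = now_ns - p->first_seen;
    if (elapsed == 0)
        elapsed = 1;
    return (p->pkts << 32) / elapsed;
}

/* Pick a source port for a new connection.
 * by_last_seen == 0: recycle the port with the lowest packet rate.
 * by_last_seen != 0: recycle the port whose last packet is oldest.
 * A completely unused port always wins immediately. */
uint16_t pick_source_port(const struct port_state *table, uint64_t now_ns,
                          int by_last_seen)
{
    uint16_t best = MIN_PORT;
    uint64_t best_score = UINT64_MAX;

    /* Bounded by compile-time constants; every iteration counts toward the
     * BPF instruction limit once the verifier unrolls it. The loop variable
     * is wider than 16 bits so MAX_PORT == 65535 could not wrap it. */
    for (unsigned port = MIN_PORT; port <= MAX_PORT; port++) {
        const struct port_state *p = &table[port - MIN_PORT];
        if (!p->in_use)
            return (uint16_t)port;          /* free port: use it as-is */

        /* Lower score = less active; ties keep the lowest port number. */
        uint64_t score = by_last_seen ? p->last_seen : rate_fixed(p, now_ns);
        if (score < best_score) {
            best_score = score;
            best = (uint16_t)port;
        }
    }
    return best;                            /* all taken: recycle least active */
}

/* Constructed sample: every port is in use and was mapped 1 s ago; port
 * MIN_PORT+5 has sent the fewest packets, port MAX_PORT was idle longest. */
void build_sample_table(struct port_state *table, uint64_t now_ns)
{
    memset(table, 0, sizeof(*table) * PORT_COUNT);
    for (unsigned i = 0; i < PORT_COUNT; i++) {
        table[i].in_use     = 1;
        table[i].first_seen = now_ns - 1000000000ULL;
        table[i].last_seen  = now_ns - (uint64_t)i * 1000ULL;
        table[i].pkts       = 1000 + i * 50;
    }
    table[5].pkts = 10;   /* least active connection */
}

int main(void)
{
    struct port_state table[PORT_COUNT];
    uint64_t now = 5000000000ULL;   /* constructed "current" timestamp */

    build_sample_table(table, now);
    printf("by rate:      %u\n", pick_source_port(table, now, 0));
    printf("by last seen: %u\n", pick_source_port(table, now, 1));

    table[3].in_use = 0;            /* free one port: it must win outright */
    printf("with a free port: %u\n", pick_source_port(table, now, 0));
    return 0;
}
```

The selection itself is O(PORT_COUNT) regardless of how many ports are free, which is the point the issue makes: even a hash-to-port scheme would still need this full scan to pick the least active connection once every port has been used once.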