From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Laura Garcia Liebana <nevola@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 1/4] src: make hash seed attribute optional
Date: Thu, 27 Oct 2016 19:13:53 +0200
Message-ID: <20161027171353.GD17733@salvia>
In-Reply-To: <20161027170750.GC17733@salvia>

On Thu, Oct 27, 2016 at 07:07:50PM +0200, Pablo Neira Ayuso wrote:
> On Sat, Oct 22, 2016 at 11:34:15PM +0200, Laura Garcia Liebana wrote:
> > The hash expression requires a seed attribute to call the jhash
> > operation, eg.
> >
> > # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \
> > seed 0xdeadbeef
> >
> > With this patch the seed attribute is optional and it's generated by a
> > random function from userspace, eg.
> >
> > # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2
> >
> > To generate a secure random number it has been included the libbsd
> > library dependency by default, that implements the arc4random()
> > function generator. But it's possible to get rid of this dependency
> > applying the option --without-arc4random during the configure of the
> > package.
> >
> > Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
> > ---
> > configure.ac | 14 +++++++++++++-
> > include/hash.h | 10 ++++++++++
> > src/parser_bison.y | 5 +++++
> > tests/py/ip/hash.t | 2 ++
> > 4 files changed, 30 insertions(+), 1 deletion(-)
> >
> > diff --git a/configure.ac b/configure.ac
> > index 7e0b75c..8c93981 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -108,6 +108,17 @@ AC_DEFINE([HAVE_LIBXTABLES], [1], [0])
> > AC_SUBST(with_libxtables)
> > AM_CONDITIONAL([BUILD_XTABLES], [test "x$with_libxtables" == xyes])
> >
> > +AC_ARG_WITH([arc4random], [AS_HELP_STRING([--without-arc4random],
> > + [disable arc4random (libbsd dev support)])],
> > + [], [with_arc4random=yes])
> > +AS_IF([test "x$with_arc4random" != xno], [
> > +AC_CHECK_LIB([bsd], [arc4random], ,
> > + AC_MSG_ERROR([No suitable version of libbsd dev found]))
> > +AC_DEFINE([HAVE_LIBBSD], [1], [])
> > +])
> > +AC_SUBST(with_arc4random)
> > +AM_CONDITIONAL([BUILD_ARC4RANDOM], [test "x$with_arc4random" != xno])
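
Review bot: in the AS_IF block, a missing libbsd aborts configure with AC_MSG_ERROR, so the default build gains a hard dependency, and nothing in these lines says which generator supplies the seed when --without-arc4random is given. Consider probing for a libc facility first and erroring out only when no source is available, and name the fallback in the AS_HELP_STRING text. The AC_DEFINE([HAVE_LIBBSD], [1], []) line is also redundant, since AC_CHECK_LIB with an empty action-if-found already defines HAVE_LIBBSD and adds -lbsd to LIBS, and its description argument is empty.
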
>
> We have getrandom() already around for a while:
>
> https://lwn.net/Articles/605828/
>
> Main problem is that your libc version may not yet support this. But
> in case HAVE_GETRANDOM is not set, otherwise fallback on the poorman
> version by now.

I mean, we can add this to configure.ac:

        AC_CHECK_FUNCS(getrandom)

So config.h will define HAVE_GETRANDOM if available. This constant
will tell us what implementation we can use for this.
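
Added example, not code from the patch or from nftables: one way the HAVE_GETRANDOM constant that AC_CHECK_FUNCS(getrandom) puts in config.h could select the seed source at compile time. The names fill_random() and hash_seed_generate() are hypothetical, and the /dev/urandom fallback is an assumption; the thread only calls the fallback a "poorman version".

```c
#ifdef HAVE_CONFIG_H
#include <config.h>	/* defines HAVE_GETRANDOM when AC_CHECK_FUNCS(getrandom) succeeds */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>
#ifdef HAVE_GETRANDOM
#include <sys/random.h>
#endif
/* Hypothetical helper: fill buf from the kernel CSPRNG; 0 on success, -1 on error. */
static int fill_random(void *buf, size_t len)
{
	unsigned char *p = buf;
	ssize_t n;
#ifdef HAVE_GETRANDOM
	while (len > 0) {
		n = getrandom(p, len, 0);	/* flags 0: blocks until the pool is initialized */
		if (n < 0 && errno == EINTR)
			continue;		/* interrupted by a signal, retry */
		if (n <= 0)
			return -1;
		p += n;
		len -= (size_t)n;
	}
	return 0;
#else
	/* Assumed fallback (not specified in the thread): read /dev/urandom. */
	int fd = open("/dev/urandom", O_RDONLY);
	if (fd < 0)
		return -1;
	while (len > 0) {
		n = read(fd, p, len);
		if (n < 0 && errno == EINTR)
			continue;
		if (n <= 0)
			break;			/* error or unexpected EOF */
		p += n;
		len -= (size_t)n;
	}
	close(fd);
	return len == 0 ? 0 : -1;
#endif
}
/* Hypothetical helper: 32-bit seed for the hash expression when none is given. */
int hash_seed_generate(uint32_t *seed)
{
	return fill_random(seed, sizeof(*seed));
}
```

The caller has to treat a -1 return as a failure to add the rule rather than continue with an uninitialized seed.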