* [PATCH v2 nft 1/4] src: make hash seed attribute optional
@ 2016-11-01 15:02 Laura Garcia Liebana
0 siblings, 0 replies; only message in thread
From: Laura Garcia Liebana @ 2016-11-01 15:02 UTC (permalink / raw)
To: netfilter-devel
The hash expression requires a seed attribute to call the jhash
operation, eg.
# nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \
seed 0xdeadbeef
With this patch the seed attribute is optional and it's generated by a
random function from userspace, eg.
# nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2
In order to generate a resilient random number, the syscall
getrandom(2)[0] is used if detected. In other case, the trivial rand()
will be used.
[0] https://lwn.net/Articles/605828/
Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
Changes in v2:
- Use getrandom(2) syscall instead of arc4random, suggested by Pablo.
- This case hasn't a test case due to the random seed generation in
the payload won't match.
configure.ac | 22 +++++++++++++++++++++-
include/hash.h | 12 ++++++++++++
src/parser_bison.y | 5 +++++
3 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 7e0b75c..d21fe97 100644
--- a/configure.ac
+++ b/configure.ac
@@ -108,6 +108,24 @@ AC_DEFINE([HAVE_LIBXTABLES], [1], [0])
AC_SUBST(with_libxtables)
AM_CONDITIONAL([BUILD_XTABLES], [test "x$with_libxtables" == xyes])
+AC_COMPILE_IFELSE(
+[
+ AC_LANG_SOURCE([[
+ #include <sys/syscall.h>
+ #include <linux/random.h>
+ int main(){
+ int s;
+ syscall(SYS_getrandom, &s, sizeof(s), 0);
+ }
+ ]])
+], [have_random=yes
+ AC_DEFINE([HAVE_GETRANDOM], [1], [] )],
+ [have_random=no])
+
+AS_IF([test "x$have_random" != xno],
+[have_random=getrandom],
+[have_random=rand])
+
# Checks for header files.
AC_HEADER_STDC
AC_HEADER_ASSERT
@@ -158,4 +176,5 @@ nft configuration:
enable debugging: ${with_debug}
use mini-gmp: ${with_mini_gmp}
enable pdf documentation: ${enable_pdf_doc}
- libxtables support: ${with_libxtables}"
+ libxtables support: ${with_libxtables}
+ random used: ${have_random}"
diff --git a/include/hash.h b/include/hash.h
index bc8c86a..6d6badd 100644
--- a/include/hash.h
+++ b/include/hash.h
@@ -1,6 +1,18 @@
#ifndef NFTABLES_HASH_H
#define NFTABLES_HASH_H
+#ifdef HAVE_GETRANDOM
+#include <sys/syscall.h>
+#include <linux/random.h>
+#define selrandom() ({ uint32_t s; \
+ syscall(SYS_getrandom, &s, sizeof(s), 0); s; })
+
+#else
+#include <time.h>
+#include <stdlib.h>
+#define selrandom() ({ srand(time(NULL)); (uint32_t)rand(); })
+#endif
+
extern struct expr *hash_expr_alloc(const struct location *loc,
uint32_t modulus, uint32_t seed);
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 106df27..6a24bec 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2585,6 +2585,11 @@ hash_expr : JHASH expr MOD NUM SEED NUM
$$ = hash_expr_alloc(&@$, $4, $6);
$$->hash.expr = $2;
}
+ | JHASH expr MOD NUM
+ {
+ $$ = hash_expr_alloc(&@$, $4, selrandom());
+ $$->hash.expr = $2;
+ }
;
rt_expr : RT rt_key
--
2.9.3
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2016-11-01 15:02 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-01 15:02 [PATCH v2 nft 1/4] src: make hash seed attribute optional Laura Garcia Liebana
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.