From: Pavel Balaev <mail@void.so>
To: David Ahern <dsahern@gmail.com>, netdev@vger.kernel.org
Cc: christophe.jaillet@wanadoo.fr, davem@davemloft.net,
kuba@kernel.org, yoshfuji@linux-ipv6.org, dsahern@kernel.org
Subject: Re: [PATCH v3 net-next] net: multipath routing: configurable seed
Date: Wed, 14 Apr 2021 10:33:38 +0300
Message-ID: <YHaa0pRCTKFbEhA2@rnd>
In-Reply-To: <08aba836-162e-b5d3-7a93-0488489be798@gmail.com>
On Tue, Apr 13, 2021 at 08:28:52PM -0700, David Ahern wrote:
> On 4/13/21 4:55 AM, Balaev Pavel wrote:
> > Ability for a user to assign a seed value to multipath route hashes.
> > Now the kernel uses a random seed value to prevent hash-flooding DoS attacks;
> > however, it disables some use cases, e.g.:
> >
> > +-------+        +------+        +--------+
> > |       |-eth0---| FW0  |---eth0-|        |
> > |       |        +------+        |        |
> > |  GW0  |ECMP                ECMP|  GW1   |
> > |       |        +------+        |        |
> > |       |-eth1---| FW1  |---eth1-|        |
> > +-------+        +------+        +--------+
> >
> > In this use case, two ECMP routers balance traffic between
> > two firewalls. If some flow transmits a response over a different channel than the request,
> > that flow will be dropped, because the keep-state rules were created on
> > the other firewall.
> >
> > This patch adds a sysctl variable: net.ipv4.fib_multipath_hash_seed.
> > A user can set the same seed value on GW0 and GW1 for traffic to be
> > mirror-balanced. By default, a random value is used.
> >
> > Signed-off-by: Balaev Pavel <balaevpa@infotecs.ru>
> > ---
> > Documentation/networking/ip-sysctl.rst | 14 ++++
> > include/net/flow_dissector.h | 4 +
> > include/net/netns/ipv4.h | 20 +++++
> > net/core/flow_dissector.c | 9 +++
> > net/ipv4/af_inet.c | 5 ++
> > net/ipv4/route.c | 10 ++-
> > net/ipv4/sysctl_net_ipv4.c | 104 +++++++++++++++++++++++++
> > 7 files changed, 165 insertions(+), 1 deletion(-)
> >
>
> This should work the same for IPv6.
I wanted to add IPv6 support after IPv4 is approved;
anyway, no problem, I will add IPv6 in the next version.
> And please add test cases under tools/testing/selftests/net.
This feature cannot be tested within one host instance, because the same seed
will be used by default for all netns, so the results will be the same
anyway. Should I use QEMU for these tests?
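To make the GW0/GW1 failure mode from the commit message concrete, here is an added toy model that is not part of the patch or of the kernel: a keyed BLAKE2 hash stands in for the kernel's flow hash, there are two next hops (FW0, FW1), and the 5-tuples are constructed. It shows why independent per-router seeds send replies through the wrong stateful firewall while a shared seed (the value both admins would write to the new sysctl) keeps request and reply on the same path.

```python
import hashlib
import os
import struct
from collections import namedtuple
from ipaddress import IPv4Address

# One L4 flow as GW0/GW1 see it (constructed 5-tuple)
Flow = namedtuple("Flow", "saddr daddr proto sport dport")

def reverse(flow):
    """The reply to `flow`, travelling GW1 -> GW0 with endpoints swapped."""
    return Flow(flow.daddr, flow.saddr, flow.proto, flow.dport, flow.sport)

def consistent_keys(flow):
    """Order the endpoints so a flow and its reply hash identically,
    like the kernel's flow-key consistentify step before hashing."""
    a = (int(IPv4Address(flow.saddr)), flow.sport)
    b = (int(IPv4Address(flow.daddr)), flow.dport)
    lo, hi = sorted((a, b))
    return struct.pack("!IHIHB", lo[0], lo[1], hi[0], hi[1], flow.proto)

def select_path(flow, seed, nr_paths=2):
    """Seeded hash of the consistent keys, reduced to a next-hop index."""
    h = hashlib.blake2b(consistent_keys(flow), key=seed, digest_size=4).digest()
    return int.from_bytes(h, "big") % nr_paths

class Router:
    def __init__(self, seed=None):
        # seed=None models today's default: an independent random value per host
        self.seed = seed if seed is not None else os.urandom(16)

    def path_for(self, flow):
        return select_path(flow, self.seed)

def keep_state_ok(gw0, gw1, flow):
    """Request leaves GW0 via one firewall, reply leaves GW1; only the
    firewall that saw the request holds the keep-state rule."""
    return gw0.path_for(flow) == gw1.path_for(reverse(flow))

def drop_rate(gw0, gw1, n=2000):
    """Fraction of constructed TCP/443 flows whose reply hits the wrong firewall."""
    flows = [Flow("10.0.0.1", "10.1.0.%d" % (i % 250 + 1), 6, 40000 + i, 443)
             for i in range(n)]
    return sum(not keep_state_ok(gw0, gw1, f) for f in flows) / n

if __name__ == "__main__":
    print("independent seeds:", drop_rate(Router(), Router()))
    shared = os.urandom(16)  # the value both admins would set via the sysctl
    print("shared seed:     ", drop_rate(Router(shared), Router(shared)))
```

With independent seeds roughly half of the replies land on the firewall that never saw the request; with a shared seed the rate is exactly zero, which is the mirror-balancing the sysctl is meant to enable.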