From: Pablo Neira Ayuso
Subject: Re: [PATCH nft 1/4] src: make hash seed attribute optional
Date: Thu, 27 Oct 2016 19:07:50 +0200
Message-ID: <20161027170750.GC17733@salvia>
In-Reply-To: <9d2ade5563d42e65466eef399a5b1b9e14954463.1477170966.git.nevola@gmail.com>
To: Laura Garcia Liebana
Cc: netfilter-devel@vger.kernel.org

On Sat, Oct 22, 2016 at 11:34:15PM +0200, Laura Garcia Liebana wrote:
> The hash expression requires a seed attribute to call the jhash
> operation, e.g.
>
> # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \
> seed 0xdeadbeef
>
> With this patch the seed attribute is optional and it's generated by a
> random function from userspace, e.g.
>
> # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2
>
> To generate a secure random number, the libbsd library dependency, which
> implements the arc4random() generator function, has been included by
> default. But it's possible to get rid of this dependency by applying the
> option --without-arc4random during the configure of the package.
>
> Suggested-by: Pablo Neira Ayuso
> Signed-off-by: Laura Garcia Liebana > --- > configure.ac | 14 +++++++++++++- > include/hash.h | 10 ++++++++++ > src/parser_bison.y | 5 +++++ > tests/py/ip/hash.t | 2 ++ > 4 files changed, 30 insertions(+), 1 deletion(-) > > diff --git a/configure.ac b/configure.ac > index 7e0b75c..8c93981 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -108,6 +108,17 @@ AC_DEFINE([HAVE_LIBXTABLES], [1], [0]) > AC_SUBST(with_libxtables) > AM_CONDITIONAL([BUILD_XTABLES], [test "x$with_libxtables" == xyes]) > > +AC_ARG_WITH([arc4random], [AS_HELP_STRING([--without-arc4random], > + [disable arc4random (libbsd dev support)])], > + [], [with_arc4random=yes]) > +AS_IF([test "x$with_arc4random" != xno], [ > +AC_CHECK_LIB([bsd], [arc4random], , > + AC_MSG_ERROR([No suitable version of libbsd dev found])) > +AC_DEFINE([HAVE_LIBBSD], [1], []) > +]) > +AC_SUBST(with_arc4random) > +AM_CONDITIONAL([BUILD_ARC4RANDOM], [test "x$with_arc4random" != xno]) We have getrandom() already around for a while: https://lwn.net/Articles/605828/ Main problem is that your libc version may not yet support this. But in case HAVE_GETRANDOM is not set, otherwise fallback on the poorman version by now. > # Checks for header files. > AC_HEADER_STDC > AC_HEADER_ASSERT > @@ -158,4 +169,5 @@ nft configuration: > enable debugging: ${with_debug} > use mini-gmp: ${with_mini_gmp} > enable pdf documentation: ${enable_pdf_doc} > - libxtables support: ${with_libxtables}" > + libxtables support: ${with_libxtables} > + arc4random support: ${with_arc4random}" It would be good to indicate here what random approach we follow, just for the record. Thanks.
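Review bot: in the first configure.ac hunk, AC_CHECK_LIB([bsd], [arc4random], , AC_MSG_ERROR([No suitable version of libbsd dev found])) turns a missing optional library into a hard configure failure for the default build, so anyone without libbsd headers must already know to pass --without-arc4random. Since the reply proposes getrandom() as the primary source, probe for getrandom() first, then for libbsd, and let a failed probe select the fallback instead of aborting. Also, AC_DEFINE([HAVE_LIBBSD], [1], []) leaves the description empty; give it a string such as [Define if libbsd provides arc4random()] so config.h.in documents the symbol. Nothing in this hunk shows what seed source the --without-arc4random build uses; since the commit message's stated goal is a secure seed, that path should still draw from the kernel CSPRNG rather than a weaker substitute.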
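Review bot: the new summary line in the second configure.ac hunk prints ${with_arc4random}, which only echoes whether the option was requested. If the getrandom()/libbsd/fallback selection from the reply is adopted, print the resolved source instead (for example "hash seed source: getrandom", "arc4random" or "urandom") so that build logs record which generator a given binary actually uses; this is what the reply's "indicate here what random approach we follow" asks for.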
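The seed-generation approach proposed in the reply (getrandom() where the kernel and headers support it, falling back to the "poorman" /dev/urandom path otherwise), written out as an added example in C. This is not code from the nft patch or from the nftables project: it assumes a Linux build, uses a raw SYS_getrandom syscall so that a libc without a getrandom() wrapper still works, and the names seed_random_bytes(), nft_seed_generate() and seed_self_check() are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Read exactly n bytes from /dev/urandom; 0 on success, -1 on failure.
 * This is the portable last resort when neither getrandom() nor libbsd
 * is available at build time. */
static int urandom_fill(unsigned char *buf, size_t n)
{
	int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
	size_t got = 0;

	if (fd < 0)
		return -1;
	while (got < n) {
		ssize_t r = read(fd, buf + got, n - got);

		if (r < 0 && errno == EINTR)
			continue;
		if (r <= 0) {
			close(fd);
			return -1;
		}
		got += (size_t)r;
	}
	close(fd);
	return 0;
}

/* Fill buf with n bytes from the kernel CSPRNG. Uses the getrandom(2)
 * syscall where the headers expose it and falls back to /dev/urandom on
 * ENOSYS (pre-3.17 kernel) or any other failure. 0 on success, -1 on
 * failure. */
int seed_random_bytes(unsigned char *buf, size_t n)
{
#if defined(__linux__) && defined(SYS_getrandom)
	size_t got = 0;

	while (got < n) {
		long r = syscall(SYS_getrandom, buf + got, n - got, 0);

		if (r < 0 && errno == EINTR)
			continue;
		if (r < 0)
			break;	/* fall through to the /dev/urandom path */
		got += (size_t)r;
	}
	if (got == n)
		return 0;
#endif
	return urandom_fill(buf, n);
}

/* Generate the 32-bit jhash seed that the "seed 0x..." attribute would
 * otherwise carry. Hypothetical helper, not the patch's own. */
int nft_seed_generate(uint32_t *seed)
{
	return seed_random_bytes((unsigned char *)seed, sizeof(*seed));
}

/* Startup sanity check: two generated seeds must differ and a 16-byte
 * draw must not be all zeros. Returns 1 if the source looks healthy. */
int seed_self_check(void)
{
	uint32_t a = 0, b = 0;
	unsigned char buf[16] = {0};
	size_t i;
	int nonzero = 0;

	if (nft_seed_generate(&a) != 0 || nft_seed_generate(&b) != 0)
		return 0;
	if (seed_random_bytes(buf, sizeof(buf)) != 0)
		return 0;
	for (i = 0; i < sizeof(buf); i++)
		nonzero |= buf[i];
	return a != b && nonzero != 0;
}

int main(void)
{
	uint32_t seed;

	if (!seed_self_check() || nft_seed_generate(&seed) != 0) {
		fprintf(stderr, "no usable random source\n");
		return 1;
	}
	printf("generated seed 0x%08x\n", seed);
	return 0;
}
```

The point of the layered fallback is that the seed is always drawn from the kernel CSPRNG: a build without libbsd, or a libc without a getrandom() wrapper, degrades to /dev/urandom rather than to a time-seeded PRNG, which is what keeps an auto-generated jhash seed as hard to guess as one the user supplies by hand.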