From: Pablo Neira Ayuso
To: Laura Garcia Liebana
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nft 1/4] src: make hash seed attribute optional
Date: Thu, 27 Oct 2016 19:13:53 +0200
Message-ID: <20161027171353.GD17733@salvia>
In-Reply-To: <20161027170750.GC17733@salvia>
References: <9d2ade5563d42e65466eef399a5b1b9e14954463.1477170966.git.nevola@gmail.com> <20161027170750.GC17733@salvia>

On Thu, Oct 27, 2016 at 07:07:50PM +0200, Pablo Neira Ayuso wrote:
> On Sat, Oct 22, 2016 at 11:34:15PM +0200, Laura Garcia Liebana wrote:
> > The hash expression requires a seed attribute to call the jhash
> > operation, e.g.
> >
> >   # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \
> >     seed 0xdeadbeef
> >
> > With this patch the seed attribute is optional and it's generated by a
> > random function from userspace, e.g.
> >
> >   # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2
> >
> > To generate a secure random number, the libbsd library dependency has
> > been included by default, which implements the arc4random() function
> > generator. But it's possible to get rid of this dependency by applying
> > the option --without-arc4random during the configure of the package.
> >
> > Suggested-by: Pablo Neira Ayuso
> > Signed-off-by: Laura Garcia Liebana
> > ---
> >  configure.ac       | 14 +++++++++++++-
> >  include/hash.h     | 10 ++++++++++
> >  src/parser_bison.y |  5 +++++
> >  tests/py/ip/hash.t |  2 ++
> >  4 files changed, 30 insertions(+), 1 deletion(-)
> >
> > diff --git a/configure.ac b/configure.ac
> > index 7e0b75c..8c93981 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -108,6 +108,17 @@ AC_DEFINE([HAVE_LIBXTABLES], [1], [0])
> >  AC_SUBST(with_libxtables)
> >  AM_CONDITIONAL([BUILD_XTABLES], [test "x$with_libxtables" == xyes])
> >
> > +AC_ARG_WITH([arc4random], [AS_HELP_STRING([--without-arc4random],
> > +	[disable arc4random (libbsd dev support)])],
> > +	[], [with_arc4random=yes])
> > +AS_IF([test "x$with_arc4random" != xno], [
> > +AC_CHECK_LIB([bsd], [arc4random], ,
> > +	AC_MSG_ERROR([No suitable version of libbsd dev found]))
> > +AC_DEFINE([HAVE_LIBBSD], [1], [])
> > +])
> > +AC_SUBST(with_arc4random)
> > +AM_CONDITIONAL([BUILD_ARC4RANDOM], [test "x$with_arc4random" != xno])
>
> We have getrandom() already around for a while:
>
> https://lwn.net/Articles/605828/
>
> Main problem is that your libc version may not yet support this. But
> in case HAVE_GETRANDOM is not set, fall back on the poor man's
> version for now.

I mean, we can add this to configure.ac:

AC_CHECK_FUNCS(getrandom)

So config.h will define HAVE_GETRANDOM if available. This constant will
tell us what implementation we can use for this.
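Review bot: the explicit `AC_DEFINE([HAVE_LIBBSD], [1], [])` in the configure.ac hunk is redundant and undocumented: when AC_CHECK_LIB's action-if-found argument is left empty, as it is in `AC_CHECK_LIB([bsd], [arc4random], ,`, autoconf's default action already prepends -lbsd to LIBS and defines HAVE_LIBBSD, so the extra line only adds a template entry with no description. Either drop it or give it a description such as `Define to 1 if libbsd provides arc4random()`. Separately, the hunk adds `AM_CONDITIONAL([BUILD_ARC4RANDOM], ...)` but the diffstat lists no Makefile.am change, so nothing in this series consumes the conditional; remove it, or add the Makefile.am use it was meant for.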
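The fallback arrangement discussed in the thread, as an added example (not code from the nft patch or the nft source): when configure has run `AC_CHECK_FUNCS(getrandom)` and config.h defines HAVE_GETRANDOM, the seed comes from getrandom(2); otherwise it is read from /dev/urandom. Both paths loop on short reads, retry EINTR and refuse to report a partially filled buffer as success, which is the failure mode a "poor man's" fallback most often gets wrong. The function names `hash_seed_source`, `fill_random` and `hash_seed_generate` are hypothetical.

```c
/*
 * Added example, not part of the nft patch or the nft source: derive the
 * optional jhash seed from the kernel CSPRNG. HAVE_GETRANDOM is the macro
 * that AC_CHECK_FUNCS(getrandom) would place in config.h; without it the
 * code falls back to /dev/urandom. Function names are hypothetical.
 */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef HAVE_GETRANDOM
#include <sys/random.h>
#endif

/* Name of the entropy source compiled in, e.g. for a configure summary or a log line. */
const char *hash_seed_source(void)
{
#ifdef HAVE_GETRANDOM
	return "getrandom";
#else
	return "/dev/urandom";
#endif
}

/*
 * Fill buf with len random bytes. Returns 0 on success, -1 with errno set
 * on failure. Short reads are looped, EINTR is retried, and EOF on the
 * device is reported as an error rather than as a half-filled seed.
 */
int fill_random(void *buf, size_t len)
{
	unsigned char *p = buf;
#ifdef HAVE_GETRANDOM
	while (len > 0) {
		ssize_t n = getrandom(p, len, 0);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;
		}
		p += n;
		len -= (size_t)n;
	}
	return 0;
#else
	int flags = O_RDONLY;
#ifdef O_CLOEXEC
	flags |= O_CLOEXEC;	/* do not leak the descriptor into child processes */
#endif
	int fd = open("/dev/urandom", flags);
	if (fd < 0)
		return -1;
	while (len > 0) {
		ssize_t n = read(fd, p, len);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			close(fd);
			return -1;
		}
		if (n == 0) {	/* unexpected EOF: never treat as success */
			close(fd);
			errno = EIO;
			return -1;
		}
		p += n;
		len -= (size_t)n;
	}
	close(fd);
	return 0;
#endif
}

/* Generate the 32-bit seed used when a jhash rule omits the "seed" attribute. */
int hash_seed_generate(uint32_t *seed)
{
	return fill_random(seed, sizeof(*seed));
}

int main(void)
{
	uint32_t seed;

	if (hash_seed_generate(&seed) < 0) {
		perror("hash_seed_generate");
		return 1;
	}
	printf("seed source: %s, seed: 0x%08x\n", hash_seed_source(), seed);
	return 0;
}
```

Build it with `-DHAVE_GETRANDOM` on a glibc new enough to ship `<sys/random.h>` to exercise the getrandom path; without the macro the /dev/urandom path is compiled, which is the situation the thread describes for older libc versions.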