From mboxrd@z Thu Jan 1 00:00:00 1970
From: Laura Garcia Liebana
Subject: [PATCH v2 nft 1/4] src: make hash seed attribute optional
Date: Tue, 1 Nov 2016 16:02:41 +0100
Message-ID: <20161101150238.GA6832@sonyv>
To: netfilter-devel@vger.kernel.org

The hash expression requires a seed attribute to call the jhash operation, e.g.

  # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \
      seed 0xdeadbeef

With this patch the seed attribute is optional and it's generated by a random function from userspace, e.g.

  # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2

In order to generate a resilient random number, the syscall getrandom(2)[0] is used if detected. In the other case, the trivial rand() will be used.

[0] https://lwn.net/Articles/605828/

Suggested-by: Pablo Neira Ayuso
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Use getrandom(2) syscall instead of arc4random, suggested by Pablo.
- This case has no test case because the randomly generated seed in the payload won't match.

 configure.ac       | 22 +++++++++++++++++++++-
 include/hash.h     | 12 ++++++++++++
 src/parser_bison.y |  5 +++++
 3 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 7e0b75c..d21fe97 100644
--- a/configure.ac
+++ b/configure.ac
@@ -108,6 +108,24 @@ AC_DEFINE([HAVE_LIBXTABLES], [1], [0]) AC_SUBST(with_libxtables) AM_CONDITIONAL([BUILD_XTABLES], [test "x$with_libxtables" == xyes]) +AC_COMPILE_IFELSE( +[ + AC_LANG_SOURCE([[ + #include + #include + int main(){ + int s; + syscall(SYS_getrandom, &s, sizeof(s), 0); + } + ]]) +], [have_random=yes + AC_DEFINE([HAVE_GETRANDOM], [1], [] )], + [have_random=no]) + +AS_IF([test "x$have_random" != xno], +[have_random=getrandom], +[have_random=rand]) + # Checks for header files. AC_HEADER_STDC AC_HEADER_ASSERT @@ -158,4 +176,5 @@ nft configuration: enable debugging: ${with_debug} use mini-gmp: ${with_mini_gmp} enable pdf documentation: ${enable_pdf_doc} - libxtables support: ${with_libxtables}" + libxtables support: ${with_libxtables} + random used: ${have_random}" diff --git a/include/hash.h b/include/hash.h index bc8c86a..6d6badd 100644 --- a/include/hash.h +++ b/include/hash.h @@ -1,6 +1,18 @@ #ifndef NFTABLES_HASH_H #define NFTABLES_HASH_H +#ifdef HAVE_GETRANDOM +#include +#include +#define selrandom() ({ uint32_t s; \ + syscall(SYS_getrandom, &s, sizeof(s), 0); s; }) + +#else +#include +#include +#define selrandom() ({ srand(time(NULL)); (uint32_t)rand(); }) +#endif + extern struct expr *hash_expr_alloc(const struct location *loc, uint32_t modulus, uint32_t seed); diff --git a/src/parser_bison.y b/src/parser_bison.y index 106df27..6a24bec 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -2585,6 +2585,11 @@ hash_expr : JHASH expr MOD NUM SEED NUM $$ = hash_expr_alloc(&@$, $4, $6); $$->hash.expr = $2; } + | JHASH expr MOD NUM + { + $$ = hash_expr_alloc(&@$, $4, selrandom()); + $$->hash.expr = $2; + } ; rt_expr : RT rt_key -- 2.9.3
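Review bot: in the configure.ac AC_COMPILE_IFELSE hunk, the probe only compiles a reference to SYS_getrandom, so HAVE_GETRANDOM gets defined whenever the build host's kernel headers carry that constant, which says nothing about whether the kernel nft later runs on implements the call (the syscall is newer than many deployed kernels). Since the probe also discards the syscall's return value, a compile-time "yes" cannot be trusted on its own; either pair this check with a runtime ENOSYS fallback in the code that uses it, or turn it into a run test. Two smaller points: the AC_DEFINE description is the empty `[]`, give it a real description; and the two `#include` lines in the probe body show no header names in this copy, so please confirm the posted patch reads `#include <unistd.h>` and `#include <sys/syscall.h>` before it goes in.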
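Review bot: in the include/hash.h hunk, the getrandom branch of selrandom() never checks what `syscall(SYS_getrandom, &s, sizeof(s), 0)` returns: on ENOSYS (older kernel), EINTR or EAGAIN it leaves `s` uninitialised and that stack garbage silently becomes the hash seed. Check the return value and, on failure, fall back to something kernel-backed such as reading `/dev/urandom`, or report an error to the caller. The rand() branch is worse than no seed argument at all: `srand(time(NULL))` on every expansion makes the seed predictable to the second, gives two rules added in the same second the same seed, and resets the process-wide PRNG state for any other rand() user; rand() is also only guaranteed 15 bits (RAND_MAX >= 32767), so `(uint32_t)rand()` may cover a small fraction of the 32-bit seed space. Since the whole point of a seed is that an attacker cannot predict the hash mapping, I would rather fail loudly than degrade to this. Stylistically, a GNU statement-expression macro in a public header is hard to test; a function in src/ with an int error return would be cleaner.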
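Review bot: in the src/parser_bison.y hunk, the new `JHASH expr MOD NUM` rule fixes the seed at parse time, so every load of the same rule text produces a different seed, and because the value goes through hash_expr_alloc() exactly like an explicit one, listing the rule will presumably show the concrete seed. Both behaviours are user-visible and the patch changes no documentation; the man page should say that an omitted seed is chosen by nft at rule-add time and that reloading changes it. Also, because selrandom() has no error path, the parser action has no way to reject a rule when seed generation fails; if the helper gains an error return as suggested for hash.h, this action should emit a parse error instead of using a bad seed. The missing test mentioned in the v2 notes can still be added as a parse-only test that accepts the rule without asserting on the seed value.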
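As an added example, not part of this patch or of the nftables code base: a C seed helper that does what the patch's selrandom() macro intends, but handles the failure modes the macro ignores. It tries the raw getrandom(2) syscall first (no libc wrapper existed when this patch was written), retries on EINTR and short reads, falls back to /dev/urandom when the kernel answers ENOSYS, and returns an error rather than an uninitialised value when neither source works. The function names nft_seed_random, seed_from_getrandom and seed_from_urandom are assumptions for illustration, not nftables API.

```c
/* Added example (not nftables code): kernel-backed 32-bit hash seed
 * with explicit failure handling.  Function names are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Fill buf from /dev/urandom, retrying on EINTR and short reads.
 * Returns 0 on success, -1 on failure (errno set by open/read). */
static int seed_from_urandom(void *buf, size_t len)
{
	unsigned char *p = buf;
	int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);

	if (fd < 0)
		return -1;
	while (len > 0) {
		ssize_t n = read(fd, p, len);

		if (n < 0) {
			if (errno == EINTR)
				continue;
			close(fd);
			return -1;
		}
		if (n == 0) {          /* EOF on urandom: treat as failure */
			close(fd);
			return -1;
		}
		p += n;
		len -= (size_t)n;
	}
	close(fd);
	return 0;
}

/* Fill buf via the raw getrandom(2) syscall.  Returns 0 on success,
 * -1 on error; errno is ENOSYS when the running kernel lacks the call
 * even though the build headers defined SYS_getrandom. */
static int seed_from_getrandom(void *buf, size_t len)
{
#if defined(__linux__) && defined(SYS_getrandom)
	unsigned char *p = buf;

	while (len > 0) {
		long n = syscall(SYS_getrandom, p, len, 0);

		if (n < 0) {
			if (errno == EINTR)
				continue;
			return -1;     /* ENOSYS, EAGAIN, EFAULT, ... */
		}
		p += n;
		len -= (size_t)n;
	}
	return 0;
#else
	(void)buf;
	(void)len;
	errno = ENOSYS;
	return -1;
#endif
}

/* Obtain a 32-bit hash seed.  On success stores it in *out and returns 0.
 * On failure returns -1 and leaves *out untouched, so a caller can never
 * accidentally use an uninitialised seed (the defect in selrandom()). */
int nft_seed_random(uint32_t *out)
{
	uint32_t s;

	if (seed_from_getrandom(&s, sizeof(s)) == 0 ||
	    seed_from_urandom(&s, sizeof(s)) == 0) {
		*out = s;
		return 0;
	}
	return -1;
}

int main(void)
{
	uint32_t seed;

	if (nft_seed_random(&seed) < 0) {
		perror("nft_seed_random");
		return 1;
	}
	printf("seed 0x%08x\n", seed);
	return 0;
}
```

The fallback order matters: getrandom(2) is tried first because it needs no file descriptor and works inside a chroot without /dev, and /dev/urandom is only consulted when the kernel reports that the syscall does not exist. A deliberate non-choice is any time-seeded rand() path; when both kernel sources fail the helper reports an error so the parser can refuse the rule instead of installing a predictable seed.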