[PATCH next] nft_meta: add skb hash get support

[PATCH next] nft_meta: add skb hash get support

[Florian Westphal]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
NB1: Alternative is to place this in nft_hash, but that uses
an sreg so i think meta is fine.

NB2: This causes a compile warning wrt. __skb_get_hash_symmetric;
net-next tree contains a change to make its argument const so this
warning won't show up anymore one this commit makes it to net-next.

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 14e5f619167e..a931bd0dca6d 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -729,6 +729,8 @@ enum nft_exthdr_attributes {
  * @NFT_META_OIFGROUP: packet output interface group
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_HASH: skb hash
+ * @NFT_META_SYMHASH: symmetric skb hash
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -756,6 +758,8 @@ enum nft_meta_keys {
 	NFT_META_OIFGROUP,
 	NFT_META_CGROUP,
 	NFT_META_PRANDOM,
+	NFT_META_HASH,
+	NFT_META_SYMHASH,
 };
 
 /**
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 64994023bf81..ea6018e7a6c4 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -190,6 +190,12 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 		*dest = prandom_u32_state(state);
 		break;
 	}
+	case NFT_META_HASH:
+		*dest = skb_get_hash(pkt->skb);
+		break;
+	case NFT_META_SYMHASH:
+		*dest = __skb_get_hash_symmetric(skb);
+		break;
 	default:
 		WARN_ON(1);
 		goto err;
@@ -273,6 +279,8 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 #ifdef CONFIG_CGROUP_NET_CLASSID
 	case NFT_META_CGROUP:
 #endif
+	case NFT_META_HASH:
+	case NFT_META_SYMHASH:
 		len = sizeof(u32);
 		break;
 	case NFT_META_IIFNAME:
-- 
2.7.3

Re: [PATCH next] nft_meta: add skb hash get support

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 1907 bytes --]

Hi Florian,

[auto build test WARNING on next-20161028]

url:    https://github.com/0day-ci/linux/commits/Florian-Westphal/nft_meta-add-skb-hash-get-support/20161031-204758
config: i386-randconfig-x078-201644 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386 

All warnings (new ones prefixed by >>):

   net/netfilter/nft_meta.c: In function 'nft_meta_get_eval':
>> net/netfilter/nft_meta.c:197:36: warning: passing argument 1 of '__skb_get_hash_symmetric' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
      *dest = __skb_get_hash_symmetric(skb);
                                       ^~~
   In file included from include/linux/netlink.h:6:0,
                    from net/netfilter/nft_meta.c:14:
   include/linux/skbuff.h:1090:5: note: expected 'struct sk_buff *' but argument is of type 'const struct sk_buff *'
    u32 __skb_get_hash_symmetric(struct sk_buff *skb);
        ^~~~~~~~~~~~~~~~~~~~~~~~

vim +197 net/netfilter/nft_meta.c

   181		case NFT_META_CGROUP:
   182			sk = skb_to_full_sk(skb);
   183			if (!sk || !sk_fullsock(sk))
   184				goto err;
   185			*dest = sock_cgroup_classid(&sk->sk_cgrp_data);
   186			break;
   187	#endif
   188		case NFT_META_PRANDOM: {
   189			struct rnd_state *state = this_cpu_ptr(&nft_prandom_state);
   190			*dest = prandom_u32_state(state);
   191			break;
   192		}
   193		case NFT_META_HASH:
   194			*dest = skb_get_hash(pkt->skb);
   195			break;
   196		case NFT_META_SYMHASH:
 > 197			*dest = __skb_get_hash_symmetric(skb);
   198			break;
   199		default:
   200			WARN_ON(1);
   201			goto err;
   202		}
   203		return;
   204	
   205	err:

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 25103 bytes --]

Re: [PATCH next] nft_meta: add skb hash get support

[Pablo Neira Ayuso]

On Mon, Oct 31, 2016 at 01:44:29PM +0100, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> NB1: Alternative is to place this in nft_hash, but that uses
> an sreg so i think meta is fine.
> 
> NB2: This causes a compile warning wrt. __skb_get_hash_symmetric;
> net-next tree contains a change to make its argument const so this
> warning won't show up anymore one this commit makes it to net-next.

Let me send a nf-next pull request, then I'll resync so I can take
this and my pending core rework on top. Will be doing this at some
point today.

Re: [PATCH next] nft_meta: add skb hash get support

[Pablo Neira Ayuso]

On Mon, Oct 31, 2016 at 01:44:29PM +0100, Florian Westphal wrote:
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> NB1: Alternative is to place this in nft_hash, but that uses
> an sreg so i think meta is fine.

Right. We may still reuse all these attributes though if we use the
hash expression:

 * @NFTA_HASH_DREG: destination register (NLA_U32)
 * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
 * @NFTA_HASH_OFFSET: add this offset value to hash result (NLA_U32)

This would need a new NFTA_HASH_TYPE, defaulting on jhash.

Otherwise we would need a scaling expression in case we want to use
this new meta field for load balancing just like af_packet fanout. Do
you prefer to follow up this path?