From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Liping Zhang <zlpnobody@163.com>
Cc: netfilter-devel@vger.kernel.org, laura.garcia@zevenet.com,
Liping Zhang <zlpnobody@gmail.com>
Subject: Re: [PATCH nft] hash: generate a random seed if seed option is empty
Date: Thu, 13 Apr 2017 23:04:22 +0200
Message-ID: <20170413210422.GA2111@salvia>
In-Reply-To: <20170413205709.GA2039@salvia>
On Thu, Apr 13, 2017 at 10:57:09PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Apr 03, 2017 at 04:29:57PM +0800, Liping Zhang wrote:
> > From: Liping Zhang <zlpnobody@gmail.com>
> >
> > Typing the "nft add rule x y ct mark set jhash ip saddr mod 2" will
> > not generate a random seed, instead, the seed will always be zero.
> >
> > So if the seed option is empty, we should not set the NFTA_HASH_SEED
> > attribute, then a random seed will be generated in the kernel.
> >
> > Also: just to keep it simple, "seed 0" is equal to "seed opt is empty",
> > since this is not a big problem.
> >
> > Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
> > ---
> > Note, another kernel patch is necessary to avoid the annoying warning
> > from "nft-test.py ip/hash.t":
> > ip/hash.t: WARNING: line: 5: 'src/nft add rule --debug=netlink ip test-ip4
> > pre ct mark set jhash ip saddr . ip daddr mod 2': 'ct mark set jhash ip saddr
> > . ip daddr mod 2' mismatches 'ct mark set jhash ip saddr . ip daddr mod 2
> > seed 0xd6ab633c'
> >
> > src/netlink_linearize.c | 3 ++-
> > tests/py/ip/hash.t | 1 +
> > tests/py/ip/hash.t.payload | 7 +++++++
> > 3 files changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
> > index b2f27b7..0dba658 100644
> > --- a/src/netlink_linearize.c
> > +++ b/src/netlink_linearize.c
> > @@ -139,7 +139,8 @@ static void netlink_gen_hash(struct netlink_linearize_ctx *ctx,
> > }
> > netlink_put_register(nle, NFTNL_EXPR_HASH_DREG, dreg);
> > nftnl_expr_set_u32(nle, NFTNL_EXPR_HASH_MODULUS, expr->hash.mod);
> > - nftnl_expr_set_u32(nle, NFTNL_EXPR_HASH_SEED, expr->hash.seed);
> > + if (expr->hash.seed)
> > + nftnl_expr_set_u32(nle, NFTNL_EXPR_HASH_SEED, expr->hash.seed);
>
> I prefer we have a hash.seed_set, instead of relying on 0 meaning
> "unset".
>
> I'm thinking of people willing to implement some sort of poor man
> symmetric hashing with two rules, one per each direction. The seed
> needs to be the same so the jhash is consistent.
I'm thinking of things like:
iif eth0 jhash ip saddr . tcp dport seed 0xdeadbeef
iif eth1 jhash ip daddr . tcp sport seed 0xdeadbeef
I think it may be useful in case several uplinks are available, and
you want something a bit more configurable than symhash, at the cost
of having two rules, one per direction.
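The two-rule setup described in the message above, as an added example that is not part of the patch, the nft code base or the kernel sources: a user-space copy of the kernel's Jenkins jhash() (the algorithm in include/linux/jhash.h that the nft "jhash" expression uses), the eth0 and eth1 rules modelled as bucket functions, and a check that a forward packet and its reply land in the same bucket only because both rules share one explicit seed. The flow data is constructed; the key layout for the concatenation (address in one 32-bit register slot, the 16-bit port zero-padded in a second slot), little-endian word loads and the reciprocal_scale() bucket mapping are assumptions of this example.

```c
/* Added example, not from the patch or the nft/kernel sources: user-space
 * jhash() plus the two per-direction rules, to show that the shared seed is
 * what keeps the hashes consistent. Flow data below is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JHASH_INITVAL 0xdeadbeefU

static inline uint32_t rol32(uint32_t w, unsigned int s)
{
	return (w << s) | (w >> (32 - s));
}

/* Same mixing steps as the kernel's __jhash_mix / __jhash_final. */
#define JHASH_MIX(a, b, c) do {						\
	a -= c; a ^= rol32(c, 4);  c += b; b -= a; b ^= rol32(a, 6);  a += c; \
	c -= b; c ^= rol32(b, 8);  b += a; a -= c; a ^= rol32(c, 16); c += b; \
	b -= a; b ^= rol32(a, 19); a += c; c -= b; c ^= rol32(b, 4);  b += a; \
} while (0)

#define JHASH_FINAL(a, b, c) do {					\
	c ^= b; c -= rol32(b, 14); a ^= c; a -= rol32(c, 11);		\
	b ^= a; b -= rol32(a, 25); c ^= b; c -= rol32(b, 16);		\
	a ^= c; a -= rol32(c, 4);  b ^= a; b -= rol32(a, 14);		\
	c ^= b; c -= rol32(b, 24);					\
} while (0)

static uint32_t get_le32(const uint8_t *k)
{
	return (uint32_t)k[0] | (uint32_t)k[1] << 8 |
	       (uint32_t)k[2] << 16 | (uint32_t)k[3] << 24;
}

/* jhash(key, length, initval): 'initval' is the nft "seed". Word loads are
 * little-endian (assumption: x86 host). Adding a zero-padded tail block gives
 * the same sums as the kernel's byte-wise switch over the last 1..12 bytes. */
uint32_t jhash(const void *key, uint32_t length, uint32_t initval)
{
	const uint8_t *k = key;
	uint32_t a, b, c;

	a = b = c = JHASH_INITVAL + length + initval;
	while (length > 12) {
		a += get_le32(k); b += get_le32(k + 4); c += get_le32(k + 8);
		JHASH_MIX(a, b, c);
		length -= 12; k += 12;
	}
	if (length) {
		uint8_t tail[12] = {0};
		memcpy(tail, k, length);
		a += get_le32(tail); b += get_le32(tail + 4); c += get_le32(tail + 8);
		JHASH_FINAL(a, b, c);
	}
	return c;
}

struct flow {
	uint8_t saddr[4], daddr[4];  /* IPv4 addresses, network byte order */
	uint8_t sport[2], dport[2];  /* TCP ports, network byte order */
};

/* Constructed sample flow: 10.0.0.5:40000 -> 192.0.2.10:443. */
struct flow sample_flow(void)
{
	struct flow f = { .saddr = {10, 0, 0, 5}, .daddr = {192, 0, 2, 10},
			  .sport = {0x9c, 0x40}, .dport = {0x01, 0xbb} };
	return f;
}

/* The reply packet has addresses and ports swapped. */
struct flow reply_flow(const struct flow *f)
{
	struct flow r;
	memcpy(r.saddr, f->daddr, 4); memcpy(r.daddr, f->saddr, 4);
	memcpy(r.sport, f->dport, 2); memcpy(r.dport, f->sport, 2);
	return r;
}

#define KEY_LEN 8  /* "<addr> . <port>": two 32-bit register slots (assumed) */

/* Key bytes for "<addr> . <port>": address in the first slot, the 16-bit port
 * zero-padded in the second (layout is an assumption of this example). */
void make_key(const uint8_t addr[4], const uint8_t port[2], uint8_t key[KEY_LEN])
{
	memset(key, 0, KEY_LEN);
	memcpy(key, addr, 4);
	memcpy(key + 4, port, 2);
}

/* nft_hash maps the 32-bit hash onto [0, modulus) with reciprocal_scale(). */
static uint32_t reciprocal_scale(uint32_t val, uint32_t ep_ro)
{
	return (uint32_t)(((uint64_t)val * ep_ro) >> 32);
}

/* "iif eth0 jhash ip saddr . tcp dport mod <modulus> seed <seed>" */
uint32_t bucket_eth0(const struct flow *f, uint32_t seed, uint32_t modulus)
{
	uint8_t key[KEY_LEN];
	make_key(f->saddr, f->dport, key);
	return reciprocal_scale(jhash(key, KEY_LEN, seed), modulus);
}

/* "iif eth1 jhash ip daddr . tcp sport mod <modulus> seed <seed>" */
uint32_t bucket_eth1(const struct flow *f, uint32_t seed, uint32_t modulus)
{
	uint8_t key[KEY_LEN];
	make_key(f->daddr, f->sport, key);
	return reciprocal_scale(jhash(key, KEY_LEN, seed), modulus);
}

/* 1 if the eth0 rule's key for 'fwd' is byte-identical to the eth1 rule's
 * key for its reply: the seed is then the only input that can differ. */
int keys_identical(const struct flow *fwd)
{
	struct flow rev = reply_flow(fwd);
	uint8_t k0[KEY_LEN], k1[KEY_LEN];
	make_key(fwd->saddr, fwd->dport, k0);
	make_key(rev.daddr, rev.sport, k1);
	return memcmp(k0, k1, KEY_LEN) == 0;
}

/* 1 if the forward packet (eth0 rule, seed0) and its reply (eth1 rule, seed1)
 * land in the same bucket. Two kernel-generated seeds would usually split them. */
int symmetric_buckets(const struct flow *fwd, uint32_t seed0, uint32_t seed1,
		      uint32_t modulus)
{
	struct flow rev = reply_flow(fwd);
	return bucket_eth0(fwd, seed0, modulus) == bucket_eth1(&rev, seed1, modulus);
}

int main(void)
{
	struct flow f = sample_flow(), r = reply_flow(&f);
	uint32_t seed = 0xdeadbeef;

	printf("seed 0x%08x: eth0 bucket %u, eth1 bucket %u, symmetric=%d\n",
	       seed, bucket_eth0(&f, seed, 2), bucket_eth1(&r, seed, 2),
	       symmetric_buckets(&f, seed, seed, 2));
	return 0;
}
```

With the seed omitted on both rules, the kernel picks a seed per hash expression, so symmetric_buckets() called with two unrelated seeds models what happens to the pair of rules; only a seed written explicitly on both, as in the message above, guarantees the return path hashes the same way.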
Thread overview:
2017-04-03 8:29 [PATCH nft] hash: generate a random seed if seed option is empty Liping Zhang
2017-04-13 20:57 ` Pablo Neira Ayuso
2017-04-13 21:04 ` Pablo Neira Ayuso [this message]
2017-04-13 23:13 ` Liping Zhang