[PATCH] conntrackd: cache: fix zone entry uniqueness in external cache

[PATCH] conntrackd: cache: fix zone entry uniqueness in external cache

[Adam Casella]

In some use-cases, zone is used to differetiate conntrack state.  This preserves that uniqueness by adding zone into the cache in addtion to 5-tuple data
This preserves external-cache uniqueness per zone when synced.

Follow up fix to: https://git.netfilter.org/conntrack-tools/commit/?id=a08af5d26297eb85218a3c3a9e0991001a88cf10

Signed-off-by: Adam Casella <adam.casella1984@gmail.com>
---
 src/cache-ct.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/cache-ct.c b/src/cache-ct.c
index abcfde4..7e788d2 100644
--- a/src/cache-ct.c
+++ b/src/cache-ct.c
@@ -41,7 +41,8 @@ cache_hash4_ct(const struct nf_conntrack *ct, const struct hashtable *table)
 			  nfct_get_attr_u8(ct, ATTR_L4PROTO),
 		[3]	= nfct_get_attr_u16(ct, ATTR_PORT_SRC) << 16 |
 			  nfct_get_attr_u16(ct, ATTR_PORT_DST),
-	};
+                [4]     = nfct_get_attr_u16(ct, ATTR_ZONE),
+        };
 
 	/*
 	 * Instead of returning hash % table->hashsize (implying a divide)
@@ -50,13 +51,13 @@ cache_hash4_ct(const struct nf_conntrack *ct, const struct hashtable *table)
 	 * but using a multiply, less expensive than a divide. See:
 	 * http://www.mail-archive.com/netdev@vger.kernel.org/msg56623.html
 	 */
-	return ((uint64_t)jhash2(a, 4, 0) * table->hashsize) >> 32;
+	return ((uint64_t)jhash2(a, 5, 0) * table->hashsize) >> 32;
 }
 
 static uint32_t
 cache_hash6_ct(const struct nf_conntrack *ct, const struct hashtable *table)
 {
-	uint32_t a[10];
+	uint32_t a[11];
 
 	memcpy(&a[0], nfct_get_attr(ct, ATTR_IPV6_SRC), sizeof(uint32_t)*4);
 	memcpy(&a[4], nfct_get_attr(ct, ATTR_IPV6_DST), sizeof(uint32_t)*4);
@@ -64,8 +65,9 @@ cache_hash6_ct(const struct nf_conntrack *ct, const struct hashtable *table)
 	       nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO);
 	a[9] = nfct_get_attr_u16(ct, ATTR_ORIG_PORT_SRC) << 16 |
 	       nfct_get_attr_u16(ct, ATTR_ORIG_PORT_DST);
+        a[10] = nfct_get_attr_u16(ct, ATTR_ZONE);
 
-	return ((uint64_t)jhash2(a, 10, 0) * table->hashsize) >> 32;
+	return ((uint64_t)jhash2(a, 11, 0) * table->hashsize) >> 32;
 }
 
 static uint32_t
-- 
2.30.1 (Apple Git-130)

Re: [PATCH] conntrackd: cache: fix zone entry uniqueness in external cache

[Pablo Neira Ayuso]

Hi,

Applied, thanks.

Please, send your patches to netfilter-devel@vger.kernel.org next
time.

One comment below.

On Tue, Aug 17, 2021 at 01:31:25PM -0700, Adam Casella wrote:
> In some use-cases, zone is used to differetiate conntrack state.  This preserves that uniqueness by adding zone into the cache in addtion to 5-tuple data
> This preserves external-cache uniqueness per zone when synced.
> 
> Follow up fix to: https://git.netfilter.org/conntrack-tools/commit/?id=a08af5d26297eb85218a3c3a9e0991001a88cf10
> 
> Signed-off-by: Adam Casella <adam.casella1984@gmail.com>
> ---
>  src/cache-ct.c | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/src/cache-ct.c b/src/cache-ct.c
> index abcfde4..7e788d2 100644
> --- a/src/cache-ct.c
> +++ b/src/cache-ct.c
> @@ -41,7 +41,8 @@ cache_hash4_ct(const struct nf_conntrack *ct, const struct hashtable *table)
>  			  nfct_get_attr_u8(ct, ATTR_L4PROTO),
>  		[3]	= nfct_get_attr_u16(ct, ATTR_PORT_SRC) << 16 |
>  			  nfct_get_attr_u16(ct, ATTR_PORT_DST),
> -	};
> +                [4]     = nfct_get_attr_u16(ct, ATTR_ZONE),

This array has a size of 4 slots, you forgot to update it, in case you
are using this patch in production already.

I have fixed it here before applying.