From: Dirk Morris <dmorris@metaloft.com>
To: Florian Westphal <fw@strlen.de>, Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH net] netfilter: Use consistent ct id hash calculation
Date: Wed, 7 Aug 2019 22:01:54 -0700	[thread overview]
Message-ID: <f58a512a-0b74-c98d-067d-70ef67da0a95@metaloft.com> (raw)
In-Reply-To: <20190807234552.lnfuktyr7cpvocki@breakpoint.cc>



On 8/7/19 4:45 PM, Florian Westphal wrote:

> 
> So Pablos suggestion above should work just fine.
> Dirk, can you spin a v2 with that change?
> 

Yes, will do tomorrow.

Also, just an idea: I played around with adding a
u32 id to struct nf_conn and calculating the hash inside
__nf_conntrack_alloc when initialized, or even lazily in nf_ct_get_id.
This seems to work fine; you don't have to worry about anything changing,
and the hash is only calculated once.

I'm presuming this method was avoided for some reason, like keeping the struct
size to a minimum.

---
  include/net/netfilter/nf_conntrack.h |    3 +++
  net/netfilter/nf_conntrack_core.c    |   30 +++++++++++++++---------------
  2 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 93bbae8..9772ddc 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -74,6 +74,9 @@ struct nf_conn {
  	/* jiffies32 when this ct is considered dead */
  	u32 timeout;
  
+	/* ct id */
+	u32 id;
+
  	possible_net_t ct_net;
  
  #if IS_ENABLED(CONFIG_NF_NAT)
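Review bot: The comment `/* ct id */` on the new field tells a reader nothing beyond the name. The other hunks fill this field once in `__nf_conntrack_alloc()` from a keyed siphash that mixes in the object's address, and `nf_ct_get_id()` returns it unchanged, so I would write `/* value returned by nf_ct_get_id(): keyed hash computed once at allocation, never a raw pointer */`. The field sits between `u32 timeout` and `possible_net_t ct_net`, so on 64-bit builds it may land in existing padding rather than grow the struct; checking the layout with pahole would settle the size concern raised in the description. struct nf_conn begins and continues outside the hunk.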
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index ab73c5f..614fd86 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -312,21 +312,7 @@ EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
   */
  u32 nf_ct_get_id(const struct nf_conn *ct)
  {
-	static __read_mostly siphash_key_t ct_id_seed;
-	unsigned long a, b, c, d;
-
-	net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
-
-	a = (unsigned long)ct;
-	b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
-	c = (unsigned long)ct->ext;
-	d = (unsigned long)siphash(&ct->tuplehash, sizeof(ct->tuplehash),
-				   &ct_id_seed);
-#ifdef CONFIG_64BIT
-	return siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &ct_id_seed);
-#else
-	return siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &ct_id_seed);
-#endif
+    return ct->id;
  }
  EXPORT_SYMBOL_GPL(nf_ct_get_id);
  
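Review bot: The added `return ct->id;` line is indented with four spaces while the rest of the function uses tabs, so it should be re-indented with a single tab to match kernel style. The comment block that closes just above `nf_ct_get_id()` starts outside the hunk; if it describes how the id is derived, it should be updated, because the function is now a plain accessor and the derivation lives in `__nf_conntrack_alloc()`.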
@@ -1178,6 +1164,7 @@ __nf_conntrack_alloc(struct net *net,
  		     gfp_t gfp, u32 hash)
  {
  	struct nf_conn *ct;
+	static __read_mostly siphash_key_t ct_id_seed;
  
  	/* We don't want any race condition at early drop stage */
  	atomic_inc(&net->ct.count);
@@ -1215,6 +1202,19 @@ __nf_conntrack_alloc(struct net *net,
  
  	nf_ct_zone_add(ct, zone);
  
+	unsigned long a, b, c;
+	net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
+	a = (unsigned long)ct;
+	b = (unsigned long)ct->master ^ net_hash_mix(nf_ct_net(ct));
+	c = (unsigned long)siphash(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
+				   sizeof(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple),
+				   &ct_id_seed);
+#ifdef CONFIG_64BIT
+	ct->id = siphash_3u64((u64)a, (u64)b, (u64)c, &ct_id_seed);
+#else
+	ct->id = siphash_3u32((u32)a, (u32)b, (u32)c, &ct_id_seed);
+#endif
+
  	/* Because we use RCU lookups, we set ct_general.use to zero before
  	 * this is inserted in any list.
  	 */
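Review bot: `unsigned long a, b, c;` is declared after statements in the middle of `__nf_conntrack_alloc()`, which goes against the kernel convention of declaring at the start of the block and is likely to trigger a declaration-after-statement warning. It should move up beside `struct nf_conn *ct;` and the `ct_id_seed` added in the previous hunk. The hash also reads `ct->master` at allocation time. Where `master` is assigned is not visible here, but if that happens only after the allocator returns, `b` reduces to `net_hash_mix(nf_ct_net(ct))`, and the term should either be dropped or carry a comment such as `/* master is not set yet at alloc time; only the netns mix contributes */`. The function body starts and ends outside the hunk.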
