[v2] netfilter: nft_hash: Add hash offset value
diff mbox

Message ID 20160906064416.GA32396@sonyv
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Laura Garcia Sept. 6, 2016, 6:44 a.m. UTC
Add support to pass through an offset to the hash value. With this
feature, the sysadmin is able to generate a hash with a given
offset value.

Example:

	meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100

This option generates marks according to the source address from 100 to
101.

Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
---
Changes in v2:
	- Add check for hash + sum overflow.

 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nft_hash.c                 | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

Comments

Pablo Neira Ayuso Sept. 12, 2016, 6:31 p.m. UTC | #1
On Tue, Sep 06, 2016 at 08:44:19AM +0200, Laura Garcia Liebana wrote:
> Add support to pass through an offset to the hash value. With this
> feature, the sysadmin is able to generate a hash with a given
> offset value.
> 
> Example:
> 
> 	meta mark set jhash ip saddr mod 2 seed 0xabcd sum 100
> 
> This option generates marks according to the source address from 100 to
> 101.

Applied, thanks.

I have renamed all these to _OFFSET.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Liping Zhang Sept. 13, 2016, 6:25 a.m. UTC | #2
Hi Laura,

2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana <nevola@gmail.com>:
>  static int nft_hash_init(const struct nft_ctx *ctx,
> @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx,
>             !tb[NFTA_HASH_MODULUS])
>                 return -EINVAL;
>
> +       if (tb[NFTA_HASH_SUM])
> +               priv->sum = ntohl(nla_get_be32(tb[NFTA_HASH_SUM]));
> +       else
> +               priv->sum = 0;
> +
>         priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
>         if (priv->sreg < 0)
>                 return -ERANGE;
> @@ -77,6 +84,9 @@ static int nft_hash_init(const struct nft_ctx *ctx,
>         if (priv->modulus <= 1)
>                 return -ERANGE;
>
> +       if (priv->sum + priv->modulus - 1 < U32_MAX)
> +               return -EOVERFLOW;

I think this judgement here is wrong, it is likely to be true...

When two integer a and b do addition operation, and the calculation
results satisfy the
following conditions: (a + b < a) or (a + b < b), then we can assure
that integer overflow
happened.

So the judgement should be converted to:
     if (priv->sum + priv->modulus - 1 < priv->sum)

> +
>         priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED]));
>
>         return nft_validate_register_load(priv->sreg, priv->len) &&
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Laura Garcia Sept. 13, 2016, 7:59 a.m. UTC | #3
On Tue, Sep 13, 2016 at 02:25:03PM +0800, Liping Zhang wrote:
> Hi Laura,
> 
> 2016-09-06 14:44 GMT+08:00 Laura Garcia Liebana <nevola@gmail.com>:
> >  static int nft_hash_init(const struct nft_ctx *ctx,
> > @@ -60,6 +62,11 @@ static int nft_hash_init(const struct nft_ctx *ctx,
> >             !tb[NFTA_HASH_MODULUS])
> >                 return -EINVAL;
> >
> > +       if (tb[NFTA_HASH_SUM])
> > +               priv->sum = ntohl(nla_get_be32(tb[NFTA_HASH_SUM]));
> > +       else
> > +               priv->sum = 0;
> > +
> >         priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
> >         if (priv->sreg < 0)
> >                 return -ERANGE;
> > @@ -77,6 +84,9 @@ static int nft_hash_init(const struct nft_ctx *ctx,
> >         if (priv->modulus <= 1)
> >                 return -ERANGE;
> >
> > +       if (priv->sum + priv->modulus - 1 < U32_MAX)
> > +               return -EOVERFLOW;
> 
> I think this judgement here is wrong, it is likely to be true...
> 
> When two integer a and b do addition operation, and the calculation
> results satisfy the
> following conditions: (a + b < a) or (a + b < b), then we can assure
> that integer overflow
> happened.
> 
> So the judgement should be converted to:
>      if (priv->sum + priv->modulus - 1 < priv->sum)
> 

Absolutely true, i'll send a patch to fix that.

Thank you!

> > +
> >         priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED]));
> >
> >         return nft_validate_register_load(priv->sreg, priv->len) &&
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch
diff mbox

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 4dbeeed..8026684 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -764,6 +764,7 @@  enum nft_meta_keys {
  * @NFTA_HASH_LEN: source data length (NLA_U32)
  * @NFTA_HASH_MODULUS: modulus value (NLA_U32)
  * @NFTA_HASH_SEED: seed value (NLA_U32)
+ * @NFTA_HASH_SUM: Hash offset value (NLA_U32)
  */
 enum nft_hash_attributes {
 	NFTA_HASH_UNSPEC,
@@ -772,6 +773,7 @@  enum nft_hash_attributes {
 	NFTA_HASH_LEN,
 	NFTA_HASH_MODULUS,
 	NFTA_HASH_SEED,
+	NFTA_HASH_SUM,
 	__NFTA_HASH_MAX,
 };
 #define NFTA_HASH_MAX	(__NFTA_HASH_MAX - 1)
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index b7e3b40..2102c94 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -23,6 +23,7 @@  struct nft_hash {
 	u8			len;
 	u32			modulus;
 	u32			seed;
+	u32			sum;
 };
 
 static void nft_hash_eval(const struct nft_expr *expr,
@@ -35,7 +36,7 @@  static void nft_hash_eval(const struct nft_expr *expr,
 
 	h = reciprocal_scale(jhash(data, priv->len, priv->seed), priv->modulus);
 
-	regs->data[priv->dreg] = h;
+	regs->data[priv->dreg] = priv->sum + h;
 }
 
 const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
@@ -44,6 +45,7 @@  const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
 	[NFTA_HASH_LEN]			= { .type = NLA_U32 },
 	[NFTA_HASH_MODULUS]		= { .type = NLA_U32 },
 	[NFTA_HASH_SEED]		= { .type = NLA_U32 },
+	[NFTA_HASH_SUM]			= { .type = NLA_U32 },
 };
 
 static int nft_hash_init(const struct nft_ctx *ctx,
@@ -60,6 +62,11 @@  static int nft_hash_init(const struct nft_ctx *ctx,
 	    !tb[NFTA_HASH_MODULUS])
 		return -EINVAL;
 
+	if (tb[NFTA_HASH_SUM])
+		priv->sum = ntohl(nla_get_be32(tb[NFTA_HASH_SUM]));
+	else
+		priv->sum = 0;
+
 	priv->sreg = nft_parse_register(tb[NFTA_HASH_SREG]);
 	if (priv->sreg < 0)
 		return -ERANGE;
@@ -77,6 +84,9 @@  static int nft_hash_init(const struct nft_ctx *ctx,
 	if (priv->modulus <= 1)
 		return -ERANGE;
 
+	if (priv->sum + priv->modulus - 1 < U32_MAX)
+		return -EOVERFLOW;
+
 	priv->seed = ntohl(nla_get_be32(tb[NFTA_HASH_SEED]));
 
 	return nft_validate_register_load(priv->sreg, priv->len) &&
@@ -99,7 +109,9 @@  static int nft_hash_dump(struct sk_buff *skb,
 		goto nla_put_failure;
 	if (nft_dump_register(skb, NFTA_HASH_SEED, priv->seed))
 		goto nla_put_failure;
-
+	if (priv->sum != 0)
+		if (nla_put_be32(skb, NFTA_HASH_SUM, htonl(priv->sum)))
+			goto nla_put_failure;
 	return 0;
 
 nla_put_failure: