{"id":2230061,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2230061/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260429063004.23002-1-fw@strlen.de/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260429063004.23002-1-fw@strlen.de>","date":"2026-04-29T06:30:00","name":"[nf-next] netfilter: nf_conncount: use per-rule hash initval","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"0dd290aeecd7fa92bef52076acabbf91db3d651b","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/1.1/people/1025/?format=json","name":"Florian Westphal","email":"fw@strlen.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260429063004.23002-1-fw@strlen.de/mbox/","series":[{"id":501999,"url":"http://patchwork.ozlabs.org/api/1.1/series/501999/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501999","date":"2026-04-29T06:30:00","name":"[nf-next] netfilter: nf_conncount: use per-rule hash initval","version":1,"mbox":"http://patchwork.ozlabs.org/series/501999/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2230061/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2230061/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12283-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.105.105.114; helo=tor.lore.kernel.org;\n 
envelope-from=netfilter-devel+bounces-12283-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org [172.105.105.114])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g56qk3cmBz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 16:30:26 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 60CCC302B231\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 06:30:16 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 4F89833F8B4;\n\tWed, 29 Apr 2026 06:30:13 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 74F2E32AAD6\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 29 Apr 2026 06:30:11 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 8A84360640; Wed, 29 Apr 2026 08:30:09 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777444213; cv=none;\n b=ZwxeGItVYoX6fZn/TOBYBMSGfYb1Yg5u6XKQIv4oxuynuguxo+qMHiC3MOGQTDutbIjhBgMCB+cqgrkfaQ96fotx3v7O/4ul+Ub5u9V47xdo8fDUnh79RNKRaQ01fSm2G7pwGfQQ5hHxdVYJwt3PesxoVgzEDhemhWFPP1WRt0U=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777444213; 
c=relaxed/simple;\n\tbh=j7okPnt+BFhibLFAZFWC6Rbph5KE4HvftetFCj4DZJI=;\n\th=From:To:Cc:Subject:Date:Message-ID:MIME-Version;\n b=qWDFxV3JPE6ZTiTRT96/MDt0AmR0er05aFu/j7eTE2HXDK+9UmWf2NrQv0tMitycP+NxA7ulRDvRDOBr2/veHxqrloqemM9VlTUHl9DQ2qc12mKnZ56Hz8gVb9GKRbMX3IH9NH1Mpa4H+HO/DYQs/vkOQC8Wc+w3aVjE0JtYl3g=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30","From":"Florian Westphal <fw@strlen.de>","To":"<netfilter-devel@vger.kernel.org>","Cc":"Florian Westphal <fw@strlen.de>","Subject":"[PATCH nf-next] netfilter: nf_conncount: use per-rule hash initval","Date":"Wed, 29 Apr 2026 08:30:00 +0200","Message-ID":"<20260429063004.23002-1-fw@strlen.de>","X-Mailer":"git-send-email 2.54.0","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"As-is, different netns will use same slots if the key is the same.\nOVS uses this infrastructure to limit conntrack counts per zones.\nThose can easily overlap. 
Make them hash to different slots internally.\n\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n net/netfilter/nf_conncount.c | 7 +++----\n 1 file changed, 3 insertions(+), 4 deletions(-)","diff":"diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c\nindex 00eed5b4d1b1..ab28b47395bd 100644\n--- a/net/netfilter/nf_conncount.c\n+++ b/net/netfilter/nf_conncount.c\n@@ -58,6 +58,7 @@ static spinlock_t nf_conncount_locks[CONNCOUNT_SLOTS] __cacheline_aligned_in_smp\n \n struct nf_conncount_data {\n \tunsigned int keylen;\n+\tu32 initval;\n \tstruct rb_root root[CONNCOUNT_SLOTS];\n \tstruct net *net;\n \tstruct work_struct gc_work;\n@@ -65,7 +66,6 @@ struct nf_conncount_data {\n \tunsigned int gc_tree;\n };\n \n-static u_int32_t conncount_rnd __read_mostly;\n static struct kmem_cache *conncount_rb_cachep __read_mostly;\n static struct kmem_cache *conncount_conn_cachep __read_mostly;\n \n@@ -496,7 +496,7 @@ count_tree(struct net *net,\n \tstruct nf_conncount_rb *rbconn;\n \tunsigned int hash;\n \n-\thash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;\n+\thash = jhash2(key, data->keylen, data->initval) % CONNCOUNT_SLOTS;\n \troot = &data->root[hash];\n \n \tparent = rcu_dereference_raw(root->rb_node);\n@@ -630,8 +630,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen\n \t    keylen == 0)\n \t\treturn ERR_PTR(-EINVAL);\n \n-\tnet_get_random_once(&conncount_rnd, sizeof(conncount_rnd));\n-\n \tdata = kmalloc_obj(*data);\n \tif (!data)\n \t\treturn ERR_PTR(-ENOMEM);\n@@ -641,6 +639,7 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen\n \n \tdata->keylen = keylen / sizeof(u32);\n \tdata->net = net;\n+\tdata->initval = get_random_u32();\n \tINIT_WORK(&data->gc_work, tree_gc_worker);\n \n \treturn data;\n","prefixes":["nf-next"]}
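Review bot: in the count_tree() hunk, where the seed changes from conncount_rnd to data->initval, the changelog does not say which "slots" are shared between instances. The visible context has `struct rb_root root[CONNCOUNT_SLOTS]` inside struct nf_conncount_data, so each instance already owns its trees, and the only global per-slot object in view is `nf_conncount_locks[CONNCOUNT_SLOTS]`. If the aim is to stop identical keys in different netns or zones from landing on the same lock, please say so in the commit message.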
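Review bot: in the struct nf_conncount_data hunk, the new `u32 initval` field is undocumented. Suggest a one-line comment saying it is the per-instance jhash2() seed, assigned once in nf_conncount_init() and not changed afterwards. count_tree() derives the index into data->root[] from it, so a later change would make lookups go to a different slot than the one an entry was inserted into.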