ipv6: use a stronger hash for tcp

It looks like its possible to open thousands of TCP IPv6
sessions on a server, all landing in a single slot of TCP hash
table. Incoming packets have to lookup sockets in a very
long list.

We should hash all bits from foreign IPv6 addresses, using
a salt and hash mix, not a simple XOR.

inet6_ehashfn() can also separately use the ports, instead
of xoring them.

Reported-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
index 7ca75cbbf75e2071ed068276c8f69f1a11990b2a..fd4ee016ba5cd5e4dc87b08cf06aef17a6b9cc27 100644 (file)
--- a/include/net/inet6_hashtables.h
+++ b/include/net/inet6_hashtables.h
@@ -28,16 +28,16 @@
 
 struct inet_hashinfo;
 
-/* I have no idea if this is a good hash for v6 or not. -DaveM */
 static inline unsigned int inet6_ehashfn(struct net *net,
                                const struct in6_addr *laddr, const u16 lport,
                                const struct in6_addr *faddr, const __be16 fport)
 {
-       u32 ports = (lport ^ (__force u16)fport);
+       u32 ports = (((u32)lport) << 16) | (__force u32)fport;
 
        return jhash_3words((__force u32)laddr->s6_addr32[3],
-                           (__force u32)faddr->s6_addr32[3],
-                           ports, inet_ehash_secret + net_hash_mix(net));
+                           ipv6_addr_jhash(faddr),
+                           ports,
+                           inet_ehash_secret + net_hash_mix(net));
 }
 
 static inline int inet6_sk_ehashfn(const struct sock *sk)

diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
index a4196cbc84eca774d45a2d275f4a38eb5be775f3..7235ae73a1e8d07a905d6803017d341d951e8f56 100644 (file)
--- a/include/net/inet_sock.h
+++ b/include/net/inet_sock.h
@@ -203,6 +203,7 @@ static inline void inet_sk_copy_descendant(struct sock *sk_to,
 extern int inet_sk_rebuild_header(struct sock *sk);
 
 extern u32 inet_ehash_secret;
+extern u32 ipv6_hash_secret;
 extern void build_ehash_secret(void);
 
 static inline unsigned int inet_ehashfn(struct net *net,

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 851d5412a299ba95510305f35cf45bdd7b55dbdc..64d12e77719afd26b95333a8a145b50301cef440 100644 (file)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -15,6 +15,7 @@
 
 #include <linux/ipv6.h>
 #include <linux/hardirq.h>
+#include <linux/jhash.h>
 #include <net/if_inet6.h>
 #include <net/ndisc.h>
 #include <net/flow.h>
@@ -514,6 +515,17 @@ static inline u32 ipv6_addr_hash(const struct in6_addr *a)
 #endif
 }
 
+/* more secured version of ipv6_addr_hash() */
+static inline u32 ipv6_addr_jhash(const struct in6_addr *a)
+{
+       u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1];
+
+       return jhash_3words(v,
+                           (__force u32)a->s6_addr32[2],
+                           (__force u32)a->s6_addr32[3],
+                           ipv6_hash_secret);
+}
+
 static inline bool ipv6_addr_loopback(const struct in6_addr *a)
 {
 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index e225a4e5b572a5283b8c146f18d47dfc3d5f0e8e..9cbcb94a4c6df5e205a835ee8e77dc750a866576 100644 (file)
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -248,8 +248,12 @@ EXPORT_SYMBOL(inet_listen);
 u32 inet_ehash_secret __read_mostly;
 EXPORT_SYMBOL(inet_ehash_secret);
 
+u32 ipv6_hash_secret __read_mostly;
+EXPORT_SYMBOL(ipv6_hash_secret);
+
 /*
- * inet_ehash_secret must be set exactly once
+ * inet_ehash_secret must be set exactly once, and to a non nul value
+ * ipv6_hash_secret must be set exactly once.
  */
 void build_ehash_secret(void)
 {
@@ -259,7 +263,8 @@ void build_ehash_secret(void)
                get_random_bytes(&rnd, sizeof(rnd));
        } while (rnd == 0);
 
-       cmpxchg(&inet_ehash_secret, 0, rnd);
+       if (cmpxchg(&inet_ehash_secret, 0, rnd) == 0)
+               get_random_bytes(&ipv6_hash_secret, sizeof(ipv6_hash_secret));
 }
 EXPORT_SYMBOL(build_ehash_secret);