inet: switch IP ID generator to siphash
authorEric Dumazet <edumazet@google.com>
Wed, 27 Mar 2019 19:40:33 +0000 (12:40 -0700)
committerStricted <info@stricted.net>
Fri, 16 Oct 2020 20:56:05 +0000 (20:56 +0000)
[ Upstream commit df453700e8d81b1bdafdf684365ee2b9431fb702 ]

According to Amit Klein and Benny Pinkas, IP ID generation is too weak
and might be used by attackers.

Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
having 64bit key and Jenkins hash is risky.

It is time to switch to siphash and its 128bit keys.

Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2019-18282
Bug: 148588557

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jignesh Patel <jignesh@motorola.com>
Change-Id: I9593781a735940aaedf8e6b38fef02b48169bd12
Reviewed-on: https://gerrit.mot.com/1572721
SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key

include/linux/siphash.h
include/net/netns/ipv4.h
net/ipv4/route.c
net/ipv6/output_core.c

index fa7a6b9cedbffeac141a157790115288132f43e9..bf21591a9e5e653585c26cb3f3f0857256c0eb89 100644 (file)
@@ -21,6 +21,11 @@ typedef struct {
        u64 key[2];
 } siphash_key_t;
 
+static inline bool siphash_key_is_zero(const siphash_key_t *key)
+{
+       return !(key->key[0] | key->key[1]);
+}
+
 u64 __siphash_aligned(const void *data, size_t len, const siphash_key_t *key);
 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
 u64 __siphash_unaligned(const void *data, size_t len, const siphash_key_t *key);
index 8fcff283748444fd561ffe1be00b95dcbb84710d..a2e4adafd34da6d1f6d91deb02892115706de199 100644 (file)
@@ -9,6 +9,7 @@
 #include <linux/uidgid.h>
 #include <net/inet_frag.h>
 #include <linux/rcupdate.h>
+#include <linux/siphash.h>
 
 struct tcpm_hash_bucket;
 struct ctl_table_header;
@@ -164,5 +165,6 @@ struct netns_ipv4 {
        unsigned int    fib_seq;        /* protected by rtnl_mutex */
 
        atomic_t        rt_genid;
+       siphash_key_t   ip_id_key;
 };
 #endif
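Review bot: The new `ip_id_key` member has no comment, unlike `fib_seq` just above it, and two things about it are not obvious from the declaration. It is seeded lazily on first use, with an all-zero value meaning "not yet seeded", and it also keys the IPv6 ident generator in net/ipv6/output_core.c despite living in `struct netns_ipv4`. A comment such as `siphash_key_t ip_id_key; /* keys IPv4 and IPv6 ident hashing; all-zero until first use */` would record both facts at the declaration.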
index a1bf87711bfaa077584dd98c30eed88f45d24417..699b63f04d1eaf8fdb4d5eeecf8932dd45e02acf 100644 (file)
@@ -517,15 +517,17 @@ EXPORT_SYMBOL(ip_idents_reserve);
 
 void __ip_select_ident(struct net *net, struct iphdr *iph, int segs)
 {
-       static u32 ip_idents_hashrnd __read_mostly;
        u32 hash, id;
 
-       net_get_random_once(&ip_idents_hashrnd, sizeof(ip_idents_hashrnd));
+       /* Note the following code is not safe, but this is okay. */
+       if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+               get_random_bytes(&net->ipv4.ip_id_key,
+                                sizeof(net->ipv4.ip_id_key));
 
-       hash = jhash_3words((__force u32)iph->daddr,
+       hash = siphash_3u32((__force u32)iph->daddr,
                            (__force u32)iph->saddr,
-                           iph->protocol ^ net_hash_mix(net),
-                           ip_idents_hashrnd);
+                           iph->protocol,
+                           &net->ipv4.ip_id_key);
        id = ip_idents_reserve(hash, segs);
        iph->id = htons(id);
 }
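Review bot: The comment `/* Note the following code is not safe, but this is okay. */` above the lazy key seeding does not say what is unsafe or why it is tolerated. As written, two CPUs can both observe an all-zero `ip_id_key` and both call get_random_bytes(), and a concurrent `siphash_3u32()` can read the 16-byte key while it is half written, so a few early IDs may be hashed under a different or only partly random key. I would state that in the comment, e.g. `/* Racy lazy seeding: concurrent first callers may overwrite the key or hash with a partly written one; only the first few IDs are affected. */`. Presumably seeding is deferred to first use so the key is not drawn before the RNG is ready; if so, that is worth stating too. The same block and comment are repeated in __ipv6_select_ident() in net/ipv6/output_core.c, so a single shared helper would keep the two copies from drifting.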
index 4fe7c90962ddae3356200376aa911bab6d75bb48..868ae23dbae195de0e81fcad2566af2420294d7e 100644 (file)
 #include <net/secure_seq.h>
 #include <linux/netfilter.h>
 
-static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
+static u32 __ipv6_select_ident(struct net *net,
                               const struct in6_addr *dst,
                               const struct in6_addr *src)
 {
+       const struct {
+               struct in6_addr dst;
+               struct in6_addr src;
+       } __aligned(SIPHASH_ALIGNMENT) combined = {
+               .dst = *dst,
+               .src = *src,
+       };
        u32 hash, id;
 
-       hash = __ipv6_addr_jhash(dst, hashrnd);
-       hash = __ipv6_addr_jhash(src, hash);
-       hash ^= net_hash_mix(net);
+       /* Note the following code is not safe, but this is okay. */
+       if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
+               get_random_bytes(&net->ipv4.ip_id_key,
+                                sizeof(net->ipv4.ip_id_key));
+
+       hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
 
        /* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
         * set the hight order instead thus minimizing possible future
@@ -41,7 +51,6 @@ static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
  */
 __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
 {
-       static u32 ip6_proxy_idents_hashrnd __read_mostly;
        struct in6_addr buf[2];
        struct in6_addr *addrs;
        u32 id;
@@ -53,11 +62,7 @@ __be32 ipv6_proxy_select_ident(struct net *net, struct sk_buff *skb)
        if (!addrs)
                return 0;
 
-       net_get_random_once(&ip6_proxy_idents_hashrnd,
-                           sizeof(ip6_proxy_idents_hashrnd));
-
-       id = __ipv6_select_ident(net, ip6_proxy_idents_hashrnd,
-                                &addrs[1], &addrs[0]);
+       id = __ipv6_select_ident(net, &addrs[1], &addrs[0]);
        return htonl(id);
 }
 EXPORT_SYMBOL_GPL(ipv6_proxy_select_ident);
@@ -66,12 +71,9 @@ __be32 ipv6_select_ident(struct net *net,
                         const struct in6_addr *daddr,
                         const struct in6_addr *saddr)
 {
-       static u32 ip6_idents_hashrnd __read_mostly;
        u32 id;
 
-       net_get_random_once(&ip6_idents_hashrnd, sizeof(ip6_idents_hashrnd));
-
-       id = __ipv6_select_ident(net, ip6_idents_hashrnd, daddr, saddr);
+       id = __ipv6_select_ident(net, daddr, saddr);
        return htonl(id);
 }
 EXPORT_SYMBOL(ipv6_select_ident);