author: Florian Westphal <fw@strlen.de> 2023-07-04 12:25:23 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2023-07-05 14:42:16 +0200
commit: eaf9e7192ec9af2fbf1b6eb2299dd0feca6c5f7e (patch)
tree: a3839f7937a1e05279a2c1d4c2046cac7d4f2370 /include
parent: netfilter: conntrack: Avoid nf_ct_helper_hash uses after free (diff)
netfilter: conntrack: don't fold port numbers into addresses before hashing
Originally this used jhash2() over tuple and folded the zone id, the pernet hash value, destination port and l4 protocol number into the 32bit seed value.

When the switch to siphash was done, I used an on-stack temporary buffer to build a suitable key to be hashed via siphash(). But this showed up as performance regression, so I got rid of the temporary copy and collected to-be-hashed data in 4 u64 variables.

This makes it easy to build tuples that produce the same hash, which isn't desirable even though chain lengths are limited.

Switch back to plain siphash, but just like with jhash2(), take advantage of the fact that most of to-be-hashed data is already in a suitable order.

Use an empty struct as annotation in 'struct nf_conntrack_tuple' to mark last member that can be used as hash input.

The only remaining data that isn't present in the tuple structure are the zone identifier and the pernet hash: fold those into the key.

Fixes: d2c806abcf0b ("netfilter: conntrack: use siphash_4u64")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r-- include/net/netfilter/nf_conntrack_tuple.h | 3
1 files changed, 3 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index 9334371c94e2..f7dd950ff250 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -67,6 +67,9 @@ struct nf_conntrack_tuple {
/* The protocol. */
u_int8_t protonum;
+ /* The direction must be ignored for the tuplehash */
+ struct { } __nfct_hash_offsetend;
+
/* The direction (for tuplehash) */
u_int8_t dir;
} dst;
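Review bot: the comment placed on the new zero-size marker, "The direction must be ignored for the tuplehash", describes the `dir` field that follows it rather than what `__nfct_hash_offsetend` itself is for, and it duplicates the existing "The direction (for tuplehash)" comment two lines below. Since the commit message says the empty struct marks the last member usable as hash input, the comment should state that contract directly, e.g. "/* Hash input ends here: any field that must feed the tuple hash goes above this marker */", so that a future member added to struct nf_conntrack_tuple is not placed after the marker and silently left out of the hash (which would make more tuples collide on the same bucket). It is also worth a short note that an empty struct member is a GNU C extension whose only purpose here is its offset, so it must stay empty and must not be given an alignment attribute, otherwise padding between `protonum` and the marker would become part of the hashed region.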