Commit 08dcdbf6 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

ipv6: use a stronger hash for tcp

It looks like its possible to open thousands of TCP IPv6
sessions on a server, all landing in a single slot of TCP hash
table. Incoming packets have to lookup sockets in a very
long list.

We should hash all bits from foreign IPv6 addresses, using
a salt and hash mix, not a simple XOR.

inet6_ehashfn() can also separately use the ports, instead
of xoring them.
Reported-by: default avatarNeal Cardwell <ncardwell@google.com>
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 0ab8a9f5
...@@ -28,16 +28,16 @@ ...@@ -28,16 +28,16 @@
struct inet_hashinfo; struct inet_hashinfo;
/* I have no idea if this is a good hash for v6 or not. -DaveM */
static inline unsigned int inet6_ehashfn(struct net *net, static inline unsigned int inet6_ehashfn(struct net *net,
const struct in6_addr *laddr, const u16 lport, const struct in6_addr *laddr, const u16 lport,
const struct in6_addr *faddr, const __be16 fport) const struct in6_addr *faddr, const __be16 fport)
{ {
u32 ports = (lport ^ (__force u16)fport); u32 ports = (((u32)lport) << 16) | (__force u32)fport;
return jhash_3words((__force u32)laddr->s6_addr32[3], return jhash_3words((__force u32)laddr->s6_addr32[3],
(__force u32)faddr->s6_addr32[3], ipv6_addr_jhash(faddr),
ports, inet_ehash_secret + net_hash_mix(net)); ports,
inet_ehash_secret + net_hash_mix(net));
} }
static inline int inet6_sk_ehashfn(const struct sock *sk) static inline int inet6_sk_ehashfn(const struct sock *sk)
......
...@@ -203,6 +203,7 @@ static inline void inet_sk_copy_descendant(struct sock *sk_to, ...@@ -203,6 +203,7 @@ static inline void inet_sk_copy_descendant(struct sock *sk_to,
extern int inet_sk_rebuild_header(struct sock *sk); extern int inet_sk_rebuild_header(struct sock *sk);
extern u32 inet_ehash_secret; extern u32 inet_ehash_secret;
extern u32 ipv6_hash_secret;
extern void build_ehash_secret(void); extern void build_ehash_secret(void);
static inline unsigned int inet_ehashfn(struct net *net, static inline unsigned int inet_ehashfn(struct net *net,
......
...@@ -15,6 +15,7 @@ ...@@ -15,6 +15,7 @@
#include <linux/ipv6.h> #include <linux/ipv6.h>
#include <linux/hardirq.h> #include <linux/hardirq.h>
#include <linux/jhash.h>
#include <net/if_inet6.h> #include <net/if_inet6.h>
#include <net/ndisc.h> #include <net/ndisc.h>
#include <net/flow.h> #include <net/flow.h>
...@@ -514,6 +515,17 @@ static inline u32 ipv6_addr_hash(const struct in6_addr *a) ...@@ -514,6 +515,17 @@ static inline u32 ipv6_addr_hash(const struct in6_addr *a)
#endif #endif
} }
/* more secured version of ipv6_addr_hash() */
static inline u32 ipv6_addr_jhash(const struct in6_addr *a)
{
u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1];
return jhash_3words(v,
(__force u32)a->s6_addr32[2],
(__force u32)a->s6_addr32[3],
ipv6_hash_secret);
}
static inline bool ipv6_addr_loopback(const struct in6_addr *a) static inline bool ipv6_addr_loopback(const struct in6_addr *a)
{ {
#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
......
...@@ -248,8 +248,12 @@ EXPORT_SYMBOL(inet_listen); ...@@ -248,8 +248,12 @@ EXPORT_SYMBOL(inet_listen);
u32 inet_ehash_secret __read_mostly; u32 inet_ehash_secret __read_mostly;
EXPORT_SYMBOL(inet_ehash_secret); EXPORT_SYMBOL(inet_ehash_secret);
u32 ipv6_hash_secret __read_mostly;
EXPORT_SYMBOL(ipv6_hash_secret);
/* /*
* inet_ehash_secret must be set exactly once * inet_ehash_secret must be set exactly once, and to a non nul value
* ipv6_hash_secret must be set exactly once.
*/ */
void build_ehash_secret(void) void build_ehash_secret(void)
{ {
...@@ -259,7 +263,8 @@ void build_ehash_secret(void) ...@@ -259,7 +263,8 @@ void build_ehash_secret(void)
get_random_bytes(&rnd, sizeof(rnd)); get_random_bytes(&rnd, sizeof(rnd));
} while (rnd == 0); } while (rnd == 0);
cmpxchg(&inet_ehash_secret, 0, rnd); if (cmpxchg(&inet_ehash_secret, 0, rnd) == 0)
get_random_bytes(&ipv6_hash_secret, sizeof(ipv6_hash_secret));
} }
EXPORT_SYMBOL(build_ehash_secret); EXPORT_SYMBOL(build_ehash_secret);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment