From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-qk0-x241.google.com (mail-qk0-x241.google.com [IPv6:2607:f8b0:400d:c09::241])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by lists.bufferbloat.net (Postfix) with ESMTPS id 53FCE3B2A4;
        Fri, 20 Jan 2017 16:47:01 -0500 (EST)
Received: by mail-qk0-x241.google.com with SMTP id u25so2732609qki.2;
        Fri, 20 Jan 2017 13:47:01 -0800 (PST)
MIME-Version: 1.0
From: Dave Taht
Date: Fri, 20 Jan 2017 13:47:00 -0800
To: Eric Dumazet
Cc: cake@lists.bufferbloat.net
Content-Type: text/plain; charset=UTF-8
Subject: Re: [Cake] fq_codel leveraging the skb->hash now in net-next
List-Id: Cake - FQ_codel the next generation
X-List-Received-Date: Fri, 20 Jan 2017 21:47:01 -0000

On Fri, Jan 20, 2017 at 1:36 PM, Eric Dumazet wrote:
> The 0 case is checked.
>
> If skb->hash == 0 or a non-L4 hash was stored in skb->hash, we call
> the same flow dissector code as before ;)
>
> And each host has normally:
>
> 1) Boot time generated RSS keys on NIC providing skb->hash
> 2) A boot time random number
>
> static u32 hashrnd __read_mostly;
> static __always_inline void __flow_hash_secret_init(void)
> {
>         net_get_random_once(&hashrnd, sizeof(hashrnd));
> }
>
> u32 flow_hash_from_keys(struct flow_keys *keys)
> {
>         __flow_hash_secret_init();
>         return __flow_hash_from_keys(keys, hashrnd);
> }
> EXPORT_SYMBOL(flow_hash_from_keys);
>
> static inline u32 ___skb_get_hash(const struct sk_buff *skb,
>                                   struct flow_keys *keys, u32 keyval)
> {
>         skb_flow_dissect_flow_keys(skb, keys,
>                                    FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL);
>
>         return __flow_hash_from_keys(keys, keyval);
> }
>
> So an attacker has no way to guess in which slot of the hash table a
> particular flow will end up.

Groovy. Safe to backport to 4.4 (LEDE/OpenWrt)?

> For the record, I will add (optional) pacing to fq_codel.

BBR is one less step away from world domination then!

My dream has always been to have all timestamping be on ingress, thus
eliminating that within fq_codel also, thus measuring CPU overload on
queuing within Linux itself. This would also tend toward favoring local
TCP flows (I think), slightly, in the fq_codel case.

But perhaps I'm still dreaming too hard.

>
> On Fri, Jan 20, 2017 at 1:29 PM, Dave Taht wrote:
>> It's not clear to me if all the encapsulation types (6rd for
>> example?), or drivers, are generating an skb->hash (or as of what
>> release of Linux they did), and there's no error checking for 0, and
>> whether or not they are being permuted in skb->hash (otherwise all
>> Linux implementations in the world will end up hashing the same way on
>> the same combination of IPs and ports),
>>
>> but I tend to trust Eric to get it right, and hashing here was always
>> the 2nd or 3rd biggest hotspot in fq_codel.
>>
>> https://www.mail-archive.com/netdev@vger.kernel.org/msg148598.html
>>
>> --
>> Dave Täht
>> Let's go make home routers and wifi faster! With better software!
>> http://blog.cerowrt.org

-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org
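The point Eric makes above, and the worry Dave raised about every Linux box "hashing the same way on the same combination of ips and ports", can be shown with a small stand-alone program. This is an added example written for this archive page; it is not code from the thread, from fq_codel or from the Linux kernel. The keyed Jenkins one-at-a-time hash below is an assumed stand-in for the kernel's __flow_hash_from_keys() (which uses jhash2), the seed argument plays the role of hashrnd, the bucket count of 1024 and the use of plain modulo instead of reciprocal_scale() are simplifications, and the addresses and ports are constructed. With a seed the attacker knows (0 here, i.e. "no per-boot random number"), they can pre-compute a set of source ports whose flows all land in one fq_codel bucket and reuse that set against every host; once the victim's seed is a per-boot random value the same set scatters across buckets.

```c
/* Added example: why the flow-hash seed (hashrnd) must be unpredictable.
 * Not kernel code; the hash, bucket count and addresses are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 1024u          /* assumed: fq_codel's default flow count */
#define NFLOWS   16u            /* flows the attacker wants in one bucket */

struct flow5 {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* Keyed Jenkins one-at-a-time hash over the 5-tuple. Stand-in for the
 * kernel's __flow_hash_from_keys(); `seed` is the equivalent of hashrnd. */
uint32_t flow_hash(const struct flow5 *k, uint32_t seed)
{
    uint8_t buf[13];
    memcpy(buf,      &k->saddr, 4);
    memcpy(buf + 4,  &k->daddr, 4);
    memcpy(buf + 8,  &k->sport, 2);
    memcpy(buf + 10, &k->dport, 2);
    buf[12] = k->proto;

    uint32_t h = seed;
    for (size_t i = 0; i < sizeof buf; i++) {
        h += buf[i];
        h += h << 10;
        h ^= h >> 6;
    }
    h += h << 3;
    h ^= h >> 11;
    h += h << 15;
    return h;
}

unsigned flow_bucket(const struct flow5 *k, uint32_t seed)
{
    return flow_hash(k, seed) % NBUCKETS;   /* kernel uses reciprocal_scale() */
}

/* Constructed attacker flow: fixed addresses, dport 80, TCP; only sport varies. */
static struct flow5 attacker_flow(uint16_t sport)
{
    struct flow5 k = { 0xc0a80102u, 0x0a000001u, sport, 80, 6 };
    return k;
}

/* Attacker side: assuming the victim's seed is `guessed_seed`, scan source
 * ports for up to n flows that share the bucket of sport 1024. */
size_t attacker_pick_colliding(uint32_t guessed_seed, uint16_t *sports, size_t n)
{
    struct flow5 first = attacker_flow(1024);
    unsigned target = flow_bucket(&first, guessed_seed);
    size_t found = 0;
    for (uint32_t p = 1024; p < 65536u && found < n; p++) {
        struct flow5 k = attacker_flow((uint16_t)p);
        if (flow_bucket(&k, guessed_seed) == target)
            sports[found++] = (uint16_t)p;
    }
    return found;
}

/* Victim side: how many distinct buckets those flows occupy under the host's
 * real seed. 1 means the attacker collapsed them all into a single queue. */
size_t distinct_buckets(uint32_t real_seed, const uint16_t *sports, size_t n)
{
    uint8_t seen[NBUCKETS] = {0};
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        struct flow5 k = attacker_flow(sports[i]);
        unsigned b = flow_bucket(&k, real_seed);
        if (!seen[b]) {
            seen[b] = 1;
            distinct++;
        }
    }
    return distinct;
}

/* Whole scenario: attacker picks NFLOWS ports under guessed_seed, victim
 * buckets them under real_seed. Returns 0 if the attacker came up short. */
size_t buckets_hit(uint32_t guessed_seed, uint32_t real_seed)
{
    uint16_t sports[NFLOWS];
    if (attacker_pick_colliding(guessed_seed, sports, NFLOWS) < NFLOWS)
        return 0;
    return distinct_buckets(real_seed, sports, NFLOWS);
}

int main(void)
{
    printf("victim seed known (0):       %zu bucket(s) used\n", buckets_hit(0, 0));
    printf("victim seed per-boot random: %zu bucket(s) used\n",
           buckets_hit(0, 0x9e3779b9u));
    return 0;
}
```

Build with `cc -std=c11 -Wall hash_seed_demo.c` (file name assumed). The first line shows the hash-flooding outcome a fixed, world-wide seed would allow: all NFLOWS flows share one fq_codel queue, so they also share one CoDel state and one drop budget. The second line is what net_get_random_once() buys: the attacker's pre-computed set is just ordinary traffic on a host whose hashrnd they cannot read. The same argument applies to the NIC-generated skb->hash only if the RSS key is itself random per boot, which is Eric's point 1.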