[Bro-Dev] [JIRA] (BIT-1575) AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics

Jan Grashoefer (JIRA) jira at bro-tracker.atlassian.net
Tue Apr 26 15:52:00 PDT 2016

    [ https://bro-tracker.atlassian.net/browse/BIT-1575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25903#comment-25903 ] 

Jan Grashoefer commented on BIT-1575:

As 4.2 and 4.4 both call the [__flow_hash_consistentify|http://lxr.free-electrons.com/source/net/core/flow_dissector.c#L575] function, I am not yet convinced this isn't a bug. I will try to further investigate this. However, supporting BPF for load-balancing is a great feature anyway.

> AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
> -------------------------------------------------------------------------
>                 Key: BIT-1575
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1575
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
> The AF_Packet in 4.4 and onward has undergone a major redesign and rewrite.
> In order to make it more generic and correctly support Vlans, GRE tunnels, IPv6, and so on, the hash function has been generalized and is not symmetric anymore.
> This affacts the af_packet capture plugin.
> For kernel version 4.2, the following function was used
> static inline u32 __flow_hash_from_keys(struct flow_keys *keys)
>      /* get a *consistent hash* (*same value on both flow directions*) */
> In 4.4 it's jhash2, which is *not* symmetric. This results in splitted connections.
> static __always_inline u32 __flow_hash_words(const u32 *words, u32 length, u32 keyval)
> {
>      return jhash2(words, length, keyval);
> }
> I have tested this on 4.2, then upgraded to 4.4, observed lots of SAD connections, went back to 4.2.
> This seems to clarify this design decision
> https://patchwork.ozlabs.org/patch/467861/
> After consulting Suricata developers (thank you, Regit!!) seems like there's a new way to achieve consistent hashing. This method must be implemented for kernels >= 4.4 (maybe others, too).
> https://lwn.net/Articles/655295/
> https://www.kernel.org/doc/Documentation/networking/filter.txt
> eBPF fanout mode, so you write a filter and it af_packet respects hashing from it.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list