[Bro-Dev] [JIRA] (BIT-1575) AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics

Jan Grashoefer (JIRA) jira at bro-tracker.atlassian.net
Thu Apr 28 07:50:01 PDT 2016

    [ https://bro-tracker.atlassian.net/browse/BIT-1575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=26002#comment-26002 ] 

Jan Grashoefer commented on BIT-1575:

For the record: I was not able to reproduce this on 4.4.7-300.fc23.x86_64 monitoring small amounts of IPv4 traffic.

> AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
> -------------------------------------------------------------------------
>                 Key: BIT-1575
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1575
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Michal Purzynski
> The AF_Packet in 4.4 and onward has undergone a major redesign and rewrite.
> In order to make it more generic and correctly support VLANs, GRE tunnels, IPv6, and so on, the hash function has been generalized and is not symmetric anymore.
> This affects the af_packet capture plugin.
> For kernel version 4.2, the following function was used
> static inline u32 __flow_hash_from_keys(struct flow_keys *keys)
>      /* get a *consistent hash* (*same value on both flow directions*) */
> In 4.4 it's jhash2, which is *not* symmetric. This results in split connections.
> static __always_inline u32 __flow_hash_words(const u32 *words, u32 length, u32 keyval)
> {
>      return jhash2(words, length, keyval);
> }
> I have tested this on 4.2, then upgraded to 4.4, observed lots of SAD connections, went back to 4.2.
> This seems to clarify this design decision
> https://patchwork.ozlabs.org/patch/467861/
> After consulting Suricata developers (thank you, Regit!!) seems like there's a new way to achieve consistent hashing. This method must be implemented for kernels >= 4.4 (maybe others, too).
> https://lwn.net/Articles/655295/
> https://www.kernel.org/doc/Documentation/networking/filter.txt
> eBPF fanout mode, so you write a filter and af_packet respects the hashing from it.

This message was sent by Atlassian JIRA
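
The split-connection effect described in the quoted report, as an added illustration that is not part of the original message and is neither kernel nor Bro code: an order-dependent flow hash sends the two directions of a connection to different fanout sockets, while sorting the endpoints into a canonical order before hashing keeps them together. `fmix32` is a stand-in mixer rather than `jhash2`, and `struct flow`, the 1000 generated flows and the four-socket fanout group are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-tuple, host byte order (illustrative, not a kernel struct). */
struct flow { uint32_t src, dst; uint16_t sport, dport; };

/* Stand-in mixer (MurmurHash3 32-bit finalizer); NOT the kernel's jhash2. */
static uint32_t fmix32(uint32_t h)
{
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}

/* Order-dependent: hashes the tuple exactly as it appears in the packet. */
static uint32_t hash_directional(struct flow f)
{
    uint32_t ports = ((uint32_t)f.sport << 16) | f.dport;
    return fmix32(f.src ^ fmix32(f.dst ^ fmix32(ports)));
}

/* Direction-independent: sort the endpoints into a canonical order first. */
static uint32_t hash_symmetric(struct flow f)
{
    if (f.dst < f.src || (f.dst == f.src && f.dport < f.sport))
        f = (struct flow){ f.dst, f.src, f.dport, f.sport };
    return hash_directional(f);
}

/* Count constructed flows whose two directions pick different sockets. */
static int split_flows(uint32_t (*hash)(struct flow), uint32_t nsock)
{
    int split = 0;
    for (uint32_t i = 0; i < 1000; i++) {
        struct flow fwd = { 0x0a000001u + i, 0xc0a80001u, (uint16_t)(40000 + i), 443 };
        struct flow rev = { fwd.dst, fwd.src, fwd.dport, fwd.sport };
        if (hash(fwd) % nsock != hash(rev) % nsock)
            split++;
    }
    return split;
}

int main(void)
{
    printf("directional hash: %d of 1000 flows split\n", split_flows(hash_directional, 4));
    printf("symmetric hash:   %d of 1000 flows split\n", split_flows(hash_symmetric, 4));
    return 0;
}
```

A non-zero split count for a capture setup means each worker sees only half of those connections, which is the condition to check for after a kernel upgrade.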