Brand new hash expression

The new hash expression provides a way to generate a Jenkins Hash operation given a source register that could be a source IP address, destination IP address, or any other packet field.

meta mark set hash ip saddr mod 10

There was a module called nft_hash that implements a hash table, so I’ve to apply a patch to rename such module to another. This is the patch.

I had to learn the Jenkins Hash API in order to use it as described here:

http://lxr.free-electrons.com/source/include/linux/jhash.h

And make the changes in the libnftnl package to support this new expression in the form:

reg1 <- payload(base, offset, len)
reg1 <- hash(reg1, len, mod)
mark set reg1

But after the implementation in the kernel and libnftnl sides, I get the following error:

 root@nfkernel:~# /usr/src/libnftnl/examples/nft-rule-add ip filter
 input
 mnl_cb_run: No such file or directory

This error could be shown if the given table or chain doesn’t exist, or if the module is not loaded. But….

The nft structure was created

 root@nfkernel:~# nft list ruleset
 table ip filter {
         chain input {
                 type filter hook input priority 0; policy accept;
         }
 (...)
 }

And the module was loaded

 Module                  Size  Used by
 nft_hash                9946  0
 nf_tables_ipv6          2206  4
 nf_tables_ipv4          2206  4
 nf_tables              56474  3 nf_tables_ipv4,nf_tables_ipv6,nft_hash
 nfnetlink               5700  1 nf_tables

But then I realized that the nft_hash module size in memory is too big for such relatively “small” expression.

Then, I came into the idea that some kind of incompatibility or collision in the kernel between the “old” and the “new” nft_hash module must exist.

Finally, and thanks to my mentor Pablo Neira, I must include the following line in the source code.

 MODULE_ALIAS_NFT_EXPR("hash");

Then,

make clean
make
make modules_install

And it’s ready!

Here is the first patch for the kernel and libnftnl:

http://marc.info/?l=netfilter-devel&m=147075140407812&w=2

http://marc.info/?l=netfilter-devel&m=147075143907821&w=2

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s