Michal Purzynski created BIT-1575:
-------------------------------------

             Summary: AF_Packet hash in 4.4 is not symmetric anymore, needs a different tactics
                 Key: BIT-1575
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1575
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Michal Purzynski


The AF_Packet in 4.4 and onward has undergone a major redesign and rewrite.

In order to make it more generic and correctly support VLANs, GRE tunnels, 
IPv6, and so on, the hash function has been generalized and is not symmetric 
anymore.

This affects the af_packet capture plugin.

For kernel version 4.2, the following function was used

static inline u32 __flow_hash_from_keys(struct flow_keys *keys)
     /* get a *consistent hash* (*same value on both flow directions*) */

In 4.4 it's jhash2, which is *not* symmetric. This results in split 
connections.

static __always_inline u32 __flow_hash_words(const u32 *words, u32 length, u32 keyval)
{
     return jhash2(words, length, keyval);
}

I have tested this on 4.2, then upgraded to 4.4, observed lots of SAD 
connections, went back to 4.2.

This seems to clarify this design decision
https://patchwork.ozlabs.org/patch/467861/

After consulting Suricata developers (thank you, Regit!!) seems like there's a 
new way to achieve consistent hashing. This method must be implemented for 
kernels >= 4.4 (maybe others, too).

https://lwn.net/Articles/655295/
https://www.kernel.org/doc/Documentation/networking/filter.txt

eBPF fanout mode, so you write a filter and af_packet respects the hashing 
from it.



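The effect described in the report, as an added example that is not part of the original message or of the kernel source: an order-sensitive hash sends the two directions of one connection to different fanout sockets, while hashing a sorted tuple keeps them together, which is the kind of value a fanout filter has to produce. Assumptions: FNV-1a stands in for jhash2, `struct flow` and all function names are hypothetical, and the 1000 flows are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed flow key; names are illustrative, not the kernel's struct flow_keys. */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Scale a 32-bit hash to a socket index in [0, n) by multiply-shift. */
#define SCALE(h, n) ((unsigned)(((uint64_t)(h) * (n)) >> 32))

/* Order-sensitive word hash (FNV-1a); assumed stand-in for jhash2, not the kernel code. */
static uint32_t word_hash(const uint32_t *w, unsigned n)
{
    uint32_t h = 2166136261u;
    for (unsigned i = 0; i < n; i++)
        h = (h ^ w[i]) * 16777619u;
    return h;
}

/* Hash the tuple in wire order, so each direction of a connection differs. */
static uint32_t hash_as_seen(const struct flow *f)
{
    uint32_t w[3] = { f->saddr, f->daddr, ((uint32_t)f->sport << 16) | f->dport };
    return word_hash(w, 3);
}

/* Sort the endpoints first, so A->B and B->A hash the same words. */
static uint32_t hash_symmetric(const struct flow *f)
{
    struct flow c = *f;
    if (c.saddr > c.daddr || (c.saddr == c.daddr && c.sport > c.dport))
        c = (struct flow){ f->daddr, f->saddr, f->dport, f->sport };
    return hash_as_seen(&c);
}

/* Count constructed connections whose two directions map to different sockets. */
static unsigned count_split(uint32_t (*hash)(const struct flow *), unsigned n)
{
    unsigned split = 0;
    for (uint32_t i = 0; i < 1000; i++) {
        struct flow fwd = { 0x0a000001u + i, 0xc0a80001u + 7 * i, (uint16_t)(40000 + i), 443 };
        struct flow rev = { fwd.daddr, fwd.saddr, fwd.dport, fwd.sport };
        split += SCALE(hash(&fwd), n) != SCALE(hash(&rev), n);
    }
    return split;
}

int main(void)
{
    printf("split connections out of 1000: wire-order=%u symmetric=%u\n",
           count_split(hash_as_seen, 4), count_split(hash_symmetric, 4));
    return 0;
}
```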