zebra: pbr hash cleanup #15556
zebra: pbr hash cleanup #15556
Conversation
paulzlabn
force-pushed
the
working/ziemba/zebra-pbr-hash
branch
from
9160d7b to
67b4242
Compare
|
Is this still a WIP? |
I added some discussion items in the description. I'd like at least donaldsharp and mjs to review, as well as anyone else who might have an interest. For some reason I am unable to add reviewers to this PR. |
zebra/zebra_pbr.c
Outdated
|
|
||
| key = jhash_3words(rule->rule.filter.fwmark, rule->vrf_id, | ||
| rule->rule.filter.ip_proto, key); | ||
| key = jhash_2words(rule->rule.unique, rule->sock, 0); |
There was a problem hiding this comment.
the tuple of vrf+ifname is necessary, I think? small change, but will be safer.
There was a problem hiding this comment.
Is it possible to have a given ifname in more than one vrf? (I thought no?)
There was a problem hiding this comment.
yes, in netns-based vrfs I believe it is possible, so we accomodate that ... in many places
There was a problem hiding this comment.
I added vrf_id back to the hash in this latest push
zebra/zebra_pbr.c
Outdated
|
|
||
| key = jhash_3words(rule->rule.filter.fwmark, rule->vrf_id, | ||
| rule->rule.filter.ip_proto, key); | ||
| key = jhash_2words(rule->rule.unique, rule->sock, 0); |
There was a problem hiding this comment.
Having some random init value for the 'key' would be nice - it's a good practice to follow?
There was a problem hiding this comment.
Is that the same thing as a "seeded" hash? It looks like that is a defense against DDOS attacks so I'm guessing in this case an attacker would craft a set of PBR rules to slow down lookups?
In general it could be a good thing. Maybe better implemented in the hash library so all callers benefit?
There was a problem hiding this comment.
My point is just about having the various examples in the codebase stay aligned as much as possible. In general, we try to encourage some kind of initialization for the key, so it'd be good to do that here also.
There was a problem hiding this comment.
Please help me understand - my eyeball estimate is that around a third of the jhash_ algorithms in FRR start with some arbitrary fixed seed, and the rest use 0. What does it accomplish? What's the basis for choosing a particular 32-bit seed?
I'm not finding either general information (via goog) or any comments in frr/docs/developer.
|
I've added Donald Sharp as a reviewer (with his permission, I think)
|
In the zebra PBR rule database, the hash was previously calculated
over many fields, including most of the filter and action values.
But a given rule should be identifiable by just:
1. the identity of its originating daemon (ZAPI socket FD); and
2. the 'unique' field in struct pbr_rule
However, pbrd assigns a 'unique' field value per map (which may
be assigned to multiple interfaces, yielding multiple corresponding
rules). We could possibly modify pbrd to generate a 'unique'
field value per rule instance, but the simpler solution for the
moment is to also hash on the interface name.
This commit changes the PBR hash function to use only the
following parameters:
1. the identity of its originating daemon (ZAPI socket FD); and
2. the 'unique' field in struct pbr_rule
3. the VRF ID
4. the interface name
The goal of the above change is to get a better handle on what
parameters uniquely identify a rule, to (eventually) allow the
assignment or parallel generation of a globally-unique identifier
for each rule that can be used with a dataplane.
This commit also removes the inefficient pbr_rule_lookup_unique()
code that iterated linearly over the entire rule database.
Signed-off-by: G. Paul Ziemba <[email protected]>
paulzlabn
force-pushed
the
working/ziemba/zebra-pbr-hash
branch
from
67b4242 to
d2e5e9a
Compare
|
This PR is stale because it has been open 180 days with no activity. Comment or remove the |
ISSUES:
I invite review comments particularly on these issues