diff options
author | Ted Unangst <tedu@cvs.openbsd.org> | 2014-12-18 19:02:57 +0000 |
---|---|---|
committer | Ted Unangst <tedu@cvs.openbsd.org> | 2014-12-18 19:02:57 +0000 |
commit | c9eccb02a456f2ccc9be867e606fde123f163dfb (patch) | |
tree | 0988c45eb64cfbf4a763a7732e433a605ac0e9f4 /sys | |
parent | 0c7d2c08a98cbc14c160b5c81a017d5f2f3654f0 (diff) |
use siphash for pf_lb. for ipv6, we stretch it out a bit, but good enough.
ok reyk
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf_lb.c | 58 |
1 files changed, 20 insertions, 38 deletions
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c index 392fa85c843..bbaa2984b8d 100644 --- a/sys/net/pf_lb.c +++ b/sys/net/pf_lb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_lb.c,v 1.36 2014/11/18 02:37:31 tedu Exp $ */ +/* $OpenBSD: pf_lb.c,v 1.37 2014/12/18 19:02:56 tedu Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -53,6 +53,7 @@ #include <sys/syslog.h> #include <sys/stdint.h> +#include <crypto/siphash.h> #include <crypto/md5.h> #include <net/if.h> @@ -103,19 +104,6 @@ int pf_map_addr_sticky(sa_family_t, struct pf_rule *, struct pf_src_node **, struct pf_pool *, enum pf_sn_types); -#define mix(a,b,c) \ - do { \ - a -= b; a -= c; a ^= (c >> 13); \ - b -= c; b -= a; b ^= (a << 8); \ - c -= a; c -= b; c ^= (b >> 13); \ - a -= b; a -= c; a ^= (c >> 12); \ - b -= c; b -= a; b ^= (a << 16); \ - c -= a; c -= b; c ^= (b >> 5); \ - a -= b; a -= c; a ^= (c >> 3); \ - b -= c; b -= a; b ^= (a << 10); \ - c -= a; c -= b; c ^= (b >> 15); \ - } while (0) - /* * hash function based on bridge_hash in if_bridge.c */ @@ -123,38 +111,32 @@ void pf_hash(struct pf_addr *inaddr, struct pf_addr *hash, struct pf_poolhashkey *key, sa_family_t af) { - u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0]; +#ifdef INET6 + union { + uint64_t hash64; + uint32_t hash32[2]; + } h; +#endif switch (af) { #ifdef INET case AF_INET: - a += inaddr->addr32[0]; - b += key->key32[1]; - mix(a, b, c); - hash->addr32[0] = c + key->key32[2]; + hash->addr32[0] = SipHash24((SIPHASH_KEY *)key, + &inaddr->addr32[0], sizeof(inaddr->addr32[0])); break; #endif /* INET */ #ifdef INET6 case AF_INET6: - a += inaddr->addr32[0]; - b += inaddr->addr32[2]; - mix(a, b, c); - hash->addr32[0] = c; - a += inaddr->addr32[1]; - b += inaddr->addr32[3]; - c += key->key32[1]; - mix(a, b, c); - hash->addr32[1] = c; - a += inaddr->addr32[2]; - b += inaddr->addr32[1]; - c += key->key32[2]; - mix(a, b, c); - hash->addr32[2] = c; - a += inaddr->addr32[3]; - b += inaddr->addr32[0]; - c += key->key32[3]; - mix(a, b, c); - hash->addr32[3] = c; + h.hash64 = SipHash24((SIPHASH_KEY *)key, &inaddr->addr32[0], + 4 * sizeof(inaddr->addr32[0])); + hash->addr32[0] = h.hash32[0]; + hash->addr32[1] = h.hash32[1]; + /* + * siphash isn't big enough, but flipping it around is + * good enough here. + */ + hash->addr32[2] = ~h.hash32[1]; + hash->addr32[3] = ~h.hash32[0]; break; #endif /* INET6 */ } |