summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorTed Unangst <tedu@cvs.openbsd.org>2014-12-18 19:02:57 +0000
committerTed Unangst <tedu@cvs.openbsd.org>2014-12-18 19:02:57 +0000
commitc9eccb02a456f2ccc9be867e606fde123f163dfb (patch)
tree0988c45eb64cfbf4a763a7732e433a605ac0e9f4 /sys
parent0c7d2c08a98cbc14c160b5c81a017d5f2f3654f0 (diff)
use siphash for pf_lb. for ipv6, we stretch it out a bit, but good enough.
ok reyk
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf_lb.c58
1 files changed, 20 insertions, 38 deletions
diff --git a/sys/net/pf_lb.c b/sys/net/pf_lb.c
index 392fa85c843..bbaa2984b8d 100644
--- a/sys/net/pf_lb.c
+++ b/sys/net/pf_lb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_lb.c,v 1.36 2014/11/18 02:37:31 tedu Exp $ */
+/* $OpenBSD: pf_lb.c,v 1.37 2014/12/18 19:02:56 tedu Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -53,6 +53,7 @@
#include <sys/syslog.h>
#include <sys/stdint.h>
+#include <crypto/siphash.h>
#include <crypto/md5.h>
#include <net/if.h>
@@ -103,19 +104,6 @@ int pf_map_addr_sticky(sa_family_t, struct pf_rule *,
struct pf_src_node **, struct pf_pool *,
enum pf_sn_types);
-#define mix(a,b,c) \
- do { \
- a -= b; a -= c; a ^= (c >> 13); \
- b -= c; b -= a; b ^= (a << 8); \
- c -= a; c -= b; c ^= (b >> 13); \
- a -= b; a -= c; a ^= (c >> 12); \
- b -= c; b -= a; b ^= (a << 16); \
- c -= a; c -= b; c ^= (b >> 5); \
- a -= b; a -= c; a ^= (c >> 3); \
- b -= c; b -= a; b ^= (a << 10); \
- c -= a; c -= b; c ^= (b >> 15); \
- } while (0)
-
/*
* hash function based on bridge_hash in if_bridge.c
*/
@@ -123,38 +111,32 @@ void
pf_hash(struct pf_addr *inaddr, struct pf_addr *hash,
struct pf_poolhashkey *key, sa_family_t af)
{
- u_int32_t a = 0x9e3779b9, b = 0x9e3779b9, c = key->key32[0];
+#ifdef INET6
+ union {
+ uint64_t hash64;
+ uint32_t hash32[2];
+ } h;
+#endif
switch (af) {
#ifdef INET
case AF_INET:
- a += inaddr->addr32[0];
- b += key->key32[1];
- mix(a, b, c);
- hash->addr32[0] = c + key->key32[2];
+ hash->addr32[0] = SipHash24((SIPHASH_KEY *)key,
+ &inaddr->addr32[0], sizeof(inaddr->addr32[0]));
break;
#endif /* INET */
#ifdef INET6
case AF_INET6:
- a += inaddr->addr32[0];
- b += inaddr->addr32[2];
- mix(a, b, c);
- hash->addr32[0] = c;
- a += inaddr->addr32[1];
- b += inaddr->addr32[3];
- c += key->key32[1];
- mix(a, b, c);
- hash->addr32[1] = c;
- a += inaddr->addr32[2];
- b += inaddr->addr32[1];
- c += key->key32[2];
- mix(a, b, c);
- hash->addr32[2] = c;
- a += inaddr->addr32[3];
- b += inaddr->addr32[0];
- c += key->key32[3];
- mix(a, b, c);
- hash->addr32[3] = c;
+ h.hash64 = SipHash24((SIPHASH_KEY *)key, &inaddr->addr32[0],
+ 4 * sizeof(inaddr->addr32[0]));
+ hash->addr32[0] = h.hash32[0];
+ hash->addr32[1] = h.hash32[1];
+ /*
+ * siphash isn't big enough, but flipping it around is
+ * good enough here.
+ */
+ hash->addr32[2] = ~h.hash32[1];
+ hash->addr32[3] = ~h.hash32[0];
break;
#endif /* INET6 */
}