On Mon, Sep 12, 2016 at 02:22:57PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > On Sun, Sep 11, 2016 at 11:12:26PM +0200, Florian Westphal wrote: > > > My first thought was that it would be better to just support one single > > > sreg (the queue number) and eventually externalize the hashing/queue > > > selection: > > > > > > queue num jhash ip saddr . ip daddr mod ... > > > > > > Problem is that with plain jhash we won't get a symmetric hash > > > for origin and reply, so for this we would need a new expression/hash > > > mode. > > > > Are you think of xor hashing to provide the symmetry? Downside is that > > bad tuple selection may result in poor distribution, but this is > > something we can document. > > No, I was thinking of a new hash mode to do this, e.g. just do same > what current nfqueue selection does: hash lower address first. Currently we have one single register pointing to the entire tuple concatenation that we hash, we would need to support multiple registers as input, check that they are consecutive. Then, the logic to compare the data. And a way to express this in syntax. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
