On Sat, Oct 22, 2016 at 11:34:15PM +0200, Laura Garcia Liebana wrote: > The hash expression requires a seed attribute to call the jhash > operation, eg. > > # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \ > seed 0xdeadbeef > > With this patch the seed attribute is optional and it's generated by a > random function from userspace, eg. > > # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 > > To generate a secure random number it has been included the libbsd > library dependency by default, that implements the arc4random() > function generator. But it's possible to get rid of this dependency > applying the option --without-arc4random during the configure of the > package. > > Suggested-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> > Signed-off-by: Laura Garcia Liebana <nevola@xxxxxxxxx> > --- > configure.ac | 14 +++++++++++++- > include/hash.h | 10 ++++++++++ > src/parser_bison.y | 5 +++++ > tests/py/ip/hash.t | 2 ++ > 4 files changed, 30 insertions(+), 1 deletion(-) > > diff --git a/configure.ac b/configure.ac > index 7e0b75c..8c93981 100644 > --- a/configure.ac > +++ b/configure.ac 
> @@ -108,6 +108,17 @@ AC_DEFINE([HAVE_LIBXTABLES], [1], [0]) > AC_SUBST(with_libxtables) > AM_CONDITIONAL([BUILD_XTABLES], [test "x$with_libxtables" == xyes]) > > +AC_ARG_WITH([arc4random], [AS_HELP_STRING([--without-arc4random], > + [disable arc4random (libbsd dev support)])], > + [], [with_arc4random=yes]) > +AS_IF([test "x$with_arc4random" != xno], [ > +AC_CHECK_LIB([bsd], [arc4random], , > + AC_MSG_ERROR([No suitable version of libbsd dev found])) > +AC_DEFINE([HAVE_LIBBSD], [1], []) > +]) > +AC_SUBST(with_arc4random) > +AM_CONDITIONAL([BUILD_ARC4RANDOM], [test "x$with_arc4random" != xno]) We have getrandom() already around for a while: https://lwn.net/Articles/605828/ Main problem is that your libc version may not yet support this. But in case HAVE_GETRANDOM is not set, otherwise fallback on the poorman version by now. > # Checks for header files. > AC_HEADER_STDC > AC_HEADER_ASSERT > @@ -158,4 +169,5 @@ nft configuration: > enable debugging: ${with_debug} > use mini-gmp: ${with_mini_gmp} > enable pdf documentation: ${enable_pdf_doc} > - libxtables support: ${with_libxtables}" > + libxtables support: ${with_libxtables} > + arc4random support: ${with_arc4random}" It would be good to indicate here what random approach we follow, just for the record. Thanks.
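
Review bot: In the first configure.ac hunk (@@ -108,6 +108,17 @@), AC_CHECK_LIB([bsd], [arc4random], , ...) leaves action-if-found empty, so autoconf's default action already adds -lbsd to LIBS and defines HAVE_LIBBSD; the AC_DEFINE([HAVE_LIBBSD], [1], []) that follows is redundant and carries an empty description, so it can be dropped. AM_CONDITIONAL([BUILD_ARC4RANDOM], ...) also looks unused, since the diffstat touches no Makefile.am. Because libbsd is on by default and its absence is a hard AC_MSG_ERROR, the error text should mention --without-arc4random so a builder without libbsd knows the way out. These lines do not show what generates the seed in that configuration, which is worth stating in the help string.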
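
Review bot: The added summary line in the second hunk (@@ -158,4 +169,5 @@) prints ${with_arc4random} unmodified, so a build configured with --without-arc4random reports only "no", and any other argument value is echoed as given because the AS_IF test accepts everything except "no". Suggest setting a separate variable inside the AS_IF branch that names the generator actually compiled in and printing that instead, so the configure output records where the default jhash seed comes from.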
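
The getrandom()-with-fallback approach raised in the reply, as an added example that is not part of the patch or of the nftables source: it draws the seed through the raw `SYS_getrandom` syscall, so a libc without the wrapper still works, and falls back to `/dev/urandom` when the syscall is unavailable. The helper name `fill_random` and the choice of `/dev/urandom` as the fallback are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper: fill buf from the kernel CSPRNG, 0 on success. */
static int fill_random(void *buf, size_t len)
{
	unsigned char *p = buf;
	ssize_t n;
	int fd;

#ifdef SYS_getrandom
	/* Raw syscall, so a libc without a getrandom() wrapper still works. */
	while (len > 0) {
		n = syscall(SYS_getrandom, p, len, 0);
		if (n < 0 && errno == EINTR)
			continue;
		if (n < 0)
			break;	/* e.g. ENOSYS on an old kernel: use fallback */
		p += n;
		len -= (size_t)n;
	}
#endif
	if (len == 0)
		return 0;
	fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -1;
	while (len > 0) {
		n = read(fd, p, len);
		if (n < 0 && errno == EINTR)
			continue;
		if (n <= 0)
			break;
		p += n;
		len -= (size_t)n;
	}
	close(fd);
	return len == 0 ? 0 : -1;
}

int main(void)
{
	uint32_t seed;	/* stands in for a jhash seed given without "seed" */
	return fill_random(&seed, sizeof(seed)) < 0;
}
```

A failure return means no kernel randomness was obtainable; the caller should report an error instead of substituting a time- or rand()-based value.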