netfilter pull request 25-04-10

-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEjF9xRqF1emXiQiqU1w0aZmrPKyEFAmf3ntEACgkQ1w0aZmrP KyHXoxAAs3VQXAXUP7y7vPjzfmgdC6JU3RijcabGvQ7NSfUDIg9dfdv2nRIpSy4c RSxM47htKMAaV3PwdR6C8mHEr5S7fX/v+JhglUQOPverhAH+CUQP0dT2JHdeVH39 QazbD+RDjsJhFvleLboht7gzIKkzBOAXu2dJ/SP/gqsL4uukcm7f2Ke7o0Hg8Ybw jQSBRXeL2i1DVuzH3PeLYjkKG3+GTnPomzlhyL8VbHMxvPMPsjkL60EdRCLV+CcK Ofk/VKmHj4k3zhcFTNk/ts1bQpZ2HRulV5OF2rQqadMNU7WOQT1WGU7P00rCI9yU NcG7pUE1A22yMzC5gwiG03JM+MaoMQz1tkUXCjis9nLrkRBoxidUNix4v5goOD47 Vj+lMS2FJzZe2AAWOEfjQ/4y9HC1S4qCe1mo1TBCReYxd+ZdSjNPnlYn/aqLGjM8 8/pBI0+EwL8shVNzCuAIS0CLgKg6+Qvv3JWqDq0OTKYtXR0sqhYIOr+/BxKJb27u ZT9E90FcxrAG+a7RQyr+XzqcgExZCDdUxqYOWMhemfHiZXwvOGRJHxTDjP20jHHb 5FfkiZSODtdm8rt6a9LXvx3x6GIexs/QBCbaZM3rDVgamMEGarmXsMF/t6bNfDpQ gTwa7S7S8XnioCVHWc1R6iU/OKa61pf0E1QoCdWrq+IkJ0fDTi4= =mkew -----END PGP SIGNATURE----- Merge tag 'nf-25-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following batch contains a Netfilter fix and improved test coverage: 1) Fix AVX2 matching in nft_pipapo, from Florian Westphal. 2) Extend existing test to improve coverage for the aforementioned bug, also from Florian. netfilter pull request 25-04-10 * tag 'nf-25-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: selftests: netfilter: add test case for recent mismatch bug nft_set_pipapo: fix incorrect avx2 match of 5th field octet ==================== Link: https://patch.msgid.link/20250410103647.1030244-1-pablo@netfilter.org Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2025-04-13 09:59:31 +00:00 · 2025-04-10 13:13:35 +02:00 · 2025-04-10 13:13:35 +02:00 · 69ddc6522e
commit 69ddc6522e
parent aabc6596ff 27eb86e22f
2 changed files with 40 additions and 2 deletions
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@ -994,8 +994,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
 		NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt,  8,  pkt[8], bsize);

 		NFT_PIPAPO_AVX2_AND(6, 2, 3);
+		NFT_PIPAPO_AVX2_AND(3, 4, 7);
 		NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt,  9,  pkt[9], bsize);
-		NFT_PIPAPO_AVX2_AND(0, 4, 5);
+		NFT_PIPAPO_AVX2_AND(0, 3, 5);
 		NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize);
 		NFT_PIPAPO_AVX2_AND(2, 6, 7);
 		NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize);
--- a/tools/testing/selftests/net/netfilter/nft_concat_range.sh
+++ b/tools/testing/selftests/net/netfilter/nft_concat_range.sh
@ -27,7 +27,7 @@ TYPES="net_port port_net net6_port port_proto net6_port_mac net6_port_mac_proto
       net6_port_net6_port net_port_mac_proto_net"

 # Reported bugs, also described by TYPE_ variables below
-BUGS="flush_remove_add reload net_port_proto_match"
+BUGS="flush_remove_add reload net_port_proto_match avx2_mismatch"

 # List of possible paths to pktgen script from kernel tree for performance tests
 PKTGEN_SCRIPT_PATHS="
@ -387,6 +387,25 @@ race_repeat	0

 perf_duration	0
 "
+
+TYPE_avx2_mismatch="
+display		avx2 false match
+type_spec	inet_proto . ipv6_addr
+chain_spec	meta l4proto . ip6 daddr
+dst		proto addr6
+src
+start		1
+count		1
+src_delta	1
+tools		ping
+proto		icmp6
+
+race_repeat	0
+
+perf_duration	0
+"
+
+
 # Set template for all tests, types and rules are filled in depending on test
 set_template='
 flush ruleset
@ -1629,6 +1648,24 @@ test_bug_net_port_proto_match() {
 	nft flush ruleset
 }

+test_bug_avx2_mismatch()
+{
+	setup veth send_"${proto}" set || return ${ksft_skip}
+
+	local a1="fe80:dead:01ff:0a02:0b03:6007:8009:a001"
+	local a2="fe80:dead:01fe:0a02:0b03:6007:8009:a001"
+
+	nft "add element inet filter test { icmpv6 . $a1 }"
+
+	dst_addr6="$a2"
+	send_icmp6
+
+	if [ "$(count_packets)" -gt "0" ]; then
+		err "False match for $a2"
+		return 1
+	fi
+}
+
 test_reported_issues() {
 	eval test_bug_"${subtest}"
 }