The avx2 implementation suffers from the same bug fixed in the C
implementation with 791a615b7ad2
("netfilter: nf_set_pipapo: fix initial map fill").
If the first field isn't the largest one, there will be mismatches, i.e.
a wrong match will be returned.
First patch fixes this bug.
Because the selftest data path test does:
.... @test counter name ...
.. and then checks if the counter has been incremented, the selftest
first needs to be reworked to use per-element counters.
Otherwise, we can only differentiate between 'no entry matches' and
'some entry matches', but its imperative we can also validate that
the lookup did return the correct element.
The second patch does reworks the selftest accordingly.
Last patch adds extends the existing regression test for this
bug class by also validating the datapath, rather than just the
control plane.
Florian Westphal (3):
netfilter: nf_set_pipapo_avx2: fix initial map fill
selftests: netfilter: nft_concat_range.sh: prefer per element counters
for testing
selftests: netfilter: nft_concat_range.sh: add datapath check for map
fill bug
net/netfilter/nft_set_pipapo_avx2.c | 21 +++-
.../net/netfilter/nft_concat_range.sh | 102 +++++++++++++++---
2 files changed, 108 insertions(+), 15 deletions(-)
--
2.49.0
