On Fri, 23 May 2025 14:20:43 +0200
Florian Westphal <fw@xxxxxxxxx> wrote:
> The avx2 implementation suffers from the same bug fixed in the C
> implementation with 791a615b7ad2
> ("netfilter: nf_set_pipapo: fix initial map fill").
>
> If the first field isn't the largest one, there will be mismatches, i.e.
> a wrong match will be returned.
...weird that we didn't catch this together with the issue described
by 791a615b7ad2, I guess it wasn't found on x86.
> First patch fixes this bug.
>
> Because the selftest data path test does:
> .... @test counter name ...
>
> .. and then checks if the counter has been incremented, the selftest
> first needs to be reworked to use per-element counters.
That makes sense indeed, I didn't even know they existed. Actually, I
just learnt about 'nft reset element', that's quite neat.
> Otherwise, we can only differentiate between 'no entry matches' and
> 'some entry matches', but its imperative we can also validate that
> the lookup did return the correct element.
>
> The second patch does reworks the selftest accordingly.
>
> Last patch adds extends the existing regression test for this
> bug class by also validating the datapath, rather than just the
> control plane.
>
> Florian Westphal (3):
> netfilter: nf_set_pipapo_avx2: fix initial map fill
> selftests: netfilter: nft_concat_range.sh: prefer per element counters
> for testing
> selftests: netfilter: nft_concat_range.sh: add datapath check for map
> fill bug
For the series,
Reviewed-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
--
Stefano
