Open Source and information security mailing list archives
 
Message-ID: <d35db9d6-0727-1296-fa78-4efeadf3319c@virtuozzo.com>
Date:   Tue, 16 Nov 2021 11:51:01 +0300
From:   Nikita Yushchenko <nikita.yushchenko@...tuozzo.com>
To:     Stefano Brivio <sbrivio@...hat.com>
Cc:     Netdev <netdev@...r.kernel.org>
Subject: "AVX2-based lookup implementation" has broken ebtables --among-src

Hello Stefano.

I've found that the nftables rule added by

# ebtables -A INPUT --among-src 8:0:27:40:f7:9=192.168.56.10 -j log

does not match packets on kernel 5.14 and on current mainline,
although it matched correctly on kernel 4.18.

I've bisected this issue. It was introduced by your commit 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation") from the 5.7 development cycle.

The nftables rule created by the above command uses concatenation:

# nft list chain bridge filter INPUT
table bridge filter {
         chain INPUT {
                 type filter hook input priority filter; policy accept;
                 ether saddr . ip saddr { 08:00:27:40:f7:09 . 192.168.56.10 } counter packets 0 bytes 0 log level notice flags ether
         }
}

Looks like the AVX2-based lookup does not process this correctly.


Nikita
