git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 16 Sep 2025 16:34:01 +0000 (18:34 +0200)
committer	Florian Westphal <fw@strlen.de>
	Wed, 24 Sep 2025 09:50:28 +0000 (11:50 +0200)
commit	4dbac7db17f1e973fbbd6aea07a00181cd4cd162
tree	a46618ab507daaae0230b1a1431e078b374f3376	tree \| snapshot
parent	09efbac953f6f076a07735f9ba885148d4796235	commit \| diff

netfilter: nft_set_pipapo: use 0 genmask for packetpath lookups

In commit c4eaca2e1052 ("netfilter: nft_set_pipapo: don't check genbit from
packetpath lookups") I replaced genmask_cur() with NFT_GENMASK_ANY, but
this change has no effect in the pipapo set type.

New entries are unreachable from the active copy, so NFT_GENMASK_ANY has
same result as genmask_cur():

current-gen elements are disabled and the new-generation
elements cannot be found.

Tests did not catch this incomplete fix because the change also dropped
the genmask test from the AVX2 version of the algorithm, so test only
fails if host cpu lacks AVX2 support.

Use genmask test only from the control plane (inserts, deletions, ..).

Packet path has to skip the check, use of 0 is enough for this because
ext->genmask has a the relevant bit set when the element is INACTIVE
in that generation: using a 0 genmask thus makes nft_set_elem_active()
always return true.

Fix the comment and replace NFT_GENMASK_ANY with 0.

Fixes: c4eaca2e1052 ("netfilter: nft_set_pipapo: don't check genbit from packetpath lookups")
Signed-off-by: Florian Westphal <fw@strlen.de>

net/netfilter/nft_set_pipapo.c		diff \| blob \| blame \| history
net/netfilter/nft_set_pipapo_avx2.c		diff \| blob \| blame \| history