Date: Wed, 17 Nov 2021 13:06:09 +0100
From: Florian Westphal
To: Stefano Brivio
Cc: Nikita Yushchenko, Netdev, netfilter-devel@vger.kernel.org
Subject: Re: "AVX2-based lookup implementation" has broken ebtables --among-src
Message-ID: <20211117120609.GI6326@breakpoint.cc>
In-Reply-To: <20211116173352.1a5ff66a@elisabeth>

Stefano Brivio wrote:
> [Adding netfilter-devel]
>
> Hi Nikita,
>
> On Tue, 16 Nov 2021 11:51:01 +0300
> Nikita Yushchenko wrote:
>
> > Hello Stefano.
> >
> > I've found that nftables rule added by
> >
> > # ebtables -A INPUT --among-src 8:0:27:40:f7:9=192.168.56.10 -j log
> >
> > does not match packets on kernel 5.14 and on current mainline.
> > Although it matched correctly on kernel 4.18
> >
> > I've bisected this issue. It was introduced by your commit 7400b063969b ("nft_set_pipapo: Introduce
> > AVX2-based lookup implementation") from 5.7 development cycle.
> >
> > The nftables rule created by the above command uses concatenation:
> >
> > # nft list chain bridge filter INPUT
> > table bridge filter {
> >         chain INPUT {
> >                 type filter hook input priority filter; policy accept;
> >                 ether saddr . ip saddr { 08:00:27:40:f7:09 . 192.168.56.10 } counter packets 0 bytes 0
> >                 log level notice flags ether
> >         }
> > }
> >
> > Looks like the AVX2-based lookup does not process this correctly.
>
> Thanks for bisecting and reporting this! I'm looking into it now, I
> might be a bit slow as I'm currently traveling.

Might be a bug in ebtables. This is what nft monitor shows:

add chain bridge filter INPUT { type filter hook input priority filter; policy accept; }
add rule bridge filter INPUT ether saddr . ip saddr { 08:00:27:40:f7:09 . 192.168.56.10-0x1297286e2b2 [..]

I can have a look at ebtables-nft side.