bugzilla-daemon at netfilter.org
2017-Oct-28 23:07 UTC
[Bug 1199] New: nft_set_hash fast lookup broken for 2 byte keys
https://bugzilla.netfilter.org/show_bug.cgi?id=1199
Bug ID: 1199
Summary: nft_set_hash fast lookup broken for 2 byte keys
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: major
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: makovick at gmail.com
Hi,
after an upgrade of the userspace nftables to v0.8, I found that my port sets
suddenly stopped matching. After some searching, I tracked the issue down to
nft_hash_key and nft_hash_lookup_fast - with v0.8, the kernel started
preferring hashes instead of bitsets.
nft_hash_lookup_fast uses jhash_1word, which always uses the hash initializer
appropriate for keys of length == 4. This means it miscomputes the bucket
location for 2-byte keys and the lookup fails. In addition, lookups for 4-byte
keys will probably fail on big endian machines - the byte-wise jhash used
everywhere else reads the u32s as litle endian.
I tried removing the fast version of the hash lookups, and it indeed fixes the
issue.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171028/16de9c81/attachment.html>
bugzilla-daemon at netfilter.org
2017-Oct-29 12:03 UTC
[Bug 1199] nft_set_hash fast lookup broken for 2 byte keys
https://bugzilla.netfilter.org/show_bug.cgi?id=1199
--- Comment #1 from Jindřich Makovička <makovick at gmail.com> ---
When searching for this bug, I also found this piece of code in
nft_hash_deactivate():
hlist_for_each_entry(he, &priv->table[hash], node) {
if (!memcmp(nft_set_ext_key(&this->ext), &elem->key.val,
set->klen) ||
nft_set_elem_active(&he->ext, genmask)) {
nft_set_elem_change_active(net, set, &he->ext);
return he;
}
}
The logical OR looks fishy to me. Shouldn't be && there instead?
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171029/22802ce1/attachment.html>
bugzilla-daemon at netfilter.org
2017-Nov-02 18:20 UTC
[Bug 1199] nft_set_hash fast lookup broken for 2 byte keys
https://bugzilla.netfilter.org/show_bug.cgi?id=1199
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Florian Westphal <fw at strlen.de> ---
Fixed via
commit 0414c78f14861cb704d6e6888efd53dd36e3bdde
netfilter: nft_set_hash: disable fast_ops for 2-len keys
in nf/net trees.
I submitted a patch to address || vs &&, thanks for reporting!
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171102/516989c2/attachment.html>
bugzilla-daemon at netfilter.org
2017-Nov-02 18:30 UTC
[Bug 1199] nft_set_hash fast lookup broken for 2 byte keys
https://bugzilla.netfilter.org/show_bug.cgi?id=1199 --- Comment #3 from Jindřich Makovička <makovick at gmail.com> --- Thanks, I think the 4 byte version should be also disabled for BE archs though. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171102/ac08b990/attachment.html>
bugzilla-daemon at netfilter.org
2017-Nov-02 18:36 UTC
[Bug 1199] nft_set_hash fast lookup broken for 2 byte keys
https://bugzilla.netfilter.org/show_bug.cgi?id=1199 --- Comment #4 from Florian Westphal <fw at strlen.de> --- (In reply to Jindřich Makovička from comment #3)> Thanks, I think the 4 byte version should be also disabled for BE archs > though.Right, I missed the comment wrt. jhash_1word vs. jhash() on big endian. I will look at it again, but I think that it might not be worth fixing this so removing the "fast" versions seems better. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171102/96348198/attachment.html>
bugzilla-daemon at netfilter.org
2017-Nov-15 18:22 UTC
[Bug 1199] nft_set_hash fast lookup broken for 2 byte keys
https://bugzilla.netfilter.org/show_bug.cgi?id=1199
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|FIXED |DUPLICATE
--- Comment #5 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Fix for this bug is now available in Linux kernel release 4.13.13.
*** This bug has been marked as a duplicate of bug 1201 ***
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20171115/e4cfa96d/attachment.html>
Maybe Matching Threads
- [Bug 1426] New: Inefficient command lookup on errors
- [Bug 1201] New: Some filters randomly do not work since version 0.8
- [Bug 1199] ssh sends invalid ttymodes when stdin is not a tty
- OpenStack+libvirt+lxc: lxcContainerGetSubtree:1199 : Failed to read /proc/mounts
- CEBA-2012:1199 CentOS 6 kernel Update