[Bug 1199] New: nft_set_hash fast lookup broken for 2 byte keys
bugzilla-daemon at netfilter.org
Sun Oct 29 01:07:25 CEST 2017
https://bugzilla.netfilter.org/show_bug.cgi?id=1199
Bug ID: 1199
Summary: nft_set_hash fast lookup broken for 2 byte keys
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: major
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: makovick at gmail.com
Hi,
after an upgrade of the userspace nftables to v0.8, I found that my port sets
suddenly stopped matching. After some searching, I tracked the issue down to
nft_hash_key and nft_hash_lookup_fast - with v0.8, the kernel started
preferring hashes instead of bitsets.
nft_hash_lookup_fast uses jhash_1word, which always uses the hash initializer
appropriate for keys of length == 4. This means it miscomputes the bucket
location for 2-byte keys and the lookup fails. In addition, lookups for 4-byte
keys will probably fail on big endian machines - the byte-wise jhash used
everywhere else reads the u32s as little endian.
I tried removing the fast version of the hash lookups, and it indeed fixes the
issue.
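The mismatch described in the report can be reproduced in user space. The following is an added example, not code from the report or from the kernel tree: jhash_bytes and jhash_1word are re-implementations of the two Jenkins hash variants restricted to keys of 1 to 4 bytes, and the seed, the key values and the little-endian register load are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

#define JHASH_INITVAL 0xdeadbeefu
#define ROL32(x, k) (((x) << (k)) | ((x) >> (32 - (k))))

/* Final mixing step of the Jenkins hash, shared by both variants. */
static uint32_t jhash_final(uint32_t a, uint32_t b, uint32_t c)
{
    c ^= b; c -= ROL32(b, 14); a ^= c; a -= ROL32(c, 11);
    b ^= a; b -= ROL32(a, 25); c ^= b; c -= ROL32(b, 16);
    a ^= c; a -= ROL32(c, 4);  b ^= a; b -= ROL32(a, 14);
    c ^= b; c -= ROL32(b, 24);
    return c;
}

/* Byte-wise variant, keys of 1..4 bytes only: the key length is folded into
 * the initial state and the bytes are assembled in little-endian order. */
static uint32_t jhash_bytes(const uint8_t *k, uint32_t len, uint32_t seed)
{
    uint32_t init = JHASH_INITVAL + len + seed, a = init;
    for (uint32_t i = 0; i < len && i < 4; i++)
        a += (uint32_t)k[i] << (8 * i);
    return jhash_final(a, init, init);
}

/* One-word variant: the initial state always assumes a 4-byte key. */
static uint32_t jhash_1word(uint32_t a, uint32_t seed)
{
    uint32_t init = JHASH_INITVAL + 4 + seed;
    return jhash_final(a + init, init, init);
}

/* Count keys (constructed sample: values 0..n-1, stored little-endian and
 * zero-padded to 4 bytes) for which the two variants disagree. */
static unsigned mismatches(uint32_t len, uint32_t n, uint32_t seed)
{
    unsigned bad = 0;
    for (uint32_t v = 0; v < n; v++) {
        uint8_t key[4] = { (uint8_t)v, (uint8_t)(v >> 8),
                           (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
        /* v stands for the register read as one u32 (little-endian load) */
        bad += jhash_bytes(key, len, seed) != jhash_1word(v, seed);
    }
    return bad;
}

int main(void)
{
    uint32_t seed = 0x12345678u; /* constructed seed */
    printf("4-byte keys disagreeing: %u\n", mismatches(4, 65536, seed));
    printf("2-byte keys disagreeing: %u\n", mismatches(2, 65536, seed));
    return 0;
}
```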