On Mon, 22 Nov 2021 14:29:33 +0100 Stefano Brivio <sbrivio@xxxxxxxxxx> wrote: > On Wed, 17 Nov 2021 15:08:54 +0300 > Nikita Yushchenko <nikita.yushchenko@xxxxxxxxxxxxx> wrote: > > > >>> Looks like the AVX2-based lookup does not process this correctly. > > >> > > >> Thanks for bisecting and reporting this! I'm looking into it now, I > > >> might be a bit slow as I'm currently traveling. > > > > > > Might be a bug in ebtables.... > > > > Exactly same ebtables binary (and exactly same rule) works with > > kernel 4.18 and all kernels up to the mentioned patch applied. > > Sorry for the delay, I've been offline the past days, I'll restart > looking into this now. I'm still debugging this but, if it helps, I found another workaround while checking: swapping the order of IP address and MAC address "fixes" it -- unfortunately I didn't think of this while writing the selftests, so that's what nft_concat_range.sh checks, a set with type "net, mac", and not "mac, net". E.g.: table ip t { set s { type ipv4_addr . ether_addr flags interval elements = { 192.168.122.1 . 52:54:00:04:9e:00 } } chain c { type filter hook input priority filter; policy accept; ip saddr . ether saddr @s counter packets 19 bytes 1284 } } ...of course this is due to an implementation detail (and the bug I'm chasing), functionally it's expected to be the same. -- Stefano