On Mon, Dec 4, 2023 at 11:48 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > On Mon, Dec 04, 2023 at 10:43:51AM +0100, Florian Westphal wrote: > > Florian Westphal <fw@xxxxxxxxx> wrote: > > > Maciej Żenczykowski <zenczykowski@xxxxxxxxx> wrote: > > > > FYI, I upgraded the router to OpenWrt 23.05.2 with 5.15.137 and it > > > > doesn't appear to have changed anything, ie. 'tcp option fastopen > > > > exists' still does not appear to match. > > > > > > > > Also note that I'm putting this in table inet filter postrouting like > > > > below... but that shouldn't matter should it? > > > > > > No, this is an endianess bug, on BE the compared byte is always 0. > > > > We could fix this from userspace too: > > > > ... exists -> reg32 != 0 > > ... missing -> reg32 == 0 > > > > currently nftables uses &boolean_type, so the > > compare is for 1 byte. We could switch this to > > 32 bit integer type, this way it will no longer > > matter if the kernel stores the number at offset 0 or 3. > > This simplifies things. > > > Phil, Pablo, what do you think? > > Just make sure this does not break backward compatibility. When used > from set declarations with typeof, for example. I can confirm the box in question is Big Endian: root@mf286a:~# uname -a; cat /proc/net/tcp | egrep '0100007F|7F000001' Linux mf286a 5.15.137 #0 Tue Nov 14 13:38:11 2023 mips GNU/Linux 3: 7F000001:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3519 1 2ca55a24 100 0 0 ^ 7F000001 - big endian ^ 0100007F - little endian (I'm guessing 'mips' is always BE, vs mipsel being LE or something, but not actually 100% sure of that) wrt. the fix, perhaps this should be fixed both in the kernel and in userspace? it seems wrong to have unpredictable endian-ness dependent kernel logic, but a userspace fix/workaround would be easier to deploy... Is there some way I could feed raw nf bytecode in via nft syntax (if no... should support for this be added?) ? (ie. I'm not too sure how to rebuild/flash the kernel, changing userspace nft binary would be easier, but doing something without rebuilding either, to confirm this will indeed fix it would be even better...)
