On Mon, Dec 04, 2023 at 02:57:31PM +0100, Phil Sutter wrote:
> On Mon, Dec 04, 2023 at 12:29:54PM +0100, Florian Westphal wrote:
> > Maze reports "tcp option fastopen exists" fails to match on
> > OpenWrt 22.03.5, r20134-5f15225c1e (5.10.176) router.
> >
> > "tcp option fastopen exists" translates to:
> > inet
> > [ exthdr load tcpopt 1b @ 34 + 0 present => reg 1 ]
> > [ cmp eq reg 1 0x00000001 ]
> >
> > .. but existing nft userspace generates a 1-byte compare.
> >
> > On LSB (x86), "*reg32 = 1" is identical to nft_reg_store8(reg32, 1), but
> > not on MSB, which will place the 1 last. IOW, on bigendian aches the cmp8
> > is awalys false.
> >
> > Make sure we store this in a consistent fashion, so existing userspace
> > will also work on MSB (bigendian).
> >
> > Regardless of this patch we can also change nft userspace to generate
> > 'reg32 == 0' and 'reg32 != 0' instead of u8 == 0 // u8 == 1 when
> > adding 'option x missing/exists' expressions as well.
> >
> > Fixes: 3c1fece8819e ("netfilter: nft_exthdr: Allow checking TCP option presence, too")
> > Fixes: b9f9a485fb0e ("netfilter: nft_exthdr: add boolean DCCP option matching")
> > Fixes: 055c4b34b94f ("netfilter: nft_fib: Support existence check")
> > Reported-by: Maciej Żenczykowski <zenczykowski@xxxxxxxxx>
> > Closes: https://lore.kernel.org/netfilter-devel/CAHo-OozyEqHUjL2-ntATzeZOiuftLWZ_HU6TOM_js4qLfDEAJg@xxxxxxxxxxxxxx/
> > Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
>
> I reckon we want this irrespective of any user space changes as it fixes
> for existing/old user space on Big Endian. Therefore:
>
> Acked-by: Phil Sutter <phil@xxxxxx>
Agreed.
