Hi,

please consider adding

> From 0414c78f14861cb704d6e6888efd53dd36e3bdde Mon Sep 17 00:00:00 2001
> From: Anatole Denis <anatole@xxxxxxxxx>
> Date: Wed, 4 Oct 2017 01:17:14 +0100
> Subject: netfilter: nft_set_hash: disable fast_ops for 2-len keys
>
> jhash_1word of a u16 is a different value from jhash of the same u16 with
> length 2.
> Since elements are always inserted in sets using jhash over the actual
> klen, this would lead to incorrect lookups on fixed-size sets with a key
> length of 2, as they would be inserted with hash value jhash(key, 2) and
> looked up with hash value jhash_1word(key), which is different.
>
> Example reproducer (v4.13+), using anonymous sets which always have a
> fixed size:
>
> table inet t {
>   chain c {
>     type filter hook output priority 0; policy accept;
>     tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject
>     tcp dport 10001 counter packets 4 bytes 240 reject
>     tcp dport 10003 counter packets 4 bytes 240 reject
>     tcp dport 10005 counter packets 4 bytes 240 reject
>     tcp dport 10007 counter packets 0 bytes 0 reject
>     tcp dport 10009 counter packets 4 bytes 240 reject
>   }
> }
>
> then use nc -z localhost <port> to probe; incorrectly hashed ports will
> pass through the set lookup and increment the counter of an individual
> rule.
>
> jhash being seeded with a random value, it is not deterministic which
> ports will incorrectly hash, but in testing with 5 ports in the set I
> always had 4 or 5 with an incorrect hash value.
>
> Signed-off-by: Anatole Denis <anatole@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

This commit fixes a problem in 4.13+ with the latest >=nftables-0.8 release.

Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880145
Bug: https://bugs.gentoo.org/636968

--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
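The jhash_1word() versus jhash(key, 2) mismatch the quoted commit describes, as an added C example that is not the kernel's code and not part of this thread: a userspace port of the kernel's lookup3-based jhash, assuming a little-endian host, with the helper names get_le, fast_ops_ok_u16 and fast_ops_ok_u32 being my own.

```c
/* Constructed userspace port of the Linux lookup3-based jhash (include/linux/jhash.h),
 * not the kernel header itself, showing why the jhash_1word() fast path disagrees with
 * jhash() over the same u16 key with length 2. Assumes a little-endian host. */
#include <stdint.h>
#define JHASH_INITVAL 0xdeadbeef
static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }
#define JHASH_MIX(a, b, c) { \
    a -= c; a ^= rol32(c, 4);  c += b;  b -= a; b ^= rol32(a, 6);  a += c; \
    c -= b; c ^= rol32(b, 8);  b += a;  a -= c; a ^= rol32(c, 16); c += b; \
    b -= a; b ^= rol32(a, 19); a += c;  c -= b; c ^= rol32(b, 4);  b += a; }
#define JHASH_FINAL(a, b, c) { \
    c ^= b; c -= rol32(b, 14); a ^= c; a -= rol32(c, 11); b ^= a; b -= rol32(a, 25); \
    c ^= b; c -= rol32(b, 16); a ^= c; a -= rol32(c, 4);  b ^= a; b -= rol32(a, 14); \
    c ^= b; c -= rol32(b, 24); }
/* Little-endian read of up to 4 bytes (stands in for the kernel's byte-wise tail switch). */
static uint32_t get_le(const uint8_t *k, uint32_t n) {
    uint32_t w = 0;
    for (uint32_t i = 0; i < n; i++) w |= (uint32_t)k[i] << (8 * i);
    return w;
}
/* General path used when inserting set elements: the key LENGTH is folded into the
 * initial state, so a 2-byte and a 4-byte encoding of the same value hash differently. */
uint32_t jhash(const void *key, uint32_t length, uint32_t initval) {
    const uint8_t *k = key; uint32_t a, b, c;
    a = b = c = JHASH_INITVAL + length + initval;
    while (length > 12) {                     /* full 12-byte blocks */
        a += get_le(k, 4); b += get_le(k + 4, 4); c += get_le(k + 8, 4);
        JHASH_MIX(a, b, c);
        length -= 12; k += 12;
    }
    if (length == 0) return c;                /* nothing left to add */
    a += get_le(k, length < 4 ? length : 4);
    if (length > 4) b += get_le(k + 4, length < 8 ? length - 4 : 4);
    if (length > 8) c += get_le(k + 8, length - 8);
    JHASH_FINAL(a, b, c);
    return c;
}
/* Fast path the lookup side used for fixed-size sets: its seed bakes in a length
 * of 4 (1 << 2), so it equals jhash(&u32, 4) but not jhash(&u16, 2). */
uint32_t jhash_1word(uint32_t a, uint32_t initval) {
    uint32_t b, c;
    initval += JHASH_INITVAL + (1 << 2);  a += initval; b = c = initval;
    JHASH_FINAL(a, b, c);
    return c;
}
/* 1 when the insert-path hash and the fast lookup-path hash agree for a 2-byte
 * (port) or 4-byte key; 0 means a lookup for that element would miss the set. */
int fast_ops_ok_u16(uint16_t p, uint32_t s) { return jhash(&p, sizeof p, s) == jhash_1word(p, s); }
int fast_ops_ok_u32(uint32_t k, uint32_t s) { return jhash(&k, sizeof k, s) == jhash_1word(k, s); }
```

With any seed, the 4-byte case agrees and the 2-byte case does not, which is exactly why the fix limits fast_ops to 4-byte keys.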