Commit afdc40f

netfilter: nft_set_pipapo: use 0 genmask for packetpath lookups
JIRA: https://issues.redhat.com/browse/RHEL-113001
Upstream Status: commit 4dbac7d
Conflicts: net/netfilter/nft_set_pipapo.c net/netfilter/nft_set_pipapo_avx2.c

Elide change to the avx2 version, it doesn't check the generation bit in RHEL, this is due to lack of 416e53e ("netfilter: nft_set_pipapo_avx2: split lookup function in two parts").

In RHEL 10, the avx2 version is only used from dataplane, whereas upstream it is now also used from the control plane, e.g. to check for duplicate at "new element" insert time.

commit 4dbac7d
Author: Florian Westphal <fw@strlen.de>
Date: Tue Sep 16 18:34:01 2025 +0200

netfilter: nft_set_pipapo: use 0 genmask for packetpath lookups

In commit c4eaca2 ("netfilter: nft_set_pipapo: don't check genbit from packetpath lookups") I replaced genmask_cur() with NFT_GENMASK_ANY, but this change has no effect in the pipapo set type.

New entries are unreachable from the active copy, so NFT_GENMASK_ANY has same result as genmask_cur(): current-gen elements are disabled and the new-generation elements cannot be found.

Tests did not catch this incomplete fix because the change also dropped the genmask test from the AVX2 version of the algorithm, so test only fails if host cpu lacks AVX2 support.

Use genmask test only from the control plane (inserts, deletions, ..).

Packet path has to skip the check, use of 0 is enough for this because ext->genmask has the relevant bit set when the element is INACTIVE in that generation: using a 0 genmask thus makes nft_set_elem_active() always return true.

Fix the comment and replace NFT_GENMASK_ANY with 0.

Fixes: c4eaca2 ("netfilter: nft_set_pipapo: don't check genbit from packetpath lookups")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Florian Westphal <fwestpha@redhat.com>
1 parent e871e9b commit afdc40f
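
The window the commit message describes (generation bit flipped, ->clone and ->match not yet swapped) can be reproduced in a small user-space model. This is an added example, not kernel code or part of the commit; every `model_` name and the key value 42 are hypothetical, and the activity predicate follows the rule stated in the message (a set bit in the element's genmask means inactive in that generation).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only; model_* names are hypothetical, not kernel symbols. */
#define MODEL_GENMASK_ANY 0x3u          /* both generation bits set */

struct model_elem {
	uint32_t key;
	uint8_t genmask;                /* bit g set => INACTIVE in generation g */
};

/* Activity test as the commit message describes it: any overlap means inactive. */
static bool model_elem_active(const struct model_elem *e, uint8_t genmask)
{
	return !(e->genmask & genmask);
}

/* Search one copy of the set (stands in for a lookup through priv->match). */
static const struct model_elem *model_lookup(const struct model_elem *copy,
					     size_t n, uint32_t key, uint8_t genmask)
{
	for (size_t i = 0; i < n; i++)
		if (copy[i].key == key && model_elem_active(&copy[i], genmask))
			return &copy[i];
	return NULL;
}

/*
 * Constructed scenario: a transaction replaces the element for key 42 while
 * generation 0 is current. The old element is marked inactive in generation 1
 * and stays in the match copy; its replacement exists only in the clone.
 * The generation bit has flipped to 1, but clone and match are not yet swapped.
 * Returns whether a packet-path lookup on the match copy still finds key 42.
 */
static bool model_hit_in_window(uint8_t genmask)
{
	static const struct model_elem match_copy[] = {
		{ .key = 42, .genmask = 1u << 1 },
	};

	return model_lookup(match_copy, 1, 42, genmask) != NULL;
}

int main(void)
{
	printf("cur=%d any=%d zero=%d\n", model_hit_in_window(1u << 1),
	       model_hit_in_window(MODEL_GENMASK_ANY), model_hit_in_window(0));
	return 0;
}
```

Only the zero mask keeps the old entry visible during the window, which is the consistent view of ->match the packet path needs.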

1 file changed, +4 -5 lines changed

net/netfilter/nft_set_pipapo.c

Lines changed: 4 additions & 5 deletions
@@ -510,8 +510,7 @@ static struct nft_pipapo_elem *pipapo_get(const struct nft_pipapo_match *m,
510510
*
511511
* This function is called from the data path. It will search for
512512
* an element matching the given key in the current active copy.
513-
* Unlike other set types, this uses NFT_GENMASK_ANY instead of
514-
* nft_genmask_cur().
513+
* Unlike other set types, this uses 0 instead of nft_genmask_cur().
515514
*
516515
* This is because new (future) elements are not reachable from
517516
* priv->match, they get added to priv->clone instead.
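
Review bot: the rewritten sentence at new line 513 says the lookup uses 0 but not why a zero mask behaves differently from NFT_GENMASK_ANY; that reasoning exists only in the commit message. Consider adding one sentence to the comment stating that a set bit in ext->genmask marks the element inactive in that generation, so a 0 genmask makes nft_set_elem_active() always return true.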
@@ -521,8 +520,8 @@ static struct nft_pipapo_elem *pipapo_get(const struct nft_pipapo_match *m,
521520
* inconsistent state: matching old entries get skipped but thew
522521
* newly matching entries are unreachable.
523522
*
524-
* GENMASK will still find the 'now old' entries which ensures consistent
525-
* priv->match view.
523+
* GENMASK_ANY doesn't work for the same reason: old-gen entries get
524+
* skipped, new-gen entries are only reachable from priv->clone.
526525
*
527526
* nft_pipapo_commit swaps ->clone and ->match shortly after the
528527
* genbit flip. As ->clone doesn't contain the old entries in the first
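
Review bot: the new comment at lines 523-524 writes GENMASK_ANY, while the macro this commit removes from the call site is NFT_GENMASK_ANY; use the full name so a grep for the macro finds this explanation. The unchanged context line 520 also carries the typo "thew" ("get skipped but thew"), which could be fixed in the same pass over this comment block.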
@@ -539,7 +538,7 @@ nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
539538
const struct nft_pipapo_elem *e;
540539

541540
m = rcu_dereference(priv->match);
542-
e = pipapo_get(m, (const u8 *)key, NFT_GENMASK_ANY, get_jiffies_64());
541+
e = pipapo_get(m, (const u8 *)key, 0, get_jiffies_64());
543542

544543
return e ? &e->ext : NULL;
545544
}
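
Review bot: the bare 0 at new line 541 sits in the genmask argument of pipapo_get() with nothing at the call site marking it as deliberate, and the Fixes: tag shows this same argument was already changed incorrectly once. A short inline comment such as /* 0: packet path skips the generation check */ would make it harder for a later cleanup to put a genmask helper back here.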
