netfilter: nft_set_pipapo: .walk does not deal with generations

JIRA: https://issues.redhat.com/browse/RHEL-1720
JIRA: https://issues.redhat.com/browse/RHEL-1721
Upstream Status: commit 2b84e21

commit 2b84e21
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Fri Jun 16 15:20:04 2023 +0200

    netfilter: nft_set_pipapo: .walk does not deal with generations

    The .walk callback iterates over the current active set, but it might be
    useful to iterate over the next generation set. Use the generation mask
    to determine what set view (either current or next generation) is use
    for the walk iteration.

    Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

net/netfilter/nft_set_pipapo.c

@@ -1978,12 +1978,16 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
 			    struct nft_set_iter *iter)
 {
 	struct nft_pipapo *priv = nft_set_priv(set);
+	struct net *net = read_pnet(&set->net);
 	struct nft_pipapo_match *m;
 	struct nft_pipapo_field *f;
 	int i, r;
 
 	rcu_read_lock();
-	m = rcu_dereference(priv->match);
+	if (iter->genmask == nft_genmask_cur(net))
+		m = rcu_dereference(priv->match);
+	else
+		m = priv->clone;
 
 	if (unlikely(!m))
 		goto out;