Phil Sutter <phil@xxxxxx> wrote:
> > > | reduce = reduce && expr->ops->type->reduce;
> >
> > Could you elaborate?
>
> Well, an expression which may set verdict register to NFT_BREAK should
> prevent reduction of later expressions in same rule as it may stop rule
> evaluation at run-time. This is obvious for nft_cmp, but nft_meta is
> also a candidate: NFT_META_IFTYPE causes NFT_BREAK if pkt->skb->dev is
> NULL. The optimizer must not assume later expressions are evaluated.

This all seems fragile to me, with huge potential to add subtle bugs
that will be hard to track down.
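Added example, not part of the original thread and not kernel code: a user-space toy model of the point quoted above, that a load placed after an expression which may break cannot be assumed to have run. The expression layout, the register-tracking scheme, the chain and the packet are all constructed for illustration.

```c
#include <stdbool.h>
#include <string.h>

/* Toy model, not kernel code: every name, the chain and the packet are constructed. */
enum { END, LOAD, CMP, NREG = 2, NRULE = 3, NEXPR = 5 };
enum { NONE, IGNORE_BREAK, HONOR_BREAK };           /* reduction modes */
struct expr { int op, reg, arg; bool may_break, elided; };
static const struct expr chain[NRULE][NEXPR] = {    /* LOAD: arg is a packet field */
    { {LOAD, 0, 0}, {CMP, 0, 1, true}, {LOAD, 1, 1}, {CMP, 1, 5, true} },
    { {LOAD, 1, 1}, {CMP, 1, 7, true} },
    { {LOAD, 0, 0}, {CMP, 0, 2, true} },
};
static const int pkt[2] = { 2, 7 };                 /* fails the first CMP of rule 0 */
static struct expr work[NRULE][NEXPR];

/* Copy chain into work[], mark redundant loads, return how many were marked. */
static int reduce_chain(int mode)
{
    int track[NREG] = { -1, -1 }, n = 0;  /* field each register is known to hold */
    memcpy(work, chain, sizeof(work));
    for (int r = 0; mode != NONE && r < NRULE; r++) {
        bool reduce = true;               /* cleared once rule evaluation may stop */
        for (struct expr *e = work[r]; e->op != END; e++) {
            if (e->op == LOAD && track[e->reg] == e->arg) {
                e->elided = true;         /* register already holds this field */
                n++;
            } else if (e->op == LOAD) {   /* a load that may not run is not trusted */
                track[e->reg] = reduce ? e->arg : -1;
            }
            reduce = reduce && !(mode == HONOR_BREAK && e->may_break);
        }
    }
    return n;
}

/* Evaluate work[] on pkt; returns the number of rules that ran to completion. */
static int run_chain(void)
{
    int regs[NREG] = { 0 }, hits = 0;
    for (int r = 0; r < NRULE; r++) {
        const struct expr *e = work[r];
        for (; e->op != END; e++) {
            if (e->op == LOAD && !e->elided) regs[e->reg] = pkt[e->arg];
            if (e->op == CMP && regs[e->reg] != e->arg) break;  /* NFT_BREAK analogue */
        }
        hits += (e->op == END);
    }
    return hits;
}
```

With the constructed packet, reducing while ignoring breaks drops the load in rule 1 although register 1 was never written, so a rule that matched before reduction no longer does.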