On Wed, May 18, 2022 at 01:48:07PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@xxxxxx> wrote:
> > > > | reduce = reduce && expr->ops->type->reduce;
> > >
> > > Could you elaborate?
> >
> > Well, an expression which may set verdict register to NFT_BREAK should
> > prevent reduction of later expressions in same rule as it may stop rule
> > evaluation at run-time. This is obvious for nft_cmp, but nft_meta is
> > also a candidate: NFT_META_IFTYPE causes NFT_BREAK if pkt->skb->dev is
> > NULL. The optimizer must not assume later expressions are evaluated.
>
> This all seems fragile to me, with huge potential to add subtle bugs
> that will be hard to track down.

We can expose flags to indicate that an expression is reduced and
expressions that are prefetched. New test infrastructure will help to
catch bugs, more selftests and userspace validation of bytecode through
exposed flags. It would be good not to re-fetch data into register that
is already there.
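
The constraint quoted above ("the optimizer must not assume later expressions are evaluated"), as an added toy model that is not kernel code and not written by anyone in this thread. All names (`chain`, `optimize`, `run`, `verdict`) are hypothetical, only the compare expression breaks here, and the break-aware policy shown is one assumed way to honor the constraint.

```c
#include <stdio.h>
#include <string.h>
enum { LOAD, CMP, END };                      /* toy expression kinds, not kernel types */
struct expr { int kind, reg, arg, elided; };  /* arg: packet key (LOAD) or value (CMP) */
enum { NRULES = 3, NEXPR = 5, NREGS = 2 };
/* Constructed chain; registers persist from one rule to the next. */
static const struct expr chain[NRULES][NEXPR] = {
    { {LOAD,0,0,0}, {CMP,0,1,0}, {LOAD,1,1,0}, {CMP,1,5,0}, {END,0,0,0} },
    { {LOAD,1,1,0}, {CMP,1,7,0}, {END,0,0,0} },
    { {LOAD,0,0,0}, {CMP,0,2,0}, {END,0,0,0} },
};
/* Elide loads whose register already holds the key; returns the count. break_aware=1
 * stops trusting loads that follow an expression which may break out of the rule. */
static int optimize(struct expr prog[NRULES][NEXPR], int break_aware) {
    int track[NREGS] = { -1, -1 }, n = 0;     /* key each register surely holds */
    for (int r = 0; r < NRULES; r++) {
        int certain = 1;                      /* nothing in this rule could have broken yet */
        for (struct expr *e = prog[r]; e->kind != END; e++) {
            if (e->kind == CMP) certain = !break_aware;
            else if (track[e->reg] == e->arg) { e->elided = 1; n++; }
            else track[e->reg] = certain ? e->arg : -1;
        }
    }
    return n;
}
/* Returns the index of the first rule whose expressions all pass, or -1. */
static int run(struct expr prog[NRULES][NEXPR], const int *pkt) {
    int regs[NREGS] = { 0 };
    for (int r = 0; r < NRULES; r++) {
        struct expr *e = prog[r];
        for (; e->kind != END; e++) {
            if (e->kind == LOAD && !e->elided) regs[e->reg] = pkt[e->arg];
            else if (e->kind == CMP && regs[e->reg] != e->arg) break;  /* as NFT_BREAK */
        }
        if (e->kind == END) return r;
    }
    return -1;
}
static int verdict(int mode, int k0, int k1) {  /* mode -1: as written, 0: naive, 1: break-aware */
    struct expr prog[NRULES][NEXPR];
    int pkt[2] = { k0, k1 };
    memcpy(prog, chain, sizeof(prog));
    if (mode >= 0) optimize(prog, mode);
    return run(prog, pkt);
}
int main(void) {
    for (int m = -1; m <= 1; m++) printf("mode %2d -> rule %d\n", m, verdict(m, 2, 7));
    return 0;
}
```

With naive tracking the load in the second rule is elided even though the first rule broke before filling that register, so the packet lands on the wrong rule; the break-aware pass keeps that load and still elides the one in the third rule.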