Hi!

On Fri, May 05, 2023 at 01:16:53PM +0200, Florian Westphal wrote:
> Keep a per-rule bitmask that tracks registers that have seen a store,
> then reject loads when the accessed registers haven't been flagged.
>
> This changes uabi contract, because we previously allowed this.
> Neither nftables nor iptables-nft create such rules.

Did you consider keeping this bitmask on a per base-chain level? One had
to perform this for each base chain of a table upon each rule change and
traverse the tree of chains jumped to from there. I guess the huge
overhead disqualifies this, though.

Cheers, Phil
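
The per-rule check described in the quoted patch text, as an added example (not code from the patch or from the kernel): a simplified model in which every rule starts with an empty bitmask, stores set bits, and a load is rejected unless all registers it touches are set. `REG_COUNT`, `REG_SIZE`, `struct reg_op` and `rule_validate` are hypothetical names and values chosen for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REG_COUNT 16u /* assumed number of 32-bit registers in this model */
#define REG_SIZE  4u  /* assumed bytes per register */

enum op_kind { OP_STORE, OP_LOAD };

/* Hypothetical: one register access by an expression (first register, byte length). */
struct reg_op { enum op_kind kind; unsigned int reg; unsigned int len; };

/* Bits for every register touched by [reg, reg + ceil(len / REG_SIZE)); 0 if out of range. */
static uint32_t reg_span_mask(unsigned int reg, unsigned int len)
{
    unsigned int n = (len + REG_SIZE - 1) / REG_SIZE;

    if (len == 0 || reg >= REG_COUNT || n > REG_COUNT - reg)
        return 0;
    return (uint32_t)(((UINT64_C(1) << n) - 1) << reg);
}

/* Walk one rule's accesses in order. Returns -1 if the rule is accepted,
 * otherwise the index of the first rejected access. */
int rule_validate(const struct reg_op *ops, size_t count)
{
    uint32_t stored = 0; /* per-rule: nothing carries over from earlier rules */

    for (size_t i = 0; i < count; i++) {
        uint32_t mask = reg_span_mask(ops[i].reg, ops[i].len);

        if (mask == 0)
            return (int)i;          /* access outside the register file */
        if (ops[i].kind == OP_STORE)
            stored |= mask;         /* flag every register written */
        else if ((stored & mask) != mask)
            return (int)i;          /* load touches an unflagged register */
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: 4-byte store to register 0, then an 8-byte load from it. */
    struct reg_op rule[] = { { OP_STORE, 0, 4 }, { OP_LOAD, 0, 8 } };

    printf("first rejected access: %d\n", rule_validate(rule, 2));
    return 0;
}
```

Because the mask is reset per rule in this model, a rule that only loads a register is rejected even if an earlier rule in the same chain stored to it, which is the limitation a per-base-chain mask would lift.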