On Fri, May 05, 2023 at 03:46:55PM +0200, Florian Westphal wrote: > Phil Sutter <phil@xxxxxx> wrote: > > On Fri, May 05, 2023 at 01:16:53PM +0200, Florian Westphal wrote: > > > Keep a per-rule bitmask that tracks registers that have seen a store, > > > then reject loads when the accessed registers haven't been flagged. > > > > > > This changes uabi contract, because we previously allowed this. > > > Neither nftables nor iptables-nft create such rules. > > > > Did you consider keeping this bitmask on a per base-chain level? One had > > to perform this for each base chain of a table upon each rule change and > > traverse the tree of chains jumped to from there. I guess the huge > > overhead disqualifies this, though. > > Yes, but its very hard task, because in that case we also need to prove > that a write *WILL* happen, rather than *might happen*. > > Consider: > > rule1: > ip protocol tcp iifname "eth0" ... > reg1 := ip protocol > cmp reg1 > reg2 := meta iifname > > rule2: > iifname "eth1" ... > cmp reg2 "eth0" > > rule 2 has to be rejected because reg2 might be unitialized for != tcp. > > Even if we can handle this some way, we now also need to revalidate the > ruleset on deletes, because we'd have to detect when a register write > we depend on goes away. Ah, right. I forgot about "partial" rule execution again. Same thing which broke expression reduction for us. Maybe one could introduce a "chain optimizer" creating an initial meta-rule which just populates registers with packet/meta data rules may need. Not something I would want to rely upon regarding kernel info leaks, though. Cheers, Phil
