On Fri, May 05, 2023 at 04:51:13PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > On Fri, May 05, 2023 at 01:16:53PM +0200, Florian Westphal wrote: > > > Keep a per-rule bitmask that tracks registers that have seen a store, > > > then reject loads when the accessed registers haven't been flagged. > > > > > > This changes uabi contract, because we previously allowed this. > > > Neither nftables nor iptables-nft create such rules. > > > > > > In case there is breakage, we could insert an 'store 0 to x' > > > immediate expression into the ruleset automatically, but this > > > isn't done here. > > > > > > Let me know if you think the "refuse" approach is too risky. > > > > Might the NFT_BREAK case defeat this approach? Sequence is: > > > > 1) expression that writes on register hits NFT_BREAK (nothing is written) > > 2) expression that read from register, it reads uninitialized data. > > > > From ruleset load step, we cannot know if the write fails, because it > > is subject to NFT_BREAK. > > Yes, but its irrelevant: If 1) issues NFT_BREAK, 2) won't execute. And register tracking is done per rule, given context is per rule too, good. I wonder if it is worth to move the bitmask away from nft_ctx, given this structure is stored in the struct nft_trans, hence increasing the size of this object which is not required at a later state, maybe there is a need for a new container structure that store data useful for the initial preparation step of the commit protocol.
