Re: [RFC nf-next 3/4] netfilter: nf_tables: insert register zeroing instructions for dodgy chains

On Thu, Jun 27, 2024 at 03:53:23PM +0200, Florian Westphal wrote:
> Instead of rejecting rules that read from registers that saw no store,
> insert nft_imm instruction preamble when building the ruleset blob.
> 
> Once any rule triggers 'uninitialised access', table gets marked as
> need-rebuild, then all base-chains in the affected table are regenerated.
> 
> Known drawback: 'nft monitor trace' may show 'unknown rule handle 0
> verdict continue' when this auto-zero is active.
> If this is unwanted, the trace infra in kernel could be patched to
> suppress notification for handle-0 rules.
> 
> As normal rulesets generated by nft or iptables-nft never cause such
> uninitialised reads, this allows reverting the forced zeroing in the
> next patch.
>
> I would not add this patch and keep the reject behaviour, as the
> nftables uapi is specifically built around the rule being a standalone
> object.  I also question if it makes real sense to do such preload from
> userspace, it has little benefit for well-formed (non-repetitive) rulesets.

I am afraid there won't be an easy way to revert this in the future?

Is there any specific concern you have? Buggy validation allowing
access to uninitialized registers? In that case, there is a need to
improve test infrastructure to exercise this code more.

Thanks.
