Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > I would not add this patch and keep the reject behaviour, as the
> > nftables uapi is specifically built around the rule being a standalone
> > object. I also question if it makes real sense to do such preload from
> > userspace; it has little benefit for well-formed (non-repetitive) rulesets.
> > I am afraid there won't be an easy way to revert this in the future?
>
> Is there any specific concern you have? Buggy validation allowing to
> access uninitialized registers? In that case, there is a need to
> improve test infrastructure to exercise this code more.

Yes, for one thing, but I also do not see how we can ever move to a model where registers are re-used by subsequent rules; it's incompatible with the rule-is-smallest-replaceable-object design. (Meaning: userspace needs to be fully cooperative and aware that it cannot insert a random rule at location x.)