Sunny73Cr <Sunny73Cr@xxxxxxxxxxxxxx> wrote:
> It appears that the incorrect register is accepted when data is modified.
>
> Running Debian 12.9.
>
> /etc/nftables.conf:
>
> #!/usr/sbin/nft -f
> flush ruleset
> table inet filter {
> chain output {
> type filter hook output priority filter;
>
> @ih,0,128 set 0 \
> accept;
> }
> }
>
> output (viewable with /usr/sbin/nft -d all -f /etc/nftables.conf):
>
> [ immediate reg 1 0x00000000 0x00000000 0x00000000 0x00000000 ]
> [ payload write reg 1 => 16b @ inner header + 0 csum_type 0 csum_off 0 csum_flags 0x1 ]
> [ immediate reg 0 accept ]
>
> If reg 1 was modified, I believe it should be reg 1 that is accepted.
No, never. reg0 is the verdict register.
"immediate reg 1 0x0000...." means we store 0 in reg 1.
"immediate reg 0 accept" means we store "accept" in reg 0.
Those are stores, not loads.
