From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next 0/3] netfilter: nf_tables: reject loads from uninitialized registers
Date: Wed, 10 May 2023 10:06:32 +0200 [thread overview]
Message-ID: <20230510080632.GB21949@breakpoint.cc> (raw)
In-Reply-To: <ZFtOQEZmKEZ2VHPE@calendula>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > Hmm, this will get messy.
> >
> > I only see two alternatives:
> >
> > - place the bitmask in the pernet structure.
> > - add struct nft_expr_ctx as a container structure, which has
> > nft_ctx as first member and the bitmask as second member, to
> > be used for NEWRULE and NEWSETELEM instead of nft_ctx.
>
> Can the 'level' field be moved to this nft_expr_ctx structure? This
> field is only used from the preparation phase (not in the commit
> phase).
>
> Probably we need to rename nft_ctx to nft_trans_ctx, so it contains
> the fields that are needed from the commit phase. Then, re-add a
> nft_ctx again which contains nft_trans_ctx at the beginning, then the
> register bitmap and the level field. Thus, any future fields only
> required by preparation phase only will go in nft_ctx, and fields that
> are specifically are set up from preparation phase and consumed from
> commit step go in nft_trans_ctx.
>
> It is a bit of churn, but it is probably good to tidy up this for
> future extensions?
Yes, its a lot of churn, I can have a look at how intrusive this will
be. Problem is that we have a bunch of helpers that take
'struct nft_ctx *', which are fed via '&trans->ctx'.
I'd like to avoid 'union nf_ctx_any *' tricks...
next prev parent reply other threads:[~2023-05-10 8:06 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 11:16 [PATCH nf-next 0/3] netfilter: nf_tables: reject loads from uninitialized registers Florian Westphal
2023-05-05 11:16 ` [PATCH nf-next 1/3] netfilter: nf_tables: pass context structure to nft_parse_register_load Florian Westphal
2023-05-05 11:16 ` [PATCH nf-next 2/3] netfilter: nf_tables: validate register loads never access unitialised registers Florian Westphal
2023-05-30 23:49 ` Pablo Neira Ayuso
2023-05-31 9:51 ` Florian Westphal
2023-05-05 11:16 ` [PATCH nf-next 3/3] netfilter: nf_tables: don't initialize registers in nft_do_chain() Florian Westphal
2023-05-05 13:16 ` [PATCH nf-next 0/3] netfilter: nf_tables: reject loads from uninitialized registers Phil Sutter
2023-05-05 13:46 ` Florian Westphal
2023-05-05 14:14 ` Phil Sutter
2023-05-05 14:32 ` Pablo Neira Ayuso
2023-05-05 14:51 ` Florian Westphal
2023-05-05 15:34 ` Pablo Neira Ayuso
2023-05-07 11:22 ` Florian Westphal
2023-05-10 7:56 ` Pablo Neira Ayuso
2023-05-10 8:06 ` Florian Westphal [this message]
2023-05-10 15:46 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230510080632.GB21949@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.