Re: [nf-next PATCH v2] netfilter: nf_tables: Introduce NFTA_RULE_ACTUAL_EXPR

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Sat, Feb 04, 2023 at 10:00:25PM +0100, Phil Sutter wrote:
> On Sat, Feb 04, 2023 at 10:41:37AM +0100, Pablo Neira Ayuso wrote:
> > On Fri, Feb 03, 2023 at 05:21:29PM +0100, Phil Sutter wrote:
> > [...]
> > > On Fri, Feb 03, 2023 at 04:32:01PM +0100, Pablo Neira Ayuso wrote:
> > [...]
> > > > I also wonder if this might cause problems with nftables and implicit
> > > > sets, they are bound to one single lookup expression that, when gone,
> > > > the set is released. Now you will have two expressions pointing to an
> > > > implicit set. Same thing with implicit chains. This might get tricky
> > > > with the transaction interface.
> > > 
> > > While indeed two lookup expressions will refer to the same anonymous
> > > set, only one of those expressions will ever be in use. There's no way
> > > the kernel would switch between rule variants (or use both at the same
> > > time).
> > 
> > OK, but control plane will reject two lookup expressions that refer to
> > the same anonymous set.
> 
> Only if it sees the second expression: If NFTA_RULE_ACTUAL_EXPR is
> present, the kernel will copy the content of NFTA_RULE_EXPRESSIONS into
> a buffer pointed to by nft_rule::dump_expr. It does not inspect the
> content apart from nla_policy checking which merely ensures it's a
> nested array of elements conforming to nft_expr_policy (i.e., have a
> NAME and DATA attribute).
> 
> The copied data is touched only by nf_tables_fill_rule_info() which
> copies it as-is into the skb. Later, nf_tables_rule_destroy() just frees
> the whole blob.
> 
> So effectively the kernel doesn't know or care what expressions are
> contained in NFTA_RULE_EXPRESSIONS.

Copy should work, sorry I thought you were parsing the expression again.