From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC nf-next 3/4] netfilter: nf_tables: insert register zeroing instructions for dodgy chains
Date: Tue, 2 Jul 2024 00:32:32 +0200 [thread overview]
Message-ID: <ZoMugPfekHpNjGjO@calendula> (raw)
In-Reply-To: <20240701221830.GB11142@breakpoint.cc>
On Tue, Jul 02, 2024 at 12:18:30AM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > I would not add this patch and keep the reject behaviour, as the
> > > nftables uapi is specifically built around the rule being a standalone
> > > object. I also question if it makes real sense to do such preload from
> > > userspace, it has little benefit for well-formed (non-repetitive) rulesets.
> >
> > I am afraid there won't be an easy way to revert this in this future?
> >
> > Is there any specific concern you have? Buggy validation allowing to
> > access uninitialized registers? In that case, there is a need to
> > improve test infrastructure to exercise this code more.
>
> Yes, for one thing, but I also do not see how we can ever move to a
> model where registers are re-used by subsequent rules, its incompatible
> with the rule-is-smallest-replaceable-object design.
Yes, incremental updates are an issue. Another possibility is to add
support for static rulesets, so there is a simple way for userspace to
recycle registers (this would be fully performed from userspace).
And users can still inject raw bytecode to make their own programs. We
have been discussing that dumping a listing with bytecode that cannot
be interpreted is an option to deal with "forward compatibility",
similar approach could help deal with this.
If your concern is the register tracking from the kernel, I am not
pursuing that approach anymore and I can make a patch to ditch it
after this series.
> (Meaning: userspace needs to be fully cooperative and aware that
> it cannot insert a random rule at location x).
next prev parent reply other threads:[~2024-07-01 22:32 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-27 13:53 [RFC nf-next 0/4] nf_tables: remove explicit register zeroing Florian Westphal
2024-06-27 13:53 ` [RFC nf-next 1/4] netfilter: nf_tables: pass context structure to nft_parse_register_load Florian Westphal
2024-06-27 13:53 ` [RFC nf-next 2/4] netfilter: nf_tables: allow loads only when register is initialized Florian Westphal
2024-07-01 20:31 ` Pablo Neira Ayuso
2024-07-01 22:16 ` Florian Westphal
2024-06-27 13:53 ` [RFC nf-next 3/4] netfilter: nf_tables: insert register zeroing instructions for dodgy chains Florian Westphal
2024-07-01 20:30 ` Pablo Neira Ayuso
2024-07-01 22:18 ` Florian Westphal
2024-07-01 22:32 ` Pablo Neira Ayuso [this message]
2024-06-27 13:53 ` [RFC nf-next 4/4] netfilter: nf_tables: don't initialize registers in nft_do_chain() Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZoMugPfekHpNjGjO@calendula \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.