Nftables New Chain implementation

Implements functionality for adding a new base chain and/or regular chain to a
netfilter table. This includes chain flags, user-metadata, handles, policies,
and hook attribute data.

Certain flags like NFTA_CHAIN_COUNTERS were left as explicitly unsupported for
now.

Finally, adding base chains specifically for the netdev family and at the
Ingress and Egress hooks have been explicitly left unsupported for now.
Updating already existing chains have also been explicitly left unsupported
for now, both of which will be implemented in a future change.

PiperOrigin-RevId: 778218038

Author: kerumeto

pkg/abi/linux/BUILD

@@ -52,6 +52,7 @@ go_library(
         "msgqueue.go",
         "netdevice.go",
         "netfilter.go",
+        "netfilter_arp.go",
         "netfilter_bridge.go",
         "netfilter_ipv4.go",
         "netfilter_ipv6.go",

pkg/abi/linux/netfilter.go

@@ -31,6 +31,13 @@ const (
 	NF_INET_LOCAL_OUT    = 3
 	NF_INET_POST_ROUTING = 4
 	NF_INET_NUMHOOKS     = 5
+	NF_INET_INGRESS      = NF_INET_NUMHOOKS
+)
+
+const (
+	NF_NETDEV_INGRESS = iota
+	NF_NETDEV_EGRESS
+	NF_NETDEV_NUMHOOKS
 )
 
 // Protocol families (address families). These correspond to values in

pkg/abi/linux/netfilter_arp.go

@@ -0,0 +1,24 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package linux
+
+// These constants show the hooks ARP packets can be evaluated at.
+// From include/uapi/linux/netfilter_arp.h.
+const (
+	NF_ARP_IN = iota
+	NF_ARP_OUT
+	NF_ARP_FORWARD
+	NF_ARP_NUMHOOKS
+)

pkg/abi/linux/netfilter_bridge.go

@@ -16,6 +16,17 @@ package linux
 
 import "math"
 
+// Netfilter Bridge Standard Hook Points, from uapi/linux/netfilter_bridge.h.
+const (
+	NF_BR_PRE_ROUTING = iota
+	NF_BR_LOCAL_IN
+	NF_BR_FORWARD
+	NF_BR_LOCAL_OUT
+	NF_BR_POST_ROUTING
+	NF_BR_BROUTING
+	NF_BR_NUMHOOKS
+)
+
 // Netfilter Bridge Standard Hook Priorities, from
 // uapi/linux/netfilter_bridge.h.
 const (

pkg/abi/linux/netlink.go

@@ -66,21 +66,35 @@ type NetlinkMessageHeader struct {
 // NetlinkMessageHeaderSize is the size of NetlinkMessageHeader.
 const NetlinkMessageHeaderSize = 16
 
-// Netlink message header flags, from uapi/linux/netlink.h.
+// Netlink message header flag values, from uapi/linux/netlink.h.
 const (
 	NLM_F_REQUEST   = 0x1
 	NLM_F_MULTI     = 0x2
 	NLM_F_ACK       = 0x4
 	NLM_F_ECHO      = 0x8
 	NLM_F_DUMP_INTR = 0x10
-	NLM_F_ROOT      = 0x100
-	NLM_F_MATCH     = 0x200
-	NLM_F_ATOMIC    = 0x400
-	NLM_F_DUMP      = NLM_F_ROOT | NLM_F_MATCH
-	NLM_F_REPLACE   = 0x100
-	NLM_F_EXCL      = 0x200
-	NLM_F_CREATE    = 0x400
-	NLM_F_APPEND    = 0x800
+)
+
+// Netlink message header flags for GET requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_ROOT   = 0x100
+	NLM_F_MATCH  = 0x200
+	NLM_F_ATOMIC = 0x400
+	NLM_F_DUMP   = NLM_F_ROOT | NLM_F_MATCH
+)
+
+// Netlink message header flags for NEW requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_REPLACE = 0x100
+	NLM_F_EXCL    = 0x200
+	NLM_F_CREATE  = 0x400
+	NLM_F_APPEND  = 0x800
+)
+
+// Netlink message header flags for DELETE requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_NONREC = 0x100
+	NLM_F_BULK   = 0x200
 )
 
 // Standard netlink message types, from uapi/linux/netlink.h.

pkg/abi/linux/nf_tables.go

@@ -16,6 +16,20 @@ package linux
 
 // This file contains constants required to support nf_tables.
 
+const NFT_MAX_HOOKS = NF_INET_NUMHOOKS + 1
+
+// Name length constants for nf_table structures. These correspond to values in
+// include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFT_NAME_MAXLEN      = 256
+	NFT_TABLE_MAXNAMELEN = NFT_NAME_MAXLEN
+	NFT_CHAIN_MAXNAMELEN = NFT_NAME_MAXLEN
+	NFT_SET_MAXNAMELEN   = NFT_NAME_MAXLEN
+	NFT_OBJ_MAXNAMELEN   = NFT_NAME_MAXLEN
+	NFT_USERDATA_MAXLEN  = 256
+	NFT_OSF_MAXGENRELEN  = 16
+)
+
 // 16-byte Registers that can be used to maintain state for rules.
 // These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
 const (
@@ -124,10 +138,25 @@ const (
 	NFT_MSG_MAX
 )
 
+// NfTableHookAttributes represents the netfilter hook attributes.
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFTA_HOOK_UNSPEC uint16 = iota
+	NFTA_HOOK_HOOKNUM
+	NFTA_HOOK_PRIORITY
+	NFTA_HOOK_DEV
+	NFTA_HOOK_DEVS
+	__NFTA_HOOK_MAX
+	NFTA_HOOK_MAX = __NFTA_HOOK_MAX - 1
+)
+
 // NfTableFlags represents table flags that can be set for a table, namely dormant.
 // These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
 const (
-	NFT_TABLE_F_DORMANT = 0x1
+	NFT_TABLE_F_DORMANT uint32 = 0x1
+	NFT_TABLE_F_OWNER          = 0x2
+	NFT_TABLE_F_PERSIST        = 0x4
+	NFT_TABLE_F_MASK           = NFT_TABLE_F_DORMANT | NFT_TABLE_F_OWNER | NFT_TABLE_F_PERSIST
 )
 
 // NfTableAttributes represents the netfilter table attributes.
@@ -147,6 +176,35 @@ const (
 // NFTA_TABLE_MAX is the maximum netfilter table attribute.
 const NFTA_TABLE_MAX = __NFTA_TABLE_MAX - 1
 
+// NfTableChainFlags represents chain flags that can be set for a chain.
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFT_CHAIN_BASE       uint32 = (1 << 0)
+	NFT_CHAIN_HW_OFFLOAD        = (1 << 1)
+	NFT_CHAIN_BINDING           = (1 << 2)
+	NFT_CHAIN_FLAGS             = (NFT_CHAIN_BASE | NFT_CHAIN_HW_OFFLOAD | NFT_CHAIN_BINDING)
+)
+
+// NfTableChainAttributes represents the netfilter chain attributes.
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFTA_CHAIN_UNSPEC uint16 = iota
+	NFTA_CHAIN_TABLE
+	NFTA_CHAIN_HANDLE
+	NFTA_CHAIN_NAME
+	NFTA_CHAIN_HOOK
+	NFTA_CHAIN_POLICY
+	NFTA_CHAIN_USE
+	NFTA_CHAIN_TYPE
+	NFTA_CHAIN_COUNTERS
+	NFTA_CHAIN_PAD
+	NFTA_CHAIN_FLAGS
+	NFTA_CHAIN_ID
+	NFTA_CHAIN_USERDATA
+	__NFTA_CHAIN_MAX
+	NFTA_CHAIN_MAX = __NFTA_CHAIN_MAX - 1
+)
+
 // Nf table relational operators.
 // Used by the nft comparison operation to compare values in registers.
 // These correspond to enum values in include/uapi/linux/netfilter/nf_tables.h.

pkg/sentry/socket/netlink/netfilter/BUILD

@@ -11,8 +11,10 @@ go_library(
     visibility = ["//pkg/sentry:internal"],
     deps = [
         "//pkg/abi/linux",
+        "//pkg/atomicbitops",
         "//pkg/context",
         "//pkg/log",
+        "//pkg/marshal/primitive",
         "//pkg/sentry/inet",
         "//pkg/sentry/kernel",
         "//pkg/sentry/socket/netlink",