google
diff --git a/‎pkg/abi/linux/BUILD
Lines changed: 1 addition & 0 deletions b/‎pkg/abi/linux/BUILD
Lines changed: 1 addition & 0 deletions
diff --git a/‎pkg/abi/linux/netfilter.go
Lines changed: 7 additions & 0 deletions b/‎pkg/abi/linux/netfilter.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/abi/linux/netfilter_arp.go
Lines changed: 24 additions & 0 deletions b/‎pkg/abi/linux/netfilter_arp.go
Lines changed: 24 additions & 0 deletions
diff --git a/‎pkg/abi/linux/netfilter_bridge.go
Lines changed: 11 additions & 0 deletions b/‎pkg/abi/linux/netfilter_bridge.go
Lines changed: 11 additions & 0 deletions
diff --git a/‎pkg/abi/linux/netlink.go
Lines changed: 23 additions & 9 deletions b/‎pkg/abi/linux/netlink.go
Lines changed: 23 additions & 9 deletions
diff --git a/‎pkg/abi/linux/nf_tables.go
Lines changed: 59 additions & 1 deletion b/‎pkg/abi/linux/nf_tables.go
Lines changed: 59 additions & 1 deletion
diff --git a/‎pkg/sentry/socket/netlink/netfilter/BUILD
Lines changed: 2 additions & 0 deletions b/‎pkg/sentry/socket/netlink/netfilter/BUILD
Lines changed: 2 additions & 0 deletions
@@ -52,6 +52,7 @@ go_library(
         "msgqueue.go",
         "netdevice.go",
         "netfilter.go",
+        "netfilter_arp.go",
         "netfilter_bridge.go",
         "netfilter_ipv4.go",
         "netfilter_ipv6.go",
 
@@ -31,6 +31,13 @@ const (
 	NF_INET_LOCAL_OUT    = 3
 	NF_INET_POST_ROUTING = 4
 	NF_INET_NUMHOOKS     = 5
+	NF_INET_INGRESS      = NF_INET_NUMHOOKS
+)
+
+const (
+	NF_NETDEV_INGRESS = iota
+	NF_NETDEV_EGRESS
+	NF_NETDEV_NUMHOOKS
 )
 
 // Protocol families (address families). These correspond to values in
 
@@ -0,0 +1,24 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package linux
+
+// These constants show the hooks ARP packets can be evaluated at.
+// From include/uapi/linux/netfilter_arp.h.
+const (
+	NF_ARP_IN = iota
+	NF_ARP_OUT
+	NF_ARP_FORWARD
+	NF_ARP_NUMHOOKS
+)
@@ -16,6 +16,17 @@ package linux
 
 import "math"
 
+// Netfilter Bridge Standard Hook Points, from uapi/linux/netfilter_bridge.h.
+const (
+	NF_BR_PRE_ROUTING = iota
+	NF_BR_LOCAL_IN
+	NF_BR_FORWARD
+	NF_BR_LOCAL_OUT
+	NF_BR_POST_ROUTING
+	NF_BR_BROUTING
+	NF_BR_NUMHOOKS
+)
+
 // Netfilter Bridge Standard Hook Priorities, from
 // uapi/linux/netfilter_bridge.h.
 const (
 
@@ -66,21 +66,35 @@ type NetlinkMessageHeader struct {
 // NetlinkMessageHeaderSize is the size of NetlinkMessageHeader.
 const NetlinkMessageHeaderSize = 16
 
-// Netlink message header flags, from uapi/linux/netlink.h.
+// Netlink message header flag values, from uapi/linux/netlink.h.
 const (
 	NLM_F_REQUEST   = 0x1
 	NLM_F_MULTI     = 0x2
 	NLM_F_ACK       = 0x4
 	NLM_F_ECHO      = 0x8
 	NLM_F_DUMP_INTR = 0x10
-	NLM_F_ROOT      = 0x100
-	NLM_F_MATCH     = 0x200
-	NLM_F_ATOMIC    = 0x400
-	NLM_F_DUMP      = NLM_F_ROOT | NLM_F_MATCH
-	NLM_F_REPLACE   = 0x100
-	NLM_F_EXCL      = 0x200
-	NLM_F_CREATE    = 0x400
-	NLM_F_APPEND    = 0x800
+)
+
+// Netlink message header flags for GET requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_ROOT   = 0x100
+	NLM_F_MATCH  = 0x200
+	NLM_F_ATOMIC = 0x400
+	NLM_F_DUMP   = NLM_F_ROOT | NLM_F_MATCH
+)
+
+// Netlink message header flags for NEW requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_REPLACE = 0x100
+	NLM_F_EXCL    = 0x200
+	NLM_F_CREATE  = 0x400
+	NLM_F_APPEND  = 0x800
+)
+
+// Netlink message header flags for DELETE requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_NONREC = 0x100
+	NLM_F_BULK   = 0x200
 )
 
 // Standard netlink message types, from uapi/linux/netlink.h.
 
@@ -16,6 +16,20 @@ package linux
 
 // This file contains constants required to support nf_tables.
 
+const NFT_MAX_HOOKS = NF_INET_NUMHOOKS + 1
+
+// Name length constants for nf_table structures. These correspond to values in
+// include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFT_NAME_MAXLEN      = 256
+	NFT_TABLE_MAXNAMELEN = NFT_NAME_MAXLEN
+	NFT_CHAIN_MAXNAMELEN = NFT_NAME_MAXLEN
+	NFT_SET_MAXNAMELEN   = NFT_NAME_MAXLEN
+	NFT_OBJ_MAXNAMELEN   = NFT_NAME_MAXLEN
+	NFT_USERDATA_MAXLEN  = 256
+	NFT_OSF_MAXGENRELEN  = 16
+)
+
 // 16-byte Registers that can be used to maintain state for rules.
 // These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
 const (
@@ -124,10 +138,25 @@ const (
 	NFT_MSG_MAX
 )
 
+// NfTableHookAttributes represents the netfilter hook attributes.
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFTA_HOOK_UNSPEC uint16 = iota
+	NFTA_HOOK_HOOKNUM
+	NFTA_HOOK_PRIORITY
+	NFTA_HOOK_DEV
+	NFTA_HOOK_DEVS
+	__NFTA_HOOK_MAX
+	NFTA_HOOK_MAX = __NFTA_HOOK_MAX - 1
+)
+
 // NfTableFlags represents table flags that can be set for a table, namely dormant.
 // These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
 const (
-	NFT_TABLE_F_DORMANT = 0x1
+	NFT_TABLE_F_DORMANT uint32 = 0x1
+	NFT_TABLE_F_OWNER          = 0x2
+	NFT_TABLE_F_PERSIST        = 0x4
+	NFT_TABLE_F_MASK           = NFT_TABLE_F_DORMANT | NFT_TABLE_F_OWNER | NFT_TABLE_F_PERSIST
 )
 
 // NfTableAttributes represents the netfilter table attributes.
@@ -147,6 +176,35 @@ const (
 // NFTA_TABLE_MAX is the maximum netfilter table attribute.
 const NFTA_TABLE_MAX = __NFTA_TABLE_MAX - 1
 
+// NfTableChainFlags represents chain flags that can be set for a chain.
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFT_CHAIN_BASE       uint32 = (1 << 0)
+	NFT_CHAIN_HW_OFFLOAD        = (1 << 1)
+	NFT_CHAIN_BINDING           = (1 << 2)
+	NFT_CHAIN_FLAGS             = (NFT_CHAIN_BASE | NFT_CHAIN_HW_OFFLOAD | NFT_CHAIN_BINDING)
+)
+
+// NfTableChainAttributes represents the netfilter chain attributes.
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFTA_CHAIN_UNSPEC uint16 = iota
+	NFTA_CHAIN_TABLE
+	NFTA_CHAIN_HANDLE
+	NFTA_CHAIN_NAME
+	NFTA_CHAIN_HOOK
+	NFTA_CHAIN_POLICY
+	NFTA_CHAIN_USE
+	NFTA_CHAIN_TYPE
+	NFTA_CHAIN_COUNTERS
+	NFTA_CHAIN_PAD
+	NFTA_CHAIN_FLAGS
+	NFTA_CHAIN_ID
+	NFTA_CHAIN_USERDATA
+	__NFTA_CHAIN_MAX
+	NFTA_CHAIN_MAX = __NFTA_CHAIN_MAX - 1
+)
+
 // Nf table relational operators.
 // Used by the nft comparison operation to compare values in registers.
 // These correspond to enum values in include/uapi/linux/netfilter/nf_tables.h.
 
@@ -11,8 +11,10 @@ go_library(
     visibility = ["//pkg/sentry:internal"],
     deps = [
         "//pkg/abi/linux",
+        "//pkg/atomicbitops",
         "//pkg/context",
         "//pkg/log",
+        "//pkg/marshal/primitive",
         "//pkg/sentry/inet",
         "//pkg/sentry/kernel",
         "//pkg/sentry/socket/netlink",