Implement Nftables DELTABLE, DESTROYTABLE message functionality

These messages now allow us to delete tables by name or by handle,
and flush tables under certain scenarios. Also updated the nftables
package to create a translation between nftables flags (NFPROTO_INET, etc)
to regular address families. This "translation" in Linux is done implicitly
by setting these enums to overlapping values, but here it is done explicitly
because stack.AFs are of custom type AF. This gives us an extra safety check
on allowing only supported family addresses.

Finally, updated tests to dynamically create requests with buffers.
This was needed so that the correct amount of padding is inserted
between headers and payloads.

PiperOrigin-RevId: 783444579

Author: kerumeto

pkg/abi/linux/netlink.go

@@ -66,21 +66,35 @@ type NetlinkMessageHeader struct {
 // NetlinkMessageHeaderSize is the size of NetlinkMessageHeader.
 const NetlinkMessageHeaderSize = 16
 
-// Netlink message header flags, from uapi/linux/netlink.h.
+// Netlink message header flag values, from uapi/linux/netlink.h.
 const (
 	NLM_F_REQUEST   = 0x1
 	NLM_F_MULTI     = 0x2
 	NLM_F_ACK       = 0x4
 	NLM_F_ECHO      = 0x8
 	NLM_F_DUMP_INTR = 0x10
-	NLM_F_ROOT      = 0x100
-	NLM_F_MATCH     = 0x200
-	NLM_F_ATOMIC    = 0x400
-	NLM_F_DUMP      = NLM_F_ROOT | NLM_F_MATCH
-	NLM_F_REPLACE   = 0x100
-	NLM_F_EXCL      = 0x200
-	NLM_F_CREATE    = 0x400
-	NLM_F_APPEND    = 0x800
+)
+
+// Netlink message header flags for GET requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_ROOT   = 0x100
+	NLM_F_MATCH  = 0x200
+	NLM_F_ATOMIC = 0x400
+	NLM_F_DUMP   = NLM_F_ROOT | NLM_F_MATCH
+)
+
+// Netlink message header flags for NEW requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_REPLACE = 0x100
+	NLM_F_EXCL    = 0x200
+	NLM_F_CREATE  = 0x400
+	NLM_F_APPEND  = 0x800
+)
+
+// Netlink message header flags for DELETE requests, from uapi/linux/netlink.h.
+const (
+	NLM_F_NONREC = 0x100
+	NLM_F_BULK   = 0x200
 )
 
 // Standard netlink message types, from uapi/linux/netlink.h.

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -90,10 +90,18 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 	}
 
 	// Nftables functions error check the address family value.
-	family := stack.AddressFamily(nfGenMsg.Family)
+	family, err := nftables.AFtoNetlinkAF(nfGenMsg.Family)
 	// TODO: b/421437663 - Match the message type and call the appropriate Nftables function.
 	switch msgType {
 	case linux.NFT_MSG_NEWTABLE:
+		// We only check the error value in the case of NFT_MSG_NEWTABLE as linux returns
+		// an EOPNOTSUPP error only in that case. Otherwise the other operations will return
+		// errors specific to their function.
+		if err != nil {
+			log.Debugf("Nftables: Unsupported address family: %d", int(nfGenMsg.Family))
+			return err
+		}
+
 		if err := p.newTable(nft, attrs, family, hdr.Flags, ms); err != nil {
 			log.Debugf("Nftables new table error: %s", err)
 			return err.GetError()
@@ -105,6 +113,12 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 			return err.GetError()
 		}
 		return nil
+	case linux.NFT_MSG_DELTABLE, linux.NFT_MSG_DESTROYTABLE:
+		if err := p.deleteTable(nft, attrs, family, hdr, msgType, ms); err != nil {
+			log.Debugf("Nftables delete table error: %s", err)
+			return err.GetError()
+		}
+		return nil
 	default:
 		log.Debugf("Unsupported message type: %d", msgType)
 		return syserr.ErrNotSupported
@@ -247,10 +261,58 @@ func (p *Protocol) getTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.Bytes
 	return nil
 }
 
+// deleteTable deletes a table for the given family.
+func (p *Protocol) deleteTable(nft *nftables.NFTables, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, hdr linux.NetlinkMessageHeader, msgType linux.NfTableMsgType, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+	if family == stack.Unspec || (!hasAttr(linux.NFTA_TABLE_NAME, attrs) && !hasAttr(linux.NFTA_TABLE_HANDLE, attrs)) {
+		nft.Flush(attrs, uint32(ms.PortID))
+		return nil
+	}
+
+	var tab *nftables.Table
+	var err *syserr.AnnotatedError
+	if tabHandleBytes, ok := attrs[linux.NFTA_TABLE_HANDLE]; ok {
+		tabHandle, ok := tabHandleBytes.Uint64()
+		if !ok {
+			return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Table handle attribute is malformed or not found"))
+		}
+
+		tab, err = nft.GetTableByHandle(family, uint64(tabHandle), uint32(ms.PortID))
+	} else {
+		tabNameBytes, ok := attrs[linux.NFTA_TABLE_NAME]
+		if !ok {
+			return syserr.NewAnnotatedError(syserr.ErrInvalidArgument, fmt.Sprintf("Nftables: Table name attribute is malformed or not found"))
+		}
+		tab, err = nft.GetTable(family, tabNameBytes.String(), uint32(ms.PortID))
+	}
+
+	if err != nil {
+		// Ignore ENOENT if DESTROY_TABLE is set
+		if err.GetError() == syserr.ErrNoFileOrDir && msgType == linux.NFT_MSG_DESTROYTABLE {
+			return nil
+		}
+		return err
+	}
+
+	// Don't delete the table if it is not empty and NLM_F_NONREC is set.
+	if hdr.Flags&linux.NLM_F_NONREC == linux.NLM_F_NONREC && tab.ChainCount() > 0 {
+		return syserr.NewAnnotatedError(syserr.ErrBusy, fmt.Sprintf("Nftables: Table with family: %d and name: %s already exists", int(family), tab.GetName()))
+	}
+
+	_, err = nft.DeleteTable(family, tab.GetName())
+	return err
+}
+
+// netLinkMessagePayloadSize returns the size of the netlink message payload.
 func netLinkMessagePayloadSize(h *linux.NetlinkMessageHeader) int {
 	return int(h.Length) - linux.NetlinkMessageHeaderSize
 }
 
+// hasAttr returns whether the given attribute key is present in the attribute map.
+func hasAttr(attrName uint16, attrs map[uint16]nlmsg.BytesView) bool {
+	_, ok := attrs[attrName]
+	return ok
+}
+
 // init registers the NETLINK_NETFILTER provider.
 func init() {
 	netlink.RegisterProvider(linux.NETLINK_NETFILTER, NewProtocol)

pkg/sentry/socket/netlink/nlmsg/BUILD

@@ -10,11 +10,15 @@ go_library(
     srcs = [
         "message.go",
     ],
-    visibility = ["//pkg/sentry:internal"],
+    visibility = [
+        "//pkg/sentry:internal",
+        "//pkg/tcpip/nftables:__subpackages__",
+    ],
     deps = [
         "//pkg/abi/linux",
         "//pkg/bits",
         "//pkg/hostarch",
+        "//pkg/log",
         "//pkg/marshal",
         "//pkg/marshal/primitive",
     ],

pkg/sentry/socket/netlink/nlmsg/message.go

@@ -22,6 +22,7 @@ import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/bits"
 	"gvisor.dev/gvisor/pkg/hostarch"
+	"gvisor.dev/gvisor/pkg/log"
 	"gvisor.dev/gvisor/pkg/marshal"
 	"gvisor.dev/gvisor/pkg/marshal/primitive"
 )
@@ -252,17 +253,20 @@ func (v AttrsView) ParseFirst() (hdr linux.NetlinkAttrHeader, value []byte, rest
 
 	hdrBytes, ok := b.Extract(linux.NetlinkAttrHeaderSize)
 	if !ok {
+		log.Debugf("Failed to parse netlink attributes at header stage")
 		return
 	}
 	hdr.UnmarshalUnsafe(hdrBytes)
 
 	value, ok = b.Extract(int(hdr.Length) - linux.NetlinkAttrHeaderSize)
 	if !ok {
+		log.Debugf("Failed to parse %d bytes after %d header bytes", int(hdr.Length)-linux.NetlinkAttrHeaderSize, linux.NetlinkAttrHeaderSize)
 		return
 	}
 
 	_, ok = b.Extract(alignPad(int(hdr.Length), linux.NLA_ALIGNTO))
 	if !ok {
+		log.Debugf("Failed to parse netlink attributes at aligning stage")
 		return
 	}
 
@@ -323,6 +327,17 @@ func (v *BytesView) Uint32() (uint32, bool) {
 	return uint32(val), true
 }
 
+// Uint64 converts the raw attribute value to uint64.
+func (v *BytesView) Uint64() (uint64, bool) {
+	attr := []byte(*v)
+	val := primitive.Uint64(0)
+	if len(attr) != val.SizeBytes() {
+		return 0, false
+	}
+	val.UnmarshalBytes(attr)
+	return uint64(val), true
+}
+
 // Int32 converts the raw attribute value to int32.
 func (v *BytesView) Int32() (int32, bool) {
 	attr := []byte(*v)

pkg/tcpip/nftables/BUILD

@@ -31,6 +31,7 @@ go_library(
         "//pkg/abi/linux",
         "//pkg/atomicbitops",
         "//pkg/rand",
+        "//pkg/sentry/socket/netlink/nlmsg",
         "//pkg/syserr",
         "//pkg/tcpip",
         "//pkg/tcpip/checksum",

pkg/tcpip/nftables/nftables.go

@@ -21,6 +21,7 @@ import (
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/atomicbitops"
 	"gvisor.dev/gvisor/pkg/rand"
+	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
 	"gvisor.dev/gvisor/pkg/syserr"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@@ -245,10 +246,38 @@ func NewNFTables(clock tcpip.Clock, rng rand.RNG) *NFTables {
 	return &NFTables{clock: clock, startTime: clock.Now(), rng: rng, tableHandleCounter: atomicbitops.Uint64{}}
 }
 
-// Flush clears entire ruleset and all data for all address families.
-func (nf *NFTables) Flush() {
+// Flush clears entire ruleset and all data for all address families
+// except for the tables that are not owned by the given owner.
+func (nf *NFTables) Flush(attrs map[uint16]nlmsg.BytesView, owner uint32) {
 	for family := range stack.NumAFs {
-		nf.filters[family] = nil
+		afFilter := nf.filters[family]
+		if afFilter == nil {
+			continue
+		}
+
+		var attrName *string = nil
+		if nameBytes, ok := attrs[linux.NFTA_TABLE_NAME]; ok {
+			name := nameBytes.String()
+			attrName = &name
+		}
+		var tablesToDelete []TableInfo
+		for name, table := range afFilter.tables {
+			// Caller cannot delete a table they do not own.
+			if table.HasOwner() && table.GetOwner() != owner {
+				continue
+			}
+
+			if attrName != nil && *attrName != table.GetName() {
+				continue
+			}
+
+			tablesToDelete = append(tablesToDelete, TableInfo{Name: name, Handle: table.GetHandle()})
+		}
+
+		for _, tableData := range tablesToDelete {
+			delete(afFilter.tables, tableData.Name)
+			delete(afFilter.tableHandles, tableData.Handle)
+		}
 	}
 }
 
@@ -295,6 +324,38 @@ func (nf *NFTables) GetTable(family stack.AddressFamily, tableName string, portI
 	return t, nil
 }
 
+// GetTableByHandle validates the inputs and gets a table by its handle and family if it exists,
+// error otherwise.
+func (nf *NFTables) GetTableByHandle(family stack.AddressFamily, handle uint64, portID uint32) (*Table, *syserr.AnnotatedError) {
+	// Ensures address family is valid.
+	if err := validateAddressFamily(family); err != nil {
+		return nil, err
+	}
+
+	// Checks if the table handle map for the address family has been initialized.
+	if nf.filters[family] == nil || nf.filters[family].tableHandles == nil {
+		return nil, syserr.NewAnnotatedError(syserr.ErrNoFileOrDir, fmt.Sprintf("table handle map for address family %v has no tables", family))
+	}
+
+	// Gets the corresponding table map for the address family.
+	tableHandleMap := nf.filters[family].tableHandles
+
+	// Checks if a table with the name exists.
+	t, exists := tableHandleMap[handle]
+	if !exists {
+		return nil, syserr.NewAnnotatedError(syserr.ErrNoFileOrDir, fmt.Sprintf("table with handle %d not found for address family %v", handle, family))
+	}
+
+	// If the table has an owner, it must match the Netlink portID of the calling process.
+	// User space processes only have non-zero port ids.
+	// Only the kernel can have a zero port id.
+	if t.HasOwner() && portID != 0 && portID != t.GetOwner() {
+		return nil, syserr.NewAnnotatedError(syserr.ErrNotPermitted, fmt.Sprintf("table with handle %d has owner %d, which does not match the Netlink portID of the calling process %d", handle, t.GetOwner(), portID))
+	}
+
+	return t, nil
+}
+
 // AddTable makes a new table for the specified address family, returning an
 // error if the address family is invalid. Can return an error if a table by the
 // same name already exists if errorOnDuplicate is true. Can be used to get an
@@ -312,15 +373,17 @@ func (nf *NFTables) AddTable(family stack.AddressFamily, name string,
 	// Initializes filter if first table for the address family.
 	if nf.filters[family] == nil {
 		nf.filters[family] = &addressFamilyFilter{
-			family:   family,
-			nftState: nf,
-			tables:   make(map[string]*Table),
-			hfStacks: make(map[stack.NFHook]*hookFunctionStack),
+			family:       family,
+			nftState:     nf,
+			tables:       make(map[string]*Table),
+			tableHandles: make(map[uint64]*Table),
+			hfStacks:     make(map[stack.NFHook]*hookFunctionStack),
 		}
 	}
 
 	// Gets the corresponding table map for the address family.
 	tableMap := nf.filters[family].tables
+	tableHandleMap := nf.filters[family].tableHandles
 
 	// Checks if a table with the same name already exists. If so, returns the
 	// existing table (unless errorOnDuplicate is true).
@@ -340,6 +403,7 @@ func (nf *NFTables) AddTable(family stack.AddressFamily, name string,
 		handle:   nf.getNewTableHandle(),
 	}
 	tableMap[name] = t
+	tableHandleMap[t.handle] = t
 
 	return t, nil
 }
@@ -377,8 +441,9 @@ func (nf *NFTables) DeleteTable(family stack.AddressFamily, tableName string) (b
 		t.DeleteChain(chainName)
 	}
 
-	// Deletes the table from the table map.
+	// Deletes the table from the table map and from the table handle map.
 	delete(nf.filters[family].tables, tableName)
+	delete(nf.filters[family].tableHandles, t.handle)
 	return true, nil
 }
 

pkg/tcpip/nftables/nftables_types.go

@@ -161,6 +161,9 @@ type addressFamilyFilter struct {
 	// tables is a map of tables for each address family.
 	tables map[string]*Table
 
+	// tableHandles is a map of table handles (ids) to tables for a given address family.
+	tableHandles map[uint64]*Table
+
 	// hfStacks is a map of hook function stacks (slice of base chains for a
 	// given hook ordered by priority).
 	hfStacks map[stack.NFHook]*hookFunctionStack
@@ -195,6 +198,12 @@ type Table struct {
 	userData []byte
 }
 
+// TableInfo represents data between an AFfilter and a Table.
+type TableInfo struct {
+	Name   string
+	Handle uint64
+}
+
 // hookFunctionStack represents the list of base chains for a specific hook.
 // The stack is ordered by priority and built as chains are added to tables.
 type hookFunctionStack struct {
@@ -759,3 +768,27 @@ func VerdictCodeToString(v uint32) string {
 	}
 	return fmt.Sprintf("invalid verdict: %d", v)
 }
+
+// netlinkAFToStackAF maps address families from linux/socket.h to their corresponding
+// netfilter address families.
+// From linux/include/uapi/linux/netfilter.h
+var netlinkAFToStackAF = map[uint8]stack.AddressFamily{
+	linux.AF_UNSPEC:    stack.Unspec,
+	linux.AF_UNIX:      stack.Inet,
+	linux.AF_INET:      stack.IP,
+	linux.AF_AX25:      stack.Arp,
+	linux.AF_APPLETALK: stack.Netdev,
+	linux.AF_BRIDGE:    stack.Bridge,
+	linux.AF_INET6:     stack.IP6,
+}
+
+// AFtoNetlinkAF converts a generic address family to a netfilter address family.
+// On error, we simply cast it to be a stack.AddressFamily and return an error to allow netfilter
+// sockets to handle it accordingly if needed.
+func AFtoNetlinkAF(af uint8) (stack.AddressFamily, *syserr.Error) {
+	naf, ok := netlinkAFToStackAF[af]
+	if !ok {
+		return stack.NumAFs, syserr.ErrNotSupported
+	}
+	return naf, nil
+}