nftables: Added support for nla policy.

Similar to `nla_policy` defined in include/net/netlink.h.

PiperOrigin-RevId: 836423732

Author: parth-opensrc

pkg/abi/linux/netlink.go

@@ -136,6 +136,33 @@ const NetlinkAttrHeaderSize = 4
 // uapi/linux/netlink.h.
 const NLA_ALIGNTO = 4
 
+// Standard attribute types to specify validation policy, from
+// include/net/netlink.h.
+const (
+	NLA_UNSPEC = iota
+	NLA_U8
+	NLA_U16
+	NLA_U32
+	NLA_U64
+	NLA_STRING
+	NLA_FLAG
+	NLA_MSECS
+	NLA_NESTED
+	NLA_NESTED_ARRAY
+	NLA_NUL_STRING
+	NLA_BINARY
+	NLA_S8
+	NLA_S16
+	NLA_S32
+	NLA_S64
+	NLA_BITFIELD32
+	NLA_REJECT
+	NLA_BE16
+	NLA_BE32
+	__NLA_TYPE_MAX
+	NLA_TYPE_MAX = __NLA_TYPE_MAX - 1
+)
+
 // Socket options, from uapi/linux/netlink.h.
 const (
 	NETLINK_ADD_MEMBERSHIP   = 1

pkg/tcpip/nftables/BUILD

@@ -29,6 +29,7 @@ go_library(
         "nft_ranged.go",
         "nft_route.go",
         "nftables.go",
+        "nftables_attrs.go",
         "nftables_mutex.go",
         "nftables_types.go",
         "nftinterp.go",
@@ -63,10 +64,12 @@ go_test(
         "//pkg/abi/linux",
         "//pkg/buffer",
         "//pkg/rand",
+        "//pkg/sentry/socket/netlink/nlmsg",
         "//pkg/sync",
         "//pkg/tcpip",
         "//pkg/tcpip/faketime",
         "//pkg/tcpip/header",
         "//pkg/tcpip/stack",
+        "@com_github_google_go_cmp//cmp:go_default_library",
     ],
 )

pkg/tcpip/nftables/nftables_attrs.go

@@ -0,0 +1,164 @@
+// Copyright 2024 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nftables
+
+import (
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
+)
+
+var nlaTypeToString = [...]string{
+	linux.NLA_UNSPEC:       "NLA_UNSPEC",
+	linux.NLA_U8:           "NLA_U8",
+	linux.NLA_U16:          "NLA_U16",
+	linux.NLA_U32:          "NLA_U32",
+	linux.NLA_U64:          "NLA_U64",
+	linux.NLA_STRING:       "NLA_STRING",
+	linux.NLA_FLAG:         "NLA_FLAG",
+	linux.NLA_MSECS:        "NLA_MSECS",
+	linux.NLA_NESTED:       "NLA_NESTED",
+	linux.NLA_NESTED_ARRAY: "NLA_NESTED_ARRAY",
+	linux.NLA_NUL_STRING:   "NLA_NUL_STRING",
+	linux.NLA_BINARY:       "NLA_BINARY",
+	linux.NLA_S8:           "NLA_S8",
+	linux.NLA_S16:          "NLA_S16",
+	linux.NLA_S32:          "NLA_S32",
+	linux.NLA_S64:          "NLA_S64",
+	linux.NLA_BITFIELD32:   "NLA_BITFIELD32",
+	linux.NLA_REJECT:       "NLA_REJECT",
+	linux.NLA_BE16:         "NLA_BE16",
+	linux.NLA_BE32:         "NLA_BE32",
+}
+
+// NlaPolicy represents the policy for a netlink attribute.
+// Similar to struct nla_policy defined in include/net/netlink.h.
+type NlaPolicy struct {
+	nlaType   uint8
+	validator NlaPolicyValidator
+}
+
+// NlaPolicyValidator is used to validate the data for a netlink attribute.
+type NlaPolicyValidator func(data any) bool
+
+func validateData(policy *NlaPolicy, data nlmsg.BytesView) bool {
+	validator := policy.validator
+	if validator == nil {
+		// No validator is set, still check the data type
+		// through the switch case below.
+		validator = func(data any) bool { return true }
+	}
+	switch policy.nlaType {
+	case linux.NLA_U8:
+		if v, ok := data.Uint8(); ok {
+			return validator(v)
+		}
+	case linux.NLA_S8:
+		if v, ok := data.Int8(); ok {
+			return validator(v)
+		}
+	case linux.NLA_U16:
+		if v, ok := data.Uint16(); ok {
+			return validator(v)
+		}
+	case linux.NLA_S16:
+		if v, ok := data.Int16(); ok {
+			return validator(v)
+		}
+	case linux.NLA_BE16:
+		if v, ok := data.Uint16(); ok {
+			return validator(nlmsg.NetToHostU16(v))
+		}
+	case linux.NLA_U32:
+		if v, ok := data.Uint32(); ok {
+			return validator(v)
+		}
+	case linux.NLA_S32:
+		if v, ok := data.Int32(); ok {
+			return validator(v)
+		}
+	case linux.NLA_BE32:
+		if v, ok := data.Uint32(); ok {
+			return validator(nlmsg.NetToHostU32(v))
+		}
+	case linux.NLA_U64:
+		if v, ok := data.Uint64(); ok {
+			return validator(v)
+		}
+	case linux.NLA_S64:
+		if v, ok := data.Int64(); ok {
+			return validator(v)
+		}
+	// return true for all other valid types.
+	case linux.NLA_STRING,
+		linux.NLA_NUL_STRING,
+		linux.NLA_BINARY,
+		linux.NLA_FLAG,
+		linux.NLA_MSECS,
+		linux.NLA_NESTED,
+		linux.NLA_NESTED_ARRAY,
+		linux.NLA_BITFIELD32,
+		linux.NLA_REJECT:
+
+		return true
+	}
+	return false
+}
+
+type integer interface {
+	int | uint | int8 | uint8 | int16 | uint16 | int32 | uint32 | int64 | uint64
+}
+
+// AttrMaxValidator checks if the data is less than or equal to the maxValue.
+func AttrMaxValidator[T integer](maxValue T) NlaPolicyValidator {
+	return func(data any) bool {
+		v, ok := data.(T)
+		return ok && v <= maxValue
+	}
+}
+
+// NfParseWithPolicy parses the data bytes, clearing the nested attribute bit if present.
+// For nested attributes, Linux supports these attributes having the bit
+// set or unset. It is cleared here for consistency. The policy map is used to validate the
+// attributes with the given validation function, if present.
+func NfParseWithPolicy(data nlmsg.AttrsView, policy []NlaPolicy) (map[uint16]nlmsg.BytesView, bool) {
+	attrs, ok := data.Parse()
+	if !ok {
+		return nil, ok
+	}
+	policyLen := uint16(len(policy))
+	newAttrs := make(map[uint16]nlmsg.BytesView)
+	for attr, attrData := range attrs {
+		unNestedAttr := attr & ^linux.NLA_F_NESTED
+		policyExists := unNestedAttr < policyLen
+		if policyExists {
+			if ok := validateData(&policy[unNestedAttr], attrData); !ok {
+				return nil, false
+			}
+		}
+		newAttrs[unNestedAttr] = attrData
+	}
+	return newAttrs, true
+}
+
+// NfParse parses the data bytes with no validation.
+func NfParse(data nlmsg.AttrsView) (map[uint16]nlmsg.BytesView, bool) {
+	return NfParseWithPolicy(data, nil)
+}
+
+// HasAttr returns whether the given attribute key is present in the attribute map.
+func HasAttr(attrName uint16, attrs map[uint16]nlmsg.BytesView) bool {
+	_, ok := attrs[attrName]
+	return ok
+}

pkg/tcpip/nftables/nftables_test.go

@@ -22,9 +22,11 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/go-cmp/cmp"
 	"gvisor.dev/gvisor/pkg/abi/linux"
 	"gvisor.dev/gvisor/pkg/buffer"
 	"gvisor.dev/gvisor/pkg/rand"
+	"gvisor.dev/gvisor/pkg/sentry/socket/netlink/nlmsg"
 	"gvisor.dev/gvisor/pkg/sync"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/faketime"
@@ -3830,3 +3832,96 @@ func (*fixedReader) Read(buf []byte) (int, error) {
 	}
 	return len(buf), nil
 }
+
+func createEmptyNlMsg() *nlmsg.Message {
+	m := nlmsg.NewMessage(linux.NetlinkMessageHeader{})
+	m.Put(&linux.NetFilterGenMsg{})
+	return m
+}
+
+func TestNfAttrParser(t *testing.T) {
+	tests := []struct {
+		name   string
+		msg    *nlmsg.Message
+		policy []NlaPolicy
+		want   map[uint16]nlmsg.BytesView
+	}{
+		{
+			name: "validAttrs",
+			msg: func() *nlmsg.Message {
+				m := createEmptyNlMsg()
+				m.PutAttr(linux.NFTA_TABLE_HANDLE, nlmsg.PutU32(123))
+				m.PutAttr(linux.NFTA_TABLE_USE, nlmsg.PutU64(1))
+				m.PutAttrString(linux.NFTA_TABLE_NAME, "test_table")
+				return m
+			}(),
+			policy: []NlaPolicy{
+				linux.NFTA_TABLE_HANDLE: {nlaType: linux.NLA_BE32, validator: AttrMaxValidator[uint32](256)},
+				linux.NFTA_TABLE_USE:    {nlaType: linux.NLA_U64, validator: AttrMaxValidator[uint64](nlmsg.HostToNetU64(1))},
+				linux.NFTA_TABLE_NAME:   {nlaType: linux.NLA_STRING},
+			},
+			want: map[uint16]nlmsg.BytesView{
+				linux.NFTA_TABLE_HANDLE: []byte{0, 0, 0, 123},           // Network byte order.
+				linux.NFTA_TABLE_USE:    []byte{0, 0, 0, 0, 0, 0, 0, 1}, // Network byte order.
+				// The string is expected to be null terminated.
+				linux.NFTA_TABLE_NAME: []byte{'t', 'e', 's', 't', '_', 't', 'a', 'b', 'l', 'e', '\x00'},
+			},
+		},
+		{
+			name: "attrsWithoutPolicy",
+			msg: func() *nlmsg.Message {
+				m := createEmptyNlMsg()
+				m.PutAttr(linux.NFTA_TABLE_HANDLE, nlmsg.PutU32(123))
+				m.PutAttr(linux.NFTA_TABLE_USE, nlmsg.PutU64(1))
+				return m
+			}(),
+			want: map[uint16]nlmsg.BytesView{
+				linux.NFTA_TABLE_HANDLE: []byte{0, 0, 0, 123},
+				linux.NFTA_TABLE_USE:    []byte{0, 0, 0, 0, 0, 0, 0, 1},
+			},
+		},
+		{
+			name: "attrGtThanMax",
+			msg: func() *nlmsg.Message {
+				m := createEmptyNlMsg()
+				m.PutAttr(linux.NFTA_TABLE_HANDLE, nlmsg.PutU32(123))
+				return m
+			}(),
+			policy: []NlaPolicy{
+				linux.NFTA_TABLE_HANDLE: {nlaType: linux.NLA_BE32, validator: AttrMaxValidator[uint32](1)},
+			},
+		},
+		{
+			name: "attrWithInvalidType",
+			msg: func() *nlmsg.Message {
+				m := createEmptyNlMsg()
+				m.PutAttr(linux.NFTA_TABLE_HANDLE, nlmsg.PutU16(123))
+				return m
+			}(),
+			policy: []NlaPolicy{
+				linux.NFTA_TABLE_HANDLE: {nlaType: linux.NLA_U32},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			var nfGenMsg linux.NetFilterGenMsg
+			attr, ok := test.msg.GetData(&nfGenMsg)
+			if !ok {
+				t.Fatalf("GetData() failed for msg %v", test.msg)
+			}
+			got, gotOk := NfParseWithPolicy(attr, test.policy)
+			wantOk := test.want != nil
+			if wantOk != gotOk {
+				t.Fatalf("NfParseWithPolicy() failed, want ok: %v, got ok: %v", wantOk, gotOk)
+			}
+			if !wantOk {
+				return
+			}
+			if diff := cmp.Diff(test.want, got); diff != "" {
+				t.Fatalf("NfParseWithPolicy() returned diff (-want +got): %v", diff)
+			}
+		})
+	}
+}

pkg/tcpip/nftables/nftables_types.go

@@ -1112,31 +1112,6 @@ func validateVerdictData(tab *Table, bytes nlmsg.AttrsView) (stack.NFVerdict, *s
 	return v, nil
 }
 
-// HasAttr returns whether the given attribute key is present in the attribute map.
-func HasAttr(attrName uint16, attrs map[uint16]nlmsg.BytesView) bool {
-	_, ok := attrs[attrName]
-	return ok
-}
-
-// NfParse parses the data bytes, clearing the nested attribute bit if present.
-// For nested attributes, Linux supports these attributes having the bit
-// set or unset. It is cleared here for consistency.
-func NfParse(data nlmsg.AttrsView) (map[uint16]nlmsg.BytesView, bool) {
-	attrs, ok := data.Parse()
-	if !ok {
-		return nil, ok
-	}
-
-	newAttrs := make(map[uint16]nlmsg.BytesView)
-	// TODO - b/421437663: If any validation has to be done on nested attributes,
-	// it should be done here.
-	for attr, attrData := range attrs {
-		newAttrs[attr & ^linux.NLA_F_NESTED] = attrData
-	}
-
-	return newAttrs, ok
-}
-
 // deepCopyRule returns a deep copy of the Rule struct.
 func deepCopyRule(rule *Rule, chainCopy *Chain) *Rule {
 	return &Rule{