Create Nftables docker tests.

PiperOrigin-RevId: 800603329

Author: kerumeto

Makefile

@@ -420,6 +420,13 @@ iptables-tests: load-iptables $(RUNTIME_BIN)
 	@$(call test_runtime,$(RUNTIME)-nftables,--test_env=TEST_NET_RAW=true --test_output=all //test/iptables:nftables_test)
 .PHONY: iptables-tests
 
+nftables-tests: load-nftables $(RUNTIME_BIN)
+	@sudo modprobe nfnetlink
+	@sudo modprobe nf_tables
+	@$(call install_runtime,$(RUNTIME),--net-raw --TESTONLY-nftables)
+	@$(call test_runtime,$(RUNTIME),--test_env=TEST_NET_RAW=true //test/nftables:nftables_test)
+.PHONY: nftables-tests
+
 packetdrill-tests: load-packetdrill $(RUNTIME_BIN)
 	@$(call install_runtime,$(RUNTIME),) # Clear flags.
 	@$(call test_runtime,$(RUNTIME),//test/packetdrill:all_tests)

images/nftables/Dockerfile

@@ -0,0 +1,5 @@
+FROM ubuntu:24.04
+
+# Install the nftables package.
+# It provides the 'nft' command-line utility for managing the nftables firewall.
+RUN apt update && apt install -y nftables

test/netutils/BUILD

@@ -9,6 +9,9 @@ go_library(
     name = "netutils",
     testonly = 1,
     srcs = ["utils.go"],
-    visibility = ["//test/iptables:__subpackages__"],
+    visibility = [
+        "//test/iptables:__subpackages__",
+        "//test/nftables:__subpackages__",
+    ],
     deps = ["//pkg/test/testutil"],
 )

test/nftables/BUILD

@@ -0,0 +1,37 @@
+load("//tools:defs.bzl", "go_library", "go_test")
+
+package(
+    default_applicable_licenses = ["//:license"],
+    licenses = ["notice"],
+)
+
+go_library(
+    name = "nftables",
+    testonly = 1,
+    srcs = [
+        "filter_input.go",
+        "filter_input_iptables.go",
+        "iptables_util.go",
+        "nftables.go",
+        "nftables_util.go",
+    ],
+    visibility = ["//test/nftables:__subpackages__"],
+    deps = ["//test/netutils"],
+)
+
+go_test(
+    name = "nftables_test",
+    size = "large",
+    srcs = ["nftables_test.go"],
+    data = ["//test/nftables/runner"],
+    library = ":nftables",
+    tags = [
+        "local",
+        "manual",
+    ],
+    deps = [
+        "//pkg/log",
+        "//pkg/test/dockerutil",
+        "//pkg/test/testutil",
+    ],
+)

test/nftables/README.md

@@ -0,0 +1,84 @@
+# nftables Tests
+
+nftables tests are run via `make nftables-tests`.
+
+nftables require some extra Docker configuration to work. Enable IPv6 in
+`/etc/docker/daemon.json` (make sure to restart Docker if you change this file):
+
+```json
+{
+    "experimental": true,
+    "fixed-cidr-v6": "2001:db8:1::/64",
+    "ipv6": true,
+    // Runtimes and other Docker config...
+}
+```
+
+And if you're running manually (i.e. not using the `make` target), you'll need
+to:
+
+*   Enable nftables via `modprobe nfnetlink && modprobe nf_tables`.
+*   Enable `--net-raw` in your chosen runtime in `/etc/docker/daemon.json` (make
+    sure to restart Docker if you change this file).
+
+The resulting runtime should look something like this:
+
+```json
+"runsc": {
+    "path": "/tmp/nftables/runsc",
+    "runtimeArgs": [
+        "--debug-log",
+        "/tmp/nftables/logs/runsc.log.%TEST%.%TIMESTAMP%.%COMMAND%",
+        "--net-raw"
+    ]
+},
+// ...
+```
+
+## Test Structure
+
+Each test implements `TestCase`, providing (1) a function to run inside the
+container and (2) a function to run locally. Those processes are given each
+others' IP addresses. The test succeeds when both functions succeed.
+
+The function inside the container (`ContainerAction`) typically sets some
+nftables rules and then tries to send or receive packets. The local function
+(`LocalAction`) will typically just send or receive packets.
+
+### Adding Tests
+
+1) Add your test to the `nftables` package.
+
+2) Register the test in an `init` function via `RegisterTestCase` (see
+`filter_input.go` as an example).
+
+3) Add it to `nftables_test.go` (see the other tests in that file).
+
+Your test is now runnable with bazel!
+
+## Run individual tests
+
+Build and install `runsc`. Re-run this when you modify gVisor:
+
+```bash
+$ bazel build //runsc && sudo cp bazel-out/k8-fastbuild-ST-4c64f0b3d5c7/bin/runsc/runsc_/runsc $(which runsc)
+```
+
+Build the testing Docker container. Re-run this when you modify the test code in
+this directory:
+
+```bash
+$ make load-nftables
+```
+
+Run an individual test via:
+
+```bash
+$ bazel test //test/nftables:nftables_test --test_filter=<TESTNAME>
+```
+
+To run an individual test with `runc`:
+
+```bash
+$ bazel test //test/nftables:nftables_test --test_filter=<TESTNAME> --test_env=RUNTIME=runc
+```

test/nftables/filter_input.go

@@ -0,0 +1,71 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package nftables
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"time"
+
+	"gvisor.dev/gvisor/test/netutils"
+)
+
+const (
+	dropPort         = 2401
+	acceptPort       = 2402
+	sendloopDuration = 2 * time.Second
+	chainName        = "foochain"
+)
+
+func init() {
+	RegisterTestCase(&FilterInputDropAll{})
+}
+
+// FilterInputDropAll tests that we can drop all traffic to the INPUT chain.
+type FilterInputDropAll struct{ containerCase }
+
+var _ TestCase = (*FilterInputDropAll)(nil)
+
+// Name implements TestCase.Name.
+func (*FilterInputDropAll) Name() string {
+	return "FilterInputDropAll"
+}
+
+// ContainerAction implements TestCase.ContainerAction.
+func (*FilterInputDropAll) ContainerAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+	if err := createDropAllTable(ipv6, "filterTab"); err != nil {
+		return err
+	}
+
+	// Listen for all packets on dropPort.
+	timedCtx, cancel := context.WithTimeout(ctx, NegativeTimeout)
+	defer cancel()
+	if err := netutils.ListenUDP(timedCtx, dropPort, ipv6); err == nil {
+		return fmt.Errorf("packets should have been dropped, but got a packet")
+	} else if !errors.Is(err, context.DeadlineExceeded) {
+		return fmt.Errorf("error reading: %v", err)
+	}
+
+	// At this point we know that reading timed out and never received a
+	// packet.
+	return nil
+}
+
+// LocalAction implements TestCase.LocalAction.
+func (*FilterInputDropAll) LocalAction(ctx context.Context, ip net.IP, ipv6 bool) error {
+	return netutils.SendUDPLoop(ctx, ip, dropPort, ipv6)
+}