Implement GETGEN and a skeleton for GETSET.

This change implements functionality to retrieve the nftables
generation id, as well as a skeleton for getting element
sets. The nft CLI requires these to be present when adding
new rules, but their functionality does not directly impact
packet filtering functionality.

Updates #11778

PiperOrigin-RevId: 800582677

Author: kerumeto

pkg/abi/linux/nf_tables.go

@@ -462,3 +462,14 @@ const (
 	NFT_META_SDIFNAME             // Slave device interface name
 	NFT_META_BRI_BROUTE           // Packet br_netfilter_broute bit
 )
+
+// Nftables Generation Attributes
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFTA_GEN_UNSPEC uint16 = iota
+	NFTA_GEN_ID
+	NFTA_GEN_PROC_PID
+	NFTA_GEN_PROC_NAME
+	__NFTA_GEN_MAX
+	NFTA_GEN_MAX = __NFTA_GEN_MAX - 1
+)

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -1102,6 +1102,25 @@ func fillRuleInfo(rule *nftables.Rule, ms *nlmsg.MessageSet) *syserr.AnnotatedEr
 	return nil
 }
 
+// getGen returns the generation info for the current nftables instance.
+func (p *Protocol) getGen(nft *nftables.NFTables, task *kernel.Task, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+	m := ms.AddMessage(linux.NetlinkMessageHeader{
+		Type: uint16(linux.NFNL_SUBSYS_NFTABLES)<<8 | uint16(linux.NFT_MSG_NEWGEN),
+	})
+	m.Put(&linux.NetFilterGenMsg{
+		Family:  uint8(nftables.AfProtocol(stack.Unspec)),
+		Version: uint8(linux.NFNETLINK_V0),
+		// Unused, set to 0.
+		ResourceID: uint16(0),
+	})
+
+	m.PutAttr(linux.NFTA_GEN_ID, nlmsg.PutU32(nft.GetGenID()))
+	m.PutAttr(linux.NFTA_GEN_PROC_PID, nlmsg.PutU32(uint32(task.ThreadGroup().ID())))
+	// TODO - b/434244017: Add support for dumping the process name.
+	m.PutAttrString(linux.NFTA_GEN_PROC_NAME, "placeholder")
+	return nil
+}
+
 // isNetDevHook returns whether the given family and hook number represent a
 // netdev hook, or if the family is inet and is attempting to attach to
 // Ingress or Egress hooks.
@@ -1170,9 +1189,20 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 		}
 
 		return nil
-	case linux.NFT_MSG_GETRULE_RESET,
-		linux.NFT_MSG_GETSET, linux.NFT_MSG_GETSETELEM,
-		linux.NFT_MSG_GETSETELEM_RESET, linux.NFT_MSG_GETGEN,
+	case linux.NFT_MSG_GETGEN:
+		if err := p.getGen(nft, kernel.TaskFromContext(ctx), attrs, family, hdr.Flags, ms); err != nil {
+			log.Debugf("Nftables get gen error: %s", err)
+			return err.GetError()
+		}
+		return nil
+	case linux.NFT_MSG_GETSET:
+		// TODO - b/421437663: Implement sets for nftables. This skeleton is
+		// left here to satisfy auxiliary calls from the nft CLI not needed
+		// for packet filtering functionality.
+		ms.Multi = true
+		return nil
+	case linux.NFT_MSG_GETRULE_RESET, linux.NFT_MSG_GETSETELEM,
+		linux.NFT_MSG_GETSETELEM_RESET,
 		linux.NFT_MSG_GETOBJ, linux.NFT_MSG_GETOBJ_RESET,
 		linux.NFT_MSG_GETFLOWTABLE:
 

pkg/tcpip/nftables/nftables.go

@@ -243,7 +243,12 @@ func NewNFTables(clock tcpip.Clock, rng rand.RNG) *NFTables {
 	if rng.Reader == nil {
 		panic("nftables state must be initialized with a non-nil random number generator")
 	}
-	return &NFTables{clock: clock, startTime: clock.Now(), rng: rng, tableHandleCounter: atomicbitops.Uint64{}}
+	return &NFTables{clock: clock, startTime: clock.Now(), rng: rng, tableHandleCounter: atomicbitops.Uint64{}, genid: 1}
+}
+
+// GetGenID returns the generation ID for the NFTables object.
+func (nf *NFTables) GetGenID() uint32 {
+	return nf.genid
 }
 
 // Flush clears entire ruleset and all data for all address families

pkg/tcpip/nftables/nftables_types.go

@@ -87,6 +87,7 @@ const (
 
 // addressFamilyProtocols maps address families to their protocol number.
 var addressFamilyProtocols = map[stack.AddressFamily]uint8{
+	stack.Unspec: linux.NFPROTO_UNSPEC,
 	stack.IP:     linux.NFPROTO_IPV4,
 	stack.IP6:    linux.NFPROTO_IPV6,
 	stack.Inet:   linux.NFPROTO_INET,
@@ -243,6 +244,7 @@ type NFTables struct {
 	rng                rand.RNG                           // Random number generator.
 	tableHandleCounter atomicbitops.Uint64                // Table handle counter.
 	Mu                 nfTablesRWMutex                    // Mutex for tableHandles.
+	genid              uint32                             // Generation ID for nftables.
 }
 
 // Ensures NFTables implements the NFTablesInterface.
@@ -1260,4 +1262,5 @@ func (nf *NFTables) DeepCopy() *NFTables {
 // with the tables of the passed in NFTables struct.
 func (nf *NFTables) ReplaceNFTables(nftCopy *NFTables) {
 	nf.filters = nftCopy.filters
+	nf.genid++
 }

test/syscalls/linux/socket_netlink_netfilter.cc

@@ -3401,6 +3401,31 @@ TEST_F(NetlinkNetfilterTest, GetRuleDumpTableChainSpecified) {
   EXPECT_EQ(rules_found, 0);
 }
 
+TEST_F(NetlinkNetfilterTest, GetGenerationID) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_NET_RAW)));
+  SKIP_IF(!IsRunningOnGvisor());
+  FileDescriptor fd =
+      ASSERT_NO_ERRNO_AND_VALUE(NetlinkBoundSocket(NETLINK_NETFILTER));
+
+  std::vector<char> get_gen_request =
+      NlReq("getgen req inet").Seq(kSeq).Build();
+
+  ASSERT_NO_ERRNO(NetlinkRequestResponse(
+      fd, get_gen_request.data(), get_gen_request.size(),
+      [&](const struct nlmsghdr* hdr) {
+        const struct nfattr* gen_id_attr =
+            FindNfAttr(hdr, nullptr, NFTA_GEN_ID);
+        EXPECT_NE(gen_id_attr, nullptr);
+        // Although the generation ID is initialized to 1, this number gets
+        // incremented on successful NETFILTER nftables batch requests.
+        // Thus, we simply check that is is greater than 1 here.
+        uint32_t gen_id =
+            ntohl(*(reinterpret_cast<uint32_t*>(NFA_DATA(gen_id_attr))));
+        EXPECT_GE(gen_id, 1);
+      },
+      false));
+}
+
 }  // namespace
 
 }  // namespace testing

test/syscalls/linux/socket_netlink_netfilter_util.cc

@@ -472,7 +472,8 @@ bool NlReq::MsgTypeToken(const std::string& token) {
       {"deltable", NFT_MSG_DELTABLE}, {"destroytable", NFT_MSG_DESTROYTABLE},
       {"newchain", NFT_MSG_NEWCHAIN}, {"getchain", NFT_MSG_GETCHAIN},
       {"delchain", NFT_MSG_DELCHAIN}, {"destroychain", NFT_MSG_DESTROYCHAIN},
-      {"newrule", NFT_MSG_NEWRULE},   {"getrule", NFT_MSG_GETRULE}};
+      {"newrule", NFT_MSG_NEWRULE},   {"getrule", NFT_MSG_GETRULE},
+      {"getgen", NFT_MSG_GETGEN}};
   auto it = token_to_msg_type.find(token);
   if (it != token_to_msg_type.end()) {
     EXPECT_FALSE(msg_type_set_) << "Message type already set: " << msg_type_;